1. TechNet Security Summit 2004: Rights Management Services. Jimmy Andersson, Principal Advisor, Q Advice AB
2. Agenda. Part 1: Overview and business value. Part 2: Components. Part 3: Key flow (if we have time).
3. Clarification of terms
– DRM: Digital Rights Management
– RMS: Rights Management Services
– IRM: Information Rights Management
– RMA: Rights Management Add-on
4. Part 1: Overview. Define the problem. Windows Rights Management Services: overview, scenarios, demo, infrastructure requirements.
5. Today: perimeter security (diagram: an ACL decides Yes or No at the perimeter).
6. Today's policy. Today, most communication policies only exist on paper. It is easy to unintentionally forward e-mails and documents, and just as easy to intentionally share or sell plans with competitors, the press or the Internet.
7. Windows Rights Management Services (RMS): Windows platform information protection technology
Better safeguard sensitive information
– Keeps internal information internal: protected information can only be viewed by authorized users
– Establishes an audit trail to track usage of protected files
– Augments existing perimeter-based security technologies
Persistent protection
– Protects your sensitive information no matter where it goes: protected information is encrypted with 128-bit AES
– Enforces organizational policy digitally via RMS templates
– Users can easily define how the recipient can use their information; sample rights include view, read-only, copy, print, save, forward, modify, and time-based rights
Flexible and customizable technology
– Integrates with familiar applications and is easy to use; utilizes familiar names and groups (distribution lists in AD)
– Provides the flexibility to designate full control to a named group of users
– Enables custom solutions through SDKs
8. Components (quick overview)
Server
– Windows Rights Management Services (RMS): a Windows Server 2003 information protection service
Desktop
– Updates to the Windows client: Rights Management APIs for Windows 98SE and later; "Rights Management Add-on for Internet Explorer"
– RMS-enabled applications: any application that has used the RMS SDK; Office 2003 is the first enterprise application to implement RM
Software Development Kit
– For both client-based and server-based development
9. Windows RMS workflow (diagram: Author, Recipient, RMS Server, Database Server, Active Directory)
1. Author receives a client licensor certificate the first time they rights-protect information.
2. Author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file.
3. Author distributes the file.
4. Recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a "use license."
5. Application renders the file and enforces the rights.
10. RMS usage scenarios: keep internal information internal
Protect sensitive files (Word 2003, PowerPoint 2003, Excel 2003, Windows RMS)
– Control access to sensitive plans
– Set level of access: view, change, print, etc.
– Determine length of access
Keep executive e-mail off the Internet (Outlook 2003, Windows RMS)
– Reduce internal forwarding of confidential information
– Templates to centrally manage policies
– Do-Not-Forward
Safeguard intranet content (IE with RMA, RMS SDK, Windows RMS)
– Safeguard financial, legal, HR content
– Set level of access: view, print, export
– View Office 2003 rights-protected information
11. Demo
12. Scenario 1: Protecting sensitive e-mail
19. Receiving rights-protected e-mail
25. (Demo e-mail text) Thank you for the advance notice of the pending changes. I will provide you with the requested feedback by noon tomorrow. Carol
26. Protecting sensitive information in Word 2003
30. (Demo screenshot: permissions assigned to Research Division (All), Cynthia Randall and Adam Barr)
34. Opening a rights-protected document
47. Intranet scenario
66. RMS will NOT:
– provide unbreakable, hacker-proof security
– protect against analog attacks (re-capturing content once it has been rendered, outside the software's control)
67. Technology requirements
Server
– Windows Server 2003 running RMS: Standard, Enterprise, Web or Datacenter Edition
– Active Directory directory service (Windows Server 2000 or later): provides a well-known unique identifier for each user; the e-mail address property for each user must be populated
– Database server: stores configuration data and use license requests; Microsoft SQL Server or similar (per-processor licensing or with SQL CALs), or MSDE for single-server deployments
Client
– Windows desktop with the RMS client software
– An RMS-enabled application, required for creating or viewing rights-protected content. Microsoft Office 2003 includes RMS-enabled applications: Word, Excel, PowerPoint, Outlook. Office 2003 Professional is required for creating or viewing rights-protected content; Office 2003 Standard allows users to view, but not create, rights-protected Office content. Internet Explorer with the Rights Management Add-on (RMA) allows users to view rights-protected content.
68. Part 1 summary. RMS enables customers to keep internal information internal. Key benefits:
– Safeguards sensitive internal information
– Augments existing perimeter security technologies
– Digitally enforces organization policies
– Persistently protects information
– Easy to use
RMS availability:
69. Part 2: RMS components
70. Components of RMS: RMS client lockbox; RMS client APIs; RMS certificates and licenses; RMS-enabled applications; RMS server; MSN RMS services; rights-protected information; supporting technologies for RMS; how the RMS client validates your access.
71. RMS client lockbox
The lockbox is a unique, per-machine, Microsoft-generated DLL (built by servers at MSN).
The lockbox contains the private key for the machine, bound to the HWID for that machine.
The HWID is based on computer parameters such as disk geometry, network card address and processor type.
The lockbox (secrep.dll) performs the critical RMS functions on the client:
– Validates the machine against the HWID
– Validates applications (manifest check)
– Authenticates and validates users
– Encryption and decryption (it has its own DES and AES-128 implementations)
72. RMS client components and APIs
The client components and their APIs are the glue between RMS-enabled applications and the lockbox:
– Msdrm.dll, Msdrmhid.dll, Msdrmctrl.dll
All RMS-enabled applications perform their work through these APIs, and any application can program to them (Client SDK), e.g.:
– Requesting machine activation
– Finding RMS services
– Requesting and parsing licenses and certificates
– Managing licenses (enumerate, store)
– Creating offline publishing licenses
The client components call the lockbox to perform the security operations.
73. Certificates and licenses
– Machine Certificate: identifies a trusted PC and contains the unique public key for that machine (one for each PC).
– RM Account Certificate (RAC): names a trusted user identity (e-mail address) and contains the public-private key pair for that user (one per user on a PC); the private key is encrypted with the machine's public key.
– Client Licensor Certificate (CLC): names a trusted user who is authorized to publish RMS-protected information without requiring connectivity to an RMS server. Allows the user to sign publishing licenses and owner use licenses via the lockbox (one per user on a PC).
– Publishing License: issued by either an RMS server or by a CLC through the lockbox, it defines the policy (names principals, rights and conditions) for acquiring a use license for rights-protected information, and contains the symmetric key that encrypted the rights-protected information, encrypted to the public key of the RMS server that will issue use licenses.
– Use License: issued only by an RMS server, it grants an authorized principal (a user with a valid RAC) rights to consume rights-protected information based on the policy established in the publishing license.
– Revocation Lists: name principals (mainly public keys) that are no longer trusted by the RMS system. Use licenses can require a fresh revocation list to be present before any RMS-enabled application can decrypt the information.
(Diagram: the trust chain from the Machine Certificate and Lockbox DLL to the RM Account Certificate, Client Licensor Certificate, RM Publishing License, RMS Licensor Certificate (or CLC) and RM Use License; a Revocation List can revoke a RAC key.)
74. RMS-enabled applications
RMS-enabled applications may implement RMS features such as pre-licensing, content access and certificate requests.
Applications can be based on the Server SDK (e.g. the sample "RMS-enabled SPS server" from the Server SDK) or on the Client SDK (e.g. Office Word 2003, Office Outlook 2003, RMA).
Applications need to have all RMS-enabled libraries and executables listed in the application manifest, which is signed with an RMS code-signing private key. The signature is included in a manifest (an XML file) for the application:
– The manifest is a signed XML file containing hashes of all listed files
– The manifest should include all files that call RMS Client APIs
The RMS Client APIs validate the hashes in the manifest against all listed files before unlocking rights-protected information.
75. RMS server architecture
The RMS server is an ASP.NET Web service:
– Protocol is SOAP over HTTP/HTTPS
– Internet Information Server (IIS) 6 only
– Single request/response transaction model
– Stateless for most requests; all processing on the front end
– A relational database such as SQL Server (or MSDE) is used for configuration and logging
Requests:
– Client machine activation: one-time process to create and download the lockbox, per machine
– Certification and client enrollment: binding a user key pair to a specific machine; one time per user per machine
– Licensing: requesting a license to use a piece of content (a "use license"); one time per content item per user
XrML-based input/output; pluggable crypto provider.
76. RMS server components
The RMS server is an ASP.NET application that:
– Uses AD for authenticating users, determining e-mail addresses for users and confirming users' membership in groups
– Uses MSMQ to forward logging entries to SQL Server
– Uses SQL Server to store the RMS configuration, the AD group expansion cache and all logged client activities
– Uses IIS (Windows Integrated authentication) to authenticate all users
77. MSN RMS services
MSN hosts the services necessary to support Windows RMS:
– Server enrollment and machine activation service
MSN also hosts the "trial" Passport certification service (for Office 2003 users):
– Certification service
– License service
The trial service gives people a chance to try Rights Management Services features without deploying an enterprise RMS.
78. Rights-protected information (diagram of the parts of a rights-protected file)
– Publishing License: the rights information (with e-mail addresses) and the Content Key, encrypted with the server's public key. Created when the file is protected.
– The content of the file (text, pictures, metadata, etc.): encrypted with the Content Key, a cryptographically secure 128-bit AES symmetric encryption key (a big random number).
– End User Licenses: the rights for a particular user and the Content Key, encrypted with the user's public key. Only added to the file after the server licenses a user to open it.
Use licenses (ULs) are stored in the local RMS license cache, not in the e-mails directly.
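As an added illustration of this key flow (example code written for this page, not part of the presentation or of Microsoft's RMS implementation), the Go program below models steps 2, 4 and 5 of the workflow on slide 9 together with the file layout above: the author wraps the AES-128 content key to the server's public key in a publishing license, the server enforces the policy and re-wraps the key to the recipient's RAC public key in a use license, and only the RAC private key can recover the content. RSA-OAEP and AES-GCM from Go's standard library stand in for the lockbox's own crypto and for XrML licenses; the License type, the function names and the e-mail addresses are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// License: policy (e-mail address -> rights) plus the content key wrapped with RSA-OAEP to the server's key (publishing license) or to one user's RAC public key (use license).
type License struct {
	Policy     map[string][]string
	WrappedKey []byte
}

func must[T any](v T, err error) T { // demo shortcut; production code returns the error
	if err != nil {
		panic(err)
	}
	return v
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Publish (workflow step 2): AES-128-GCM under a fresh content key that only the RMS server can unwrap.
func Publish(server *rsa.PublicKey, content []byte, policy map[string][]string) ([]byte, *License) {
	key, nonce := make([]byte, 16), make([]byte, 12) // a 16-byte key selects AES-128
	rand.Read(key)
	rand.Read(nonce)
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, server, key, nil))
	return gcm(key).Seal(nonce, nonce, content, nil), &License{policy, wrapped}
}

// IssueUseLicense (server side of step 4): enforce the policy, then re-wrap the key to the user's RAC.
func IssueUseLicense(server *rsa.PrivateKey, pl *License, user string, rac *rsa.PublicKey) (*License, error) {
	rights, ok := pl.Policy[user]
	if !ok {
		return nil, errors.New("user not named in publishing license")
	}
	key := must(rsa.DecryptOAEP(sha256.New(), nil, server, pl.WrappedKey, nil))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, rac, key, nil))
	return &License{map[string][]string{user: rights}, wrapped}, nil
}

// Consume (step 5): only the RAC private key unwraps the key; the application then enforces ul.Policy.
func Consume(rac *rsa.PrivateKey, ul *License, ct []byte) []byte {
	key := must(rsa.DecryptOAEP(sha256.New(), nil, rac, ul.WrappedKey, nil))
	return must(gcm(key).Open(nil, ct[:12], ct[12:], nil))
}
```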
79. Technologies supporting Windows RMS
– AD & LDAP: store user accounts and DLs, provide the directory of e-mail addresses and the SCP location
– .NET Framework & ASP.NET: application environment for all critical RMS server application code
– MSMQ & DB: store RMS configuration information, user key pairs, activity logs and the cache of AD groups for expansion
– XrML: the standard* in which all licenses and certificates are structured
– SOAP: protocol standard for all message exchanges between client and server, server and MSN, and client and MSN
– UDDI: directory for finding the MSN RMS services
80. How does the RMS client determine that you're allowed to access content?
Validate that the RAC and UL are "trusted":
– The file hasn't been altered since signing (the encrypted hash matches the current hash)
– Digital signature on the RAC/UL: validate that the signing key matches the signature (RSA)
– Check that the signature chains to the MSN root server
– The lockbox knows which hierarchy (production, test) it is a member of, and knows the public key for that hierarchy
Validate the RMS-enabled application:
– Extract the manifest for the app (a signed list of all DLLs and their hashes)
– Check that the hash of every file in the manifest equals the hash listed in the manifest
Validate the user's rights: each app has to request specific rights to open a document, and the RMS client ensures the user has those rights before granting access.
If it is a permanent Windows RAC, the client also validates the logged-on user's SID against the SID in the RAC.
You can't use a RAC or server private key to sign an app: the RMS client checks that the signing key was issued by the right kind of server (i.e. by an RMS app-signing CA).
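As an added example (written for this page, not taken from the presentation or from the RMS client), the Go code below models the application check described on slides 74 and 80: a manifest listing each module's SHA-256 is signed with the app-signing key, and the validator rejects a manifest signed by any other key (such as a RAC or server key) as well as any listed module whose current hash no longer matches. The JSON manifest, the RSA-PSS signature and the function names are assumptions standing in for the real signed XML manifest.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Manifest: every module that calls the RMS client APIs with its SHA-256, plus a
// signature over that list. Real RMS manifests are signed XML; JSON keeps this short.
type Manifest struct {
	Files     map[string][32]byte // module name -> SHA-256 of its bytes
	Signature []byte
}

func digest(files map[string][32]byte) []byte {
	enc, _ := json.Marshal(files) // map keys are emitted sorted, so this is deterministic
	sum := sha256.Sum256(enc)
	return sum[:]
}

// SignManifest is the build-time step: hash each module and sign the list with
// the application-signing private key.
func SignManifest(signer *rsa.PrivateKey, modules map[string][]byte) (*Manifest, error) {
	m := &Manifest{Files: map[string][32]byte{}}
	for name, code := range modules {
		m.Files[name] = sha256.Sum256(code)
	}
	sig, err := rsa.SignPSS(rand.Reader, signer, crypto.SHA256, digest(m.Files), nil)
	m.Signature = sig
	return m, err
}

// ValidateApp makes the two checks the lockbox makes before unlocking content: the
// signature must verify under the app-signing CA key (a RAC or server key is the
// wrong kind of signer), and every listed module as loaded must still match its hash.
func ValidateApp(appCA *rsa.PublicKey, m *Manifest, loaded map[string][]byte) error {
	if err := rsa.VerifyPSS(appCA, crypto.SHA256, digest(m.Files), m.Signature, nil); err != nil {
		return fmt.Errorf("manifest signature rejected: %w", err)
	}
	for name, want := range m.Files {
		if code, ok := loaded[name]; !ok || sha256.Sum256(code) != want {
			return fmt.Errorf("%s is missing or modified since the manifest was signed", name)
		}
	}
	return nil
}
```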
81. Summary and more information
82. Q&A