DEP350 Windows ® Rights Management (Part 1): Introduction, Concepts, And Technology Marco DeMello Group Program Manager Windows Trusted Platforms & Infrastructure.

Presentation transcript:

DEP350 Windows ® Rights Management (Part 1): Introduction, Concepts, And Technology Marco DeMello Group Program Manager Windows Trusted Platforms & Infrastructure Microsoft Corporation

Agenda

- Introduction to Rights Management
- Demo: Rights Management in Action
- Microsoft Rights Management Services
- Technology Components
- Q&A

Access Control Today

(Slide diagram: People, an Access Control List with Yes/No decisions, a Firewall, and the File.)

Rights Management: technology that…

- Allows individuals and businesses to project usage policy onto the information that they own
  - Any application
  - Any format
- Policy persists with information
  - Sample rights include view, read-only, copy, print, save, forward, modify, and time-based
  - Rights live within the file wherever the file goes

RM Will NOT…

- …Restrict MP3 usage so you can’t play them the way you want
- …Provide unbreakable, hacker-proof security
- …Protect against analog attacks

An Analog Attack …

Windows Rights Management Scenarios and Features

Benefits
- Information integrity
- Trusted collaboration
- Persistent file protection

Scenarios
- Control forwarding and printing
- Policy-based document protection
- Time-based access expiration
- Templates – “Company Confidential”
- Protect Web content

Key Features
- Centralized policy templates
- Simple setup and administration
- Publishing to DLs in Active Directory
- Auditing of server requests
- Administrative override access
- Trust of externally certified RMS users
- Revocation and exclusion support

Windows Rights Management Components

- Windows Rights Management Services (RMS): Windows Server 2003
- Updates to Windows client
  - Rights Management client APIs for Windows 98SE+
  - Rights Management Add-on for Internet Explorer
- Software Development Kit: for both client-based & server-based development
- RM-enabled applications: any application which has utilized the RM SDK; Office 2003 is the first Enterprise app to implement RM

Rights Management In Action (demo)

Windows Rights Management Service (RMS)

- RM Service for Windows applications
  - Windows Server 2003 add-on service
  - Enables Enterprises to engage in RM protection of sensitive information
- Managed Web Service implementation
  - ASP.NET implementation
  - HTTP SOAP request/response protocol
  - Server SDK for server-server RM scenarios
- Built with Enterprises in mind
  - High scalability, flexible topologies, ease of administration: all top design priorities

RMS Certificates And Licenses

- Machine Certificate – Identifies a trusted PC and contains the unique public key for that machine (one for each PC)
- RM Account Certificate (RAC) – Issued off of a Machine Certificate, names a trusted user identity (e-mail address) and contains the public-private key pair for that user (one per user on a PC)
- Client Licensor Certificate (CLC) – Issued off of a RAC, it names a trusted user that is authorized to publish RM-protected information offline, i.e. sign Publishing Licenses offline via the Lockbox (one per user on a PC)
- Publishing License – Issued by either an RMS server or by a Lockbox (when published offline), it defines the policy (names principals, rights & conditions) for acquiring a Use License for RM-protected information, and contains the symmetric key that encrypted the RM-protected information, itself encrypted to the public key of the RMS server that will issue Use Licenses
- Use License – Issued only by an RMS server, it grants an authorized principal (a user with a valid RAC) rights to consume RM-protected information based on the policy established in the Publishing License
- Revocation Lists – Name principals (mainly public keys) that are no longer trusted by the RM system. Use Licenses can require a fresh revocation list to be present before any RM-enabled application is able to decrypt the information

(Slide diagram: Machine Certificate → RM Account Certificate → Client Licensor Certificate; Lockbox DLL; RMS Licensor Certificate (or CLC) → RM Publishing License → RM Use License; Revocation List revokes a RAC key.)

RMS Application Overview

1. Author creates a file and defines a set of rights and rules. The application encrypts the document with a symmetric key.
2. Optional (can be done offline): the application sends an unsigned Publishing License to the Enterprise’s RMS servers.
3. RMS signs and returns the Publishing License; if publishing offline, the RM lockbox signs the Publishing License using the user’s Client Licensor Certificate.
4. The author distributes the file.
5. The recipient opens the file, and the application sends the user’s RM Account Certificate (RAC) and the publishing license to RMS as part of the use license request.
6. RMS validates the user’s RAC and the request. The use license is issued and returned.
7. The application binds to that use license, renders the information and enforces the rights.

(Slide diagram: Document Author, Document Recipient, RMS Root Cluster with SQL database.)
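The certificate and license flow on the two slides above, as an added example that is not from the presentation: a toy Python model of steps 3 and 5–7, in which the RMS server validates the RAC, the Publishing License signature, the time condition and the revocation list before releasing the content key inside a Use License, and the application then enforces the granted rights. HMAC-SHA256 and an XOR keystream are constructed stand-ins for the RSA signatures and the real content cipher, and every name and e-mail address is made up.

```python
import hashlib, hmac, secrets

def _mac(key: bytes, payload: str) -> str:
    """Toy 'signature': HMAC-SHA256 stands in for the RSA signatures real RMS uses."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def _unsigned(doc: dict) -> str:
    """Canonical form of a certificate/license with its signature field removed."""
    return repr(sorted((k, v) for k, v in doc.items() if k != "sig"))

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the content cipher (XOR keystream): symmetric, NOT secure."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class RmsServer:
    """Simplified root RMS cluster: certifies users, signs PLs and issues use licenses."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # stands in for the cluster's private key
        self.revocation_list = set()         # principals no longer trusted by the RM system

    def issue_rac(self, email: str) -> dict:
        """RM Account Certificate: binds a trusted user identity to this RMS trust root."""
        return {"principal": email, "sig": _mac(self._key, email)}

    def sign_publishing_license(self, policy: dict) -> dict:
        """Step 3: policy = {content_key, rights: {principal: [...]}, expires}; in real RMS
        the content key is encrypted to the server's public key, here it rides along."""
        return dict(policy, sig=_mac(self._key, _unsigned(policy)))

    def request_use_license(self, rac: dict, pl: dict, now: float):
        """Steps 5-6: validate the RAC and the PL, then grant the named rights or refuse."""
        if not hmac.compare_digest(rac["sig"], _mac(self._key, rac["principal"])):
            return None                      # forged RAC, or one from another RMS root
        if rac["principal"] in self.revocation_list:
            return None                      # principal named on the revocation list
        if not hmac.compare_digest(pl["sig"], _mac(self._key, _unsigned(pl))):
            return None                      # tampered policy
        if now > pl["expires"]:
            return None                      # time-based condition no longer met
        rights = pl["rights"].get(rac["principal"])
        if not rights:
            return None                      # user is not a principal named in the PL
        ul = {"principal": rac["principal"], "rights": rights, "content_key": pl["content_key"]}
        return dict(ul, sig=_mac(self._key, _unsigned(ul)))

def consume(ul, ciphertext: bytes, action: str):
    """Step 7: the RM-enabled application binds to the UL and enforces the granted rights."""
    return toy_cipher(ul["content_key"], ciphertext) if ul and action in ul["rights"] else None
```

The content key never leaves the server except inside a Use License for a principal the policy names, which is why the slides call the RMS server the only issuer of Use Licenses.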

RMS Architecture

- RMS is an ASP.NET Web service
  - Protocol is SOAP over HTTP/HTTPS
  - Internet Information Server (IIS) 6 only
  - Single request/response transaction model
  - Stateless for most requests – all processing handled on front end
  - SQL (or MSDE) DB used for configuration & logging
- Requests
  - Machine Activation: one-time process to create and download a secure trusted root per machine
  - Certification and Client Enrollment: binding a user key pair to a specific machine; one time per user per machine
  - Licensing: requesting a license to use a piece of content; one time per content per user
- XrML-based input/output
- Pluggable Crypto Provider

“Root” RMS Cluster

- Primarily for hardware Activation, DRM Account Certificate, Sub-Enrollment
- Departmental License Servers sub-enroll from “Root” RMS Cluster
- Root cluster is the default publishing/licensing server; Group Policy override can point users to a departmental licensing cluster
- Simple scale-out mechanism via provisioning of RMS clones (“Join existing cluster” option)

(Slide diagram, Baseline RMS Topology: Enterprise’s Intranet; Enrollment Service; HW Activation Service; HW Activation Proxy; RMS Account Cert Enrollment; Licensing; Content Licenses, Templates; Departmental RMS Server – Licensing.)

Learn More about RM

- DEP351 – Deploying RMS: tomorrow 16:45 in this very room
- Learn about RMS
- Learn about the RM add-on

Community Resources

- Most Valuable Professional (MVP)
- Newsgroups: converse online with Microsoft Newsgroups, including Worldwide
- User Groups: meet and learn with your peers


© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.