1
Using Rights Management Services to Implement Document Control and Auditing
Speaker: 張書源, Senior Instructor, SYSTEX Uniforce Education and Training Center
2
Agenda
- Rights Management Services architecture
- Configuring and deploying Rights Management Services
- How to use Rights Management Services to protect document security
3
Information Loss is Costly
Information loss, whether via theft or accidental leakage, is costly on several levels:
- Financial: the U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004; loss of revenue, market capitalization, and competitive advantage
- Legal & Regulatory Compliance: increasing regulation (SOX, HIPAA, GLBA); bringing a company into compliance can be complex and expensive; non-compliance can lead to significant legal fees, fines and/or settlements
- Image & Credibility: leaked executive e-mails can be embarrassing; unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility
4
Information leakage is top-of-mind with Business Decision Makers
[Chart: percentage of businesses reporting each type of security breach: virus infection, unintended forwarding of e-mails, loss of mobile devices, password compromise, piracy, loss of digital assets (restored); values shown range from 20% to 63%]
“After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach” (Jupiter Research Report, 2004)
5
Traditional solutions protect initial access, but not ongoing usage
[Diagram: an access control list at the perimeter of the trusted network admits authorized users (Yes) and refuses unauthorized users (No); information leakage from authorized users to unauthorized users outside the perimeter is not controlled]
6
Today’s policy expression lacks enforcement tools
7
How does RMS address this?
- Augments existing technologies to provide persistent protection: encrypts sensitive content; protects inside and outside the trusted network; protects during and after delivery
- Enforces organizational policies: allows organizations to establish and apply centrally-managed policies; allows organizations to track the information’s lifecycle; supports smartcard authentication
- Provides a platform for value-added solutions: supports development of rich, third-party solutions on top of RMS via the RMS Software Development Kit (SDK); provides flexibility to integrate with an enterprise’s existing internal applications
8
Common Usage Scenarios
- Client-side scenarios: do-not-forward; persistent document protection; mixed-version Office environments
- Server-side scenarios: regulatory compliance & IP protection; secure business process automation; central control of information protection
- Platform and management scenarios: centrally define and manage permission templates; log and audit who has accessed rights-protected information; extend the RMS platform to apply and enforce rights protection on HTML content via the Rights Management Add-on for IE (RMA)
9
Client Usage Scenarios
Each scenario requires RMS plus the listed application.
- Do-Not-Forward (Outlook 2003): reduce internal/external forwarding of confidential information; keep sensitive e-mail where it belongs
- Protect Sensitive Files (Word 2003, Excel 2003, PowerPoint 2003): control access to sensitive content; set granular permissions per user; determine length of access
- Communicate in a Mixed Version Environment (Rights Management Add-on for IE (RMA)): users without Office 2003 can view rights-protected files via Internet Explorer; does not provide authoring capability
10
Case Study: Swisscom
Situation: Sensitive executive e-mails and internal confidential documents needed to be protected for competitive reasons
Solution: Tested RMS/IRM for six months, then conducted a pilot evaluation; positive end-user feedback drove a full rollout of Office 2003 plus RMS to 19,000 desktops
Benefit: Improved confidentiality; great end-user adoption due to intuitive integration in Office 2003; strong platform for extended information protection solutions
“The integration of RMS with Office 2003, combined with the product’s ease of deployment and management, makes it easy for virtually all of Swisscom’s employees to keep their critical documents and information safe – without having to learn a cumbersome set of new technologies.” Heinz Schär, Member of Management, Swisscom IT Services AG
11
Server Usage Scenarios
- Enable regulatory compliance & IP protection: extends protection to managed content stored by document and records management solutions; enables archival of RMS-protected e-mails; protected content can be securely indexed and searched
- Secure business process automation: enables workflow engines to extend information protection to business process automation; applies rights protection in a centralized way
- Control information protection centrally: enables content inspection gateways to inspect RMS-protected content and apply RMS protection centrally; enables ISVs to develop server-based solutions
12
Windows RMS Workflow
1. Author receives an identity certificate the first time they rights-protect information
2. Author defines a set of usage rights and rules for their file; the application creates a “publishing license” and encrypts the file
3. Author distributes the file
4. Recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a “use license”
5. Application renders the file and enforces rights
[Diagram: the Information Author, the RMS Server (backed by SQL Server and Active Directory), and the Recipient]
13
How does RMS work?
[Diagram: on each machine the application sits on top of the RMS Client, which sits on top of the OS]
15
Session creation
- User tries to publish or consume content
- Application calls into the RMS Client to create a new session
16
Session creation (continued)
- User tries to publish or consume content; the application calls into the RMS Client to create a new session
- RMS Client starts the bootstrapping process, beginning with Machine Activation
17
Machine Activation
- RMS Client generates a 1024-bit RSA key pair
- Private key secured by CAPI
- Public key stored in the security processor certificate (SPC)
- SPC signed by the client
19
Machine Activation (continued)
- New for SP1: the RMS Client is activated without contacting a server or requiring admin privileges
- The user’s identity must then be established on the machine by account certification
20
Account Certification
[Diagram: the client, holding its SPC, and the RMS server]
21
Account Certification
- RMS Client contacts the RMS Server with a certification request, sending the SPC
- User is authenticated (DOMAIN\username, SID)
- Server validates the SPC
- User’s e-mail address is retrieved from AD
- User’s 1024-bit RSA key pair is generated and stored in the database
22
Account Certification (continued)
- User’s private key is encrypted with the machine public key from the SPC
23
Account Certification (continued)
- A Rights Account Certificate (RAC) is created and the user’s e-mail address and public key are added
- Server signs the RAC
24
Account Certification (continued)
- RAC is returned to the client
- The user now has a RAC that can be used for consumption. In order to publish, the user needs a Client Licensor Certificate (CLC).
25
Client Enrollment
- RMS Client contacts the RMS Server for client enrollment, sending the RAC
- RMS Server validates the RAC
- Server generates a CLC 1024-bit RSA key pair
- CLC private key is encrypted with the RAC public key
26
Client Enrollment (continued)
- CLC is generated, granting the user the right to publish
- Server information, such as the URL and the server public key, is also added to the CLC
27
Client Enrollment (continued)
- Server signs the CLC
- CLC is returned to the client
- The client is now ready for both publishing and consumption of protected content
28
Publishing
- User creates content using an RMS-enabled application
- User specifies recipients, rights, and conditions (e.g. read, print; expires in 30 days) to publish the content, or chooses a template
- Application calls into the RMS Client for publishing
29
Publishing (continued)
- RMS Client generates a 128-bit AES content key
- Client encrypts the content
- Client creates the publishing license (PL)
30
Publishing (continued)
- Rights data and the content key are encrypted with the server public key from the CLC
- Server URL is added to the PL
- CLC signs the PL
31
Publishing (continued)
- The client returns the PL to the application
- The application can now package the PL with the content
- The content can now be sent to its recipients
32
Publishing (continued)
- Publisher sends the protected content to the recipient using any mechanism
- Assume the recipient has already been bootstrapped (has an SPC, RAC and CLC)
- The recipient needs a use license in order to access the content
33
Licensing
- Recipient opens the document in an RMS-enabled application
- Application calls the RMS Client to retrieve a use license
- RMS Client sends the PL and RAC to the RMS Server
- Server validates the RAC and PL
- Data from the PL is decrypted
34
Licensing (continued)
- If the content was published to a group, the server checks group membership in AD
- If the identity in the RAC matches the PL or group membership, the server begins constructing the use license (UL)
- Rights are granted to the user
35
Licensing (continued)
- Content key is encrypted with the RAC public key
- Encrypted key is added to the UL
- UL is signed by the server
- UL is returned to the client
36
Licensing (continued)
- Recipient can now bind the license and open the content
37
Accessing Content
[Diagram: the recipient’s machine now holds its SPC, RAC and CLC, plus the PL and UL (read, print; expires 30 days) for the content]
38
Accessing Content (continued)
- Application calls the RMS Client to bind the license and decrypt the content
- RMS Client uses the security processor to decrypt the RAC private key
- RAC private key decrypts the content key
39
Accessing Content (continued)
- RMS Client decrypts the content
- Application renders the content and enforces the rights
40
RMS Solution Components
Server
- RMS Server: runs on Windows Server 2003 (Standard, Enterprise, Web or Datacenter Editions); provides certification and licensing
- Active Directory® directory service: Windows Server 2000 or later; provides a well-known unique identifier for each user; the e-mail address property for each user must be populated
- Database Server: Microsoft SQL Server™ (recommended) or MSDE; stores configuration, user keys, and logging data
Client
- RMS Client software
- An RMS-enabled application: required for creating or viewing rights-protected content; Microsoft Office 2003 Editions include RMS-enabled applications (Word, Excel, PowerPoint, Outlook); Office Professional 2003 is required for creating or viewing rights-protected content; other Office 2003 Editions allow users to view, but not create, rights-protected content
- Rights Management Add-on (RMA) for Internet Explorer 6.0: allows users to view rights-protected content in IE; enables down-level viewing support for content protected by Office 2003
41
RMS Server
The RMS server is an ASP.NET Web service:
- Protocol is SOAP over HTTP/HTTPS
- Internet Information Server (IIS) 6 only
- Single request/response transaction model
- Stateless for most requests; all processing on the front end
- A database such as SQL Server (or MSDE) is used for configuration & logging
- XrML-based input/output
- Pluggable crypto provider
Requests:
- Machine Activation: one-time process to create and download the secure trusted root per machine
- Certification and Client Enrollment: binding a user key pair to a specific machine; one time per user per machine
- Licensing: requesting a license to use a piece of content (“Use License”); one time per content per user
42
RMS Server
The RMS Server is an ASP.NET application:
- Uses AD for authenticating users, determining e-mail addresses for users, and confirming membership of users in groups
- Uses MSMQ to forward logging entries to SQL Server
- Uses SQL Server to store RMS configuration, the AD group expansion cache, and all logged client activities
- Uses IIS (Windows Integrated authentication) to authenticate all users
43
Technologies Supporting Windows RMS
- AD & LDAP: store user accounts and DLs; provide the directory of e-mail addresses and the SCP location
- .NET Framework & ASP.NET: application environment for all critical RMS server application code
- MSMQ & SQL: store RMS configuration information, user key pairs, activity logs, and the cache of AD groups for expansion
- XrML: the standard* in which all the licenses and certificates are structured
- SOAP: protocol standard for all message exchanges between client and server, server and MSN, and client and MSN
- UDDI: directory for finding the MSN RMS services
* The XrML standard has not been ratified by Oasis, but has been approved by MPEG-21 and the Open eBook Forum (OeBF). Oasis is expected to issue a decision about XrML v2 as a standard in … XrML is licensed by ContentGuard, the licensing subsidiary of Xerox’s Palo Alto Research Center (PARC), where it was developed. Microsoft RMS complies with XrML v1.2.
44
RMS-Enabled Applications
- RMS-enabled applications may implement RMS features such as pre-licensing, content access, and certificate requests
- Applications can be based on the Server SDK (e.g. the sample “RMS-enabled SPS server” from the Server SDK)
- Applications can be based on the Client SDK (e.g. Office Word 2003, Office Outlook 2003, RMA)
- Applications need to have all RMS-enabled libraries and executables signed with an RMS code-signing private key
- The signature is included in a manifest (XML file) for the application
- The manifest is a signed XML file containing hashes of all listed files
- The manifest should include all files that call RMS Client APIs
- RMS Client APIs validate the hashes in the manifest against all listed files before unlocking rights-protected information
RMA = Rights Management Add-on for Internet Explorer.
45
RMS Client Components & APIs
- Client components and their APIs are the glue between RMS-enabled applications and the lockbox: Msdrm.dll, Msdrmhid.dll, Msdrmctrl.dll
- All RMS-enabled applications perform their work through these APIs, and any application can program to these APIs (Client SDK), e.g.: requesting machine activation; finding RMS services; requesting and parsing licenses & certificates; managing licenses (enumerate, store); creating offline publishing licenses
- Client components call the lockbox to perform the security operations
- Client components & APIs are the same thing; the lockbox does the security operations
46
Scaling an RMS Deployment
[Diagram: RMS servers behind a load balancer and firewall, with SSL to clients, backed by SQL Server and Active Directory]
47
RMS at Microsoft FY05 Deployment Statistics
- 79,000 unique users
- 23,000 unique users per week
- 71,000 content licenses issued per week
- 10 RMS-related helpdesk calls per week
- Overall helpdesk volume is 11,000 calls per week
- 20% escalated to Tier 2 client support
- Median time to certify <1 second
- Over 1,000,000 use licenses served
48
RMS does not protect against analog attacks…
49
RMS Product Roadmap (Today, FY06, FY07)
- RMS Version: RMSv1 with SP1 (Today); RMSv1 with SP1 and RMS for Windows Mobile (FY06); RMSv2 (Longhorn) (FY07)
- Key Scenarios: enterprise information policy expression and enforcement; intra-company content exchange; integration with server-based, centrally managed solutions; access protected content on Windows Mobile devices; broader external collaboration scenarios; increased security while maintaining ease of use; improved deployment and management
- Platform Enhancements: Active Directory integration; FIPS compliance; smartcard support; Windows Mobile support; modified trust infrastructure; expanded authentication support
- RMS-enabled Microsoft Apps: Office 2003 (Outlook, Word, PowerPoint, Excel); Pocket Inbox; additional client and server applications
50
Authoring Rights-Protected Information with RMS and Word 2003
54
Creating a Do-Not-Forward e-mail with RMS and Outlook 2003
56
Consuming Rights-Protected Information with RMS and Outlook 2003 and Excel 2003
62
Resources
- RMS Website: http://www.microsoft.com/rms
- RMS Blog:
- RMS TechNet Virtual Lab:
- Microsoft Security:
- Microsoft IT’s RMS deployment:
- RMS SDK on MSDN:
63
Questions?