DEP350 Windows® Rights Management (Part 1): Introduction, Concepts, and Technology
Marco DeMello
Group Program Manager, Windows Trusted Platforms & Infrastructure
Microsoft Corporation
Agenda
- Introduction to Rights Management
- Demo: Rights Management in Action
- Microsoft Rights Management Services
- Technology Components
- Q&A
Access Control Today
(Diagram: People → Firewall → Access Control List (Yes / No) → File)
Rights Management
Technology that…
- Allows individuals and businesses to project usage policy onto the information that they own
  - Any application
  - Any format
- Policy persists with the information
  - Sample rights include view, read-only, copy, print, save, forward, modify, and time-based
  - Rights live within the file wherever the file goes
RM Will NOT…
- …Restrict MP3 usage so you can’t play them the way you want
- …Provide unbreakable, hacker-proof security
- …Protect against analog attacks
An Analog Attack …
Windows Rights Management Scenarios and Features
Benefits
- Information integrity
- Trusted collaboration
- Persistent file protection
Scenarios
- Control email forwarding and printing
- Policy-based document protection
- Time-based access expiration
- Templates – “Company Confidential”
- Protect Web content
Key Features
- Centralized policy templates
- Simple setup and administration
- Publishing to DLs in Active Directory
- Auditing of server requests
- Administrative override access
- Trust of externally certified RMS users
- Revocation and exclusion support
Windows Rights Management Components
- Windows Rights Management Services (RMS): Windows Server 2003
- Updates to Windows client
  - Rights Management client APIs for Windows 98SE+
  - Rights Management Add-on for Internet Explorer
- Software Development Kit: for both client-based & server-based development
- RM-enabled applications: any application which has utilized the RM SDK; Office 2003 is the first Enterprise app to implement RM
Rights Management In Action (demo)
Windows Rights Management Service (RMS)
- RM Service for Windows applications
  - Windows Server 2003 add-on service
  - Enables Enterprises to engage in RM protection of sensitive information
- Managed Web Service implementation
  - ASP.NET implementation
  - HTTP SOAP request/response protocol
  - Server SDK for server-to-server RM scenarios
- Built with Enterprises in mind: high scalability, flexible topologies and ease of administration were all top design priorities
RMS Certificates And Licenses
- Machine Certificate – Identifies a trusted PC and contains the unique public key for that machine (one for each PC)
- RM Account Certificate (RAC) – Issued off of a Machine Certificate, names a trusted user identity (e-mail address) and contains the public-private key pair for that user (one per user on a PC)
- Client Licensor Certificate (CLC) – Issued off of a RAC, it names a trusted user that is authorized to publish RM-protected information offline, i.e. sign Publishing Licenses offline via the Lockbox (one per user on a PC)
- Publishing License – Issued by either an RMS server or by a Lockbox (when published offline), it defines the policy (names principals, rights & conditions) for acquiring a Use License for RM-protected information, and contains the symmetric key that encrypted the RM-protected information, itself encrypted to the public key of the RMS server that will issue Use Licenses
- Use License – Issued only by an RMS server, it grants an authorized principal (a user with a valid RAC) rights to consume RM-protected information based on the policy established in the Publishing License
- Revocation Lists – Name principals (mainly public keys) that are no longer trusted by the RM system. Use Licenses can require a fresh revocation list to be present before any RM-enabled application can decrypt the information
(Diagram: Machine Certificate → RM Account Certificate → Client Licensor Certificate; RM Publishing License and RM Use License issued under the RMS Licensor Certificate (or CLC); Lockbox DLL; Revocation List revoking a RAC key)
RMS Application Overview
1. Author creates a file and defines a set of rights and rules. The application encrypts the document with a symmetric key.
2. Optional (can be done offline): The application sends an unsigned Publishing License to the Enterprise’s RMS servers.
3. RMS signs and returns the Publishing License; if publishing offline, the RM Lockbox signs the Publishing License using the user’s Client Licensor Certificate.
4. The author distributes the file.
5. The recipient opens the file, and the application sends the user’s RM Account Certificate (RAC) and the Publishing License to RMS as part of the Use License request.
6. RMS validates the user’s RAC and the request. The Use License is issued and returned.
7. The application binds to that Use License, renders the information and enforces the rights.
(Diagram: Document Author, Document Recipient, RMS Root Cluster with SQL; steps 1–7)
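The certificate and license chain from the previous slide and the seven-step flow above, modelled as an added Python example (not Microsoft's code, and not the real RMS/XrML formats): a per-document symmetric key is wrapped to the RMS server's public key inside the Publishing License, the server checks the RAC against a revocation list and the policy before issuing a Use License, and the application enforces only the rights that license grants. Assumed simplifications: textbook RSA over two Mersenne primes stands in for the server's key pair, a SHA-256 counter keystream stands in for the content cipher, and the policy layout and e-mail principals are constructed.

```python
import hashlib
import os

# Constructed stand-in for the RMS server licensor key pair: textbook RSA (no padding)
# over two Mersenne primes, chosen so the example runs offline with the stdlib only.
P, Q = (1 << 127) - 1, (1 << 89) - 1
RMS_PUBLIC = (P * Q, 65537)
RMS_PRIVATE = (P * Q, pow(65537, -1, (P - 1) * (Q - 1)))

def content_cipher(key: bytes, data: bytes) -> bytes:
    """Symmetric content protection (toy SHA-256 counter keystream, stands in for a block
    cipher). XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def publish(content: bytes, policy: dict):
    """Steps 1-2 (author side): encrypt with a fresh symmetric key and build a Publishing
    License carrying the policy plus that key wrapped to the RMS server's public key."""
    content_key = os.urandom(16)
    n, e = RMS_PUBLIC
    publishing_license = {
        "policy": policy,  # principals -> rights, plus an expiry (constructed layout)
        "wrapped_key": pow(int.from_bytes(content_key, "big"), e, n),
    }
    return content_cipher(content_key, content), publishing_license

def issue_use_license(publishing_license: dict, rac_email: str, revocation_list: set, now: float):
    """Steps 5-6 (RMS server side): reject revoked or unnamed RACs and expired policies,
    otherwise unwrap the content key and grant only the rights the policy names."""
    policy = publishing_license["policy"]
    if rac_email in revocation_list or rac_email not in policy["principals"] or now > policy["expires"]:
        return None
    n, d = RMS_PRIVATE
    content_key = pow(publishing_license["wrapped_key"], d, n).to_bytes(16, "big")
    return {"principal": rac_email, "rights": set(policy["principals"][rac_email]),
            "content_key": content_key}

def consume(ciphertext: bytes, use_license, right: str):
    """Step 7 (RM-enabled application): bind to the Use License and enforce the requested
    right before rendering; no license or a missing right means nothing is decrypted."""
    if use_license is None or right not in use_license["rights"]:
        return None
    return content_cipher(use_license["content_key"], ciphertext)
```

Note that the server never sees the plaintext: it only unwraps the content key for principals the policy names, which is why the Publishing License encrypts that key to the server's public key rather than to each recipient.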
RMS Architecture
- RMS is an ASP.NET Web service
  - Protocol is SOAP over HTTP/HTTPS
  - Internet Information Server (IIS) 6 only
  - Single request/response transaction model
  - Stateless for most requests – all processing handled on the front end
  - SQL (or MSDE) DB used for configuration & logging
- Requests
  - Machine Activation: one-time process to create and download a secure trusted root per machine
  - Certification and Client Enrollment: binding a user key pair to a specific machine; one time per user per machine
  - Licensing: requesting a license to use a piece of content; one time per content per user
- XrML-based input/output
- Pluggable Crypto Provider
Baseline RMS Topology
- “Root” RMS Cluster: primarily for hardware Activation, DRM Account Certificate and Sub-Enrollment
- Departmental License Servers sub-enroll from the “Root” RMS Cluster
- Root cluster is the default publishing/licensing server; a Group Policy override can point users to a departmental licensing cluster
- Simple scale-out mechanism via provisioning of RMS clones (“Join existing cluster” option)
(Diagram: Enterprise’s Intranet with Enrollment Service, HW Activation Service and HW Activation Proxy, RMS Account Cert Enrollment, Licensing, Content Licenses and Templates, and a Departmental RMS Server for Licensing)
Learn More about RM
- DEP351 – Deploying RMS: tomorrow, 16:45, in this very room
- Learn about RMS: http://www.microsoft.com/rm
- Learn about the RM add-on: http://www.microsoft.com/windows/ie/downloads/addon
Community Resources
http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups – Converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups – Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.