1
Windows Rights Management Services SP1: Overview and Opportunities
Roger Lawrence, Senior IT Consultant, Microsoft Australia
SOL216
2
Agenda
- The business problem
- Windows Rights Management Services
- What’s new in SP1
- Scaling an RMS deployment
- Product roadmap
- Q&A
3
In the News…
“A public-relations firm is dealing with a public-relations nightmare after unintentionally e-mailing journalists and others documents about one of its clients, Seattle-based Cell Therapeutics.” - The Seattle Times
“Desmond Patrick Kelly, 52, is accused of leaking confidential documents, including a memo by former veterans' affairs minister Danna Vale, in which the Government rejected calls to raise war veterans' pensions by $650 million.” - The Herald Sun
4
Information Loss is Costly
Information loss – whether via theft or accidental leakage – is costly on several levels
Financial
- The U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004
- Loss of revenue, market capitalization, and competitive advantage
Image & Credibility
- Leaked executive e-mails can be embarrassing
- Unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility
Legal & Regulatory Compliance
- Increasing regulation: SOX, HIPAA, GLBA
- Bringing a company into compliance can be complex and expensive
- Non-compliance can lead to significant legal fees, fines and/or settlements
5
Information leakage is top-of-mind with Business Decision Makers
(Bar chart, axis 0% to 70%, of security breaches reported by businesses: virus infection, unintended forwarding of e-mails, loss of mobile devices, password compromise, e-mail piracy, and loss of digital assets (restored); the bars shown read 63%, 36%, 35%, 22% and 20%)
“After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach” - Jupiter Research Report, 2004
6
Traditional solutions protect initial access… …but not ongoing usage
(Diagram: a perimeter and an access control list admit authorized users to the trusted network and reject unauthorized users, yet the arrow labelled “Information Leakage” still reaches unauthorized users)
7
Today’s policy expression… …lacks enforcement tools
8
How does RMS address this?
Augments Existing Technologies to Provide Persistent Protection
- Encrypts sensitive content
- Protects inside and outside the trusted network
- Protects during and after delivery
Enforces Organizational Policies
- Allows organizations to establish and apply centrally-managed policies
- Allows organizations to track the information’s lifecycle
- Supports smartcard authentication
Provides a platform for value-added solutions
- Supports development of rich, third-party solutions on top of RMS via the RMS Software Development Kit (SDK)
- Provides flexibility to integrate with an enterprise’s existing internal applications
9
Common Usage Scenarios
Server-side Scenarios
- Regulatory compliance & IP protection
- Secure business process automation
- Central control of information protection
Client-side Scenarios
- Do-not-forward e-mail
- Persistent document protection
- Mixed-version Office environments
Platform and Management Scenarios
- Centrally define and manage permission templates
- Log and audit who has accessed rights-protected information
- Extend RMS platform to apply and enforce rights protection on HTML content via the Rights Management Add-on for IE (RMA)
10
Client Usage Scenarios (each requires RMS plus the application listed)
Do-Not-Forward E-mail (Outlook 2003)
- Reduce internal/external forwarding of confidential information
- Keep sensitive e-mail where it belongs
Protect Sensitive Files (Word 2003, Excel 2003, PowerPoint 2003)
- Control access to sensitive content
- Set granular permissions per user
- Determine length of access
Communicate in a Mixed Version Environment (Rights Management Add-on for IE (RMA))
- Users without Office 2003 can view rights-protected files via Internet Explorer
- Does not provide authoring capability
11
Case Study: Swisscom
Situation
- Sensitive executive e-mails and internal confidential documents needed to be protected for competitive reasons
Solution
- Tested RMS/IRM for six months, then conducted pilot evaluation
- Positive end-user feedback drove a full rollout of Office 2003 plus RMS to 19,000 desktops
Benefit
- Improved confidentiality
- Great end-user adoption due to intuitive integration in Office 2003
- Strong platform for extended information protection solutions
“The integration of RMS with Office 2003, combined with the product’s ease of deployment and management, makes it easy for virtually all of Swisscom’s employees to keep their critical documents and information safe – without having to learn a cumbersome set of new technologies.” - Heinz Schär, Member of Management, Swisscom IT Services AG
12
Server Usage Scenarios
New for SP1: RMS offers centrally managed information protection when integrated into server-based solutions
Enable Regulatory Compliance & IP Protection
- Extends protection to managed content stored by document and records management solutions
- Enables archival of RMS-protected e-mails
- Protected content can be securely indexed and searched
Secure Business Process Automation
- Enables workflow engines to extend information protection to business process automation
Control Information Protection Centrally
- Applies rights protection in a centralized way
- Enables content inspection gateways to inspect RMS-protected content and apply RMS-protection centrally
- Enables ISVs to develop server-based solutions
13
Authoring Rights-Protected Information with RMS and Word 2003
17
Creating a Do-Not-Forward e-mail with RMS and Outlook 2003
19
Consuming Rights-Protected Information with RMS and Outlook 2003 and Excel 2003
25
Creating a protected PDF file using RMS, Liquid Machines, and Adobe Acrobat
29
Opening a protected PDF file using RMS, Liquid Machines, and Adobe Acrobat
31
About Liquid Machines
- Liquid Machines Document Control for Windows RMS – available now
- Extends RMS policy enforcement across more than 65 applications and file formats
- Policies are enforced as content moves between different applications
http://www.liquidmachines.com
32
How does RMS work?
34
1. User tries to publish or consume content
2. Application calls into RMS Client to create a new session
3. RMS Client starts the bootstrapping process…
Machine Activation
a. RMS Client generates 1024-bit RSA key pair
b. Private key secured by CAPI
c. Public key stored in security processor certificate (SPC)
d. SPC signed by client
New for SP1: The RMS Client is activated without contacting a server or requiring admin privileges.
The user’s identity must be established on the machine by account certification.
39
Account Certification
a. RMS Client contacts RMS Server with a certification request, sending the SPC
b. User is authenticated (DOMAIN\username resolves to a SID)
c. Server validates SPC
d. E-mail address is retrieved from AD (SID resolves to username@domain.com)
e. User’s 1024-bit RSA key pair is generated and stored in the database
f. User’s private key is encrypted with the machine public key
g. RAC is created and the user’s e-mail address and public key are added
h. Server signs RAC
i. RAC is returned to client
The user now has a RAC that can be used for consumption. In order to publish, the user needs a Client Licensor Certificate (CLC).
44
Client Enrollment
a. RMS Client contacts RMS Server for client enrollment, sending the RAC
b. RMS Server validates RAC
c. Server generates CLC 1024-bit RSA key pair
d. CLC private key is encrypted with RAC public key
e. CLC is generated, granting the user the right to publish
f. Server information, such as URL and server public key, is also added to the CLC
g. Server signs CLC
h. CLC is returned to client
The client is now ready for both publishing and consumption of protected content.
47
Publishing
a. User creates content using an RMS-enabled application
b. User specifies recipients, rights, and conditions to publish content, or chooses a template (for example group@example.com: read, print; expires 30 days)
c. Application calls into RMS Client for publishing
d. RMS Client generates 128-bit AES content key
e. Client encrypts content
f. Client creates publishing license (PL)
g. Rights data and content key are encrypted with the server public key from the CLC
h. Server URL is added to PL
i. CLC signs PL
j. The client returns the PL to the application
k. The application can now package the PL with the content
The content can now be sent to its recipients: the publisher sends protected content to the recipient using any mechanism. Assume the recipient has already been bootstrapped; the recipient needs a use license in order to access the content.
52
Licensing
a. Recipient opens document in RMS-enabled application
b. Application calls RMS Client to retrieve a use license
c. RMS Client sends PL and RAC to RMS Server
d. Server validates RAC and PL
e. Data from PL is decrypted
f. If content was published to a group, server checks group membership in AD
g. If identity in RAC matches PL or group membership, server begins constructing use license (UL)
h. Rights are granted to user (user@example.com: read, print; expires 30 days)
i. Content key encrypted with RAC public key
j. Encrypted key added to UL
k. UL signed by server
l. UL returned to client
Recipient can now bind the license and open the content
56
UL user@example.com read, print expires 30 days Accessing Content PL group@example.com read, print expires 30 days SPCRACCLC SPCUL user@example.com read, print expires 30 days RAC
57
Accessing Content SPCUL user@example.com read, print expires 30 days RAC b.RMS Client uses security processor to decrypt RAC private key a.Application calls RMS Client to bind license and decrypt content c.RAC private key decrypts content key
58
Accessing Content SPCUL user@example.com read, print expires 30 days RAC d.RMS Client decrypts content c.RAC private key decrypts content key e.Application renders content and enforces rights
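The publishing, licensing and access steps above, as an added simulation in Go (example code, not Microsoft's or the RMS SDK): the content key travels sealed to the server public key inside the PL, the server re-seals it to the recipient's RAC public key in the UL only when the RAC identity matches the PL principal or the group, and only that RAC private key can then recover the content. Assumed stand-ins: RSA-OAEP and AES-GCM for the real license and content formats, a constructed map for the AD group lookup, and the certificate signatures of the deck are omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// License models both the PL (content key sealed to the server public key carried in
// the CLC) and the UL (content key re-sealed to the recipient's RAC public key).
type License struct {
	Principal string // PL: user or group named by the publisher; UL: the recipient
	Rights    string
	SealedKey []byte // RSA-OAEP wrapping of the 128-bit AES content key
}

// Publish (client): make a 128-bit AES content key, encrypt (AES-GCM, nonce prepended), wrap key in PL.
func Publish(serverPub *rsa.PublicKey, to, rights string, plain []byte) (License, []byte, error) {
	key := make([]byte, 16)
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	return License{to, rights, sealed}, gcm.Seal(nonce, nonce, plain, nil), err
}

// Issue (server): unseal the PL, check the RAC identity against the PL principal or that
// group's membership (the AD lookup, here a constructed map), re-seal the key to the RAC.
func Issue(serverPriv *rsa.PrivateKey, groups map[string][]string, pl License, user string, racPub *rsa.PublicKey) (License, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, pl.SealedKey, nil)
	if err != nil { return License{}, err }
	ok := pl.Principal == user
	for _, member := range groups[pl.Principal] {
		ok = ok || member == user
	}
	if !ok {
		return License{}, errors.New("RAC identity matches neither PL principal nor group membership")
	}
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, racPub, key, nil)
	return License{user, pl.Rights, sealed}, err
}

// Consume (client): unseal the content key with the RAC private key and decrypt the body.
func Consume(racPriv *rsa.PrivateKey, ul License, body []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, racPriv, ul.SealedKey, nil)
	if err != nil { return nil, err }
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], nil)
}
```

The deck specifies 1024-bit keys; any RSA key size accepted by the library works with this code.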
59
What’s New in RMS SP1?
Meets operational requirements for high-security, isolated, or sensitive environments
- Smartcard authentication support
- Offline server enrollment
- FIPS 140 certification
Enables centrally managed business scenarios
- Server Lockbox security processor enables ISVs to build RMS-aware server applications: archival systems, content inspection gateways, records management, index and search, etc.
Enhances usability & eases deployment
- RMS Client no longer requires end-user admin access to activate
- Client works with standard deployment tools
- Supports VPC
- Supports query-based groups
60
What’s New in RMS SP1? Enhanced usability and deployment
SP1 Change: Description
- Dynamic role-based security (Support for Query Based Groups with Exchange 2003): Enables RMS policies to be applied based on dynamic groups, defined by queries of AD for certain attributes. RMS checks the recipient’s group membership against the rights assigned to the content.
- Improved Outlook RPC over HTTP: Authentication process for RPC over HTTP streamlined for a better end-user experience.
- Eases client rollout (Deploy RMS clients without touching desktops): Removes requirement for end-user admin privileges. Supports familiar deployment technologies such as SMS and GPO.
- Support for phased deployment: RMS v1 and RMS SP1 are interoperable for a smooth transition.
- Supports Virtual PC: RMS now supports Virtual PC for mixed customer environments.
- Improved tools and guidance with RMS SP1 Toolkit: Provides improved tools and step-by-step guides.
61
RMS Solution Components
Server
- RMS Server: runs on Windows Server 2003 (Standard, Enterprise, Web or Datacenter Editions); provides certification and licensing
- Active Directory® directory service: Windows Server 2000 or later; provides a well-known unique identifier for each user; the e-mail address property for each user must be populated
- Database Server: Microsoft SQL Server™ (recommended) or MSDE; stores configuration, user keys, and logging data
Client
- RMS Client software
- An RMS-enabled application, required for creating or viewing rights-protected content: Microsoft Office 2003 Editions include RMS-enabled applications – Word, Excel, PowerPoint, Outlook. Office Professional 2003 is required for creating or viewing rights-protected content; other Office 2003 Editions allow users to view – but not create – rights-protected content.
- Rights Management Add-on (RMA) for Internet Explorer 6.0: allows users to view rights-protected content in IE; enables down-level viewing support for content protected by Office 2003
62
Scaling an RMS Deployment
(Diagram of the deployment components: Firewall, SSL, load Balancer, RMS servers, AD, SQL)
63
RMS at Microsoft: FY05 Deployment Statistics
- 79,000 unique users
- 23,000 unique users per week
- 71,000 content licenses issued per week
- Over 1,000,000 use licenses served
- Median time to certify <1 second
- 10 RMS-related helpdesk calls per week (overall helpdesk volume is 11,000 calls per week); 20% escalated to Tier 2 client support
64
RMS does not protect against analog attacks…
65
RMS Product Roadmap (Key Scenarios, Platform Enhancements, RMS-enabled Microsoft Apps)
Today (RMSv1 with SP1)
- Key Scenarios: Enterprise information policy expression and enforcement; Intra-company content exchange; Integration with server-based, centrally managed solutions
- Platform Enhancements: Active Directory integration; FIPS compliance; Smartcard support
- RMS-enabled Microsoft Apps: Office 2003: Outlook, Word, PowerPoint, Excel
FY06 (RMS for Windows Mobile)
- Access protected content on Windows Mobile devices; Windows Mobile support; Pocket Inbox
FY07 (RMSv2 (Longhorn))
- Additional client and server applications; Broader external collaboration scenarios; Increased security while maintaining ease of use; Improved deployment and management; Modified trust infrastructure; Expanded authentication support
66
Resources
RMS Website: http://www.microsoft.com/rms
RMS Blog: http://blogs.msdn.com/rms
RMS TechNet Virtual Lab: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
Microsoft Security: http://www.microsoft.com/security
Microsoft IT’s RMS deployment: http://www.microsoft.com/technet/itsolutions/msit/infowork/deprmswp.mspx
RMS SDK on MSDN: http://msdn.microsoft.com/library/en-us/dnanchor/html/rm_sdks_overview.asp
67
Your Feedback is Important!
We invite you to participate in our online evaluation on CommNet, accessible Friday only. If you choose to complete the evaluation online, there is no need to complete the paper evaluation.
69
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.