Rights Management Services (RMS)
Paul Cullimore paulcu@microsoft.com, Graham Calladine grahamca@microsoft.com
Security Solutions Team, MCS, UK

  • Slides: 19

What is RM?
“RMS is a technology that works with enabled applications to help protect digital information from unauthorised use.”
Relies on a system of trust:
  • Trusted user (using a)
  • Trusted application (installed on a)
  • Trusted computer

Defining Rights Management: expansion of client support, usage scenarios and value to the enterprise

Existing Rights Management technologies: Windows Media Rights Manager v1, v7, 9 Series (1997 ff); Digital Asset Server (2000)
  • User experience: Windows Media® Player & licensees of Windows Media Format SDK; Microsoft Reader
  • Rights Management category: Digital Rights Management
  • Enterprise benefits: protection of both live and on-demand streamed audio and video files (e.g. sensitive internal or external audio/video communications, on-demand training, and corporate meetings). Not an enterprise-focused solution.

Windows Rights Management Services for Windows Server 2003: greater flexibility for corporate scenarios, new business opportunities
  • User experience: users engage rights-protected content via a browser or with RM-enabled applications.
  • Rights Management category: Rights Management
  • Enterprise benefits: allows for flexible and persistent policy expression and enforcement for information: material drawn from database or content management queries, e-mail messages, documents, spreadsheets, other Web content.

eBook
  • Known reader software
  • Must be activated for protected content
  • Digital Asset Server (DAS)

Windows Media
  • Series 9
  • Secure Audio Path
  • Live broadcast
  • Commercial: Napster v2, iTunes, OD2 (MSN, Ministry of Sound)

Windows Rights Management Services
  • Persistent protection
  • Policy enforcement
  • Template-based administration
  • Who can access, and what they can do: Cut, Copy & Paste; Print, Print Screen; Forward; Expire

Where does RMS fit technologically?
  • EFS – prevents stolen laptops from having their information compromised
  • ACLs – protect the integrity of files on a network share
  • S/MIME – provides over-the-wire information security for e-mail
  • Document Protection – strongly encrypts Office documents
  • RM – stops accidental abuses of Office content

What RM is NOT!
  • RM is NOT a security solution. Also, users with malicious intent may circumvent RM policies.
  • RM does NOT restrict MP3 usage so you can’t play them the way you want
  • RM does NOT provide unbreakable, hacker-proof security
  • Technology alone cannot stop the inappropriate spread of information: screen capture utilities work; digital cameras; read over the phone

RM Components
  • Windows Rights Management Services (RMS) - Windows Server 2003
  • Updates to Windows client: RM client APIs for Windows 98 SE+; RM Add-on for Internet Explorer
  • Software Development Kit: for both client-based & server-based development
  • RM-enabled applications: any application which has utilized the RM SDK; Office 2003 is the first set of apps to implement RM (= Information RM)

RMS Architecture
  • RMS is an ASP.NET Web service: SOAP over HTTP/HTTPS; IIS 6 only; stateless for most requests – all processing on front end; database used for configuration & logging
  • Requests:
      – Machine Activation: one-time process to create and download secure trusted root per machine
      – Certification and Client Enrollment: binding a user key pair to a specific machine
      – Licensing: requesting a license to use a piece of content

Deployment Prerequisites
  • P3 800 / 256 MB / 20 GB (Rec: P4 Dual / 512 MB / 40 GB)
  • Windows Server 2003: Internet Information Services 6.0; ASP.NET; MSMQ client for logging
  • MSDE or SQL Server 2000
  • Active Directory (AD): Windows 2000 SP3 or later; test users must have accounts with mail attribute in the AD
  • RM client bits installed on client test machines
  • RM-enabled application
  • RM server must have access to the Internet

IRM Features in Office 2003
  • “Do Not Forward” e-mail: includes optional expiration
  • “Do Not Distribute” documents: provides more granularity; access can be Read, Change, or Full Control; additional options include Printing and Expiration
  • Specifying recipients uses e-mail addresses
  • Support for Exchange DLs makes it easy to manage access control as group membership changes
  • “Company Confidential” policies: supports “permission policies” in enterprises; admins control policies, even after content is protected
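As an added illustration of the access model this slide describes (recipients named by e-mail address or by a distribution list, an access level of Read, Change or Full Control, an optional Print right, and optional expiration), the following Python is a constructed policy evaluator. It is not Microsoft's RMS or Office code; the directory contents, the `contoso.example` addresses, the `Grant`/`Policy` types and the rule that Full Control implies Print are all assumptions made for the example.

```python
"""Constructed model of the IRM permission checks on the slide above.
Illustration only; not Microsoft's RMS or Office implementation."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Hypothetical directory: distribution-list address -> member addresses.
# Editing this mapping is the "group membership changes" case from the slide.
DIRECTORY: Dict[str, Set[str]] = {
    "finance-dl@contoso.example": {"alice@contoso.example", "bob@contoso.example"},
}

# Ordered access levels; a higher level implies every lower one.
LEVELS = {"read": 1, "change": 2, "full control": 3}


@dataclass
class Grant:
    principal: str                      # e-mail address or DL address
    level: str                          # "read", "change" or "full control"
    can_print: bool = False             # the separate Printing option
    expires: Optional[datetime] = None  # None means the grant never expires


@dataclass
class Policy:
    grants: List[Grant] = field(default_factory=list)


def expand(principal: str, directory: Dict[str, Set[str]] = DIRECTORY) -> Set[str]:
    """Addresses a principal covers: a DL expands to its current members,
    a plain address covers only itself."""
    return set(directory.get(principal, {principal}))


def check(policy: Policy, user: str, action: str, now: datetime,
          directory: Dict[str, Set[str]] = DIRECTORY) -> bool:
    """Decide whether `user` may perform `action` ("read", "change",
    "full control" or "print") at time `now`. Only live grants that cover
    the user count; an expired grant confers nothing."""
    for g in policy.grants:
        if user not in expand(g.principal, directory):
            continue
        if g.expires is not None and now >= g.expires:
            continue
        if action == "print":
            # Assumption for this model: Full Control includes printing.
            if g.can_print or g.level == "full control":
                return True
        elif LEVELS[g.level] >= LEVELS[action]:
            return True
    return False


if __name__ == "__main__":
    now = datetime(2004, 1, 1, tzinfo=timezone.utc)
    policy = Policy([
        Grant("finance-dl@contoso.example", "read", expires=now + timedelta(days=30)),
        Grant("carol@contoso.example", "change", can_print=True),
    ])
    for user, action, when in [
        ("alice@contoso.example", "read", now),
        ("alice@contoso.example", "change", now),
        ("alice@contoso.example", "read", now + timedelta(days=31)),
        ("carol@contoso.example", "print", now),
    ]:
        print(f"{user} {action} at {when.date()}: {check(policy, user, action, when)}")
```

Time-zone-aware datetimes are used throughout so that an expiry set by a publisher in one zone compares correctly on a consumer in another; comparing naive and aware datetimes raises in Python, which is the safer failure than silently granting access past expiry.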

Office versions

  Application                                     Create Content   Consume Content
  Office 2003 Professional                        Yes              Yes
  Office 2003 Standard                            No               Yes
  Standalone Office 2003 Applications             Yes              Yes
  Office XP (all versions)                        No               No
  Office 2000/97 (all versions)                   No               No
  Rights Management Add-on for Internet Explorer  No               Yes

Deployment Blockers
  • AD deployment is #1 blocker: not all customers appear to have deployed AD yet; no AD schema extensions required
  • Office 2003 deployment is #2 blocker: Office 2003 is the only RMS-enabled authoring tool at present
  • Exchange is a big bonus, but not required
  • Deploying Windows Server 2003: only need one server at minimum
  • Air-gapped networks can’t talk to MSN: RMS SP1 and Churchill – more later

Summary
  • RM extends the control users and IT have over sensitive communications
  • No user can claim “they didn’t know” when they are caught abusing RM-protected content
  • RMS is an enterprise-class service – plan accordingly
  • Think early about roaming use and collaboration needs