RMSSP1

By Kenneth Murphy, 2014-07-26 11:49

Microsoft® Windows Server 2003 White Paper

Microsoft Windows Rights Management Services with Service Pack 1

Microsoft Corporation

Published: April 2005

Abstract

Microsoft® Windows® Rights Management Services (RMS) for Windows Server® 2003 is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use, both online and offline, inside and outside of the firewall.

RMS augments an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it goes. Organizations can use RMS to help prevent sensitive information, such as financial reports, product specifications, customer data, and confidential e-mail messages, from intentionally or accidentally getting to the wrong recipient.

RMS Service Pack 1 (SP1) allows higher security environments that are isolated from other networks and the Internet to be enabled for RMS. Servers in these environments can now secure digital information using RMS without requiring a working connection to the Internet. RMS SP1 also allows information technology vendors to integrate information protection into server-based applications for a comprehensive platform solution.

This paper presents these enhancements, plus improvements to RMS deployment and usability.

For a technical overview of the processes and steps involved with RMS implementation, please see Technical Overview of Windows Rights Management Services for Windows Server 2003 on www.microsoft.com/rms.


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

    This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

    Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2005 Microsoft Corporation. All rights reserved.

    Microsoft, Outlook, SharePoint, the Windows logo, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Overview  1
  Better Safeguard for Sensitive Information  1
  Persistent Protection  1
  Flexible and Customizable Technology  1
Usage Scenarios  2
  Scenario 1: Do-Not-Forward E-Mail  2
  Scenario 2: Protect Sensitive Information  2
  Scenario 3: Safeguard Intranet Content  2
RMS SP1 Enhancements  3
  Operational Needs for Higher Security, Isolated, or Sensitive Environments  3
  Enterprise Rights Management Integration with IT Infrastructure  3
  Better Usability and Easy Deployment  4
Meeting the Needs of Higher-Security, Isolated, or Sensitive Environments  5
  Offline Server Enrollment  5
    How it works  5
  RMS SP1 Client Computer Activation  5
  FIPS Certification  6
  Smartcard Authentication  6
Integration with Third-Party, Server-Based Applications  7
  Business Process Automation  7
  Records and Document Management  7
  E-Mail Archiving  7
  Content Inspection  8
Easier Deployment and Enhanced Usability  9
  Ease of Client Deployment  9
  Dynamic Role-Based Security  9
  Improved Tools and Guidance  9
    Quicklook  9
    Active Directory Extensions  10
    Extensive, Online Documentation  10


    Overview

Microsoft® Windows® Rights Management Services (RMS) for Windows Server® 2003 is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use, both online and offline, inside and outside of the firewall. Organizations and information workers can define exactly how recipients can use the information, such as who can open, modify, print, forward, and/or take other actions. Organizations can create custom usage policy templates, such as “Confidential - Read Only,” that can be applied directly to information, such as financial reports, product specifications, customer data, and e-mail messages. RMS augments an organization’s security strategy by providing protection of information through persistent usage policies, which remain with the information, no matter where it goes.

    Better Safeguard for Sensitive Information

RMS enables organizations to achieve critical information security goals through better safeguarding of sensitive information. Programs, such as word processors, e-mail clients, and line-of-business applications, can be RMS-enabled to help safeguard sensitive information. Document content is encrypted with industry standard Advanced Encryption Standard (AES) cryptography. Workers can choose from a variety of usage rights to define exactly how the recipient can use the information and for how long. When a recipient attempts to access rights-protected information, an entry is made into a database that records the attempt. This allows organizations to audit that log to identify approvals and denials by employees.

    Persistent Protection

RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by binding the usage rights to the document itself, controlling how information is used even after it has been opened by intended recipients. The publishing license, which defines the rights, is encrypted and placed into the file. This means that the protection travels with the information, wherever it goes.

    Flexible and Customizable Technology

Using the Windows RMS software development kit (SDK) and the industry standard eXtensible rights Markup Language (XrML) (www.xrml.org), independent software vendors and developers can make almost any application RMS-enabled to work with RMS to help safeguard sensitive information (for example, document management systems or portal servers).

Microsoft® Windows® Rights Management Services with Service Pack 1  1


    Usage Scenarios

Some common usage scenarios include preventing e-mail from being forwarded, protecting sensitive files, and safeguarding intranet content.

    Scenario 1: Do-Not-Forward E-Mail

The Do-Not-Forward E-Mail scenario prevents an e-mail message (using Microsoft® Office Outlook® 2003) from being forwarded by the recipient. Messages sent with this restriction feature a disabled forward button and lack the capability to copy, paste, print, export, save, and/or other functions, as necessary, to enforce the policy. This helps lower the risk that executive e-mail messages will appear on the Internet or other unintended places, limits access to confidential communications to only the intended employees, and is easy to use because it ships integrated with Microsoft Office Outlook 2003 Professional. RMS makes it easy to create customized templates for unique business groups and policies as well, such as “Sales Team Confidential” or “HR Confidential.”

    Scenario 2: Protect Sensitive Information

Sensitive information (for example, plans, proposals, and reports) must be protected to mitigate the risk of leakage to unintended parties. The author can maintain more control over this content by limiting who can view these sensitive files and limiting recipients to only selected application functions; for instance, the author can prevent the printing, saving, forwarding, and copying of the information. The author can even set a date when those rights expire, so if a group of employees is collaborating on a plan and frequently updating it, expiration of previous drafts ensures that outdated information will not be accessible and all involved parties are using only the latest information.

    Scenario 3: Safeguard Intranet Content

Many of the most sensitive files in an organization today are stored in databases and viewed through intranet portals. An organization can have rights applied to intranet content, which employees would access through an RMS-enabled browser, such as Microsoft Internet Explorer with the Rights Management Add-On. This enables departments, such as finance or human resources, to ensure that sensitive information available on the intranet is only accessible by authorized staff and cannot be copied, printed, or exported to other programs for unintended viewing. If printing or copying is necessary and a worker doesn’t currently have permissions to do so, the worker can contact the designated data owner and request additional rights.


    RMS SP1 Enhancements

Customers who have deployed RMS 1.0 have identified several requirements to further enhance their RMS infrastructure. The following are the key requirements that have been addressed with RMS SP1.

    Operational Needs for Higher Security, Isolated, or Sensitive Environments

Isolation. Some organizations (for instance, military groups), with a requirement for a great deal of isolation, have networks with no Internet connectivity (also known as “air-gap networks”). Also, many organizations have policies prohibiting any operational dependencies on third-party organizations. Because the initial version of RMS required customers to have a working Internet connection from their RMS server to complete server enrollment and client machine activation, they were unable to use RMS. RMS SP1 eliminates the requirement for networks to have Internet connectivity.

Sensitive environments. United States Federal Government agencies require encryption solutions that meet the Federal Information Processing Standard (FIPS) certification standard. RMS SP1 uses FIPS 140 validated cryptographic modules available in Windows, accessible through the standard Windows CryptoAPI (CAPI) interface.

Higher security. Customers have asked for an enhanced level of authentication, including two-factor authentication methods. Users can use smartcards to authenticate to RMS SP1 services, providing a stronger authentication mechanism for RMS-protected content than simple username and password.

    Enterprise Rights Management Integration with IT Infrastructure

Many organizations would like to be able to apply rights-protection policies to information in a more consistent and centralized way, for instance, at the server or network level. Some examples include the following.

Business process automation: The ability to apply rights protection to a variety of business processes through integration with workflow and collaboration tools, so that employees do not have to remember or understand where they need to apply rights protection.

Records and document management: The ability to apply rights protection policies automatically to sensitive documents and records, and to have those protection policies travel with the documents outside of the repository as end users check them out. This type of policy enforcement is often required by compliance regulations or to secure intellectual property.

E-mail archiving: The ability to archive RMS-protected e-mail messages, and still allow them to be readable for searching and indexing engines, in order to provide consistent application of an organization’s e-mail retention policies.

Content inspection: The ability to integrate with content-inspection gateways (such as A/V scanners), so that an organization can consistently apply scanning or quarantine rules to RMS-protected content.

To meet these requests and more, RMS SP1 extends the range of possible RMS solutions to include server applications. Server applications (such as Microsoft Office SharePoint® Portal Server and Microsoft Exchange Server), as well as partner applications (for instance, records management, workflow, archiving, and content inspection solutions) can apply rights protection in a centralized and consistent manner.


    Better Usability and Easy Deployment

In RMS version 1.0, deploying RMS clients across the network required “touching” desktops, which took more time. In addition, end users were required to have administrator privileges to activate RMS on their computers, which sometimes conflicted with companies’ policies. RMS SP1 can easily be deployed with standard tools including group policy, Microsoft Windows Software Update Services (WSUS), and Microsoft Systems Management Server (SMS), and does not require that users have administrator privileges for the client computers to be activated.

Many organizations have the requirement to restrict information to a group whose members are constantly changing, and they do not want to keep updating group definitions each time a person enters or leaves the group. RMS SP1 includes support for query-based groups, which allow a user’s directory attributes to determine group membership and therefore dynamically grant or deny access to RMS-protected content.


    Meeting the Needs of Higher-Security, Isolated, or Sensitive Environments

    RMS version 1.0 required customers to have a working Internet connection. This was required because two steps in the RMS setup process, server enrollment and client computer activation, required a connection from the customer’s RMS server to services hosted on the Internet by Microsoft.

With SP1, RMS can be operated in networks with no Internet connection, sometimes known as “air-gap” networks. This has been accomplished through two changes.

    Offline Server Enrollment

    The server enrollment step, in which the RMS server obtains the Server Licensor Certificate (SLC) required for operation, has been modified so that it can be executed in either an offline or an online fashion. Customers choosing the offline option will be able to obtain the SLC and import it into the RMS server in two steps, transporting the SLC on physical media between an Internet-connected computer and a non-Internet-connected network.

    How it works

Server enrollment is part of the RMS server provisioning process. This is a one-time step, executed by the RMS administrator after installing the first RMS root cluster. With the “offline provisioning” option, the RMS administrator first completes a server provisioning step similar to v1.0, selecting “offline” enrollment. Then, from the RMS Administration interface, the administrator exports an enrollment request file and saves it to removable media, such as a USB device or floppy disk. The enrollment request file contains the public key and URL of the RMS server, the RMS version, and revocation information. No other data is collected or required to complete the server enrollment request. In addition, the XML enrollment request file is human readable in clear text, so the customer can verify what information is included.

    The enrollment request is then physically moved to an Internet-connected computer, from which the administrator browses to a Microsoft-hosted Web site and uploads the request file. The service returns a certificate file, which can then be physically transported back to the offline RMS server and imported via the RMS Administrative interface. After the first server is enrolled, additional servers can be added to the environment without reconnecting to the Microsoft-hosted Web site.
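The offline enrollment round trip described above, as an added example that is not from the paper and not RMS code: a Go program that exports a clear-text enrollment request, stands in for the Microsoft-hosted enrollment service by signing that request, and then imports the resulting certificate back on the offline server. The XML element names, the use of an RSA PKCS#1 v1.5 signature over the compact request XML, and the service key (a locally generated stand-in) are assumptions of this example; the paper gives neither the request schema nor the signature format. What the example adds to the text is the import-side check: the SLC is accepted only if the service signature verifies over the request and the certified key is this server's own key, so a file altered or swapped while it sits on the removable media is refused.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"errors"
)

// EnrollmentRequest models the clear-text XML file exported from the offline RMS
// server. Element names are constructed for this example; the paper states only
// that it carries the server's public key and URL, the RMS version, and
// revocation information.
type EnrollmentRequest struct {
	ServerURL  string `xml:"ServerURL"`
	RMSVersion string `xml:"RMSVersion"`
	PublicKey  string `xml:"PublicKey"`  // base64 PKIX DER of the server's RSA public key
	Revocation string `xml:"Revocation"` // revocation information, opaque here
}

// ServerLicensorCertificate models the file the enrollment service hands back:
// the request it received plus the service's signature over it.
type ServerLicensorCertificate struct {
	XMLName   xml.Name          `xml:"ServerLicensorCertificate"`
	Request   EnrollmentRequest `xml:"EnrollmentRequest"`
	Signature string            `xml:"Signature"` // base64 RSA PKCS#1 v1.5 over SHA-256 of the compact request XML
}

// ExportRequest is the administrator's first step on the offline server; the
// output is readable XML, so what leaves the network can be inspected.
func ExportRequest(serverPub *rsa.PublicKey, url, version, revocation string) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(serverPub)
	if err != nil {
		return nil, err
	}
	req := EnrollmentRequest{ServerURL: url, RMSVersion: version,
		PublicKey: base64.StdEncoding.EncodeToString(der), Revocation: revocation}
	return xml.MarshalIndent(req, "", "  ")
}

// digestOf hashes the compact XML form of the request; that is what gets signed.
func digestOf(req EnrollmentRequest) []byte {
	msg, _ := xml.Marshal(req) // a struct of plain strings always marshals
	d := sha256.Sum256(msg)
	return d[:]
}

// EnrollOffline stands in for the Microsoft-hosted enrollment Web site: it signs
// a request only if the documented fields are present. serviceKey is a
// constructed stand-in for the service's signing key.
func EnrollOffline(reqXML []byte, serviceKey *rsa.PrivateKey) ([]byte, error) {
	var req EnrollmentRequest
	if err := xml.Unmarshal(reqXML, &req); err != nil {
		return nil, err
	}
	if req.ServerURL == "" || req.RMSVersion == "" || req.PublicKey == "" {
		return nil, errors.New("enrollment request is missing a required field")
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, serviceKey, crypto.SHA256, digestOf(req))
	if err != nil {
		return nil, err
	}
	slc := ServerLicensorCertificate{Request: req, Signature: base64.StdEncoding.EncodeToString(sig)}
	return xml.MarshalIndent(slc, "", "  ")
}

// ImportSLC is the administrator's last step, back on the offline server. The SLC
// is accepted only if it is signed by the known service key and certifies this
// server's own key, so a file edited or swapped on the removable media is refused.
func ImportSLC(slcXML []byte, servicePub, ownPub *rsa.PublicKey) (*ServerLicensorCertificate, error) {
	var slc ServerLicensorCertificate
	if err := xml.Unmarshal(slcXML, &slc); err != nil {
		return nil, err
	}
	sig, err := base64.StdEncoding.DecodeString(slc.Signature)
	if err != nil {
		return nil, err
	}
	if rsa.VerifyPKCS1v15(servicePub, crypto.SHA256, digestOf(slc.Request), sig) != nil {
		return nil, errors.New("SLC signature does not verify: file altered or not issued by the service")
	}
	der, err := base64.StdEncoding.DecodeString(slc.Request.PublicKey)
	if err != nil {
		return nil, err
	}
	certKey, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	if pub, ok := certKey.(*rsa.PublicKey); !ok || !pub.Equal(ownPub) {
		return nil, errors.New("SLC certifies a different server key")
	}
	return &slc, nil
}
```

Exercise it by calling ExportRequest, EnrollOffline and ImportSLC in sequence with two generated RSA keys, one for the server and one standing in for the service. The request file is readable XML, which is the property the paper points to for verifying what information leaves the isolated network; the verification in ImportSLC is the complement on the way back in.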

    RMS SP1 Client Computer Activation

The client computer activation step is now a self-activation model. The RMS component that performs most encryption, decryption, signing, and validation steps necessary to publish and consume rights-protected information is called the “lockbox.” Client computer activation is the process in which the lockbox is installed and activated. Previously, the machine activation step required the client machine to connect, via the RMS server, to an Internet activation service hosted by Microsoft.

    Instead of obtaining a lockbox from an activation service hosted by Microsoft, the RMS SP1 client ships with the lockbox already included, and it will generate the necessary credentials and key material upon activation. With SP1, the client activation step no longer requires a connection to Microsoft nor to the Internet. The RMS SP1 client will self-activate upon first use by any user, including non-administrators.


    The lockbox uses Crypto API (CAPI) for machine activation as well as for all cryptographic operations, in order to access Federal Information Processing Standard (FIPS) 140 validated cryptographic modules available in Windows. The use of CAPI also leverages existing Windows platform technology, such as the Microsoft Data Protection API (DPAPI) to secure credentials.

    FIPS Certification

FIPS 140-1 was published in 1994 and immediately became a requirement for cryptographic products sold to the U.S. Federal Government. Subsequently, other governments, such as the Canadian Federal Government, through the Communications Security Establishment, recommended that applicable products purchased be FIPS certified. The standard is now being considered in the financial industry. All companies wishing to do business with the U.S. Federal Government must use FIPS-validated cryptographic modules. FIPS 140-2 became official in May 2002 and continues the strong cryptographic evaluation program developed under FIPS 140-1.

RMS SP1 uses FIPS-validated cryptographic modules available in Windows, accessible through Windows CAPI. The cryptographic algorithms used include AES for symmetric encryption of content and RSA for asymmetric encryption of content keys and other credentials. Microsoft DPAPI is used for securing secret key material. RMS SP1 uses cryptographic modules that are validated for FIPS 140-1 Level 1¹ on Microsoft Windows XP and later, and FIPS 140-2 Level 1 on Windows Server 2003.
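As an added example that is not part of the paper and not RMS code, the following Go program models the key hierarchy that both the Persistent Protection section and the paragraph above describe: the content is encrypted with AES (here AES-256-GCM), the content key is wrapped with RSA (here RSA-OAEP) to the RMS server's public key, and a publishing license carrying the rights and the expiry travels with the ciphertext. The license layout, the field names, the GCM mode and the use of the license's policy as GCM additional authenticated data are assumptions of this example; the paper does not specify them. Consume folds the licensing service and the client into one call so the check order is visible: expiry and the requested right are checked before the key is unwrapped, and a license edited after publishing fails authentication instead of granting extra rights.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// PublishingLicense is the policy that travels inside the protected file. Its
// layout is constructed for this example; the paper says only that the license
// defines the rights, AES protects the content and RSA protects the content key.
type PublishingLicense struct {
	Rights     map[string]map[string]bool `json:"rights"`     // user -> right -> granted
	Expires    int64                      `json:"expires"`    // Unix seconds; no use license after this
	WrappedKey []byte                     `json:"wrappedKey"` // AES-256 content key, RSA-OAEP to the server key
}

type ProtectedFile struct {
	License    PublishingLicense `json:"license"`
	Nonce      []byte            `json:"nonce"`
	Ciphertext []byte            `json:"ciphertext"`
}

// policyBytes is the part of the license bound to the ciphertext as AES-GCM
// additional data, so editing rights or expiry in the file breaks decryption
// instead of loosening the policy. JSON sorts map keys, so it is deterministic.
func policyBytes(l PublishingLicense) []byte {
	b, _ := json.Marshal(struct {
		Rights  map[string]map[string]bool
		Expires int64
	}{l.Rights, l.Expires})
	return b
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is the publishing side: a fresh AES-256 key encrypts the content and is
// wrapped to the server's public key, so only the licensing service can release it.
func Protect(content []byte, rights map[string]map[string]bool, expires int64, serverPub *rsa.PublicKey) (*ProtectedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		return nil, err
	}
	lic := PublishingLicense{Rights: rights, Expires: expires, WrappedKey: wrapped}
	gcm, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &ProtectedFile{License: lic, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, content, policyBytes(lic))}, nil
}

// Consume folds the licensing service and the client into one call: expiry and
// the requested right are checked before the key is unwrapped, then the client decrypts.
func Consume(f *ProtectedFile, user, right string, now int64, serverPriv *rsa.PrivateKey) ([]byte, error) {
	if now > f.License.Expires {
		return nil, fmt.Errorf("license expired: no use license issued")
	}
	if !f.License.Rights[user][right] {
		return nil, fmt.Errorf("%s is not granted %s", user, right)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, f.License.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, f.Nonce, f.Ciphertext, policyBytes(f.License))
	if err != nil {
		return nil, fmt.Errorf("license or content was altered after publishing")
	}
	return pt, nil
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the RMS server key pair
	f, _ := Protect([]byte("Q3 forecast (constructed sample)"), map[string]map[string]bool{"bob": {"VIEW": true}}, time.Now().Unix()+3600, &serverKey.PublicKey)
	_, err := Consume(f, "bob", "EDIT", time.Now().Unix(), serverKey)
	fmt.Println("bob EDIT:", err) // refused: bob holds VIEW only
}
```

Binding the policy to the ciphertext as additional data is what makes the protection persistent in the sense the paper uses: the file can be copied anywhere, but nobody without the server's private key can release the content key, and nobody can widen the rights or push out the expiry without invalidating the ciphertext.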

    Smartcard Authentication

With RMS SP1, organizations with requirements for stronger authentication are able to enforce two-factor authentication with smartcards or X.509 soft certificates for end users to obtain an RMS user credential. This is done by placing an access control list on the RMS service that grants user credentials to allow only those users with the proper X.509 certificate. If a user is mapped to an X.509 certificate on a smartcard, Windows will then prompt them for their smartcard and PIN in order to authenticate, before granting them RMS credentials.

    RMS administrators for organizations can also place access-control lists on the licensing service of RMS. These access-control lists can require users to present network credentials and/or smartcards each time they receive or publish RMS-protected content.

¹ FIPS 140-2 became official in May 2002. By then, Windows 2000 and Windows XP had already achieved their official FIPS 140-1 status. FIPS 140-1 is still a valid and recognized certification level.


Integration with Third-Party, Server-Based Applications

RMS SP1 extends the range of possible RMS solutions to include server applications. Server applications from Microsoft as well as partner applications such as records management, workflow, archiving, and content inspection solutions, can apply rights protection in a centralized and consistent manner.

For example, document storage repositories can be protected so that when documents are retrieved from the repository they are automatically rights protected, and the information can be controlled even after a user checks out a document.

    The RMS SP1 administrative interface allows administrators to choose to use the client lockbox, the server lockbox, or both. New controls have been added to the RMS administrative interface to allow administrators to manage the server lockbox and keep environments locked down. Because not every organization will need to use them, server lockboxes are excluded by default, and the administrator can specify the user contexts under which server lockboxes are allowed to run. This provides another layer of protection for an RMS environment.

    The following are some of the most common business scenarios in which RMS SP1 server-lockbox-enabled solutions can help organizations protect sensitive information consistently, comprehensively, and effectively.

    Business Process Automation

    Business processes and workflow applications that manage secure information can be enhanced to use RMS information protection automatically. For example, a company developing new products could integrate RMS with a workflow solution to allow design engineers the ability to update documents, while allowing quality assurance staff read only access to documents. Limiting the rights of documents in the workflow greatly reduces the risks of intentional or accidental information leaks. Individuals who need to view documents can be granted that ability, while at the same time being restricted from forwarding, cutting, pasting, or saving documents. These restricted rights can be applied automatically by server processes based on policies.

    Records and Document Management

Records and document management systems can be enhanced to apply RMS protection automatically to documents when they are removed from the document repository. Documents can be stored within the repository in plain text to provide for full indexing and text search capabilities, but the documents can be encrypted and protected, for example with a “read only” policy and an expiration date, when a user downloads a document. The rights that are associated with the user can be centrally controlled through policy and travel with the document itself, once it leaves the repository. Controlling access to data in this manner helps organizations meet regulatory compliance regulations and helps to protect intellectual property.

    E-Mail Archiving

    Many corporate and regulatory policies require that all e-mail communications be archived so that they can be searched and retrieved later by company officials or auditors. Any e-mail encryption solution
