
RMSTechOverview

By Jeanette Hart, 2014-07-26 11:50

Technical Overview of Windows Rights Management

    Services for Windows Server 2003

Microsoft Corporation

    Published: November 2003

    Updated: April 2005

Abstract

This white paper provides a technical overview of Microsoft® Windows® Rights Management Services (RMS) for Windows Server® 2003, the reasons for implementing this technology, and the processes and steps involved in that implementation. Windows RMS is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use. RMS augments an organization's security strategy by providing protection of information through persistent usage policies, which remain with the information no matter where it goes.

Microsoft® Windows Server® 2003 White Paper

    The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

    This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

    Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

    © 2005 Microsoft Corporation. All rights reserved.

    Microsoft, the Windows logo, Windows, Windows Media, Active Directory, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

    Introduction  1
    Overview: Managing Digital Information  2
        Vulnerable Information  2
        The Need to Augment an Organization's Security Strategy  2
        Persistent Protection of Digital Information  3
    Scenarios  4
        Scenario 1: Protecting Confidential E-Mail Messages  4
        Scenario 2: Enforcing Document Rights  4
        Scenario 3: Protecting Sensitive Intranet Content  5
        Scenario 4: Protecting Content at the Server Level  5
    What Is Windows RMS?  6
        The Basics: How Windows RMS Works  6
        Components of Windows RMS Technology  7
            Windows Rights Management Services Server Software  8
            Windows Rights Management Services SDK  10
            Windows Rights Management Client Software  10
        Benefits of Windows RMS Technology  11
    XrML: The Format for Trusted Information and Services  12
        How XrML Works  12
        More Information about XrML  12
    Windows RMS Technology in Your Organization  13
        The Standard RMS System Topology  13
        Enrolling Servers in an RMS System  14
        Setting Up Client Computers  15
            Verifying the client component  15
            Client computer activation  15
        Certifying RMS Users  16
        Enrolling Client Computers for Offline Publishing  16
        Creating and Viewing Rights-Protected Information  17
        Publishing to Anyone  19
    Administering an RMS System  19
        Usage Rights Policy Templates  19
        Revocation Lists  21
        Exclusion Policies  21
        Logging  22
    Integrating with Existing Systems  23
    Summary  24
    Related Links  25

Introduction

    This white paper describes how digital information may be vulnerable when organizations rely solely on perimeter-based security methods. It introduces Microsoft® Windows® Rights Management Services (RMS) for Windows Server® 2003 and explains how this technology can enhance an organization's overall information protection strategy.

    Read about the features and benefits of Windows RMS technology, how this technology operates within an organization's infrastructure, and about scenarios that highlight Windows RMS capabilities. This information can help technical staff, technical business decision makers, and solution integrators make informed decisions about adopting and using Windows RMS.

    Technical Overview of Windows Rights Management Services for Windows Server 2003 1

Overview: Managing Digital Information

    Organizations of all sizes are challenged to protect a growing quantity of valuable digital information against careless mishandling and malicious use. The increasing incidence of information theft and the emergence of new legislative requirements to protect data underscore the need for better protection of digital information.

    This digital information may include dynamic, database-driven reports on an enterprise information portal, confidential e-mail messages, strategic planning documents, financial forecasts, contracts, military defense reports, and other sensitive information. The growing use of computers to create and work with this information, the introduction of extensive connectivity through networks and the Internet, and the appearance of increasingly powerful computing devices have made protecting enterprise data an essential security consideration.

    Vulnerable Information

    Organizations create and use a broad assortment of valuable data that they want and need to protect. This data can include the following:

    • Traditional digital files and information. Typical examples of traditional digital files and information are e-mail communications, project-related documents, confidential reports, marketing plans, and product overviews. Information workers share these documents regularly through e-mail messages, conferencing applications, disk shares, and server-based or peer-to-peer systems. This category can also include other sensitive data, such as job performance reviews and personal records, that users may need or want to maintain in a secure, readily available state.

    • Proprietary data. Senior management uses this data to administer, monitor, and direct an organization's activities. This proprietary data might include an organization's sales and market share reports, financial performance information, and strategic forecasts and overviews. Improper use of this data may cause significant damage to an organization.

The Need to Augment an Organization's Security Strategy

    Protecting digital information is a difficult and ongoing task. Typically, organizations secure digital information by using perimeter-based security methods. Firewalls can limit access to the network, and Access Control Lists (ACLs) can restrict access to specific data. In addition, organizations may use encryption and authentication technologies and products to help secure e-mail while in transit and to help ensure that the intended recipients are the first to open the messages.

    These methods help organizations to control access to sensitive data. However, recipients are still free to do whatever they want with the information they receive. After access is granted, no restrictions control what can be done with the data or where it can be sent. Perimeter-based security methods simply cannot enforce business rules that control how people use and distribute the data outside the perimeter, or after the perimeter is penetrated.

    Relying on an individual's discretion to determine the manner in which they use and share digital information can introduce an unacceptable degree of risk into an organization's security model. For example, it is easy for users to mistakenly forward sensitive e-mail messages or documents to recipients who have malicious intent.

In addition to the threats of theft and mishandling, a growing list of legislative requirements adds to the ongoing task of protecting digital files and information. For example, many organizations must comply with Securities and Exchange Commission (SEC) fair disclosure codes, which address the problem of selective disclosure of certain information to inside investors. Similarly, the financial, government, healthcare, and legal sectors are increasingly taxed by the need to better protect digital files and information due to emerging legislative standards such as the Health Insurance Portability and Accountability Act (HIPAA) [1] and, in the financial services market, the Gramm-Leach-Bliley Act (GLBA) [2].

    Without an end-to-end solution in place to effectively control the use of digital information no matter where it goes, sensitive information can too easily end up in the wrong hands, whether maliciously or accidentally.

    Persistent Protection of Digital Information

    Digital information must be better protected. Although no form of information will ever be completely risk-free from unauthorized use and no single approach will shield data from misuse in all cases, the best defense is a comprehensive solution for safeguarding information.

As an essential part of an organization's overall security strategy, a solution for better information protection should provide the means to control how data is used and distributed beyond simple access control. It should help protect an organization's records and documents on the company intranet, as well as from being shared with unauthorized users. It should help to ensure that data is protected and tamper-resistant. When necessary, information should expire based on time requirements, even when that information is sent over the Internet to other individuals.

    [1] Passed in 1996, HIPAA relates to healthcare coverage and, for example, how companies may use medical information.
    [2] Gramm-Leach-Bliley, also known as the Financial Services Modernization Act, was passed in 1999.

    Scenarios

    Using Windows RMS represents an opportunity to protect and enhance all types of data in intranet and some extranet scenarios. The four scenarios described in the following sections illustrate the functionality and benefits of implementing RMS to help safeguard sensitive and proprietary information in the enterprise.

Scenario 1: Protecting Confidential E-Mail Messages

    Brian, a company executive, needs to send his team a confidential e-mail, with a document attached, about a new project. Using Windows RMS, his company has created a "Company Confidential" usage policy template, which automatically applies usage rights that have been centrally defined. Brian selects that template to add usage rights to his e-mail message, which automatically applies the same rights to the attached Microsoft Word 2003 document. The "Company Confidential" template specifies that employees within the organization can only read the information. As employees open the e-mail and the attachment, RMS-enabled Microsoft Outlook 2003 and Word 2003 transparently enforce the usage rights on the information. As specified by the "Company Confidential" template, employees cannot copy, print, save, or edit either the e-mail message or the attached document, and they cannot forward the e-mail message. If they attempt to share this information digitally outside the organization, the unauthorized recipient will be unable to open it.

    A team member sends a request to Brian asking permission to share the e-mail and attachment with an outside vendor that is working on the project. The vendor, which uses a hosting provider for its RMS solution, is a trusted partner within the company's RMS environment. Brian applies rights that are appropriate for the vendor and then sends the e-mail to the vendor. The usage rights are again transparently enforced when the vendor receives and opens the e-mail and attachment.

    Scenario 2: Enforcing Document Rights

    Tom works at a financial services organization that manages the investments of large retirement accounts and leading corporations. From the company's SAP system, he downloads financial information into an RMS-protected spreadsheet in Microsoft Office Excel 2003. After Tom has brought the information into a satisfactory presentation, he uploads the document to an internal file sharing server. Tom sends an e-mail to Julie, one of the company's analysts, telling her that the information is available.

    Julie plans to review the information and use it in her reporting. She has three business days to do so. Tom set the usage rights for just that amount of time, and he also made it impossible for Julie to forward or print the information. Julie understands and appreciates these restrictions, because they help remove a liability. The company needs to comply with regulation, including Securities and Exchange Commission (SEC) rules that call for information protection. In addition, the company is publicly traded; inappropriate disclosure of financial information could have a negative impact on its stock price.

    However, Julie does not manage to review the information in the time allowed. After three business days, she can no longer open the document, so she requests that Tom grant her more time to review the information. Tom grants the permission by extending the expiration of the document he posted on the internal file sharing server. Julie downloads this updated version and can review the information she needs in her report.

Scenario 3: Protecting Sensitive Intranet Content

    Sharon, a sales executive for a large multi-national publishing company, along with her entire sales organization, needs to view sales results that are stored in the online system on the corporate intranet. Because of the sensitive nature of this information, the company has decided to apply usage rights to the sales results. In this example, the company has applied "read-only" rights to the information, which allows the sales organization to view the sales results but not modify, copy, export, save, or print the information. At the same time, increased rights have been granted to Sharon and her immediate staff, who will need the ability to copy or print the sales results for presentations and business reviews.

    As a sales representative in Sharon's organization, Bill has access to the online sales system. Bill navigates to the past year's sales results, which are displayed on-screen within his RMS-enabled browser. "Read-only" rights prevent Bill from printing or performing copy and paste functions.

    Scenario 4: Protecting Content at the Server Level

    Bill, a president of a financial services company, is concerned about maintaining the privacy of digital information contained in customer files. While company employees know that customer information must be protected, Bill does not want to place the responsibility of safeguarding this information on the shoulders of these employees. As a result, Bill decides to implement a third-party workflow solution that integrates rights protection technology at the server level.

    With this solution in place, Bill's employees no longer have to worry about applying protection rights to customer information, as this step is automatically completed during the workflow process. Thus, when a new customer is entered into the system and their file work is processed, "read-only" rights are automatically applied to this information, and only the customer's account managers (as indicated during the setup process) are given this access.

What Is Windows RMS?

    Microsoft Windows Rights Management Services (RMS) for Windows Server 2003 is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use, both online and offline, inside and outside of the firewall. This product is designed for organizations that need to protect sensitive and proprietary information such as financial reports, product specifications, customer data, and confidential e-mail messages.

    RMS augments an organization's security strategy by providing protection of information through persistent usage policies (also known as usage rights and conditions), which remain with the information no matter where it goes. RMS persistently protects any binary format of data, so the usage rights remain with the information, even in transport, rather than residing merely on an organization's network. This also enables usage rights to be enforced after the information is accessed by an authorized recipient, both online and offline, inside and outside of the organization.

    RMS also allows third parties to integrate information protection for a comprehensive platform solution, enabling the integration of information protection into other information processing infrastructures, such as automated workflows, records and document management, e-mail message archiving, content inspection, and more.

    RMS helps protect information through persistent usage policies by establishing the following essential elements:

    • Trusted entities. Organizations can specify the entities, including individuals, groups of users, computers, and applications, that are trusted participants in an RMS system. By establishing trusted entities, RMS can help protect information by enabling access only to properly trusted participants.

    • Usage rights and conditions. Organizations and individuals can assign usage rights and conditions that define how a specific trusted entity can use protected information. Examples of named rights are permission to read, copy, print, save, forward, and edit. Usage rights can be accompanied by conditions, such as when those rights expire. Organizations can also exclude specific applications and entities (as well as non-trusted entities) from accessing the protected information.

    • Encryption. Encryption is the process by which data is locked with electronic keys. RMS encrypts information, making access conditional on the successful validation of the trusted entities. Once information is locked, only trusted entities that were granted usage rights under the specified conditions (if any) can unlock or decrypt the information in an RMS-enabled application or browser. The defined usage rights and conditions are then enforced by the application.

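    The three elements just listed (trusted entities, rights with conditions, encryption) and the expiry behaviour of Scenario 2 can be seen working together in the following simplified model. It is an added example, not code from this white paper or from Microsoft's RMS: the user names, keys, timestamps and the contoso.example / vendor.example addresses are constructed for the illustration, and an HMAC-based keystream cipher and HMAC tags stand in for the real RMS cryptography and for the XrML publishing and use licenses.

```python
"""Added toy model of RMS-style persistent protection: trusted entities, usage
rights with an expiry condition, and encryption. Standard library only; the
HMAC keystream and HMAC tags stand in for RMS's real cryptography and XrML."""
import copy
import hashlib
import hmac
import json
import os

# Constructed: server secret and per-user keys (standing in for the certificates
# RMS issues to trusted users). Outsiders have no entry in TRUSTED_USERS.
SERVER_KEY = os.urandom(32)
SIGN_KEY = hashlib.sha256(SERVER_KEY + b"sign").digest()
TRUSTED_USERS = {"tom@contoso.example": os.urandom(32),
                 "julie@contoso.example": os.urandom(32)}

class AccessDenied(Exception):
    """Raised wherever RMS would refuse a licence or refuse to release content."""

def _xor_stream(key, nonce, data):
    """Toy counter-mode stream cipher from HMAC-SHA256 (illustrative, not AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def _seal(key, secret):
    """Encrypt secret under key with a fresh nonce prepended (hex string)."""
    nonce = os.urandom(16)
    return (nonce + _xor_stream(key, nonce, secret)).hex()

def _unseal(key, blob_hex):
    raw = bytes.fromhex(blob_hex)
    return _xor_stream(key, raw[:16], raw[16:])

def _tag(payload):
    """Server-authenticated tag over a JSON-serialisable payload."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SIGN_KEY, msg, hashlib.sha256).hexdigest()

def publish(plaintext, policy):
    """Author side: encrypt under a fresh content key, seal that key to the
    licensing server and bind the policy to it, so protection travels with the data."""
    content_key = os.urandom(32)
    sealed_key = _seal(SERVER_KEY, content_key)
    return {"ciphertext": _seal(content_key, plaintext), "policy": policy,
            "sealed_key": sealed_key,
            "policy_tag": _tag({"policy": policy, "sealed_key": sealed_key})}

def issue_use_license(container, user, now):
    """Licensing server side: refuse tampered policies, outsiders, unnamed users
    and expired grants; otherwise re-seal the content key to the user."""
    expected = _tag({"policy": container["policy"], "sealed_key": container["sealed_key"]})
    if not hmac.compare_digest(expected, container["policy_tag"]):
        raise AccessDenied("policy has been tampered with")
    if user not in TRUSTED_USERS:
        raise AccessDenied(f"{user} is not a trusted entity")
    grant = container["policy"]["grants"].get(user)
    if grant is None:
        raise AccessDenied(f"{user} has no rights to this content")
    if now >= grant["expires"]:
        raise AccessDenied("rights have expired")
    content_key = _unseal(SERVER_KEY, container["sealed_key"])
    body = {"user": user, "rights": grant["rights"], "expires": grant["expires"],
            "key_for_user": _seal(TRUSTED_USERS[user], content_key)}
    return {"body": body, "tag": _tag(body)}

def use_content(container, licence, user, action, now):
    """Application side: re-check the licence at every open, so expiry and
    rights hold offline and after the first successful access."""
    body = licence["body"]
    if not hmac.compare_digest(_tag(body), licence["tag"]):
        raise AccessDenied("licence has been tampered with")
    if body["user"] != user:
        raise AccessDenied("licence was issued to a different user")
    if now >= body["expires"]:
        raise AccessDenied("rights have expired")
    if action not in body["rights"]:
        raise AccessDenied(f"'{action}' is not among the granted rights")
    content_key = _unseal(TRUSTED_USERS[user], body["key_for_user"])
    return _unseal(content_key, container["ciphertext"])

def scenario_two():
    """Scenario 2 from the paper: Julie may read, not print, for three days."""
    day, t0, julie = 86400, 1_700_000_000, "julie@contoso.example"  # constructed clock
    doc = publish(b"Q3 retirement-fund allocations",
                  {"grants": {julie: {"rights": ["read"], "expires": t0 + 3 * day}}})
    lic = issue_use_license(doc, julie, t0 + day)
    forged = copy.deepcopy(doc)  # a recipient edits the policy to grant print
    forged["policy"]["grants"][julie]["rights"].append("print")
    results = {"read": use_content(doc, lic, julie, "read", t0 + day)}
    attempts = {
        "print": lambda: use_content(doc, lic, julie, "print", t0 + day),
        "after_expiry": lambda: use_content(doc, lic, julie, "read", t0 + 4 * day),
        "outsider": lambda: issue_use_license(doc, "mallory@vendor.example", t0 + day),
        "forged_policy": lambda: issue_use_license(forged, julie, t0 + day),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            results[name] = "allowed"
        except AccessDenied as err:
            results[name] = f"denied: {err}"
    return results
```

    Calling scenario_two() returns a dictionary in which the read succeeds, while the print attempt, the read after the three-day expiry, the outsider's licence request, and the request made with an edited policy are all refused. The point the model makes is the paper's own: because the content key is sealed to the licensing server and the policy is bound to it, copying the container elsewhere (a forwarded e-mail, a re-shared file) unlocks nothing; only a licence issued to a trusted entity, and re-checked at every open, does. The model leaves out what a production system needs: asymmetric keys, machine and application certificates, revocation, and a hardened viewer, and no rights enforcement of this kind prevents a recipient from photographing the screen.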
    The Basics: How Windows RMS Works

Windows RMS, which includes both server and client components, provides the following capabilities:

    • Creating rights-protected files and containers. Users who are trusted entities in an RMS system can easily create and manage protected files using familiar authoring applications and tools that incorporate Windows RMS technology. For example, using common task management procedures within a familiar on-screen environment, organizations could assign usage rights and conditions to information, such as a dynamic, database-driven sales report on an enterprise information portal. Users could also apply usage rights and conditions to e-mail messages and documents using RMS-enabled applications.
