
Windows Rights Management Services Protecting Content in Legal

By Billy Peterson,2014-07-11 09:28

Windows Rights Management Services:

    Protecting Electronic Content in Legal Organizations

Microsoft Corporation

    Published: October 2003

    Updated: April 2005

Abstract

    This white paper discusses the role of Microsoft® Windows® Rights Management Services (RMS) for Windows Server™ 2003 in the legal environment. Windows RMS is information protection technology that works with RMS-enabled applications to help legal organizations better control and protect their digital information from unauthorized use.

    Microsoft® Windows® Rights Management Services (RMS) for Windows Server™ 2003 White Paper

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

    The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

    This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

    Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

    © 2005 Microsoft Corporation. All rights reserved.

    Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

    Introduction
    Situation
    Scenario 1: Ensuring Attorney-Client Privilege
    Scenario 2: Ensuring the Secrecy of Negotiations
    Extending Protection Beyond the Firewall
    What Is Windows Rights Management Services (RMS)?
    Flexible Information Protection
    Creation, Enforcement, and Consumption of Protected Information
    Creating Rights-Protected Information
    Enforcing RMS Protections
    Consuming Rights-Protected Documents
    Protecting Your Organization's Interests
    Benefits
    What Can RMS Do for Legal Organizations?
    Increased Confidentiality
    Increased Productivity
    Improved Time Control
    Streamlined Court Documentation
    Reduced Risk
    Improved Audit Capabilities
    Summary
    System Requirements
    Related Links

Introduction

    Today there exist countless ways to protect physical networks and information assets, from perimeter firewalls and intrusion detection systems to data encryption and sophisticated password protection systems. While each of these systems plays an important part in preventing unauthorized access to information, they are limited to controlling access to a file inside the network or the secure transport of a file to a recipient outside the network. They do not protect a file from unauthorized usage by an authorized recipient. A Microsoft Office Word 2003 document containing information protected by attorney-client privilege may be housed in a highly secure data repository, but there is no protection for that document if someone distributes a copy of it to an external recipient via e-mail, removable media, or by printing it out. While secure Web access can prevent unauthorized users from accessing Web-based information, current security features do not prevent an authorized user from copying the information and sharing it with others. And once that information, be it a document, a utility, or an executable file, moves outside the protection of the secure network, anyone can do with it what they will, and the owner's ability to control that information is lost. RMS is designed to protect a file from unauthorized access and unauthorized usage both inside and outside of the firewall.

    Situation

    Legal firms constantly work with sensitive and privileged information. Trial lawyers prepare strategies for the defense or prosecution of cases, and they do not want unauthorized individuals obtaining information that could prejudice the trial. Other lawyers prepare wills and trusts, documents that need to be kept private until such time as the instrument must be exercised. Still other lawyers create contracts, mediate complex business deals, and provide advice to individuals and businesses about the legal ramifications of an action.

    Scenario 1: Ensuring Attorney-Client Privilege

    Many businesses will route documents for review to their legal team. Once the team has received the document, it is protected under the laws governing attorney-client privilege. But that protection is largely a formality. If someone were to obtain an electronic copy of the document, it is likely that that person could open the file, read it, and even revise it. That person could print the file or send it as an e-mail attachment, and soon the contents of the document are no longer private at all. This could have disastrous consequences for the business that created the document and for many others as well.

    The need to protect documents covered by attorney-client privilege can hardly be limited to documents created in a business setting. The same need pertains to settings where an attorney's client is in prison, working through plans for a trust, setting up a new business venture, or virtually any other setting involving an attorney and a client. These materials must be protected, but there are many ways in which this protected information can fall into unauthorized hands.

    Scenario 2: Ensuring the Secrecy of Negotiations

    Consider the case where a law firm is working on a merger or an acquisition for a company. Both sides in the deal need access to sensitive financial and business information, but each side needs to be able to control the degree to which this sensitive information is shared. While the legal team from the acquisition target may prepare a Word document containing sensitive financial and business details, they want to make sure that these details stay within a narrow circle of business managers and legal advisors at the company considering the acquisition. Yet if the document is sent in hardcopy form, they can be sure that a secretary within the acquiring company will make copies of it to distribute to the appropriate executives. Those copies could later end up in a recycling bin that is not headed immediately for the shredder, and could then end up in the hands of any number of individuals who have no business seeing this information. If the legal team sends the document by e-mail or on a floppy disk, there are opportunities for the recipient of the document to forward it to the appropriate readers as well as to others who may not be authorized to view the content. The file on a disk could simply end up somewhere outside the organization, where the acquisition target has no control over the information whatsoever.

    Extending Protection Beyond the Firewall

    RMS changes all that. RMS helps organizations protect digital content (business files such as e-mail, documents, etc.) from inappropriate access, even after it is shared or distributed. Applications that are RMS-enabled allow the author to stipulate a set of rules, or policy rights, that govern how the information may be used, by whom, for how long, and so forth. Protection is achieved through industry security technologies, including encryption, XrML-based certificates, and authentication.

    Simply put, RMS gives organizations a mechanism for protecting electronic information even when it leaves the confines of the secure network. Information can be rights-protected so that only individuals with specific credentials named by the file author can view it, and no one, inside or outside the organization, can view or manipulate that information without the author's permission. This greatly reduces the risk of an information leak. It gives IT administrators and information owners a level of protection that extends beyond the perimeter of the secure network. It brings control to an area that has historically been beyond their control.

    What Is Windows Rights Management Services (RMS)?

    Windows RMS is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use. RMS combines Windows Server 2003 features, developer tools, and industry security technologies, including encryption, XrML-based certificates, and authentication, to help organizations create reliable information protection solutions for their valuable and sensitive business file content.

    The Windows RMS solution requires:

    • Windows RMS for Windows Server 2003

    • The RMS client application programming interface (API) for Windows clients (Windows 98 Second Edition and later)

    • eXtensible rights Markup Language (XrML), a rights expression language based on the eXtensible Markup Language (XML), used to express the usage rights attached to protected content

    • RMS client and server software development kits (SDKs) that enable Windows-based client and server applications to become "rights-enabled"

    RMS is a premium information protection service of Windows Server 2003 and is responsible for all machine activation, licensing, enrollment, and other administration-related activities. The creation and consumption of RMS-enabled documents is the responsibility of RMS-enabled client software such as the Microsoft Office 2003 Editions, or an RMS-enabled browser such as Microsoft Internet Explorer with the Rights Management Add-on (RMA). RMS allows users to apply information protection with great ease and efficiency from within their customary software environment. Any Windows platform application can work with the API in the SDK to support RMS. RMS must establish a trust ecosystem, where a PC, user, application, and server are all integral and trusted components. This trust is established and validated through the use of XrML certificates for each component. Every PC must receive a "Machine Certificate" and RMS "lockbox" to become trusted, and each user must receive a Rights Management Account Certificate (RAC) to be recognized by RMS. Additionally, each user must have a Client Licensor Certificate (CLC) if they wish to publish rights-protected content on their machine without a connection to RMS.

    RMS-enabled client software also works closely with Microsoft's Active Directory® directory service, a component of the Microsoft Windows Server operating system, to identify users and distribution groups and to assist in assigning and enforcing access and usage rights.[1] Through the use of Active Directory roles and group policies, information managers can create a wide range of distinct user communities, each of which can have different information access rights.

    RMS deployment is straightforward and demands minimal resources. Organizations can roll out RMS across the network by using, for example, Microsoft Systems Management Server. Users do not need to have administrative privileges to activate RMS on their desktops, nor do they need access to the Internet.

    Flexible Information Protection

    RMS capabilities can also be employed at a much more granular level. For example, an organization may create a report that contains both sensitive and non-sensitive information. Non-sensitive sections of the report could be rights-protected to be accessible to a broad audience, while sensitive sections could be made accessible only to a select group of users.[2] RMS even enables an organization to create documents with multiple authorized user communities, so different recipients of the same document file can be assigned different usage rights.

    Information managers can use RMS to control which recipients can view a file and what they can and cannot do with the information they are authorized to view. For example, two individuals may both be authorized to view a Word document. However, because of the way that the author has defined the rights, one of them may be unable to cut, copy, print, e-mail, or save/save as from the document, while the other has only the rights to save and print. The familiar Alt+PrtScn capability is also disabled by RMS, although an authorized user with malicious intent could capture and reproduce the essence of the information through an "analog attack," such as the use of a digital camera, pen and paper, or voice recorder. Of course, those users must first be authorized with at least "View" privileges by the author of the file in order to open it. This risk highlights that RMS is not intended to be a 100-percent bulletproof solution, although it will help to eliminate accidental leaks of information. Rights-protected e-mail messages may be non-forwardable and non-printable if the author so chooses. Rights-protected documents of any kind can even be set up for time-restricted access, and after that author-defined period of time has elapsed, the files can no longer be opened as the "use license" will have expired. This helps assure that only the latest version of a document is available, since all of the older versions will have expired and cannot be opened any longer.

    [1] RMS requires Active Directory 2000 or later.
    [2] The Rights Management Client SDK offers this section-specific Rights Management capability; however, the implementation must be done by the ISV or the Solutions Integrator. It will not be available with Microsoft Office 2003 Editions.


Creation, Enforcement, and Consumption of Protected Information

    The creation, enforcement, and consumption of rights-protected information involve separate but related steps and technologies.

    Creating Rights-Protected Information

    Using RMS-enabled application software, such as the Microsoft Office 2003 Editions, to create rights-protected information is as easy as clicking the new "Permissions" button in the toolbar. It is also possible to create rights policy templates in which usage rights are pre-defined and published as templates by your RMS administrator. Templates make it very easy for authors to assign rights to their files. Users simply choose the correct template (for example, "Company Confidential" or "Project Team-Only") from the File/Permissions drop-down menu, and the appropriate access and usage rights are automatically assigned to the authorized users in the background. Template creation is done by the RMS administrator and is a simple process of checking boxes, choosing individuals and/or Active Directory distribution groups, and naming and saving the templates. Templates are stored at the RMS server for easy updating by the RMS administrator and are distributed to the client applications via group policy, a script in Microsoft Systems Management Server 2003, or a similar method. Each RMS-enabled application will display the list of templates available to the authors.

    Enforcing RMS Protections

    Applications using the RMS SDK become "RMS-enabled applications" and can communicate with RMS servers. An RMS-enabled application can publish rights-protected information using a publishing license that the application binds into the document file, with the content encrypted using either 128-bit AES or 56-bit DES.[3] Microsoft Office 2003 Editions use 128-bit AES encryption. (A 56-bit DES key is small enough to be recovered by exhaustive search and should not be chosen for new applications; AES is the appropriate option.) If the author has the Client Licensor Certificate (CLC) on their PC, they may publish rights-protected information offline, without a connection to their RMS server. The recipient merely double-clicks to open the file, and a request for a use license is made to RMS. RMS checks the publishing license to see if the recipient requesting a use license has been granted rights and, if so, which rights were granted. It uses Windows authentication to validate the user and issues the use license, and the RMS-enabled application enforces the rights expressed in the publishing license as defined by the content author. If the entity to which the rights are granted is an Active Directory distribution group, RMS will call upon Active Directory to do group expansion and validate that the individual requesting a use license is a current member of the named group. If so, the license will be granted and the rights will be enforced according to the author's wishes. If the user is not a group member, then the request will be denied and no use license will be granted. The file will not open.

    Note that the server decides whether to issue a use license, but the usage restrictions themselves (no print, no copy, no forward, expiry) are enforced by the RMS-enabled application on the recipient's machine. The protection therefore rests on the trust ecosystem described earlier: a trusted PC, lockbox, and application, each validated by its XrML certificate.
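    The publish, license, and enforce sequence described above, together with the rights policy templates and per-recipient rights from the two preceding sections, as an added example that is not part of the white paper and not Microsoft's code. It is a simplified model written for this page: the directory contents, template names, user principals, sample dates, and function names are assumptions, and the real RMS exchanges XrML licenses and wraps a content key inside them, which the model leaves out. What it shows is the decision the server makes (named user or expanded group membership, then expiry) and the separate check the client application makes before each action.

```python
"""Simplified model of the RMS publish / use-license / enforce flow.

Added example for this page, not Microsoft code and not the XrML format.
Directory, templates, principals, dates and function names are assumptions;
the cryptography (content key, RAC, CLC) is deliberately left out.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Set

# Usage rights an RMS-enabled application can enforce.
VIEW, EDIT, PRINT, COPY, FORWARD, SAVE = "view", "edit", "print", "copy", "forward", "save"

# Rights policy templates as an RMS administrator would publish them:
# template name -> (principal -> rights). A principal is a user or a group.
TEMPLATES: Dict[str, Dict[str, Set[str]]] = {
    "Company Confidential": {"All Employees": {VIEW, PRINT}},
    "Project Team-Only": {"Project Team": {VIEW, EDIT, SAVE}, "Partners": {VIEW}},
}

# Constructed stand-in for Active Directory: group -> members (groups may nest).
DIRECTORY: Dict[str, Set[str]] = {
    "All Employees": {"alice@corp.example", "bob@corp.example", "Project Team"},
    "Project Team": {"alice@corp.example"},
    "Partners": {"carol@partner.example"},
}

# Constructed sample clock values for the author-defined expiry.
NOW = datetime(2005, 4, 1, tzinfo=timezone.utc)
EXPIRY = NOW + timedelta(days=30)
AFTER_EXPIRY = EXPIRY + timedelta(days=1)


def expand_group(group: str, directory=DIRECTORY, seen=None) -> Set[str]:
    """Resolve a group to its user principals, visiting nested groups once each."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users: Set[str] = set()
    for member in directory.get(group, ()):
        if member in directory:
            users |= expand_group(member, directory, seen)
        else:
            users.add(member)
    return users


@dataclass
class PublishingLicense:
    """What the author's application binds into the protected file."""
    content_id: str
    rights: Dict[str, Set[str]]          # principal -> granted rights
    expires: Optional[datetime] = None   # author-defined end of access

    @classmethod
    def from_template(cls, content_id: str, template: str,
                      expires: Optional[datetime] = None) -> "PublishingLicense":
        rights = {p: set(r) for p, r in TEMPLATES[template].items()}
        return cls(content_id, rights, expires)


@dataclass(frozen=True)
class UseLicense:
    """What the server returns to one authenticated user for one file."""
    content_id: str
    user: str
    rights: FrozenSet[str]


def issue_use_license(pl: PublishingLicense, user: str, now: datetime,
                      directory=DIRECTORY) -> Optional[UseLicense]:
    """Server side. `user` is the Windows-authenticated identity.
    Returns None when the request is denied: the file will not open."""
    if pl.expires is not None and now >= pl.expires:
        return None                      # time-restricted access has lapsed
    granted: Set[str] = set()
    for principal, rights in pl.rights.items():
        if principal == user:
            granted |= rights
        elif principal in directory and user in expand_group(principal, directory):
            granted |= rights            # group expansion at license time
    if not granted:
        return None
    return UseLicense(pl.content_id, user, frozenset(granted))


def application_allows(ul: Optional[UseLicense], action: str) -> bool:
    """Client side: the RMS-enabled application consults the use license
    before every view, edit, print, copy, forward or save."""
    return ul is not None and action in ul.rights


if __name__ == "__main__":
    pl = PublishingLicense.from_template("deal-memo", "Project Team-Only", expires=EXPIRY)
    for user in ("alice@corp.example", "carol@partner.example", "bob@corp.example"):
        ul = issue_use_license(pl, user, NOW)
        print(user, "->", sorted(ul.rights) if ul else "denied")
```

    Two points the model makes visible: group membership is resolved when the use license is requested, so removing a user from the Active Directory group revokes future access without touching the file, and every restriction after the server's yes/no answer is a check inside the client application, which is why the white paper insists on a trusted PC, lockbox, and application.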

    Consuming Rights-Protected Documents

    To consume rights-protected documents, a user must use applications that have been RMS-enabled, such as the Microsoft Office 2003 Editions (specifically the core programs Microsoft Office Outlook® 2003, Microsoft Office Word 2003, Microsoft Office Excel 2003, and Microsoft Office PowerPoint® 2003). Earlier versions of Office System programs can neither create nor consume rights-protected content by themselves, but users with the Rights Management Add-on can consume protected information with the rights enforced. Microsoft is proactively working with independent software vendors (ISVs) and solution integrators (SIs) who are interested in RMS-enabling their solutions. Any application that writes to the Windows RMS client APIs can publish and enforce rights-protected content. Individuals who attempt to access rights-protected information without using RMS-enabled applications will find that they cannot access the rights-protected information at all. If they attempt to open the file by some other means, they will see only the encrypted content, which is unreadable without a use license.

    [3] The RMS SDK offers the application developer a choice of using either 128-bit AES or 56-bit DES encryption.

    Protecting Your Organization's Interests

    It is important to note that, in the event a file author or owner becomes incapacitated or is terminated, RMS provides a license safety net through its "Super Users" feature. During deployment, the RMS administrator will set up Super User privileges for a highly trusted group of people. This group will have the highest level of rights and will automatically have full-access use licenses to all files licensed by RMS. While this feature would rarely be used, it protects an organization's intellectual property and information integrity when an unexpected situation arises. The Super Users feature is also valuable during an audit, when responding to a subpoena, or while conducting an in-house investigation. Because membership in this group confers the ability to open every file the RMS server has licensed, treat it as the most privileged role in the deployment: keep the group small, review its membership regularly, and log each use. We recommend that organizations use standard security best practices for deciding who should be given this level of access.

    Benefits

    RMS provides organizations with an easy-to-use rights management solution, augmenting their security strategies by providing protection of information through persistent usage policies, which remain with the information no matter where it goes. RMS can be used for all types of digital business information, including e-mail, database-backed dynamic content, documents, and presentations. It enables the enforcement of policies such as print restrictions, "do not forward," permissions expiration, the optional requirement of a new license every time a user opens a rights-protected file, and other corporate policies. RMS is designed to leverage existing infrastructure investments by using Windows authentication and Active Directory for discovering services within the environment.

What Can RMS Do for Legal Organizations?

    In today's global marketplace, lawyers frequently work across great distances with other lawyers outside of their firms or organizations, often across state lines and country borders. Lawyers are aware that when they use the Internet, it is not a secure transmission. In effect, e-mail is a postcard, and the attachments are open books.

    Until now, it has been quite difficult to protect electronic information from falling, either accidentally or by design, into inappropriate hands. Law firms around the world are forced to rely on the trustworthiness of the individuals who come in contact with sensitive information. And while it is important that a firm be able to trust its employees and those with whom it has a formal legal relationship, it is also important that a firm have tools to enforce policies governing access to sensitive information.

    Windows RMS provides a mechanism to reduce vulnerabilities throughout the flow of information within the legal process. Consider how RMS can reduce the vulnerabilities in the scenarios outlined at the beginning of this paper:

    • Any Word document containing content deemed to be protected by attorney-client privilege can be protected using an RMS-enabled application. The author could restrict the document so that no one but the attorney and the client could view the sensitive content. If someone outside the firm were to acquire the file, they would be unable to view the content, even if they were to try to open the file on a system over which they had complete control. RMS could be used to restrict file access to a small legal team, and privileges could be set up so that only certain members of the team could edit or save changes to the document. Other members might be able to view the document but not print or share its contents with anyone.

    • RMS could be used in a similar fashion to protect information associated with a proposed acquisition. The legal team in the acquisition target could use Microsoft Office 2003 Editions to prepare the Office Word and Office Excel documents with all the financial and business details and then use RMS to limit access to the content to certain specified executives at the company proposing the acquisition. Regardless, then, of whether the document was sent on a disk or through electronic mail, RMS would not allow any other users to view the protected content. The legal team at the target company could use RMS's time-expiry functionality to place a time limit on access to the information in the file, expiring the use license of a file on a specific future date. Although the file remained in the hands of the executives at the company proposing the acquisition, no one at that company could view or use the sensitive information after the expiration of the RMS "use license."

    Increased Confidentiality

    RMS enables attorneys to send confidential documents back and forth via e-mail in a way that reduces the risk of the information ending up in the wrong hands. In addition to facilitating work with outside counsel,[4] RMS also enables lawyers to route confidential communications within their organizations and, in a limited way, to their external clients.[5] This could be an enormously beneficial security program for

    [4] Note: There are several RMS deployment issues to work through with inter-organizational RMS support.
    [5] While RMS is intranet-focused, there will be trusted third-party organizations and individuals who can facilitate Internet-based implementations such as extranet deployments or third-party hosting services. Please contact Microsoft for more information.
