Protect Your Windows Network: From Perimeter to Data
ACLs usually rely on some external system enforcing the control. For example, NTFS ACLs apply to a file only so long as the file lives within the ACL'ing system: the share on a file server. When an otherwise-authorized user moves or copies the file to a location outside the ACL'ing system, for instance to a USB drive, the ACLs no longer apply. Suppose Alice has read-only access to a share containing a Word document. When she loads Word and opens the document, a copy of the document lives in the memory on Alice's computer. Alice is free to do whatever she wants to this copy (perhaps modify it) and save it to a different location where she has write access. Now how will Bob know which version of the document is authoritative? Or suppose Alice composes a confidential e-mail and in big red letters writes "Do not forward!" at the top. At this point there are no technical controls to prevent Bob from forwarding it to his friends at a competing company. Would you like a way to control this? Mobility demands new forms of controlling access, forms that work regardless of where the data might live.
Windows Rights Management Services [6] (RMS, no W) is an alternative form of access control; that is all. RMS enables creators ("producers") of content to project a usage policy onto the information they compose, and the policy persists with the information regardless of where it lives: on network shares, on local hard drives, on CD-ROMs, in e-mail attachments, anyplace. A policy describes what other users ("consumers") are allowed to do: view, modify, copy, print, save, forward. Policies can also be time based, prohibiting all access after a certain date and time. RMS does not rely on any external system to impose and maintain rights.
[6] This section is only an introduction to RMS, how it works, and why we like it so much. For more detailed information, including planning and deployment guidance, see http://www.microsoft.com/rms/.
Unlike other forms of access control, RMS truly helps you keep internal information internal. Recall our discussion in Chapter 6, "If You Do Not Have Physical Security, You Do Not Have Security," and Chapter 12, about USB drives and how trying to disable them is really a fruitless effort. If there is a risk of people exporting information from your organization, RMS gives you some level of control because the rights are persisted onto the objects themselves; the information now takes part in its own protection.
RMS sounds similar to but is not the same thing as digital rights management (DRM), a form of copy protection popular in the entertainment industry. RMS really is not designed for protecting music and video files. RMS gives you a powerful tool for expressing policies on information, but, like all security tools, cannot guarantee unbreakable, attacker-proof security. For instance, RMS cannot protect against analog attacks. An example of such an attack would be someone taking a photocopy of the monitor. Other examples include taking a photograph of the monitor with a digital camera and e-mailing the image, dictating the contents over a telephone, or smuggling away a printout. Of course, ordinary ACLs cannot stop these kinds of attacks, either.
Think of RMS as an ACL'ing system that does not require network administrator involvement, thus allowing producers to set their own levels of access that are followed no matter where users happen to be. [7] We like RMS because it moves the access decision away from the network guys, who are usually disinterested, and puts it directly in the hands of those who care: the creators of the content. Of course, without a security policy (see Chapter 4, "Developing Security Policies") in place to assist the creators in selecting the proper level of protection for their information, RMS will not be particularly helpful. You must have guidance on how to classify information in your policy for the technology to reach its full potential.
[7] And no, RMS is most certainly not the mark of any beast, contrary to the silly bombast in "Office 2003: The mark of the beast?" by Russ McGuire (http://www.businessreform.com/article.php?articleID=10425). Anyone who uses the correct rights-enabled application and possesses the necessary permissions can read protected documents.
WARNING: Do Not Use RMS for State Secrets
RMS is designed to protect run-of-the-mill corporate information from casual thieves. It is still basically just a software secret. Software secrets are composed of smoke and mirrors and they can be difficult to break, but they are all breakable by a determined attacker with unlimited resources. RMS is no different. It does not provide unbreakable, attacker-proof security. It simply aids in keeping honest people honest and in keeping some of the less-competent and -resourced attackers at bay.
RMS Workflow
RMS works together with Active Directory to identify users. A user's RMS identity is his or her e-mail address; when producers grant permissions to people for documents, those permissions are granted to an identity represented by a canonical name, typically an e-mail address. The RMS server generates and keeps copies of all encryption keys; key archival is not a separate process you need to worry about. The server also audits all activities of both producers and consumers, so you can know when people create and access protected information and what they have done with it.
The RMS workflow is a five-step process:
1. A producer receives a client licensor certificate (CLC) the first time he or she protects information. This happens only once and allows this producer to create protected documents.
2. The producer defines a set of usage rights and rules (who can do what) for the file. The application first creates a publishing license that includes a symmetric encryption key (currently DES and AES are supported), and then encrypts the document with that key and encrypts the document key with the RMS server's public key. The application embeds the publishing license into the file.
3. The producer distributes the file.
4. When the consumer opens the file, again using the correct rights-aware application, the application verifies the identity of the user who opened the document against the RMS server and issues a use license. To create a use license, the RMS server first uses its own private key to decrypt the document key, and then it uses the consumer's public key to encrypt both the document key and the details about this consumer's particular rights and restrictions and delivers this encrypted blob to the application.
5. The application uses the consumer's private key to decrypt the blob, thus obtaining information about the consumer's rights and the document key. The application uses the document key to decrypt the file, renders it in the application's window, and enforces the rights. Finally, the application appends the use license to the file and writes it back to its location.
Note the implication: RMS files will grow as authorized consumers access them. This allows consumers to access documents again without having to go through the complete authorization process. Rights-protected information, then, will need to live in storage where all authorized users have write access, even if their RMS-granted permission is view only.
RMS Components
RMS is a system composed of an identity and authentication mechanism (Active Directory), an XrML certificate server (the RMS server), a client component and key "lockbox," and applications that are rights-aware. This last component is important: to produce and consume protected information, you must use an application that knows how to participate in the RMS system. At rest, protected information is encrypted; applications that are not rights-aware have no idea how to participate in the system and decrypt the information.
Microsoft Office 2003 includes a technology called "information rights management" (IRM). IRM is Office 2003's interface into RMS. Office 2003 Professional can both produce and consume rights-protected content; Office 2003 Standard can only consume. There is also a rights management client for Internet Explorer that can consume rights-protected content delivered by rights-aware Web applications. When you protect information in Office 2003 Professional, the protection process embeds an HTML version of the content in the encrypted document; users who do not have either version of Office 2003 can use the IE RMS client to render the HTML version of protected content. Office 2003 uses 128-bit AES encryption to protect the information.
Third-party software developers can use the Rights Management SDK [8] to develop their own rights management-aware applications. We have a customer who is developing a rights-aware version of a bill-of-lading system used to track contents and locations of shipping containers. By protecting this information with RMS, they can implement the important principle of least privilege: because most people involved in the movement of shipping containers need nothing more than view access to bills of lading, this customer is eliminating situations in which someone might be tempted to alter bills of lading for individual personal gain.
[8] http://msdn.microsoft.com/library/en-us/drmclsdk/drmclsdk/rights_management_client_sdk.asp