How IT Works: Windows Rights Management Services

Randy Muller

In today's competitive business environment, information is a crucial commodity that requires proper security. With the numbers and types of external storage media available, it is even more critical for you to protect your data from accidental or intentional disclosure. There are an increasing number of government initiatives to protect information that might be accessed or stored by companies. The Health Insurance Portability and Accountability (HIPAA) Act was passed to ensure the protection of personal health information. The Gramm-Leach-Bliley Act was passed to provide more security for consumers' financial privacy. In addition to these government actions, corporations are being held increasingly responsible for the safeguarding of information they hold on their own employees as well as on their customers. The loss or compromise of this data could result in expensive legal action and loss of confidence by consumers.

Windows® Rights Management Services (RMS) can help. RMS can provide the protection for digital information required by your organization or by government regulation. RMS is fully compliant with the Federal Information Processing Standard (FIPS) 140-1, and therefore transactions from private business can be conducted with the government.

Compromise of data can occur through malicious intent or unintentional actions. The ease with which data can be copied and moved to external storage media (CDs, flash drives, external hard drives, and so on) makes it difficult to protect. In many cases, accepted security practices are not able to adequately protect this information any longer. A person may have access to a document, but you may not want this person to be able to save it to the external storage devices. Controlling how a document can be handled is a key element of RMS, as is protecting it while crossing the network.

RMS Resources

Today it's common to view security as a means of providing protection for networks and the data contained within the network. The first line of defense for networks is the perimeter, which is protected through firewalls, allowing only traffic you approve to enter or leave the network. While a firewall will allow authorized traffic to exit, it doesn't know if what is contained in the authorized traffic is of a compromising nature and should be prevented from leaving the network.

The next layer in network security is the use of NTFS permissions and Access Control Lists (ACLs). Together these are used to limit who can access what resources and, to a certain extent, what they can do with these resources. But once a user has accessed a file, she can save it to another location, thereby bypassing the security measures enforced with permissions and ACLs.

RMS can control what a user can do with a document after it has been accessed. This control will last regardless of where the user might store the document and you can even have time limits associated with the document so that, after a specified period of time, the document is no longer accessible.

When trying to stem the flow of potentially compromising information, you have to take into account e-mail messages. While you may mark e-mail messages "confidential," there haven't been any built-in mechanisms to restrict the forwarding of these messages. Sensitive information that is contained within e-mail is just as susceptible to dissemination as it is within a document. RMS allows for the control of e-mail messages and will prevent the inadvertent forwarding of messages that may contain sensitive data.

RMS Components

There are three essential components that comprise RMS: the RMS server, the RMS client, and RMS-enabled applications and SDKs. The RMS server is responsible for the proper certification of trusted entities, provides licensing of content that is rights-protected, and enrolls any users and servers. It also serves as the administrative point for RMS (see Figure 1).

Figure 1 Rights Management Components

The RMS client must be installed to work with an RMS server. The client software allows applications that are RMS-enabled to communicate with a server. The client requests licenses to consume (access and use) content and allows for the publishing of content.

The final element is the actual application that can use RMS. Applications can be made RMS-aware by using the Rights Management Services SDK.

RMS applies persistent usage policies to ensure consistent and reliable control over content. A trusted entity (an application, computer, group, or user) has been granted permission to use RMS. Since it is trusted, that entity is allowed to make use of RMS. Trusted entities can apply usage rights and conditions to content. They can specify what rights, permissions and actions are applied to a document. A trusted entity can specify that a document cannot be printed or saved, that an e-mail message cannot be forwarded, and even when access to the message will expire, thus eliminating further maintenance of the resource.

RMS-enabled resources are protected with encryption. A user wanting to access a resource must first be validated. This validation determines if the user is allowed access to the resource and, if so, what kind of usage rights are permitted. This usage requirement is maintained for the document.

How RMS Works

RMS is involved in three areas to ensure proper utilization: the actual creation of rights-protected resources, licensing and distributing these rights-protected resources, and decryption and usage of rights-protected resources. A trusted entity (one that has been granted access to make use of RMS) can create resources that are protected. When a resource has been protected, an XrML certificate identifies who is allowed access and what usage requirements are imposed on the resource.

The RMS server will issue a publishing license that delineates who is allowed to access the resource. Once this is done, the protected resource can be sent. When a trusted entity, say a user, wants to access a resource, the user will be validated by the RMS server which holds the public key for the encrypted resource and will issue a use license to the user. This use license specifies how the resource can be used and actions that can be taken with it. So these licenses are employed as the actual control mechanisms. The publishing license is created when a document is RMS-enabled and has been encrypted. The use license is required when a document is consumed.

Encrypting and Securing Content

Exactly how does RMS direct the process whereby control is maintained over documents, e-mail messages, and applications? RMS employs Public Key Infrastructure (PKI) as the basis for controlling access to documents. PKI uses asymmetric encryption in which two keys are used for the encryption/decryption process: one public key and one private key. In a typical PKI environment, a user will encrypt a document that can only be unencrypted by the recipient. In an RMS environment, the document is encrypted by the user and is maintained by the server. Any requests to access the document are made to the server, which will validate the request and its purpose, including printing, forwarding, and even saving a document.

The keystone of RMS is in using a standardized rights expression language (REL) to provide a common framework for interoperability. The language that is used to provide this commonality is XrML version 1.2.1. The XrML language can be used to apply rights and security to digital information in the form of a license. This XrML license is attached to the resource and is used to specify the permissions and usage applied to it.

XrML provides a universal method for securely specifying and managing rights and conditions associated with all kinds of resources including digital content and services. It is fully compliant with XML namespaces using XML schema technology.

Now let's see how the process of using RMS on a document works. The IT hero in this scenario has been tasked with coming up with the raises and salary information for the next fiscal year. Let's assume that he has the appropriate RMS client software installed on his machine. He creates a spreadsheet containing the new financial figures (something any company would want to keep under tight control!) and wants to apply RMS security to this confidential document.

Our hero uses an RMS-enabled application—in this case Microsoft Office 2003—to contact the RMS server through the application to apply for a publishing license for this document. The RMS server issues the publishing license which is applied to the document. The document has been encrypted, has a publishing license attached, and has suitable usage restrictions applied due to this process. The document has now been made more secure than simply using NTFS permissions and ACLs.

The IT guy sends the document to his manager for final review and comments. Before the manager can access the document, she will need to contact an RMS server to receive a use license for the document. The request for a use license is performed through the RMS-enabled application and, once complete, allows the manager to access the document according to the usage restrictions that were applied by the author of the document (see Figure 2).

Figure 2 Using RMS to Protect Documents and E-Mail
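
The publish-and-consume flow described above, as an added sketch that is not part of the original article and is not Microsoft's code. It assumes a simplified license format: JSON stands in for XrML, an HMAC with a constructed key stands in for the server's asymmetric signature, content encryption is left out, and all names, addresses and times are constructed.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # stand-in for the RMS server's signing key


def _sign(payload: dict) -> str:
    """HMAC over canonical JSON; real RMS signs XrML licenses with asymmetric keys."""
    blob = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, blob, hashlib.sha256).hexdigest()


def issue_publishing_license(author: str, grants: dict, expires: int) -> dict:
    """Server side: record who may do what with the document, and until when."""
    body = {"author": author, "grants": grants, "expires": expires}
    return {"body": body, "sig": _sign(body)}


def issue_use_license(pub: dict, user: str, now: int) -> dict:
    """Server side: validate the requester against the publishing license."""
    if not hmac.compare_digest(pub["sig"], _sign(pub["body"])):
        raise PermissionError("publishing license was modified")
    body = pub["body"]
    if now >= body["expires"]:
        raise PermissionError("content has expired")
    if user not in body["grants"]:
        raise PermissionError(f"{user} is not named in the publishing license")
    use = {"user": user, "rights": sorted(body["grants"][user]),
           "expires": body["expires"]}
    return {"body": use, "sig": _sign(use)}


def is_allowed(use: dict, user: str, action: str, now: int) -> bool:
    """Client side: the RMS-enabled application checks each requested action."""
    body = use["body"]
    return (hmac.compare_digest(use["sig"], _sign(body))
            and body["user"] == user
            and now < body["expires"]
            and action in body["rights"])


# Constructed scenario: the salary spreadsheet sent to the manager for review.
PUB = issue_publishing_license(
    "ithero@example.com", {"manager@example.com": ["view", "edit"]}, expires=2_000)
USE = issue_use_license(PUB, "manager@example.com", now=1_000)
```

Because the rights travel in the signed license rather than in the file system, copying the document elsewhere changes nothing: printing stays denied, and every action is refused once the expiry time passes.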

Requirements and Installation

The base requirements for RMS are Active Directory®, IIS 6.0, the .NET Framework and ASP.NET, and Microsoft® Message Queue Server (MSMQ). You'll also need RMS server software (RMS will only run on Windows Server 2003), RMS client software and RMS-aware applications, as well as a SQL Server™ 2000 SP3 (or greater) database.

Once you have the requisite software installed on the RMS server, you will need to provision the server. Provisioning simply means getting the server to communicate and respond as an RMS server on your network. The first RMS server you install will need to contact a Microsoft RMS enrollment server and request a Server Licensor Certificate (SLC). Once the SLC has been received from the enrollment server and installed, you will need to register the RMS Service Connection Point (SCP). RMS-enabled applications search for the SCP when trying to contact an RMS server. The actual SCP is stored as an entry in the Active Directory Configuration container.

The next step after configuring the RMS server is to configure the client machines for use with RMS. There are three distinct steps associated with configuring client machines for RMS, a process called Client Machine Activation. You need to install the RMS client software package on each machine; then you will go through the machine activation process that will create a lockbox (which holds the cryptographic keys) on each client machine. The final step involves getting a user certificate, which is used to generate an association between the user and a particular computer.

To take the RMS process a step further, you can create and deploy a Rights Policy Template to ensure that users who request a publish license receive a standard template that matches your requirements. This template will have the permissions listed that you can choose to apply.

RMS has a valuable place in a network where securing information from improper dissemination is vital. While there is a certain amount of effort required to install and provision an RMS solution, the end result more than justifies that effort.

Randy Muller, MCT, MCSE, MCSA, MCDST, teaches a variety of networking, security, and other computer classes. He is a former Army Signal Corps Officer and has been teaching since 2000. You can contact Randy at randy@randymuller.org.

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.