5.1.2 SubEnrollServiceSoap Security Considerations

The SubEnrollServiceSoap port type does not communicate any sensitive information. However, it is strongly recommended that access to the SubEnrollServiceSoap port type be restricted by requiring authentication and using restrictive access control lists so that the deployment of RMS servers inside a given organization can be controlled and planned. Otherwise, an attacker might be able to deploy a sub-enrolled server that appears legitimate but is actually not sanctioned by the organization. If an attacker can lure a victim to use this untrustworthy server, protected content published by that victim could be disclosed to the attacker. Sub-enrolled servers do not have the capability to license content that has been published against the root RMS server.

Responding to a SubEnroll request results in multiple asymmetric cryptography operations, making it a potential target for denial-of-service attacks. Restricting access to the port type as described will reduce this risk.

It is also recommended that communication be performed over HTTPS instead of HTTP to mitigate any man-in-the-middle attacks that might allow an attacker to use an untrustworthy server to issue SLC chains to legitimate sub-enrolled servers. Although this attack will not result in any information disclosure, it can result in confusion and create an administrative burden to correct the situation.
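
One way to check a deployment against these recommendations (an added example, not part of the specification): the script below audits web server logs in IIS W3C extended format for SubEnroll requests that arrived without HTTPS, succeeded without an authenticated user, came from a client outside an allowlist, or exceeded a per-client volume threshold. The endpoint path, the allowlist, the threshold, the treatment of port 443 as HTTPS, and the sample log lines are assumptions constructed for illustration.

```python
from collections import Counter

# Assumptions (not from the specification): endpoint path, allowlist,
# volume threshold and HTTPS port are placeholders for illustration.
SUBENROLL_PATH = "/placeholder/SubEnrollService.asmx"
ALLOWED_CLIENTS = {"10.0.5.20"}
MAX_REQUESTS_PER_CLIENT = 3
HTTPS_PORT = "443"

# Constructed sample log (IIS W3C extended format field names).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status
2024-01-10 09:00:01 POST /placeholder/SubEnrollService.asmx 443 CONTOSO\\rmsadmin 10.0.5.20 200
2024-01-10 09:05:12 POST /placeholder/SubEnrollService.asmx 80 CONTOSO\\rmsadmin 10.0.5.20 200
2024-01-10 09:07:30 POST /placeholder/SubEnrollService.asmx 443 - 10.0.9.77 200
2024-01-10 09:10:00 POST /placeholder/SubEnrollService.asmx 443 - 10.0.9.88 401
2024-01-10 09:10:01 POST /placeholder/SubEnrollService.asmx 443 - 10.0.9.88 401
2024-01-10 09:10:02 POST /placeholder/SubEnrollService.asmx 443 - 10.0.9.88 401
2024-01-10 09:10:03 POST /placeholder/SubEnrollService.asmx 443 - 10.0.9.88 401
2024-01-10 09:11:00 GET /default.aspx 80 - 10.0.9.99 200
"""

def audit(log_text):
    """Return (timestamp, client, reason) findings for SubEnroll requests."""
    fields, findings, per_client = [], [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for later rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-uri-stem", "").lower() != SUBENROLL_PATH.lower():
            continue                           # not a SubEnroll request
        client = rec.get("c-ip", "?")
        when = f"{rec.get('date')} {rec.get('time')}"
        per_client[client] += 1
        if rec.get("s-port") != HTTPS_PORT:    # HTTPS recommendation
            findings.append((when, client, "not-https"))
        if rec.get("cs-username", "-") == "-" and rec.get("sc-status") == "200":
            findings.append((when, client, "anonymous-success"))
        if client not in ALLOWED_CLIENTS:      # access control recommendation
            findings.append((when, client, "client-not-allowlisted"))
    for client, count in per_client.items():   # denial-of-service indicator
        if count > MAX_REQUESTS_PER_CLIENT:
            findings.append(("-", client, f"request-volume:{count}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```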