Best Practices


The following list contains suggestions to help you deploy a Windows Media Rights Manager system. When you create a solution by using the Windows Media Rights Manager SDK, security should be a paramount goal, and the measures you take should not be limited to these suggestions.

Security

  • For very secure files, issue only version 7 or later licenses. However, version 7 or later licenses can only be interpreted by players that support Windows Media Rights Manager version 7.1 or later, such as Windows Media Player 7.1.
  • Version 7.1 and later licenses let you use features that increase security such as individualization and Secure Audio Path.

Version 1 Support

  • For backward compatibility, include version 1 and 7 or later information when packaging your files, and then issue version 1 and 7 or later licenses for them.

    However, if you do not have a version 1 process, specify the version 7 key ID in the WMRMProtect.V1KeyID property.

  • Version 1 licenses should be simple (allow play), but you can use more complex features in the version 7 and later licenses.

  • Windows Media License Service version 1 was changed so that you can extract values from the registry (the same values used for version 7.1 of License Service) rather than reading these values from a database. For more information, see Supporting Windows Media Rights Manager 1.

License Key Seed

  • Use the WMRMKeys.GenerateSeed property to generate your license key seed. The format is a 40-character string of random alpha-numeric characters.
  • Ensure that you use strong security when you store your license key seed; if the license key seed is compromised, so is your content. Also, take care not to lose it because there is no way to recover it.
  • Change the license key seed regularly.
  • When exchanging the license key seed between the content packager and license issuer (these functions should be performed on different servers), use a secure method of delivery and information exchange so that the license key seed is not compromised.
  • License Services can manage different license key seeds for different content packagers.

Keys

  • Use the WMRMKeys object to generate key IDs and keys.

    Although it is possible to use custom key IDs, issues may arise on the client for various reasons, such as if the custom value is too short, if it includes non-standard characters, or if it is not base64-encoded. These issues can be avoided by generating key IDs using WMRMKeys.GenerateKeyID. If you still want to include a unique identifier that you provide, consider using it as the WMRMHeader.ContentID value.

Rights

  • When packaged Windows Media files are copied to a CD, they are no longer protected. You should not allow the right AllowPlaylistBurn if you do not want your packaged files to be copied to a CD.
  • For any licenses that allow counted operations (Playcount and CopyCount) or set an expiration period, you should not allow the right AllowBackupRestore because restoring the license also restores the original values of the operations and expiration.

Attributes

  • Add attributes to the content headers and licenses. For a list of recommended attributes, see Adding Attributes to the Content Header and Adding Attributes to Licenses.

  • If you want to be able to revoke licenses, you must add the license revocation public key to licenses as an attribute by using the WMRMLicGen.Attribute property, as follows:

    WMRMLicGen.Attribute("LGPUBKEY") = YourLicenseRevocationPublicKey

    You can also add a user ID (UID), which allows you to revoke licenses based on the user:

    WMRMLicGen.Attribute("UID") = UserID
  • Because licenses on devices are limited to 5K characters in size, limit the use of license attributes accordingly.

Content IDs

  • Include unique content IDs in content headers. Use the WMRMKeys.GenerateKeyID property to generate your content IDs.

License Management (Backup and Restore)

  • The license management feature is designed to create a good experience for consumers when backing up and restoring licenses. The Microsoft License Management Service that manages this feature provides business rules to prevent abuse of content. You can implement a different solution for consumers to recover licenses, but it might be less appealing to consumers.

Individualization

  • For the latest information about individualization (such as the current individualization version number), see the Microsoft Web site.
  • Do not issue version 1 licenses for packaged files that require individualization.
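
The rules from the Rights and Individualization sections above can be checked before a license is issued. The following Python sketch is an added example, not part of the Windows Media Rights Manager SDK; the LicensePolicy record, its field names, and the finding codes are hypothetical, and only the right names in the comments come from this page.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LicensePolicy:
    """Hypothetical summary of a license about to be issued (not an SDK type)."""
    version: int                          # 1, or 7 for "version 7 or later"
    allow_backup_restore: bool = False    # AllowBackupRestore
    allow_playlist_burn: bool = False     # AllowPlaylistBurn
    play_count: Optional[int] = None      # Playcount; None means not counted
    copy_count: Optional[int] = None      # CopyCount; None means not counted
    has_expiration: bool = False          # any expiration period is set
    requires_individualization: bool = False
    cd_copies_acceptable: bool = False    # assumed business decision


def lint(policy: LicensePolicy) -> List[str]:
    """Return a finding code for each best practice the policy breaks."""
    findings = []
    limited = (policy.play_count is not None
               or policy.copy_count is not None
               or policy.has_expiration)
    # Restoring a license restores the original counts and expiration.
    if policy.allow_backup_restore and limited:
        findings.append("BACKUP_RESTORE_RESETS_LIMITS")
    # Files copied to a CD are no longer protected.
    if policy.allow_playlist_burn and not policy.cd_copies_acceptable:
        findings.append("PLAYLIST_BURN_REMOVES_PROTECTION")
    # Version 1 licenses must not be issued for individualized content.
    if policy.version == 1 and policy.requires_individualization:
        findings.append("V1_LICENSE_WITH_INDIVIDUALIZATION")
    return findings


# Constructed sample policies, for illustration only.
SAMPLES = {
    "rental": LicensePolicy(version=7, play_count=5, allow_backup_restore=True),
    "legacy": LicensePolicy(version=1, requires_individualization=True,
                            allow_playlist_burn=True),
    "purchase": LicensePolicy(version=7, allow_backup_restore=True),
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        print(name, lint(policy) or "ok")
```

A license issuing page could populate such a record from the rights it is about to set and refuse to issue when the returned list is not empty.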

Secure Audio Path

  • To use this feature, the player that is included with Microsoft Windows Millennium Edition must be upgraded before it can play packaged files requiring Secure Audio Path. Check the challenge to ensure that the player has been upgraded to a version greater than 204, which is determined by checking SUBJECTID1. If the player has not been upgraded, redirect consumers to a download location to obtain a newer player.

Windows Server 2003

  • Use strong network security for servers on the Internet, which might include using firewalls and routers for increased security and scalability.
  • Use strong passwords.
  • Ensure you have physical security for your servers.
  • By default, Internet Information Services (IIS) and Active Server Pages (ASP) are not enabled on Windows Server 2003. These features must be enabled before you can use the sample pages for Windows Media Rights Manager SDK.

Encoded Files

  • If you have digital files that were encoded with an ACM codec, they must be re-encoded using one of the supported codecs. For more information about supported codecs, see Creating Packaged Windows Media Files.

Windows Media License Service

  • The certificates that you obtain to run your Windows Media License Service expire periodically, and these certificates expire at different times from each other. A license server cannot continue to issue licenses with expired certificates, so it is important to monitor the certificates and to renew them before they expire. For more information, see Checking the Expiration Date on Your Certificates.
  • Verify that the clocks on your licensing servers are accurately set.


© 2007 Microsoft Corporation. All rights reserved.