Professor Windows - June 2004

Managing Rights – Security from Within

Written By:

  • Professor Windows
  • Tal Sarid, Solutions Security and Infrastructure Architect, Microsoft Israel

Reviewed By:

Mark Hervol, Windows Rights Management Services Support Team

Introduction – Where is Your Perimeter?

When we hear about systems defense, lately more and more, we hear about security layers, boundaries or circles. You might have heard this phrased "Defense in Depth". Defending networks and systems today, takes everything that we have, focusing on every layer from the perimeter, the network, the server, the client, the application and the data.

But wait a minute: Hmm... What about the data? Think about it for a moment. Let's say you send me an encrypted file. Encryption is good as it provides confidentiality, privacy and integrity, but it solves only a part of the problem. Once I have that file, I can pretty much do anything I want with it. I can print it out, forward it to someone, or even decrypt and post it somewhere out in the Wild Wild Web (read: your company's sensitive information just left your perimeter, wherever that perimeter may be).

Managing Information Rights

What if I, as the author, creator or owner of the information, could manage the rights / policy on my individual files? What if I, as a technology officer, could provide this type of empowerment on an enterprise scale? Windows Server 2003 Rights Management Services does just this.

Microsoft Windows Rights Management Services (RMS) for Windows Server 2003 is defined as information protection technology which safeguards sensitive and proprietary information from unauthorized use. This sensitive and proprietary information is usually in the form of financial reports, product specifications, customer data and confidential e-mail messages.

RMS empowers organizations to define persistent usage policies that prevent recipients from forwarding or printing data, or even to view it if they are not authorized. By persistent we mean that RMS binds the usage policy to the binary format of the data. So in this age where everyone is connected to everything, wherever that piece of information may end up, the usage policy remains with it.

A Look Inside

Let's take a look at how users publish and consume rights-protected information:


Figure 1 Workflow of creating and viewing rights-protected information

  1. Using an RMS-enabled application such as Office Professional 2003, an author creates a file and defines a set of usage rights and conditions for that file along with a list of authorized users. A publishing licensing is then generated that contains the usage policies. The publishing license also includes the URL of the RMS server that can issue a use license for that content.

  2. The application then encrypts the file contents with a symmetric key which is then encrypted to the public key of the author's Windows RMS server. The encrypted symmetric key is then inserted into the publishing license and the publishing license is bound to the file. Only the author's Windows RMS server can issue use licenses to decrypt this file.

  3. The author distributes the file.

  4. A recipient receives a protected file through a regular distribution channel and opens it using an RMS-enabled application or browser.

    If the recipient does not have an RMS machine account certificate on the current computer, this is the point at which one will be issued by the RMS server.

  5. The application sends a request for a use license to the server that issued the publishing license for the protected data. The request includes the recipient's account certificate (which contains the recipient's public key) and the publishing license (which contains the symmetric key that encrypted the file).

  6. The Windows RMS licensing server validates that the recipient is authorized, checks that the recipient is a named user, and creates a use license.

    During this process, the server decrypts the symmetric key using the private key of the server, re-encrypts it using the public key of the recipient, and adds it to the use license. The server also adds any relevant conditions to the use license, such as the expiration or an application or operating system exclusion. By doing this step only the intended recipient can decrypt the symmetric key and thus decrypt the protected file.

    When the validation is complete, the licensing server returns the use license to the recipient's client computer.

  7. After receiving the use license, the application examines both the license and the recipient's account certificate to determine whether any certificate in either chain of trust requires a check against a revocation list.

    If so, the application checks for a local copy of the revocation list. If it has expired , the application retrieves a current copy. The application then applies any revocation conditions that are relevant in the current context. If no revocation condition blocks access to the file, the application renders the data, and the user may exercise the rights they have been granted.

Encrypted to the Server

One of the main advantages of a system like this is that the data is encrypted to the server - meaning that the server can always decrypt and re-encrypt the information if necessary. Imagine a scenario using a different technology such as Public Key Infrastructure (PKI), where information is encrypted to a specific user, and that user loses his/her keys. That information is lost. On the other hand, if the information is encrypted to the server, we still have the option to "repackage" the data to an authorized entity.

Leveraging XML for Rights Management

Some of you might be thinking but I already have a PKI. We can clearly see more and more x.509 v3 PKI projects, but there is an evolving standard that might someday replace these "legacy" systems.

XRML 2.0, Xml Rights Markup Language is a language specification and schema that provides a universal method for securely specifying and managing rights and conditions. RMS leverages this extensible and flexible language. Moving forward we should be seeing the Microsoft PKI solution evolving to better serve both x.509 and XRML.

So, is your information protected from within? RMS can help protect your organizations information through persistent usage policies, which will remain with the information, no matter where it goes.

May the source be with you.

Related Links

For a list and additional information on all Professor Windows columns, click here.

For any feedback regarding the content of this column, please write to Microsoft TechNet. Please be aware that this is not a support alias and a response is not guaranteed.