Security best practices for Information Protection

Information Protection Software Development Kits (SDKs) provide a robust system for publishing and consuming protected information of all types. To help a system be as strong as possible, information protection-enabled applications must be built using best practices. Applications share responsibility for helping to maintain the security of this ecosystem. Identifying security risks, and providing mitigations for the risks introduced during application development, helps to minimize the likelihood of a less secure software implementation.

This information supplements the legal agreement that must be signed to obtain digital certificates for applications using the SDKs.

Subjects not covered

Although the following subjects are important considerations for creating a development environment and secure applications, they're out of scope for this article:

  • Software development process management — Configuration management, securing source code, minimizing access to debugged code, and assigning priority to bugs. For some customers, having a more secure software development process is of paramount importance. Some customers even prescribe a development process.
  • Common coding errors — Information for avoiding buffer overruns. We recommend the latest version of Writing Secure Code by Michael Howard and David LeBlanc (Microsoft Press, 2002) to review these generic threats and mitigations.
  • Social engineering — Includes information about procedural and structural safeguards that help protect code against exploitation by developers or others within the manufacturer's organization.
  • Physical security — Includes information about locking down access to your code base and signing certificates.
  • Deployment or distribution of prerelease software — Includes information about distributing your beta software.
  • Network management — Includes information about intrusion-detection systems on your physical networks.

Threat models and mitigations

Digital information owners need the ability to evaluate the environments in which their assets will be decrypted. A statement of minimum security standards provides information owners with a framework for understanding and assessing the security level of the applications.

Some industries, such as government and health care, have certification and accreditation processes and standards that may apply to your product. Meeting these minimum security recommendations isn't a substitute for the unique accreditation needs of your customers. However, the intent of the security standards is to help you prepare for current and future customer requirements, and any investment you make early in the development cycle will benefit your application. These guidelines are recommendations, not a formal Microsoft certification program.

There are several major categories of vulnerabilities in a rights management services system, including:

  • Leakage — Information appears in unauthorized locations.
  • Corruption — Software or data is modified in an unauthorized manner.
  • Denial — A computing resource isn't available for use.

These topics focus primarily on leakage issues. The integrity of an API system depends on its ability, over time, to protect information by enabling access only to designated entities. These topics also touch upon corruption issues. Denial issues aren't covered.

Microsoft doesn't test or review test results related to meeting the minimum standard. The partner is responsible for ensuring the minimum standards are met. Microsoft provides two additional levels of recommendations to help mitigate common threats. In general, these suggestions are additive. For example, meeting preferred recommendations assumes that you have met the minimum standards, where applicable, unless otherwise specified.

Standard levels and descriptions:

  • Minimum standard: An application that handles protected information must meet the minimum standard before it can be signed with the production certificate received from Microsoft. Partners generally use the production hierarchy certificate at the time of final release of the software. A partner's own internal tests are used to verify whether the application meets this minimum standard. Meeting the minimum standard isn't, and shouldn't be construed as, a guarantee of security by Microsoft. Microsoft doesn't test or review test results related to meeting the minimum standard. The partner is responsible for ensuring the minimum is met.
  • Recommended standard: Recommended guidelines both chart a path to improved application security and indicate how the SDK may evolve as more security criteria are implemented. Vendors may differentiate their applications by building to this higher level of security guidelines.
  • Preferred standard: This standard is the highest category of security currently defined. Vendors who develop applications marketed as highly secure should aim for this standard. Applications that adhere to this standard are likely to be the least vulnerable to attack.

Malicious software

Microsoft has defined minimum required standards that your application must meet to protect content from malicious software.

Importing malicious software by using address tables

The information protection SDK doesn't support code modification at run time or modification of the import address table (IAT). An import address table is created for every DLL loaded in your process space. It specifies the addresses of all functions that your application imports. One common attack is to modify the IAT entries within an application so that they, for example, point to malicious software. The SDK stops the application when it detects this type of attack.

Minimum standard

  • You can't modify the import address table in the application process during execution. Your application specifies many of the functions called at run time by using address tables. These tables can't be altered during or after run time. Among other things, this restriction means you can't perform code profiling on an application signed by using the production certificate.
  • You can't call the DebugBreak function from within any DLL specified in the manifest.
  • You can't call LoadLibrary with the DONT_RESOLVE_DLL_REFERENCES flag set. This flag tells the loader to skip binding to the imported modules, thereby modifying the import address table.
  • You can't alter delayed loading by making run-time or subsequent changes to the /DELAYLOAD linker switch.
  • You can't alter delayed loading by providing your own version of the Delayimp.lib helper function.
  • You can't unload modules that are delay-loaded by authenticated modules while the information protection SDK environment exists.
  • You can't use the /DELAY:UNLOAD linker switch to enable unloading of delayed modules.
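The detection the SDK performs on the import address table is described above only in outline. The following is an added, portable illustration of the underlying idea (a snapshot of bound function addresses taken at startup and re-verified before each call through the table); it is not SDK code and does not parse a real PE import table. The table, the guard, the `Encrypt`/`Decrypt` stand-ins and the tampering simulation are all constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Added illustration, not SDK code: a process keeps a table of resolved
// function addresses (a stand-in for an import address table), hashes it at
// startup, and refuses to call through the table once the hash no longer
// matches. All names below are hypothetical.
namespace iat_demo {

struct ImportEntry {
    std::string name;        // imported symbol name
    std::uintptr_t address;  // address the loader bound the symbol to
};

using ImportTable = std::vector<ImportEntry>;
using Fn = int (*)(int);

// FNV-1a over the bound addresses only; the pointers are what gets rewritten.
std::uint64_t hashTable(const ImportTable& table) {
    std::uint64_t h = 1469598103934665603ULL;
    for (const ImportEntry& e : table) {
        std::uint64_t a = static_cast<std::uint64_t>(e.address);
        for (std::size_t i = 0; i < sizeof(a); ++i) {
            h ^= (a & 0xFFu);
            h *= 1099511628211ULL;
            a >>= 8;
        }
    }
    return h;
}

// Stand-ins for legitimately imported functions, and for code a rewritten
// slot would redirect to (constructed for the simulation).
int realEncrypt(int x) { return x + 1; }
int realDecrypt(int x) { return x - 1; }
int hijacked(int x) { return x * 1000; }

// Build the table as a loader would, binding each name to its real address.
ImportTable buildTable() {
    return {
        {"Encrypt", reinterpret_cast<std::uintptr_t>(&realEncrypt)},
        {"Decrypt", reinterpret_cast<std::uintptr_t>(&realDecrypt)},
    };
}

// Integrity guard: remembers the startup hash and re-checks on demand.
class TableGuard {
public:
    explicit TableGuard(const ImportTable& table) : expected_(hashTable(table)) {}
    bool verify(const ImportTable& table) const { return hashTable(table) == expected_; }
private:
    std::uint64_t expected_;
};

// Call through a table slot only while the table matches the snapshot.
// Returns false, without calling anything, when tampering is detected.
bool guardedCall(const TableGuard& guard, const ImportTable& table,
                 std::size_t slot, int arg, int& result) {
    if (slot >= table.size() || !guard.verify(table)) return false;
    Fn fn = reinterpret_cast<Fn>(table[slot].address);
    result = fn(arg);
    return true;
}

// An untouched table: the call goes through and returns Decrypt(10) == 9.
bool cleanCallSucceeds() {
    ImportTable table = buildTable();
    TableGuard guard(table);
    int r = 0;
    return guardedCall(guard, table, 1, 10, r) && r == 9;
}

// Simulated tampering: the Decrypt slot is rewritten after the snapshot, so
// the guard must refuse the call and leave the result untouched.
bool tamperingIsDetected() {
    ImportTable table = buildTable();
    TableGuard guard(table);
    table[1].address = reinterpret_cast<std::uintptr_t>(&hijacked);
    int r = 0;
    return !guardedCall(guard, table, 1, 10, r) && r == 0;
}

}  // namespace iat_demo

int main() {
    return (iat_demo::cleanCallSucceeds() && iat_demo::tamperingIsDetected()) ? 0 : 1;
}
```

The hash covers addresses rather than names because a redirected import keeps its name and changes only the bound pointer; in a real process the snapshot would be taken over the loader-populated IAT rather than over a hand-built vector.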

Incorrectly interpreting license rights

If your application doesn't correctly interpret and enforce the rights expressed in the SDK issuance license, you may make information available in ways that the information owner didn't intend. For example, an application might allow a user to save unencrypted information to new media when the issuance license confers only the right to view the information.

Azure Information Protection (AIP)

The information protection system organizes rights into a few groupings. For more information, see Configuring usage rights for Azure Information Protection.

AIP allows a user either to decrypt information or not. The information doesn't have any inherent protection. If a user has the right to decrypt, the API permits it. The application is responsible for managing or protecting that information after it is in the clear. An application is responsible for managing its environment and interface to prevent the unauthorized use of information. For example, it should disable the Print and Copy buttons if a license grants only the VIEW right. Your test suite should verify that your application acts correctly on all the license rights that it recognizes.

Minimum standard

  • The customer implementation of XrML v.1.2 rights should be consistent with the definitions of these rights as described in the XrML specifications, which are available at the XrML Web site (http://www.xrml.org). Any rights that are specific to your application must be defined for all entities that have an interest in your application.
  • Your test suite and test process should verify that your application executes properly against the rights that the application supports. It should also verify that it doesn't act upon unsupported rights.
  • If you're building a publishing application, you must make information available that explains the intrinsic rights used. This includes those that are, and aren't, supported by the publishing application, and how these rights should be interpreted. In addition, the user interface should make clear to the end user the implications of each right granted or denied for an individual piece of information.
  • Any rights that are abstracted, by inclusion in new rights implemented by an application, must be mapped to the new terminology. For example, a new right called MANAGER might include the PRINT, COPY, and EDIT rights as abstracted rights.
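The AIP paragraph above (disable Print and Copy when only VIEW is granted) and the last bullet (map an abstracted MANAGER right back to PRINT, COPY and EDIT) describe one enforcement path. This added example, which is not SDK code, shows that path in C++: license rights are expanded into the intrinsic rights the application supports, unsupported rights are reported but never acted on, and UI capabilities are derived only from the expanded set. The right names and the MANAGER expansion follow the page; the `expand`, `uiFor` functions and the `UiState` fields are hypothetical.

```cpp
#include <map>
#include <set>
#include <string>

// Added example, not SDK code: map granted license rights to UI capabilities,
// expand application-defined abstracted rights, and ignore rights the
// application doesn't recognise. Function and field names are hypothetical.
namespace rights_demo {

using RightSet = std::set<std::string>;

// Intrinsic rights this hypothetical application supports.
const RightSet& supportedRights() {
    static const RightSet s = {"VIEW", "PRINT", "COPY", "EDIT"};
    return s;
}

// Application-defined abstracted rights, mapped to the intrinsic rights they
// include (the page's example: MANAGER includes PRINT, COPY and EDIT).
const std::map<std::string, RightSet>& abstractedRights() {
    static const std::map<std::string, RightSet> m = {
        {"MANAGER", {"PRINT", "COPY", "EDIT"}},
    };
    return m;
}

struct Expansion {
    RightSet effective;    // intrinsic rights the application will act on
    RightSet unsupported;  // rights it doesn't recognise; reported, never enforced
};

// Expand a license's rights. An unknown right is never silently treated as a
// grant; it lands in `unsupported` so tests and logs can see it.
Expansion expand(const RightSet& granted) {
    Expansion out;
    for (const std::string& r : granted) {
        if (supportedRights().count(r) != 0) {
            out.effective.insert(r);
            continue;
        }
        std::map<std::string, RightSet>::const_iterator it = abstractedRights().find(r);
        if (it != abstractedRights().end()) {
            for (const std::string& inner : it->second) {
                if (supportedRights().count(inner) != 0) out.effective.insert(inner);
            }
        } else {
            out.unsupported.insert(r);
        }
    }
    return out;
}

// UI state derived strictly from effective rights: a control is enabled only
// when the right that covers it is present.
struct UiState {
    bool canOpen = false;      // VIEW
    bool printButton = false;  // PRINT
    bool copyButton = false;   // COPY
    bool editEnabled = false;  // EDIT
};

UiState uiFor(const RightSet& granted) {
    const Expansion e = expand(granted);
    UiState ui;
    ui.canOpen = e.effective.count("VIEW") != 0;
    ui.printButton = e.effective.count("PRINT") != 0;
    ui.copyButton = e.effective.count("COPY") != 0;
    ui.editEnabled = e.effective.count("EDIT") != 0;
    return ui;
}

}  // namespace rights_demo

int main() {
    // VIEW-only license: the document opens, Print and Copy stay disabled.
    rights_demo::UiState viewOnly = rights_demo::uiFor({"VIEW"});
    // MANAGER plus an unknown right: MANAGER expands, FROBNICATE is ignored.
    rights_demo::Expansion mgr = rights_demo::expand({"VIEW", "MANAGER", "FROBNICATE"});
    bool ok = viewOnly.canOpen && !viewOnly.printButton && !viewOnly.copyButton
              && mgr.effective.count("PRINT") == 1 && mgr.unsupported.count("FROBNICATE") == 1;
    return ok ? 0 : 1;
}
```

The two scenarios in `main` are the ones the minimum standard asks a test suite to cover: correct behaviour on every supported right, and no action on an unsupported one. Keeping `unsupported` as a separate set, rather than dropping unknown names, lets a publishing application surface exactly which rights it did not honour.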

Recommended standard

None at this time.

Preferred standard

None at this time.

Next steps

Best practices for implementing applications by using the AIP SDK include the following articles: