Data is generally protected from unauthorized access. Controls such as firewalls keep out external threats, while file and folder permissions and access control lists (ACLs) restrict data to authorized users. Encrypting network traffic protects email and data in transit, so that only the intended endpoint can read the information while it is being sent.
But none of these controls address what happens to data once an authorized user obtains it. Authorized users may forward data to unauthorized users, save copies on removable media, or store it outside of the company network. They can email it to competitors, print documents and spreadsheets, and remove it from the protective custody of the network.
Suffice it to say that not all authorized users handle data with equal care, and leaving the handling of sensitive data to user discretion exposes the organization to undue risk.
Windows IT shops have a tool in Microsoft Windows Rights Management Services (RMS) that expands the granularity with which access can be granted and extends control of how data is protected and used beyond the borders of the network. With Microsoft Windows RMS, midmarket companies can exercise control over data inside and outside of their network, manage what actions authorized users are able to perform with the data, or even set an expiration to limit the amount of time authorized access is valid.
There are three main components required for Microsoft Windows RMS:
- Windows RMS server: The Windows RMS server software for Windows Server 2003 (or the Active Directory Rights Management Services role in Windows Server 2008) provides the web services that handle enrollment of servers and certification of users, licensing of protected data, and issuance of the XrML-based certificates and licenses that carry the trust relationships.
- Windows RMS client software: The Windows RMS client APIs (application programming interfaces) let a client machine activate with the Windows RMS server(s) and let RMS-enabled applications work in cooperation with them.
- RMS-enabled applications: The Windows RMS SDK (software development kit) gives developers the tools to extend existing applications or create new ones that apply Windows RMS protection to data.
HOW TO WORK WITH WINDOWS RMS PROTECTED DATA
The first time a user on a client machine attempts to protect a file with Windows RMS, the client is activated and obtains a client licensor certificate (CLC) from the Windows RMS server. This initial certification must be done online, but once the certificate is obtained the client can continue to protect data even while offline, because publishing requires only the server's public key.
With the client licensor certificate and a Windows RMS-enabled application, the user defines the file's rights and restrictions. The application encrypts the file with a fresh symmetric key and encrypts that key to the public key of the Windows RMS server. The encrypted key, together with the list of named users and the rights granted to each, goes into the publishing license that is bound to the file.
At this point, the content key can be recovered only by the Windows RMS server that holds the matching private key. The first time a recipient attempts to open a Windows RMS-protected file, the client contacts the Windows RMS server to obtain a rights account certificate (RAC) that contains the recipient's public key. When access to the file is then requested, the client sends the Windows RMS server both the account certificate and the publishing license taken from the file.
The Windows RMS server validates the account certificate and checks that the recipient is a named user (or a member of a named group) granted rights in the publishing license. If both checks pass, the server issues a use license: it decrypts the symmetric key with its private key, re-encrypts it to the recipient's public key from the account certificate, and includes the re-encrypted key in the license. The use license also carries the conditions and restrictions that apply to this recipient, such as whether the file can be forwarded or printed and whether access expires at a set time. Note that the encryption only prevents reading the file without a use license; restrictions such as no printing or no forwarding are enforced by the trusted RMS-enabled application on the recipient's machine, not by the cryptography, so a recipient who is allowed to view content can still, for example, photograph the screen.
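As an added illustration of the exchange described above (example code written for this page, not Microsoft's RMS implementation and not code from the original tip), the following Go program models the three steps: the author publishes a file offline using only the server's public key, the server issues a use license to a named recipient, and the recipient's application decrypts the content and enforces the granted rights. Assumptions: AES-256-GCM and RSA-OAEP stand in for whatever algorithms a given RMS version uses; plain Go structs stand in for the XrML publishing and use licenses; the user name handed to IssueUseLicense is taken as already authenticated (a real server would first validate the signature on the rights account certificate); and the users alice, bob and carol and the sample content are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Rights a publishing license can grant; real RMS expresses them in XrML (this bit set is an assumption).
type Rights uint8
const (
	View Rights = 1 << iota
	Print
)
// PublishingLicense is bound to the file: the content key wrapped to the RMS server's key, plus named users and rights.
type PublishingLicense struct {
	WrappedKey []byte            // RSA-OAEP(serverPub, contentKey)
	Grants     map[string]Rights // named user -> rights
	Expires    time.Time
}
type ProtectedFile struct {
	Nonce, Ciphertext []byte // AES-256-GCM
	License           PublishingLicense
}
// UseLicense carries the same content key re-wrapped to the recipient's account certificate key, plus granted rights.
type UseLicense struct {
	WrappedKey []byte // RSA-OAEP(recipientPub, contentKey)
	Rights     Rights
	Expires    time.Time
}

func wrap(pub *rsa.PublicKey, key []byte) []byte {
	out, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		panic(err) // a 32-byte key under a 2048-bit modulus only fails on a programming error
	}
	return out
}
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so neither call can fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Publish is the author's step. Only the server's public key is needed, which is why an enrolled client can protect files offline.
func Publish(serverPub *rsa.PublicKey, plaintext []byte, grants map[string]Rights, expires time.Time) *ProtectedFile {
	buf := make([]byte, 32+12) // fresh content key and GCM nonce per file
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	key, nonce := buf[:32], buf[32:]
	return &ProtectedFile{
		Nonce:      nonce,
		Ciphertext: gcm(key).Seal(nil, nonce, plaintext, nil),
		License:    PublishingLicense{WrappedKey: wrap(serverPub, key), Grants: grants, Expires: expires},
	}
}

// IssueUseLicense is the server's step: confirm the requester is named in the publishing license, recover the content key, re-wrap it to the requester.
func IssueUseLicense(serverPriv *rsa.PrivateKey, pf *ProtectedFile, user string, racPub *rsa.PublicKey) (*UseLicense, error) {
	rights, ok := pf.License.Grants[user]
	if !ok {
		return nil, errors.New("user not named in publishing license")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, pf.License.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return &UseLicense{WrappedKey: wrap(racPub, key), Rights: rights, Expires: pf.License.Expires}, nil
}

// Consume is the recipient's step. Decryption needs the use license; the rights and expiry checks are what a trusted RMS-enabled application enforces itself.
func Consume(racPriv *rsa.PrivateKey, pf *ProtectedFile, ul *UseLicense, want Rights, now time.Time) ([]byte, error) {
	if now.After(ul.Expires) {
		return nil, errors.New("use license has expired")
	}
	if ul.Rights&want != want {
		return nil, errors.New("use license does not grant the requested right")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, racPriv, ul.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return gcm(key).Open(nil, pf.Nonce, pf.Ciphertext, nil)
}

func main() {
	server, _ := rsa.GenerateKey(rand.Reader, 2048)
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for alice's account certificate key pair
	pf := Publish(&server.PublicKey, []byte("constructed sample: Q3 forecast"), map[string]Rights{"alice": View | Print}, time.Now().Add(time.Hour))
	ul, err := IssueUseLicense(server, pf, "alice", &alice.PublicKey)
	if err != nil {
		panic(err)
	}
	plain, err := Consume(alice, pf, ul, Print, time.Now())
	fmt.Printf("alice prints %q, err=%v\n", plain, err)
	_, err = IssueUseLicense(server, pf, "carol", &alice.PublicKey)
	fmt.Println("carol requests a use license:", err)
}
```

Run it with `go run`; the two calls to IssueUseLicense at the end show a named user receiving a license and an unnamed one being refused. The point to take from Consume is that the cryptography gates only whether the content key can be unwrapped with the recipient's account key; the Print check and the expiry check are decisions the client application makes after it already holds the key, which is why RMS depends on trusted, RMS-enabled applications on the recipient side.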
Whether the recipient is part of the same organization or network domain as the original client, or is an external partner or customer, the process for protecting and accessing Windows RMS-protected data is essentially the same. However, a system must be in place so that external recipients have credentials the Windows RMS server can validate. There are essentially three options for providing these credentials:
- Create internal user accounts within the Active Directory domain for external users that need access to Windows RMS-protected data.
- Establish a trust between the internal network domain and the external recipient's network domain to enable the Windows RMS server to validate the recipient's credentials.
- Establish a trust between the Windows RMS server and the public Microsoft .NET Passport authentication service so external users can be validated using their .NET Passport credentials.
As more information is created, transmitted and stored digitally, new controls are needed to protect it. The traditional approach of perimeter security and file and folder permissions provides only partial protection; adding Windows RMS lets organizations ensure data is used only by authorized individuals, for authorized purposes, and only for as long as the organization deems them authorized.
Tony Bradley is the Director of Security for Evangelyze Communications and a Microsoft MVP in Windows security for the past three years.
This was first published in May 2009