How RMS Works

About This Presentation

Title:

How RMS Works

Description:

Store user accounts, DLs, provide directory of email addresses, SCP location. ... Directory for finding the MSN RMS services. Trust. RM Production Root. Trust ... – PowerPoint PPT presentation

Number of Views:1962

Avg rating:5.0/5.0

Slides: 62

Provided by: grahamca

Category:

more less

Transcript and Presenter's Notes

Title: How RMS Works

1
How RMS Works

Graham Calladine
(grahamca_at_microsoft.com)

2
Agenda

Morning
Architecture
Server Installation
Server Enrollment
Machine activation
User Enrollment
Offline publishing Enrollment
Content Creation/Consumption
Revocation
Afternoon
Templates
Architectures
Trusts
Deployment/Scalability
SDK Server/Client

3
Components

RMS Root Server and Sub Servers
RM clients
RM Apps
RM users
What does it look like?

4
Technologies supporting Windows Rights Management
Services

AD LDAP
Store user accounts, DLs, provide directory of
email addresses, SCP location
.NET Framework ASP.NET
Application environment for all critical RMS
server application code
MSMQ SQL
Stores RMS configuration information, user
keypairs, activity logs, cache of AD groups for
expansion
XrML
standard in which all the licenses, certificates
are structured
SOAP
Protocol standard for all message exchanges
between client and server, server and MSN, client
and MSN
UDDI
Directory for finding the MSN RMS services

5
Trust
RM Production Root Trust Anchor
RM App signing CA
RM CA
Intermediary CAs
Account Certification CA
Machine Activation CA
Server Enrollment CA
RM Manifest Signing Key CA
Licensing CA
MS Exposed Internet Services
License Service
Account Certification
Machine Activation
Server Enrollment
6
RMS Server Installation

Join Windows Server 2003 to AD domain
Log on to the Windows Server 2003 as a domain
user which has local Admin authority
Add IIS, ASP.NET and MSMQ components
Install a DB such as SQL 2000 SP3 on a separate
server (or the same one)
Install RMS (rmssetup.exe) as a local
Administrator

7
RMS Configuration

RMS checks AD for existing RMS URL (SCP)
Determines whether to provision a Certification
or Licensing server
Set location of database
different server
Choose RMS service account
Standard user account
Configure URL where RMS will be found
http//myrms/_wmcs
Select the protection method for the servers
private key software or HSM
Configure a proxy server address (if needed)
Add the email address of the RMS administrator

8
RMS Provisioning Actions

During the Root Certification server
provisioning
RMS creates application pool
RMS configures IIS
RMS configures MSMQ
RMS creates database instances on SQL Server (or
MSDE)
RMS creates public/private keypair
RMS requests root licensor certificate from MSN
service, sends public key in request
During Licensing server provisioning
RMS performs AD lookup to find the root
certification cluster, and sub-enrolls to get
licensor certificate

9
Post Provisioning Step

Need enterprise admin to set SCP in AD from Admin
page
Verify SSL certs and connections if used
No schema changes in AD
RMS uses an existing Service Connection Point
object class
RMS adds one record to the Config container in AD

10
RMS Server

RMS server is an ASP.NET Web service
Protocol is SOAP over HTTP/HTTPS
Internet Information Server (IIS) 6 only
Single request/response transaction model
Stateless for most requests all processing on
front end
DB such as SQL (or MSDE) used for configuration
logging
Requests
Machine Activation One time process to create
and download secure trusted root per machine
Certification and Client Enrollment Binding a
user key pair to a specific machine. One time
per user per machine
Licensing requesting a license to use a piece of
content (Use License) One time per content per
user
XrML-based input/output

11
RMS Server

Quick Demo of Server

12
RMS Keys and Certs

Server Enrollment
Server Licensor Certificate
Client Activation
The lockbox
User Enrollment
The Account Certificate
Offline publishing
The client licensor certificate
Content Creation and Consumption
Publishing licenses and Use Licenses

13
RMS Keys Server provisioning
MSN Enrollment Private Key
MSN Server Enrollment Server
RMS Server
2) Provisioning Request
1) Generate server keypair
3) Embed public key in SLC
4) Sign Server Licensor certificate
5) Provisioning Response
Includes chain of trust
14
RMS Keys Server provisioning

RMS Server provisioning uses Enrollment servers
at MSN
But RMS server generates its keypair private
key never leaves server
RMS Server sends provisioning request to MSN
Sends servers public key to MSN Enrollment
server
MSN Enrollment server generates SLC
Puts public key in Server Licensor Certificate
Signs SLC with MSN Enrollment servers private
key
SLC sent to Enterprise RMS server

15
SLC

SLC is stored in the RM config database.
The private key is encrypted using HSM or DPAPI
where the encryption key is based upon the
complex password entered during the configuration
stage.
The certificate contains the servers public key,
version and URL of the enrolled server. The
certificate gives the server the right to issue
Server Licensor Certificates to other licensing
servers
RM account Certificates
Client Licensor Certificates
Publishing and Use Licenses.

16
Activating client machine
MSN Activation Service
MSN ActivationPrivate Key
RMS Client
1) Activation Request
HWID
HWID
2) Generate client keypair
RMS Root Server
3) Embed keys in files
4) Sign certificate
5) Activation Response (as CAB)
17
Activating client machine

RMS Client APIs calculate hardware ID, sends HWID
hash in Activation request to server
MSN Activation server creates Lockbox machine
certificate
Creates RSA key pair
Puts private key in lockbox DLL
Puts public key in Machine certificate
HWID hash stored in machine cert, and used as an
input into lockbox
Files sent to client machine or RMS Activation
Proxy on Enterprise RMS Server
Packaged into CAB file for delivery
Nothing is stored at Microsoft

18
RMS Client Lockbox (secrep.dll)

A unique, per-machine, Microsoft-generated DLL
(by servers at MSN)
Contains private key for machine, bound to HWID
for that machine
HWID is based on computer parameters such as
Disk geometry, network card address, processor
type
Performs critical RMS functions on the client
Encryption/decryption (has own DES AES128
implementations)
Validate applications (manifest check)
Validate machine against HWID
Authenticate validate users
Tamper resistant, private key is obfuscated

19
What do we have?

We now have the Root server enrolled with a valid
Server licensor Certificate
We have a activated client with is public key
stored in machine cert and its private key stored
in the Lockbox
Next we need users and applications

20
What is a RAC

Associates a windows user account with a specific
computer and allows the user to consume/create
RM-protected content from that computer.

21
Certifying Users (RAC)
RMS Client

RAC Request
Inc machine Pub key

Server Private Key
RMS Server
2) Generate user keypair
Client Machine Certificate
Windows Authentication
3) Encrypt user private key with Machine public
key
4) Sign certificate
5) RAC Response
6) Store copy of user keypair in SQL Private
key enc with server public key
22
Certifying Users

RMS Client sends a Certification request to RMS
Server
Includes Machine certificate, authentication
credentials
Certification service checks for an existing key
pair for the user in the database if none
RMS Certification server a creates RSA keypair
Server extracts client machines public key from
Machine certificate
Server encrypts users private key with client
machines public key and embeds in RAC
Server embeds public key in RAC in plaintext
Server sends with RAC to client

23
Publishing and Consuming

Publishing Licenses (PL)
Use Licenses (UL)
Office performs offline publishing by default
Client Licensor Certificate (CLC)
Just two many licenses

24
RMS Keys Publishing Content (generic
server-side publishing)

RM app generates symmetric content key
AES 128-bit or DES
Application encrypts Content Key with servers
public key and sends to Publishing server as
unsigned PL
RMS Publishing server creates Signed Publishing
License
encrypts Content Key with servers public key
embeds encrypted Content Key in Publishing
License
Signs Publishing License with servers private
key
Client application receives Publishing License
and adds to rights-protected document

25
Offline publishing

Client Licensor Certificate
Allows client applications to sign PLs

26
CLC request (Office 2003)
Server Licensor Cert
RMS Client
RMS Server
2) Extract User public key
Server Private Key
1) CLC Request
3) Generate CLC keypair
4) Encrypt CLC private key
5) Add server client public keys
6) Sign CLC
7) CLC Response
27
How do we get a CLC?

RMS Client APIs make CLC request to RMS Licensing
Server
Sends RAC to server
RMS Licensing server creates CLC
Server creates RSA keypair
Server signs CLC as a subordinate licensing key
Server extracts users public key from RAC
Server encrypts users publishing private key
with users RAC public key and embeds in CLC
Server embeds users publishing public key in CLC
Server embeds servers public key (as Licensor
certificate) in CLC
Server sends CLC to client

28
RMS Keys Publishing Content(Office 2003)
RMS Client
1) Generate symmetric key (128 AES)
4) Embed encrypted key in PL along with server
URL from CLC
3) Encrypt symmetric with server public key
2) Extract server public key from CLC
5) Decrypt CLC private key with RAC private key
7) Embed PL in document
6) Sign PL with CLC private key
Content
29
Offiline Publishing Content(Office 2003)

Office 2003 application generates content Key
AES 128-bit
Application creates Publishing License
Application extracts servers public key from
local CLC
Application encrypts Content Key with servers
public key and CLC public key
Application embeds encrypted Content Keys in
Publishing License
Application signs Publishing License with client
CLCs private key
Application uses CLC protected key to generate an
Owner License so the author can access the
content
Application encrypts content and adds Publishing
License to rights-protected document

30
Rights-protected information
a
Created when file is protected
Publishing License
Content Key
Encrypted with the servers public key
Rights Info w/ email addresses
Encrypted with the servers public key
The Content of the File (Text, Pictures, etc)
Encrypted with Content Key, a cryptographically
secure 128-bit AES symmetric encryption key
31
RMS Keys Consuming Content(Office 2003, RMA)
RMS Server
RMS Client
Server Private Key
1) UL Request
2) Decrypt symmetric key with server private key
PL
3) Encrypt symmetric with user public key
4) Embed encrypted key in UL
5) Sign UL
6) UL Response
32
Rights-protected information
a
Created when file is protected
Only added to the file after server licenses a
user to open it
Publishing License
End User Licenses
Content Key
Rights for a particular user
Encrypted with the servers public key
Encrypted with the users public key
Rights Info w/ email addresses
Content Key (big random number)
Encrypted with the servers public key
The Content of the File (Text, Pictures, etc)
Encrypted with the users public key
Encrypted with Content Key, a cryptographically
secure 128-bit AES symmetric encryption key
E-mail ULs are stored in the local RM license
cache, not in the e-mails directly
33
RMS Keys Consuming Content(Office 2003, RMA)

RM-enabled application makes Licensing request to
server(s) listed in Publishing License sends
PL, RAC to server
Application extracts PL from rights-protected
document
Sends users RAC, docs PL to RMS Enterprise
Server
Server creates Use License
Server extracts encrypted Content Key from PL
Server decrypts Content Key using servers
private key
Server extracts Users public key from RAC
Server encrypts Content Key with Users public
key
Server signs Use License with Servers private
key
Client receives UL, Lockbox decrypts content
Client extracts users encrypted private key from
RAC
Lockbox decrypts users private key with
machines private key from lockbox DLL
Lockbox decrypts Content Key with Users private
key
App decrypts rights-protected information with
Content Key

34
RMS Keys Consuming Content for author (Office
2003)

Author has a per-user keypair in CLC
Uses CLC private key for signing PL
Embeds CLC public key in PL for validation
Author can self-license for their own documents
Client decrypts symmetric key from PL with CLC
private key
Client encrypts symmetric key with RACs public
key
Client embeds encrypted symmetric key in UL
Client signs UL with CLCs public key
Client uses UL to access protected information as
usual

35
Keys Summary (FYIO)

Server keys
Public key Encrypts the content key that is in a
publishing license so that only the Windows RMS
server can retrieve the content key and issues
use licenses against that publishing license.
Private keySigns all certificates and licenses
that are issued by the server.
Machine keys
Public key Encrypts an RM account certificate
private key. Private keyDecrypts an RM account
certificate.
Client licensor keys
Public key Encrypts the symmetric content key in
the publishing licenses that it issues.Private
keySigns publishing licenses that are issued
locally while the user is not connected to the
network.
User keys
Public key Encrypts the content key that is in a
use license so that only a particular user can
consume RM-protected content by using that
license. Private keyAllows a user to consume
RM-protected content.
Content keys
Encrypts RM-protected content when the author
publishes it.

36
Demo

Getting a RAC and CLC
Publishing a DOC

37
Revocation

Plan carefully
Specified in Templates by Admin
Revocation point (URL)
Granular down to UL
Works on client
Once enabled, is in effect every time content is
consumed
Note Owner Licenses do not check revocation
Use when exclusion is not appropriate

38
Questions

Questions and Recap

39
The Afternoon Slot
40
Agenda

Templates
Architectures
Trusts
Deployment/Scalability
SDK Server/Client

41
Rights Policy Templates Creation

Templates simplify selection of rights by users
Templates allow you to configure policies that
sometimes arent possible to configure in the
application itself
E.g. Outlook doesnt allow the user to set email
expiration policy
But if you configure a policy that e.g. sets
expire in 10 days, access to Outlook emails
protected with that template will expire 10 days
after theyre sent
Templates must be created in the RMS Admin web
page
Templates allow you to combine rights such as
Read, Copy, Print with restrictions like
expiration and renewal
The files are stored on the RMS server as .xml
files

42
Examples of use

Anyone can view, only the author can modify
Anyone can view content for only a month
Anyone can view, external partners or clients
cannot
Only specified user can view the content.
Only a specified user can view or modify the
content.

43
Template conditions

Users or DLs
Use license duration
Document life
Revocation
Custom attributes for RM apps

44
Template Deployment

File share
Send to Client
Management
Updates

45
Demo

Templates

46
Potential Deployment Architectures

These are NOT prescriptive architectures or the
only prescribed way to do this
Single server (or single cluster)
Single certification, single license
Single certification, multiple license
Multiple certification, single license
Multiple certification, multiple license
Example Microsoft OTG deployment architecture

47
Architecture Single Server or Cluster

Simplest design host all Certification and
Licensing on one server
Often accompanied by a SQL (or MSDE) install on
the same server
Easy install doesnt even need a service
account (can use Local SYSTEM)
Best Practice use this for initial testing, but
not for production deployments
Does not provide defense in depth if RMS host
is compromised, SQL is also compromised

48
Single Server or Cluster
AD
AD
RMS SQL
SQL
RMS
Clients
49
Architecture Single Certification, Multiple
License

This architecture provides for a single point of
authentication
Requires inter-forest trusts for the account
domains
Requires override for most clients to find the
certification server in another forest
HKLM\Software\Microsoft\Office\11.0\Common\DRM\Cor
pCertificationServer, REG_SZ http//server/_wmcs
/certification
Requires override for clients to get CLC from
target Licensing server
HKLM\Software\Microsoft\Office\11.0\Common\DRM\Cor
pLicenseServer, REG_SZ http//server/_wmcs/licen
sing
Could be considered for customers with multiple
domains in a single forest worldwide

50
Single Certification and Multiple License
RMS Root Cluster
AD
Sub Licensing
Sub Licensing
England
Wales
Clients
Clients
51
Architecture Multiple Certification, Single
License

This architecture provides for single point of
content access, simplifies administration
Requires the licensing server trusts additional
Certification Servers
Requires override for most clients to find
publishing server in another forest
HKLM\Software\Microsoft\Office\11.0\Common\DRM\Cor
pLicenseServer, REG_SZ http//server/_wmcs/licen
sing
Should be considered for customers with multiple
forests
This architecture mirrors OTGs deployment at
Microsoft

52
Mul Certification and single License
RMS Root Cluster For A
RMS Root Cluster For B
RMS Root Cluster For C
Sub Licensing
All
Clients
Clients
53
Trusts Policies User Domains

Trusted user domains RMS server accepts RACs
that werent issued by your RMS server
Trust Passport Server trusts all RACs from
Microsofts Passport RMS servers
Trust another RMS Server Licensor Certificate
Server trusts RACs from another enterprises RMS
server
Identities can be excluded as well
Best practice exclude your own email domains
from trusted servers

54
Business CommunitiesCross-certification

2 peer organizations need to exchange sensitive
information with each other

Contoso Pharma
Fabrikam Corp
55
Trust Policies Publishing Domains

Trusted publishing domains Server can issue
Use Licenses using another servers private key
Gives your RMS server the ability to grant access
(decrypt publishing licenses) that were not
generated with its public key
Usually only used when merging companies and
consolidating servers (i.e. providing access to
legacy content from a decommissioned server)
Also requires that you redirect the
decommissioned servers URL to the new server
(DNS entry of server)

56
Demo

Quick walk through of Trusts

57
Deployment - Client Installation

Windows Update for users who are local Admins
or for unmanaged systems
AD Group Policy for environments where users ?
admin
Cannot modify the command line for deployment
SMS for complex deployments where users ?
admin
Can modify the command line, schedule, group
targeting for deployment
Can perform upgrades to previous client versions
Does not require AD
This step is combined with Client Activation
activation is attempted at end of install

58
Deployment ConsiderationsScalability

Basic requirements similar to Win2K3
Minimum P3-800, 256MB RAM, 20GB disk
Recommended Dual P4-1.5, 512MB RAM, 40GB disk
RMS is generally CPU-bound
RMS services are stateless
Easy to add more servers to cluster if needed
MS has found dual CPU servers in a cluster are
usually sufficient
RMS can take advantage of additional memory
RMS caches directory lookups on the RMS server as
well as in the SQL DirectoryServices database

59
Deployment ConsiderationsScalability Example

Fabrikam Corporation RMS use
Peak of messages / hour 273,000
of mail that is rights-protected 60
Peak of document Use License requests/hour
7500
Peak of Use License requests per second 47.6
Testing 2.4Ghz P4 dual proc front end 82
licenses / second
1 front-end satisfies performance requirements
Peak predicted load is 58 of servers capacity

60
Deployment Considerations Reliability Example

Fabrikam Corporation RMS use
1 front-end meets scalability requirements
1 additional front-end NLB meets reliability
requirements
No SQL clustering
Nightly SQL backup policy
Microsoft Operations Manager for RMS monitoring
(included with setup)

61
Deployment PrerequisitesLarge Enterprise

Multiple forests
Require a root cluster per forest
For user certification and group expansion
Easy to scale for redundancy or performance
Add servers to a cluster, or CPU to a server
Load balance behind one virtual IP DNS record
Option to centralize licensing functions to
single forest
Reduces hardware / operations requirements
Dedicate more hardware and higher availability on
org-wide licensing cluster

62
Database Considerations

SQL will generally be disk and memory bound
Configuration database impact is minimal
SQL Logging database can grow incredibly fast
MS sees linear scaling on their logging database
Production deployment shows 20k logs 4.4GB
The most-active day MS has seen in beta is 11k
logs
One company-wide email could create 50-100,000
logs
We scrub the logs into a secondary db every 24
hours
All RMS implementations must include a database
strategy
RMS Toolkit includes a database log analysis tool
Back-up/recovery strategy
Log shipping database records to an analysis
server for reporting

63
Disaster Recovery

Backups
RMS Configuration database (Certification)
required for recovery
RMS Logging database for reporting or audit
purposes
DirectoryServices database does not need backup
Steps to restore RMS
Restore RMS configuration database
Install RMS
Provision RMS
Remove existing SCP from AD if restoring root
certification server
Use same Service Account and Password
Use same private key password (or HSM module)
Use same URLs (to preserve access to existing
content)
Content lives on!

64
SDK

Trusted Applications
Manifests for clients apps
Client SDK
Consumption/creation
Server SDK
Creation, PL, UL

65
Trusted Applications

What is a trusted application?
Why should I want my application to be trusted?
What restrictions does being trusted place on my
application?

66
What Is Trusted?

An application is trusted by the RMSsystem if
It has a manifest
XML document that lists the contents of the
executable, with hashes of each component
The manifest is signed by a valid key
You must be a trusted application to initialize
the lockbox

67
Pros And Cons Of Trust

Why Be Trusted?
Your application must be trusted to consume
content or to publish content offline
Why Not Be Trusted?
Upgrading a trusted application is more
complicated, because the manifest must be updated
as well
Trusted applications cannot use dynamically
modified code
This includes .Net (managed) code
The lockbox isnt suitable for server
environments
Initializing the lockbox has a significant
performance impact

68
Examples

A desktop application that is used to create and
edit documents will need to be trusted
Create with Client SDK
A server application that protects documents that
have been placed into a drop folder will usually
not need to be trusted
Create with Server SDK

69
RMS Client SDK