Active Directory Rights Management Services


Active Directory Rights Management Services (AD RMS, known as Rights Management Services or RMS before Windows Server 2008) is server software for information rights management shipped with Windows Server. It uses encryption and a form of selective functionality denial to limit access to documents such as corporate e-mails, Microsoft Word documents, and web pages, and to limit the operations authorized users can perform on them. Companies can use this technology to encrypt information stored in such document formats and, through policies embedded in the documents, prevent the protected content from being decrypted except by specified people or groups, in certain environments, under certain conditions, and for certain periods of time. Specific operations like printing, copying, editing, forwarding, and deleting can be allowed or disallowed by content authors for individual pieces of content, and RMS administrators can deploy RMS templates that group these rights together into predefined rights that can be applied en masse.


RMS debuted in Windows Server 2003, with client API libraries made available for Windows 2000 and later. The Rights Management Client is included in Windows Vista and later, and is available for Windows XP, Windows 2000 and Windows Server 2003.[1] In addition, there is an implementation of AD RMS in Office for Mac to use rights protection in OS X, and some third-party products are available to use rights protection on Android, BlackBerry OS, iOS and Windows RT.[2][3]

Attacks against policy enforcement capabilities

In April 2016, an alleged attack on RMS implementations (including Azure RMS) was published and reported to Microsoft.[4][5] The published code allows an authorized user who has been granted the right to view an RMS-protected document to remove the protection while preserving the file formatting. This manipulation requires that the user has already been granted rights to decrypt the content in order to view it. While Rights Management Services makes certain security assertions regarding the inability of unauthorized users to access protected content, the differentiation between usage rights for authorized users is considered part of its policy enforcement capabilities, which Microsoft states are implemented as "best effort"; Microsoft therefore considers this a policy enforcement limitation rather than a security issue. Previously the RMS SDK required code using the RMS capabilities to be signed, in order to provide some control over which applications interacted with RMS, but this requirement was later removed because of its limited ability to restrict such behaviour, given that applications can be written to use the web services directly to obtain licenses to decrypt the content.[6]

In addition, using the same technique, a user who has been granted rights to view a protected document can manipulate the content of the document without leaving traces of the manipulation. Since Azure RMS is not a non-repudiation solution and, unlike document signing solutions, does not claim to provide anti-tampering capabilities, and since the changes can only be made by users who are granted rights to the document, Microsoft does not consider the latter issue to be an actual attack against the claimed capabilities of RMS.[7] The researchers provide a proof-of-concept tool on GitHub to allow evaluation of the results.[8]
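The distinction the two paragraphs above draw, between what the licensing server can enforce (who gets a decryption license, and until when) and what only the client application enforces (which operations a licensed user may perform), is easiest to see in a small model. The following is an added toy model written for this article; it is not Microsoft's code, and its XOR keystream cipher, license structures and user names are constructed stand-ins for the real RMS protocol and its AES-based cryptography. It shows that a view-only user and a full-rights user receive the same content key from the server, so the "no print" restriction exists only as a flag the client is asked to honour, which is exactly why Microsoft classes per-right differentiation as best-effort policy enforcement. It also records the one event a defender can reliably audit: the server's license-issuance decision.

```python
"""Toy model of the RMS trust boundary (constructed example, not Microsoft code)."""
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample document used by demo() below.
PLAINTEXT = b"Quarterly figures: constructed sample text, not real data."


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter-mode keystream.
    It stands in for the AES content encryption real RMS uses; the same
    call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class PublishingLicense:
    """Travels with the protected file: who may do what, until when, and the
    content key wrapped so that only the licensing server can unwrap it."""
    policy: dict            # user -> frozenset of rights such as {"VIEW", "PRINT"}
    valid_until: datetime
    wrapped_key: bytes


@dataclass
class UseLicense:
    """Issued by the server to one user: the content key plus the rights the
    client is asked to honour."""
    user: str
    rights: frozenset
    content_key: bytes


@dataclass
class LicensingServer:
    server_key: bytes = field(default_factory=lambda: os.urandom(32))
    audit_log: list = field(default_factory=list)

    def publish(self, plaintext: bytes, policy: dict, valid_for: timedelta, now: datetime):
        """Protect a document: encrypt it under a fresh content key and wrap that
        key for the server."""
        content_key = os.urandom(32)
        ciphertext = keystream_xor(content_key, plaintext)
        pl = PublishingLicense(policy=policy, valid_until=now + valid_for,
                               wrapped_key=keystream_xor(self.server_key, content_key))
        return ciphertext, pl

    def acquire_use_license(self, user: str, pl: PublishingLicense, now: datetime):
        """The server-side check: identity, policy membership and validity window.
        This is the boundary the server can actually enforce. Every user who
        passes it receives the full content key, whatever their rights are."""
        rights = pl.policy.get(user)
        if rights is None or now > pl.valid_until:
            self.audit_log.append({"time": now.isoformat(), "user": user, "decision": "DENIED"})
            return None
        self.audit_log.append({"time": now.isoformat(), "user": user,
                               "decision": "GRANTED", "rights": sorted(rights)})
        return UseLicense(user, rights, keystream_xor(self.server_key, pl.wrapped_key))


def compliant_client(ul: UseLicense, ciphertext: bytes, operation: str):
    """A well-behaved client: decrypts, then honours the rights list. Returns the
    plaintext for a permitted operation and None otherwise. Because this check
    runs on the client, it is policy enforcement, not a cryptographic guarantee."""
    if operation not in ul.rights:
        return None
    return keystream_xor(ul.content_key, ciphertext)


def demo() -> dict:
    """Run the model with constructed users and return the observations."""
    now = datetime(2016, 4, 1, tzinfo=timezone.utc)   # constructed timestamp
    server = LicensingServer()
    policy = {"owner@example.com": frozenset({"VIEW", "PRINT", "EDIT"}),
              "viewer@example.com": frozenset({"VIEW"})}
    ct, pl = server.publish(PLAINTEXT, policy, timedelta(days=30), now)

    owner_ul = server.acquire_use_license("owner@example.com", pl, now)
    viewer_ul = server.acquire_use_license("viewer@example.com", pl, now)
    outsider_ul = server.acquire_use_license("outsider@example.com", pl, now)
    expired_ul = server.acquire_use_license("owner@example.com", pl, now + timedelta(days=31))

    return {
        # Enforced by the server: unauthorized users and expired requests get no key.
        "outsider_denied": outsider_ul is None,
        "expired_denied": expired_ul is None,
        # Enforced only by the client: the viewer can view but the client refuses to print.
        "viewer_can_view": compliant_client(viewer_ul, ct, "VIEW") == PLAINTEXT,
        "viewer_client_refuses_print": compliant_client(viewer_ul, ct, "PRINT") is None,
        # The key material does not differ by right: both licenses unwrap to the same key.
        "viewer_holds_same_key_as_owner": viewer_ul.content_key == owner_ul.content_key,
        # Each issuance decision, granted or denied, is visible to the server's audit log.
        "audit_entries": len(server.audit_log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit log is the practical takeaway for defenders: because rights such as print or copy are applied after the content key has left the server, the server-side record of which identities were granted use licenses, and when, is the signal worth monitoring, while the per-operation restrictions should be treated as a usability control rather than a data-loss boundary.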

Software support

RMS is natively supported by the following products:

Third-party solutions, such as those from Secure Islands (acquired by Microsoft), GigaTrust and Liquid Machines (acquired by Check Point) can add RMS support to the following:

See also


References

  1. "Microsoft Windows Rights Management Services Client with Service Pack 2 - x86". Microsoft.
  2. "RMS Viewer | Mobile Rights Management for iPhone, iPad, Android and Blackberry". Archived from the original on 2013-10-16. Retrieved 2013-10-14.
  3. "GigaTrust for iOS Devices – Expanding the Security for Smart Mobile Devices". Archived from the original on 2012-10-31. Retrieved 2013-10-14.
  4. Mainka, Christian; Grothe, Martin (2016-08-01). "How to Break Microsoft Rights Management Services". On Web-Security and -Insecurity. Network and Data Security Chair, Ruhr-University Bochum. Retrieved 2016-08-04.
  5. Mainka, Christian; Grothe, Martin (2016-08-04). "How to Break Microsoft Rights Management Services". WOOT '16 - 10th USENIX Workshop on Offensive Technologies. USENIX Security Symposium. Retrieved 2016-08-04.
  6. "Creating a Rights Management Manifest". Microsoft Developer Network. Microsoft. Retrieved 2017-10-06.
  7. "AD RMS FAQ". Microsoft Docs. Microsoft. 29 July 2013. Retrieved 2017-10-06.
  8. Mainka, Christian; Grothe, Martin (2016-07-07). "MS-RMS-Attacks". GitHub. Retrieved 2016-08-04.
  9. "Plan Information Rights Management in Office 2013". TechNet. Retrieved 2015-11-24.
  10. "Secure Islands - Home". Archived from the original on 2013-02-02. Retrieved 2010-07-13.
  11. "Secure Islands - SharePoint Classification and Protection". Archived from the original on 2013-02-16. Retrieved 2013-01-31.
  12. "GigaTrust Announces Availability of Adobe® Rights-Management Protector for Microsoft® Office SharePoint Server 2007 (MOSS 2007)". Archived from the original on 2008-05-17. Retrieved 2009-02-18.
  13. "Secure Islands - IQProtector for Files". Archived from the original on 2013-02-16. Retrieved 2013-01-31.
  14. "GigaTrust Launches New RMS Desktop PDF Client for Adobe with Comprehensive Reporting, Auditing and Compliance Capability" (Press release).
  15. "PDF Editor Download - Edit Files Online for Free".