Active Directory Rights Management Services

Active Directory Rights Management Services (AD RMS, known as Rights Management Services or RMS before Windows Server 2008) is a server software for information rights management shipped with Windows Server. It uses encryption and a form of selective functionality denial for limiting access to documents such as corporate e-mails, Microsoft Word documents, and web pages, and the operations authorized users can perform on them. Companies can use this technology to encrypt information stored in such document formats, and through policies embedded in the documents, prevent the protected content from being decrypted except by specified people or groups, in certain environments, under certain conditions, and for certain periods of time. Specific operations like printing, copying, editing, forwarding, and deleting can be allowed or disallowed by content authors for individual pieces of content, and RMS administrators can deploy RMS templates that group these rights together into predefined rights that can be applied en masse.

RMS debuted in Windows Server 2003, with client API libraries made available for Windows 2000 and later. The Rights Management Client is included in Windows Vista and later, is available for Windows XP, Windows 2000 or Windows Server 2003.[1] In addition, there is an implementation of AD RMS in Office for Mac to use rights protection in OS X and some third-party products are available to use rights protection on Android, Blackberry OS, iOS and Windows RT.[2][3]

Attacks against policy enforcement capabilities

[edit]

In April 2016, an alleged attack on RMS implementations (including Azure RMS) was published and reported to Microsoft.[4][5] The published code allows an authorized user that has been granted the right to view an RMS protected document to remove the protection and preserve the file formatting. This sort of manipulation requires that the user has been granted rights to decrypt the content to be able to view it. While Rights Management Services makes certain security assertions regarding the inability for unauthorized users to access protected content, the differentiation between different usage rights for authorized users is considered part of its policy enforcement capabilities, which Microsoft claims to be implemented as "best effort", so it is not considered by Microsoft to be a security issue but a policy enforcement limitation. Previously the RMS SDK enforced signing of code using the RMS capabilities in order to provide some level of control on which applications interacted with RMS, but this capability was later removed due to its limited ability to restrict such behaviors given the possibility to write applications use the web services directly to obtain licenses to decrypt the content.[6]

In addition, using this same technique, a user that has been granted rights to view a protected document can manipulate the content of the document without leaving traces of the manipulation. Since Azure RMS is not a non-repudiation solution and, unlike document signing solutions, does not claim to provide anti-tampering capabilities, and since the changes can only be made by users that are granted rights to the document, Microsoft does not consider the later issue to be an actual attack against the claimed capabilities of RMS.[7] The researchers provide a proof of concept tool, to allow evaluation of the results, via GitHub.[8]

Software support

[edit]

RMS is natively supported by the following products:

Third-party solutions, such as those from Secure Islands (acquired by Microsoft), GigaTrust and Liquid Machines (acquired by Check Point) can add RMS support to the following:

See also

[edit]

References

[edit]
  1. ^ Microsoft Windows Rights Management Services Client with Service Pack 2 - x86
  2. ^ "RMS Viewer | Mobile Rights Management for iPhone, iPad, Android and Blackberry". Archived from the original on 2013-10-16. Retrieved 2013-10-14.
  3. ^ "GigaTrust for iOS Devices – Expanding the Security for Smart Mobile Devices". Archived from the original on 2012-10-31. Retrieved 2013-10-14.
  4. ^ Mainka, Christian; Grothe, Martin (2016-08-01). "How to Break Microsoft Rights Management Services". On Web-Security and -Insecurity. Network and Data Security Chair Ruhr-University Bochum. Retrieved 2016-08-04.
  5. ^ Mainka, Christian; Grothe, Martin (2016-08-04). "How to Break Microsoft Rights Management Services". WOOT '16 - 10 USENIX Workshop on Offensive Technologies. USENIX Security Symposium. Retrieved 2016-08-04.
  6. ^ "Creating a Rights Management Manifest". Microsoft Development Network. Microsoft. Retrieved 2017-10-06.
  7. ^ "AD RMS FAQ". MicrosoftDocs. Microsoft. 29 July 2013. Retrieved 2017-10-06.
  8. ^ Mainka, Christian; Grothe, Martin (2016-07-07). "MS-RMS-Attacks". MS-RMS-Attacks. GitHub. Retrieved 2016-08-04.
  9. ^ "Plan Information Rights Management in Office 2013". TechNet. Retrieved 2015-11-24.
  10. ^ a b "Secure Islands - Home". Archived from the original on 2013-02-02. Retrieved 2010-07-13.
  11. ^ "Secure Islands - SharePoint Classification and Protection". Archived from the original on 2013-02-16. Retrieved 2013-01-31.
  12. ^ a b c "GigaTrust Announces Availability of Adobe® Rights-Management Protector for Microsoft® Office SharePoint Server 2007 (MOSS 2007)". Archived from the original on 2008-05-17. Retrieved 2009-02-18.
  13. ^ "Secure Islands - IQProtector for Files". Archived from the original on 2013-02-16. Retrieved 2013-01-31.
  14. ^ "GigaTrust Launches New RMS Desktop PDF Client for Adobe with Comprehensive Reporting, Auditing and Compliance Capability" (Press release).
  15. ^ "PDF Editor Download - Edit Files Online for Free".
[edit]