WHITE PAPER

Microsoft Windows Rights Management Services (RMS) gives authors and owners the ability to control how their digital content is used and distributed when it is handled by rights-enabled applications, including Microsoft Office 2003 Professional and the Internet Explorer rights management plug-in. Windows RMS provides certification, licensing, and publishing services that can be used with clients that are enabled for Windows Rights Management (RM).
Table of Contents

Technology Overview
Technology Requirements
Technology Components
  RMS Server
  RMS Client
  RM-enabled Applications
  RM Machine Certificates
  RM Account Certificates
  Lock Box
  Server Licensor Certificates
  Use License
RMS Licensing
Tracking Licenses
Rights Policy Templates
Concepts
  Creating Content
  Licensing and Distribution
  Acquiring Licenses
Encryption
  Server Keys
  Machine Keys
  Client Licensor Keys
  User Keys
  Content Keys
Publishing and Consumption Workflow
Glossary
RMS Trial Deployment Checklist
Technology Overview

Microsoft Windows Rights Management Services (RMS) gives authors and owners the ability to control how their digital content is used and distributed when it is handled by rights-enabled applications, including Microsoft Office 2003 Professional and the Internet Explorer rights management plug-in. Windows RMS provides certification, licensing, and publishing services that can be used with clients that are enabled for Windows Rights Management (RM).

Technology Requirements

The following describes how RMS can be integrated into an organization's existing infrastructure from the perspective of a pilot implementation. Organizations well suited to deploy Windows RMS already possess, and are comfortable operating, the technologies RMS depends on:

- Active Directory
- Internet Information Services with ASP.NET enabled
- SQL Server 2000
- Message Queuing
- Windows Server 2003 for the RMS server
- Windows RMS client software
- Microsoft Office 2003
- Internet Explorer IRM plug-in
- SMS or another software deployment mechanism
- Group Policy Objects

RMS Solution Requirements

Hardware
- Processor: Pentium III 800 MHz or better required; Pentium 4 1.5 GHz or better recommended
- Memory: 256 MB RAM required; 512 MB RAM recommended
- Disk: 20 GB required; 40 GB recommended

Software
- Windows Server 2003
- Message Queuing (included in Windows Server 2003), used for logging and Active Directory integration
- IIS 6.0 with ASP.NET enabled

Infrastructure
- Microsoft SQL Server 2000 SP3 or later
- Active Directory running on Windows 2000 SP3 or later
- An RMS-enabled application or browser

Updated APIs will be required for Windows clients and will be made available via Microsoft Windows Update.

RMS Client Software System Requirements

Supported operating systems: Windows 2000 Service Pack 3, Windows 98 Second Edition, Windows ME, Windows Server 2003, Windows XP.

Microsoft Windows 98 Second Edition and Microsoft Windows Millennium Edition require the Active Directory Client Extension, commonly referred to as the DSClient. The DSClient for Windows 95 and Windows 98 is available on any Windows 2000 Server, Advanced Server, or Datacenter Server CD-ROM; please reference the corresponding Microsoft Knowledge Base article. Windows 98 Second Edition and Windows Millennium Edition users without the DSClient installed can still use the Windows Rights Management client, but service discovery through Active Directory will be unavailable.

Technology Components

RMS Server

RMS has a number of infrastructure dependencies, including but not limited to Microsoft Active Directory, Microsoft IIS, and Microsoft SQL Server; the full list is given in the Technology Requirements section of this document. In addition to these dependencies there is the RMS server software itself. The RMS 1.0 server software can be downloaded directly from Microsoft. Since this server component is provided as a premium service for Windows Server, a Windows RMS Client Access License (CAL) is required for each user publishing and/or viewing rights-protected content.
RMS Client

The Windows RM client component is a set of application interfaces that can be used to develop RM-enabled applications. RM-enabled applications can be used to both publish and consume RM-protected content. Each client computer in an RM system must have the Windows RM client component installed; it is a prerequisite for machine activation and is required for running RM-enabled applications.

RM-enabled Applications

RM-enabled applications allow content authors to attach usage rights, in the form of publishing licenses, to the files they create, giving them control over how the content is consumed. RM-enabled applications also process the encrypted file and allow users to consume the content only according to the permissions defined in the publishing license. Microsoft Office 2003 is an RM-enabled application, and there is an RM add-on for Internet Explorer. Using the Windows RM client SDK, developers can build RM-enabled applications that license, publish, and consume RM-protected content. RM-enabled applications can be developed for computers running Microsoft Windows 98 Second Edition or later.

RM Machine Certificates

An RM machine certificate identifies a computer or device that is trusted by the Windows RMS system. During the activation process, a computer or device receives an RM machine certificate from the root certification server, which acts as a proxy to the Microsoft RM Activation Service; the Activation Service is what actually issues the certificate. An RM machine certificate contains the public key of the activated computer and is signed by the private key of the Microsoft RM Activation Service. Computers do not need to be members of an Active Directory domain to receive a machine certificate.

RM Account Certificates

Organizations must identify the users who are trusted entities in their RM system. To do this, Windows RMS issues RM account certificates that associate user accounts with specific computers. The user's RM account certificate must accompany every request for a client licensor certificate or a use license. A client licensor certificate allows an author to publish RM-protected content, such as files, while offline; a use license allows a user to consume RM-protected content. Each RM account certificate contains the user's public key, which is used to encrypt data intended for that user.

There are two types of RM account certificates: standard and temporary. The validity period of both can be configured. Standard certificates have a duration specified in days (365 days by default). Temporary account certificates have a duration specified in minutes (15 minutes by default); they allow users to consume content for a short time, for example at a kiosk, when they cannot reach the computer they usually use, and the short lifetime prevents another user from consuming the content from that computer later.

Lock Box

RM Lockboxes reside on client computers and are an integral part of identifying a computer or device that is trusted by Windows RMS. A computer or device receives a Lockbox from the Microsoft Activation Service during the same machine-activation process that produces the RM machine certificate. Each Lockbox is built on a hardware identifier, making it unique and binding it to a specific computer. The Lockbox contains the private key of the activated computer. Clients on the corporate network submit machine activation requests to the Windows RMS activation proxy service, which acts as an Internet proxy to the Microsoft Activation Service that issues the Lockbox. Computers do not need to be members of an Active Directory domain to receive a Lockbox. Note that the Lockbox is a software component: the machine private key is protected by the obfuscation and tamper resistance of that binary, not by hardware.

Server Licensor Certificates

A server licensor certificate grants a Windows RMS server the right to issue certificates and licenses. During provisioning, the first root certification server in a deployment receives a server licensor certificate from the Microsoft Enrollment Service in a process called enrollment. This certificate contains the public key of the root certification server and is signed by the private key of the Enrollment Service. Other servers added to the root certification cluster share this certificate.

During provisioning, the first licensing server in a cluster receives a server licensor certificate from the Windows RMS root certification server or cluster in a process called sub-enrollment. This certificate contains the public key of the licensing server and is signed by the private key of the root certification server or cluster. Other servers added to the licensing cluster share this certificate.

Client Licensor Certificates

A client licensor certificate grants an author permission to publish RM-protected content without being connected to the corporate network. To obtain one, an author initiates a client enrollment request from a client computer to the root certification server or to a licensing server, which returns a client licensor certificate for that computer. A client licensor certificate contains the client licensor public key, along with the client licensor private key encrypted with the public key of the author who requested the certificate. It also contains the public key of the issuing server, and it is signed by the private key of the issuing server. The client licensor private key is used to sign the publishing licenses that the author creates.

Use License

To use RM-protected content, a use license is required. A use license specifies the permissions that a particular user has for the RM-protected content, and it is issued by the server that issued the corresponding publishing license. Users named in a publishing license who receive the RM-protected content can request a use license. RM-enabled applications use XrML-based licenses to read, interpret, and enforce the usage permissions packaged with protected content. A use license contains the symmetric content key for decrypting the content, encrypted with the public key of the user; this ensures that only the requesting user can consume the RM-protected content. A use license is signed by the private key of the server that issued it.
RMS Licensing

Since this server component is provided as a premium service for Windows Server, a Windows RMS Client Access License (CAL) is required for each user who will publish or view rights-protected content. Up to two users may access the RMS server simultaneously, solely to administer the software, without a CAL. For more details on licensing requirements, review the End User License Agreement presented when downloading this premium service.
Tracking Licenses

Windows RMS tracks the total number of users that have received RM account certificates from a Windows RMS installation. This number is an approximation of the total number of RM account certificates issued: if the databases have not been updated to delete users who are no longer active, the count will be too high, and if users have been issued multiple certificates in multiple forests, the additional certificates are not included in the number shown.

Rights Policy Templates

Rights policy templates describe a standard set of users, rights, and conditions that can be applied to RM-protected content. When a user applies a rights policy template to a piece of content, the rights that it describes become part of the publishing license.

Concepts

Creating Content

Users who are trusted entities in a Windows RM system can create and manage protected files using applications and tools that incorporate Windows RM technology. RM-enabled applications can also use centrally defined and officially authorized rights policy templates, so that users can efficiently apply a predefined set of corporate usage policies. RM-enabled applications are developed by Microsoft and by third-party developers for use with a Windows RMS installation.

Licensing and Distribution

Certificates issued by the servers in an RM system identify the trusted entities that can publish and consume RM-protected content. Users who are trusted entities can assign usage rights and conditions to content they author and want to protect; these usage policies specify who can use the content and what they can do with it. Authors request publishing licenses, which bind the usage policies to the specified content. They can then distribute the content, for example by sending it to other users in their organization, posting it to internal servers for company use, or distributing it to trusted external partners.

In a process that is transparent to users, the RM system validates the trusted entities in a publishing license request and then issues a license that contains the specified usage rights and conditions for the content. The RM-enabled application generates the keys and uses them to encrypt the content, and the certificates of the trusted entities are included with the encrypted content. Once the content is locked by this mechanism, only the users specified in the publishing license, who must themselves be trusted entities in the RM system, can unlock and consume it.

Acquiring Licenses

Users who are trusted entities consume RM-protected content using trusted clients: RM-enabled computers and applications that let users view and work with RM-protected content while preserving its integrity and enforcing its usage policies. When a user attempts to open RM-protected content, the client asks Windows RMS to issue a use license for that user and that content. In a process transparent to the user, the Windows RMS server, which holds the private key matching the public key under which the content key was encrypted, issues a unique use license carrying the usage rights and conditions specified in the publishing license. The RM-enabled application reads, interprets, and enforces those rights, and decrypts the content using the content key released in the use license together with the certificates of the trusted entities. The usage rights and conditions are persistent and can be enforced wherever the content goes.

Encryption

Protected content is always encrypted. The certificates and licenses used by Windows RMS may also contain encrypted data that can be decrypted only by the appropriate entity. An RM-enabled application uses a content key to encrypt the data. All Windows RMS servers, client computers, and user accounts have a pair of 1024-bit RSA keys, except for the machine key pairs, which are 512-bit RSA. Windows RMS uses these keys to encrypt the content key carried in publishing and use licenses, and to sign RM certificates and licenses. This is what restricts access to authorized users and computers.
Server Keys

A Windows RMS server has a pair of 1024-bit RSA keys. The server public key is used to encrypt the content key contained in a publishing license, so that only the Windows RMS server can retrieve the content key and issue use licenses against that publishing license. The server licensor certificate contains the server public key. The server private key is used to sign all certificates and licenses that the server issues.

Machine Keys

A Windows RMS client computer or device has a pair of 512-bit RSA keys, called machine keys. The machine public key is used to encrypt the user private key carried in an RM account certificate. The RM machine certificate contains the machine public key. The RM Lockbox contains the machine private key, which is used to decrypt the user private key in the RM account certificate so that it can be used. A 512-bit RSA modulus is by far the weakest key in this hierarchy: moduli of that size had already been factored publicly by 1999, so an attacker holding a machine certificate and an RM account certificate could in principle recover the user private key by factoring, without ever touching the Lockbox.

Client Licensor Keys

Authors may acquire client licensor certificates in order to publish RM-protected content while not connected to the Windows RMS-enabled network. A client licensor certificate has a pair of 1024-bit RSA keys. The Windows RM client component uses the client licensor certificate when issuing a publishing license locally, while the user is not connected to the network: the issuing server's public key that the certificate carries encrypts the symmetric content key, and the client licensor private key signs the publishing license.

User Keys

A Windows RMS user has a pair of 1024-bit RSA keys. The user key pair is stored in the Windows RMS configuration database so that a given user always has the same key pair throughout the Windows RMS system. An RM account certificate contains the user public key, which is used to encrypt the content key contained in a use license so that only that user can consume RM-protected content with that license. The same RM account certificate also contains the user private key, encrypted with a client machine public key. This ensures that an RM account certificate can be used only on the computer for which it was issued, while every RM account certificate for a given user contains the same key pair. The user private key is required to consume any content that has been protected by using Windows RMS.

Content Keys

When an author publishes RM-protected content, an RM-enabled application creates a symmetric content key and uses it to encrypt the content. Windows RMS supports applications that use the Data Encryption Standard (DES) or the Advanced Encryption Standard (AES) for the content key. The content key is included in the publishing license, encrypted with the public key of the Windows RMS server that issued the license. When that server receives a request for a use license, it decrypts the content key with the server's private key and re-encrypts it with the user's public key (received as part of the request); the re-encrypted content key is then carried in the use license.
Publishing and Consumption Workflow

[Figure: the information author, the RMS server (backed by SQL Server and Active Directory), and the recipient; the numbered arrows in the figure correspond to the steps below.]

1. The author receives a client licensor certificate (CLC) the first time he or she protects information.
2. The author defines a set of usage rights and rules for the file; the application creates a publishing license and encrypts the file.
3. The author distributes the file.
4. The recipient opens the file, and the application calls the RMS server to validate the user and issue a use license.
5. The application renders the file and enforces the rights.
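As an added example (not code from the paper, the RMS SDK or Microsoft), the following Go program models steps 2 and 5 of the workflow above together with the Rights Policy Templates section: a rights policy template is applied at publication to produce the rights section of the publishing licence, and the client then binds a requested right against that licence at consumption time, enforcing expiry as a condition. The Right, Grant, Template and Policy types, the right names, and the sample Finance template are this example's own constructions; real RMS licences are XrML documents and the real client evaluates them inside the Lockbox.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Added example, not RMS code: a toy model of a rights policy template being
// applied at publication and of the "binding" check a client performs before
// it grants a requested right. Right names, fields and the sample template are
// this example's own constructions; real RMS licences are XrML documents.

type Right string

const (
	View    Right = "VIEW"
	Edit    Right = "EDIT"
	Print   Right = "PRINT"
	Forward Right = "FORWARD"
)

// Grant gives one principal (user e-mail address or group name) a set of
// rights. Expires is a condition enforced at consumption; zero means never.
type Grant struct {
	Principal string
	Rights    []Right
	Expires   time.Time
}

// Template is an administrator-defined rights policy template.
type Template struct {
	Name   string
	Grants []Grant
	Valid  time.Duration // content lifetime from publication; 0 = unlimited
}

// Policy is the rights section of a publishing licence.
type Policy struct {
	Owner  string
	Issued time.Time
	Grants []Grant
}

// Apply stamps the template onto content being published: every template
// grant receives the expiry derived from Valid, and the author keeps all
// rights with no expiry. The template itself is left unchanged.
func (t Template) Apply(owner string, now time.Time) Policy {
	var exp time.Time
	if t.Valid > 0 {
		exp = now.Add(t.Valid)
	}
	p := Policy{Owner: owner, Issued: now,
		Grants: []Grant{{Principal: owner, Rights: []Right{View, Edit, Print, Forward}}}}
	for _, g := range t.Grants {
		g.Expires = exp // g is a copy; t.Grants is not modified
		p.Grants = append(p.Grants, g)
	}
	return p
}

var (
	ErrDenied  = errors.New("right not granted to this principal")
	ErrExpired = errors.New("every grant for this principal has expired")
)

// Bind reports whether principal, a member of groups, may exercise right at
// time now. Matching is case-insensitive. Rights accumulate across grants,
// but an expired grant contributes nothing, so the condition is checked
// before the right is even looked at.
func (p Policy) Bind(principal string, groups []string, right Right, now time.Time) error {
	mine := map[string]bool{strings.ToLower(principal): true}
	for _, g := range groups {
		mine[strings.ToLower(g)] = true
	}
	expired := false
	for _, g := range p.Grants {
		if !mine[strings.ToLower(g.Principal)] {
			continue
		}
		if !g.Expires.IsZero() && !now.Before(g.Expires) {
			expired = true
			continue
		}
		for _, r := range g.Rights {
			if r == right {
				return nil
			}
		}
	}
	if expired {
		return ErrExpired
	}
	return ErrDenied
}

func main() {
	// Constructed sample: Finance may view, the controllers group may also
	// print, and the content expires 30 days after publication.
	tpl := Template{Name: "Finance Confidential", Valid: 30 * 24 * time.Hour, Grants: []Grant{
		{Principal: "finance@example.com", Rights: []Right{View}},
		{Principal: "controllers@example.com", Rights: []Right{View, Print}},
	}}
	published := time.Date(2004, 3, 1, 9, 0, 0, 0, time.UTC)
	pol := tpl.Apply("Alice@example.com", published)
	bob := []string{"finance@example.com"}
	fmt.Println("bob, VIEW, day 1:  ", pol.Bind("bob@example.com", bob, View, published.Add(time.Hour)))
	fmt.Println("bob, PRINT, day 1: ", pol.Bind("bob@example.com", bob, Print, published.Add(time.Hour)))
	fmt.Println("bob, VIEW, day 31: ", pol.Bind("bob@example.com", bob, View, published.Add(31*24*time.Hour)))
}
```

The point of separating Apply from Bind is the one the paper makes about persistence: the policy is fixed into the licence when the content is published, and every later decision is made by the consuming client against that frozen policy, not against whatever the template says today. Changing a template therefore affects only content published afterwards.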
Glossary

Account certification - The process that associates user accounts with key pairs.
Account certification service - A Windows RMS Web service that creates and distributes RM account certificates.
Activation proxy service - A Windows RMS Web service that forwards machine activation requests to the Microsoft Activation Service, which returns a custom-generated RM Lockbox and a matching RM machine certificate unique to the specific computer. The activation proxy service then forwards these items back to the requesting client.
Administration service - A Windows RMS Web service that hosts the Administration Web site, allows the management of Windows RMS, and updates the configuration database for the cluster.
Application manifest - An XML document that describes the modules of an associated RM-enabled application and what may run in the application environment. Any application that runs with the RM client component must provide a manifest at run time.
Attribute - A name-value data pair.
Binding - The mechanism that exercises rights in an RM system: the RM client component validates the conditions of a use license against the rights being requested, and grants the rights only if those conditions are met.
Certificate - A signed statement that associates an identity with a pair of electronic keys that can be used to encrypt and sign digital information.
Client enrollment - The process of creating the client licensor certificate. This certificate enables the user's computer or device to create publishing licenses that will be honored by a licensing server.
Client licensor certificate - The certificate created by a Windows RMS server and placed on Windows RM client computers. It enables users to publish protected content offline, without being connected to the Windows RM-enabled network.
Condition - A set of specified constraints and parameters that are part of the rights group bundled into a publishing license. Conditions are enforced at the time of consumption.
Configuration database - The database containing Windows RM configuration information for a server or cluster.
Consuming content - Exercising usage rights to a piece of protected content.
Content key - The symmetric key used to both encrypt and decrypt protected content during publishing and consumption.
Content owner - The person or organization that controls access to protected content.
Decrypt - To convert encrypted content back into its original form.
DRMRemote service - A Windows RMS Web service that exposes services through .NET Remoting, used for communication between different Windows RMS servers.
Encrypt - To encode (scramble) information so that it is unreadable to all but those possessing the key.
Enrollment - The process by which the root certification server obtains a server licensor certificate signed by the Microsoft root of trust.
Enrollment request - A request sent by the root certification server to the Microsoft Enrollment Service for a server licensor certificate.
Exclusion - The process used to deny a use license to a client based on exclusion policy.
Exclusion list - The list of principals that are to be denied licenses by the Windows RMS licensing service.
Exclusion policy - Settings in the Windows RMS configuration database that control how exclusion is applied in the organization.
Extensible Rights Markup Language (XrML) - The XML-based specification for the license documents that specify the RM policy applied to protected content.
License - Data that specifies the RM policy applied to protected content.
Licensing cluster - One or more servers running the Windows RMS licensing and publishing services outside of the root certification cluster. These servers use a common database and connection URL, and should be deployed behind either a software or hardware load balancer.
Licensing server - A server running the Windows RMS licensing and publishing services outside of the root certification cluster.
Licensing service - A Windows RMS Web service that issues use licenses.
Logging service - A Windows RMS listener service that transfers logged data from the message queue to the logging database for the Windows RMS server or cluster.
Machine activation - The process of obtaining a unique RM Lockbox for a computer.
Manifest - The signed XML document that identifies the libraries or programs that can, cannot, and may be loaded into the application's processing space.
Microsoft Activation Service - A Microsoft-hosted Web service that issues RM machine certificates and RM Lockboxes in response to RM client requests.
Microsoft Enrollment Service - A Microsoft-hosted Web service that issues a server licensor certificate to the root certification server in a Windows RMS deployment.
Pre-certification - A feature of the Windows RMS certification service that allows an RMS server to request an RM account certificate on behalf of a user. RM account certificates obtained using pre-certification contain only the user's public key.
Principal - An entity (such as a user, group, or protected content manager) that has an established role in the Windows RM security scheme, and to which objects can be secured.
Private key - The secret half of a public/private key pair. Private keys are typically used to digitally sign a message or to decrypt a message that has been encrypted with the corresponding public key.
Provision - To configure a Windows RMS server to work in an organization.
Public key - The non-secret half of a public/private key pair. Public keys are typically used to encrypt sessions, files, and messages, which are then decrypted using the corresponding private key.
Public key cryptography - A method of cryptography in which two different keys are used: a public key for encrypting data and a private key for decrypting it. Also called asymmetric cryptography.
Publishing license - The license created when publishing content that allows a user to request a use license. Also known as an issuance license.
Publishing service - A Windows RMS service that signs publishing licenses and issues client licensor certificates.
Revocation - A process by which entities are listed as having invalid licenses.
Revocation list - An XrML-based document that lists the certificates and licenses that have been revoked by the issuer.
Right - An action permitted to specified users for content protected by Windows RM technology. Rights can be further constrained by using conditions.
Rights management - A technology that provides persistent protection to digital data using encryption, certificates, and authentication. Authorized recipients or users must acquire a license in order to consume the protected files, according to the rights, or business rules, set by the content owner.
Rights policy template - Describes a standard set of users, rights, and conditions that can be applied to RM-protected content. When a user applies a rights policy template to a piece of content, the rights and conditions it describes become part of the publishing license.
RM account certificate - The certificate that uses the machine certificate from RM activation to bind user accounts to specific computers or groups of computers. Its components are used to enable consumers to use protected content. Also known as a group identity certificate (GIC).
RM activation - The process of placing an RM Lockbox on an end user's computer. This can only be provided by the RM activation service and is essential when using Windows RM technology. Also known as activation.
RM client component - A set of RM APIs that each client computer in an RM system must install. It is a prerequisite for machine activation and is required for using RM-enabled applications.
RM Lockbox - The software module responsible for authenticating the valid use of protected content and protecting trusted software processing from modification and observation. Also known as a secure repository.
RM machine certificate - The certificate placed on an end user's computer during RM activation. It is used to create the RM account certificates that end users need in order to publish and consume protected content.
RM-enabled application - An application that has been extended with the Windows RM client SDK to allow users to specify the rights attached to content they create.
RM-enabled computer - A computer that has the RM client component installed and has undergone RM machine activation so that it can process content protected by Windows RMS.
RM-protected content - Digital information that is protected by Windows RM technology.
Root certification cluster - One or more servers in a Windows RMS deployment running the administration, enrollment, account certification, activation proxy, licensing, and publishing services. These servers use a common database and connection URL, and should be deployed behind either a software or hardware load balancer. There can be only one root certification cluster per Active Directory forest.
Root certification server - The primary server in a Windows RMS deployment running the administration, enrollment, account certification, activation proxy, licensing, and publishing services. There can be only one root certification server per Active Directory forest.
Root of trust - A trusted entity that provides the basis for the certificates in the certificate trust list (CTL). All the certificate providers and the ultimate user must trust the destination.
Security ID (SID) - A numeric value that identifies a user or group. For each access control entry (ACE), a SID identifies the user or group for whom access is allowed, denied, or audited.
Server licensor certificate - The certificate that establishes the credentials of the RMS server, making it a valid certification and licensing service and enabling it to run.
Server service - A Windows RMS Web service that allows another service to request a server licensor certificate and the service location URL.
Service connection point (SCP) - An Active Directory object that references the root certification cluster URL of a Windows RMS deployment. The client component uses this information to locate Windows RMS services.
Signature - Data that results when content authors or owners of a message, file, or other digitally encoded information bind their identity to the information.
Sub-enrollment - Part of the provisioning process for a licensing server, by which the licensing server obtains a server licensor certificate from the root certification cluster.
Sub-enrollment request - A request sent by a licensing server to the root certification cluster for a server licensor certificate.
Sub-enrollment service - A Windows RMS Web service on the root certification server that responds to requests for server licensor certificates submitted by licensing servers during provisioning.
Super user - A member of the super user group.
Super user group - An administratively defined user group for each Windows RMS cluster that is granted owner licenses by the Windows RMS server when opening content published by that server.
Use license - The license that enables end users to consume protected content. Also known as an end-user license (EUL).
Windows RM Certification Service - A Microsoft-hosted Web service that issues RM account certificates to users based on their Microsoft .NET Passport credentials.