Rights Management Services (Active Directory Rights Management Services, AD RMS; known as Rights Management Services or RMS prior to Windows Server 2008) is the server-based information rights management software that ships with Windows Server. It uses encryption and selective denial of functionality to restrict access to documents such as corporate emails, Microsoft Word documents and web pages, as well as the operations that authorized users can perform on them.
| Rights Management Services (Windows Server component) | |
|---|---|
| Component type | Server |
| Included in | Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 |
| Service name | Active Directory Rights Management Services, RMS |
| Service description | Access control |
| Status | Active |
Companies can use this technology to encrypt information stored in such document formats and, through policies embedded in the documents, to prevent the protected content from being decrypted except by certain people or groups, in certain environments, under certain conditions and for certain periods of time.
Content authors can permit or prohibit specific operations, such as printing, copying, editing, forwarding and deleting, for individual pieces of content, and RMS administrators can deploy RMS templates that group these rights into predefined sets that can be applied in bulk.
RMS debuted on Windows Server 2003 with client API libraries available for Windows 2000 and later. The rights management client is included with Windows Vista and later; it is available for Windows XP, Windows 2000, or Windows Server 2003 [1].
In addition, there is an implementation of AD RMS in Office for Mac for using rights protection in OS X, and some third-party products are available for protecting rights on Android, Blackberry OS, iOS, and Windows RT [2] [3].
Attacks against policy enforcement capabilities
In April 2016, an alleged attack on the RMS implementation (including Azure RMS) was published and reported by Microsoft [4] [5]. The published code allows an authorized user who has the right to view an RMS-protected document to remove the protection while preserving the file formatting. Such manipulation requires that the user has been granted the right to decrypt the content in order to view it. Although Rights Management Services makes certain security claims regarding the inability of unauthorized users to access protected content, the distinction between different usage rights for authorized users is considered part of the policy enforcement capabilities, which Microsoft says are implemented on a "best effort" basis. For this reason the corporation does not treat this as a security issue, but only as a limitation of policy enforcement. Previously, the RMS SDK enforced signing of code that used RMS features, to provide some level of control over which applications interacted with RMS, but this feature was subsequently removed because such behavior could only be restricted to a limited degree, given that applications can be written to call the web services directly and obtain licenses to decrypt the content [6].
In addition, using the same technique, a user who has been granted the right to view a protected document can manipulate the contents of the document without leaving traces of the manipulation. Since Azure RMS is not a failure-free solution and, unlike document signing solutions, does not claim to provide protection against unauthorized access, and since changes can only be made by users who have been granted rights to the document, Microsoft does not consider the latter problem an actual attack on the declared capabilities of RMS [7]. The researchers provide a proof-of-concept tool on GitHub for evaluating the results [8].
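The following simplified model, an added illustration that is not AD RMS code or its wire format, shows why the authorized/unauthorized boundary is cryptographic while the split between usage rights is advisory, and why a check keyed with the shared content key cannot attribute a change to its author. `LicenseServer`, the right names, the toy cipher and the HMAC tag are all assumptions made for the model.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def protect(content_key: bytes, plaintext: bytes) -> dict:
    """Encrypt and tag a document under the shared content key."""
    nonce = os.urandom(16)
    ct = _xor_stream(content_key, nonce, plaintext)
    tag = hmac.new(content_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unprotect(content_key: bytes, doc: dict) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on a bad tag."""
    want = hmac.new(content_key, doc["nonce"] + doc["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, doc["tag"]):
        raise ValueError("integrity check failed")
    return _xor_stream(content_key, doc["nonce"], doc["ct"])

class LicenseServer:
    """Hypothetical licensing service: releases the key to anyone allowed to view."""
    def __init__(self, content_key: bytes, acl: dict):
        self._key, self._acl = content_key, acl
    def use_license(self, user: str):
        rights = self._acl.get(user, set())
        if "VIEW" not in rights:
            return None  # no key released: this boundary is cryptographic
        return {"key": self._key, "rights": set(rights)}  # rights are only flags

def demo() -> dict:
    key = os.urandom(32)
    server = LicenseServer(key, {"author": {"VIEW", "EDIT"}, "reader": {"VIEW"}})
    original = protect(key, b"Q3 forecast: 1.2M")  # constructed sample content
    reader = server.use_license("reader")
    text = unprotect(reader["key"], original)
    reissued = protect(reader["key"], text.replace(b"1.2M", b"9.9M"))
    return {
        "outsider_license": server.use_license("outsider"),
        "same_key": reader["key"] == server.use_license("author")["key"],
        "reader_rights": reader["rights"],
        "reissued_opens_as": unprotect(key, reissued),
    }
```

In this model, tamper evidence has to come from something the viewers do not hold, such as a signature made with a key that only the author holds.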
Supported Software
RMS is supported by the following products:
- Microsoft Office 2003 and later: Word, Excel, PowerPoint, Outlook, InfoPath [9]
- and later: Word, Excel, PowerPoint, Outlook
- SharePoint 2007 and later
- Exchange Server 2007 and later
- XML Paper Specification (XPS)
Third-party solutions such as Secure Islands (acquired by Microsoft), GigaTrust, and Liquid Machines (acquired by Check Point) can add RMS support for the following software:
- SharePoint 2003 [10] [11] [12]
- Microsoft Visio
- Microsoft Project [13] [12]
- Adobe Acrobat [14] [15] [12] [16]
- Internet Explorer
- IIS 6.0
Notes
- [1] Microsoft Windows Rights Management Services Client with Service Pack 2 - x86. Microsoft Download Center. Retrieved December 28, 2017.
- [2] RMS Viewer | Mobile Rights Management for iPhone, iPad, Android and Blackberry. www.rmsviewer.com. Retrieved December 28, 2017.
- [3] GigaTrust - iPhone and iPad (dead link) (October 31, 2012). Retrieved December 28, 2017. Archived October 31, 2012.
- [4] How to Break Microsoft Rights Management Services. web-in-security.blogspot.de. Retrieved December 28, 2017.
- [5] How to Break Microsoft Rights Management Services | USENIX. www.usenix.org. Retrieved December 28, 2017.
- [6] Creating an Application Manifest (Windows). msdn.microsoft.com. Retrieved December 28, 2017.
- [7] RMS FAQ: Security Concerns. msdn.microsoft.com. Retrieved December 28, 2017.
- [8] MS-RMS-Attacks: Breaking the security of Microsoft's RMS. 2017-12-21.
- [9] Plan Information Rights Management in Office 2013. technet.microsoft.com. Retrieved December 28, 2017.
- [10] Active Directory Rights Management Services (English). Wikipedia. 2017-10-06.
- [11] http://www.secureislands.com/solutions/sharepoint-classification-and-protection.html (dead link). Retrieved December 28, 2017. Archived February 16, 2013.
- [12] https://web.archive.org/web/20080517125543/http://www.gigatrust.com/news/rms_protect_pdf_files.shtml (dead link). Archived May 17, 2008.
- [13] http://www.secureislands.com/ (dead link). Retrieved December 28, 2017. Archived February 2, 2013.
- [14] http://www.secureislands.com/products/iqprotector-file-protection.html (dead link). Retrieved December 28, 2017. Archived February 16, 2013.
- [15] http://www.prnewswire.com/news-releases/gigatrust-launches-new-rms-desktop-pdf-client-for-adobe-with-comprehensive-reporting-auditing-and-compliance-capability-277422531.html
- [16] http://www.foxitsoftware.com/products/rms/
Links
- Windows Rights Management Services
- RMS Client downloads
- Download Rights Management Service SDK 2.1 from Official Microsoft Download Center
- Windows Rights Management Services (RMS) Troubleshooting - Single Root Server Warning
- Active Directory Rights Management Overview
- Microsoft Rights Management SDKs (Windows) - MSDN
- Active Directory Rights Management Services SDK (Windows) - MSDN
- Active Directory Rights Management Services - TechNet
- Secure Islands IQProtector - Protect and manage information with Microsoft RMS
- Windows RMS Technical Overview