RMS FAQ: Security Concerns

  • Article

Applies To: Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

RMS Security Concerns FAQ

  • What is the super user account?

  • Is RMS a security solution?

  • What mechanisms are in place to prevent recipients from rolling back the clock on their client computer to extend access to a rights-protected document after their use license has expired?

  • Is it possible for members of the Domain Admins group to read documents intended for someone in their domain?

  • I understand that every lockbox can authenticate every certificate or license generated within the system, as coming from a service registered with Microsoft. What threat does this protect against?

  • If someone manages to open a document by using a brute force attack does that enable them to open other documents with that key?

  • Due to export restrictions on encryption technologies, are any parts of the keys exposed outside the enterprise that deployed it?

  • How do you prevent malicious attackers from turning on the decommissioning feature remotely?

  • Can a user perform screen captures of rights-protected content?

  • Can administrators who back up files related to RMS gain access to rights-protected content?

  • Does the swap file that Windows uses contain the unencrypted content at any point, potentially leaving content “open”?

  • Is it possible to limit which administrators can access the different administrative features of RMS?

  • Can RMS protect individual documents as soon as they are created, on the user’s hard drive or on a shared folder?

  • When I receive a rights-protected e-mail, it appears that there is an attachment included with the mail. I can save that attachment even though the mail supposedly cannot be saved - is RMS broken?

What is the super user account?

RMS supports a special super users group that has full control over all rights-protected content. Members of the super users group are granted full owner rights in all use licenses that are issued to them by the RMS cluster on which the super users group is configured. This means that members of this group can decrypt any and all protected files and remove protection from them. A member of this group can, for example, remove protection from files that have been published by a terminated employee so that a new owner can publish and manage the files.

Is RMS a security solution?

No, AD RMS is not a security solution. When used with an AD RMS-enabled application, such as Office 2007, AD RMS can be considered a “policy enforcement solution.” For this reason, if a user of AD RMS protected content is not authorized to view the data, the encryption used by AD RMS is strong enough to effectively counter and avoid all cryptographic attacks presently known. But AD RMS encryption is tightly coupled to user identity, so any compromise to a user’s identity, password or network account will potentially lead to a compromise of the encrypted data. On the policy enforcement front, if the user has the right to view the data, the user could copy it by hand or take a digital picture of it and provide the information to unauthorized users.

What mechanisms are in place to prevent recipients from rolling back the clock on their client computer to extend access to a rights-protected document after their use license has expired?

RMS will detect if the clock on a client system has been rolled backward or forward, and prevent the user from consuming content. In addition, RMS will detect if there is a measurable clock differential between the RMS server and client.

Is it possible for members of the Domain Admins group to read documents intended for someone in their domain?

Members of the Domain Admins group can read content protected to a user account if they are a member of the RMS super user group or if they are impersonating the user’s account. Because members of the Domain Admins group have control over the user accounts in the domain, there is no mitigation for the scenario of an untrustworthy member of the Domain Admins group.

As a best practice, only add members of the Domain Admins group to the super user group when they need to access rights-protected content. When a license is granted to a member of the super user group, an event ID 49 is logged in the Application event log of the RMS server. Event ID 49 states “A license was granted to a user belonging to the super users group. The user has the following e-mail address: <Users Alias>” where Users Alias is replaced with the e-mail account of the user.

Important

Event ID 49 is logged only by Windows RMS; it is not logged by Active Directory Rights Management Services (AD RMS).

As with other groups used to limit access to resources, you should define alerts and perform security checks to help prevent someone from joining the super user group without authorization.

I understand that every lockbox can authenticate every certificate or license generated within the system, as coming from a service registered with Microsoft. What threat does this protect against?

Without being able to verify the integrity of certificates, a user could spoof a rights account certificate (RAC) issued to another user and get a use license for content, or create an application that removed protection from a document.

If someone manages to open a document by using a brute force attack does that enable them to open other documents with that key?

Each piece of rights-protected content is encrypted with a different randomly-generated symmetric key. Therefore, the key to each document is unique and not useful for decrypting other documents.

Due to export restrictions on encryption technologies, are any parts of the keys exposed outside the enterprise that deployed it?

Applications signed into the Microsoft root are subject to the Microsoft key signing root, but from that point forward, no other keys are either disclosed by Microsoft or disclosed by a customer’s deployment.

How do you prevent malicious attackers from turning on the decommissioning feature remotely?

The attacker would need the credentials of a user account that has administrative rights to the RMS cluster. By default, the RMS administration interface is available only locally on the RMS server. Ensuring that this remains the case, that Remote Desktop Protocol (RDP) is disabled, and that the server is physically secure will help mitigate the risk.

Can a user perform screen captures of rights-protected content?

No. If the RMS rights are set to disallow copy functionality, Windows Alt+PrtSc is disabled by RMS. The RMS client also uses Windows Desktop Windows Manager to prevent third-party products from capturing content.

Can administrators who back up files related to RMS gain access to rights-protected content?

No, they can perform the backup but do not have access.

Does the swap file that Windows uses contain the unencrypted content at any point, potentially leaving content “open”?

Once the RMS client sends decrypted content back to the application, it could appear in the swap file. Part of RMS application development recommendations in the Rights Management Services (RMS) Software Development Kit (SDK) includes steps to prevent this occurrence, but the burden of doing so rests on the RMS-enabled application.

Is it possible to limit which administrators can access the different administrative features of RMS?

Yes, you can create a different RMS Admin groups in Active Directory, add users, and then create the appropriate access control list (ACL) for the administration pages. For example, the default configuration of the RMS administration Web page ACLs specifies that the Security settings page is accessible only by the user that provisioned the server.

Can RMS protect individual documents as soon as they are created, on the user’s hard drive or on a shared folder?

Although RMS can be used to protect documents stored on a user’s local computer, Encrypting File System (EFS) would be the preferred option. EFS transparently protects documents, whereas RMS requires manual intervention (a couple of mouse clicks) to protect a document.

When I receive a rights-protected e-mail, it appears that there is an attachment included with the mail. I can save that attachment even though the mail supposedly cannot be saved - is RMS broken?

No. This is expected behavior. The attachment you see is the encrypted message before the RMS client has decrypted it. It is still rights-protected and cannot be saved once decrypted.