Discussion:
Questions on security
Rex
2004-08-04 08:48:12 UTC
I've tested our RMS installation internally, and now we're testing
external users-who would connect to the net via dialup on their laptops,
and connect to our RMS website, whose external address etc has been
configured.
Now-my sysadmin has the job of installing the client on each persons'
laptop (all are using Win XP with Office 2000, and will have to use the
IE plugin)
I'm still a little confused on machine activation-doesn't the machine
have to be activated against the corporate RMS server? The help file
says that if that server is unavailable then it will get activated from
Microsoft.
Most of our users are consultants, who would be accessing the system
from outside office, over the internet. Their laptops are also not
members of the company domain.
If a user were to give out his windows password to another external
person, what prevents that person from opening the document on his
laptop after installing RMS on it?
Does it also lock users to computers in some way, so that documents can
only be opened on company authorized PCs, that have been activated
within the premises?
This seems to me still too dependent on password security..
I hope someone can clarify.

Rex

"Organic chemistry is the chemistry of carbon compounds.
Biochemistry is the study of carbon compounds that crawl."
-- Mike Adams
John Thomson
2004-08-05 16:50:44 UTC
Hi Rex,

You've made some very good points. Comments inline...

John Thomson
www.titus.com/rms
Post by Rex
I've tested our RMS installation internally, and now we're testing
external users-who would connect to the net via dialup on their laptops,
and connect to our RMS website, whose external address etc has been
configured.
Now-my sysadmin has the job of installing the client on each persons'
laptop (all are using Win XP with Office 2000, and will have to use the
IE plugin)
I'm still a little confused on machine activation-doesn't the machine
have to be activated against the corporate RMS server?
No, not necessarily. Machine Activation always occurs against a Microsoft
service called the "Microsoft DRM Machine Activation Service". If there is
no RMS infrastructure present in an organization, then the client machines
will need to be able to communicate with this service directly. If there is
an infrastructure present, the client will proxy the machine activation
request through your local RMS Server.
Post by Rex
The help file
says that if that server is unavailable then it will get activated from
Microsoft.
Most of our users are consultants, who would be accessing the system
from outside office, over the internet. Their laptops are also not
members of the company domain.
If a user were to give out his windows password to another external
person, what prevents that person from opening the document on his
laptop after installing RMS on it?
You could ensure that your roaming users have enrolled in RMS prior to
hitting the road. If the enrollment service is not accessible externally,
then even if your user shared his password, the other user would not be able
to get a new RAC. Without a valid RAC issued by your RMS server, he would
not be able to acquire a Use License.

(That said, I just re-read your point. You say that they will not be domain
members at all? They don't even have entries in your AD? Hmmm...that
complicates things. I don't think that RMS will work at all, since one
needs to authenticate to AD in order to enroll and access the pipelines in
the first place. RMS is a great inward-facing application, but it currently
is not so great for external, non-domain members. If you are trying to
extend RMS externally to non-domain users/members, you will have some
challenges, such as those you have described.)

Perhaps your external users could enroll with the Passport service. You
could then extend trust to Passport-issued RACs, allowing those users to
acquire a Use License from your License Server. How you secure that request
is up to you, but you could use password, Smartcard, client certificates et
cetera...This would also not work very well for external users protecting
for internal users as Passport-issued RACs can only protect for other
Passport-issued RACs

NOTE: The rest of my answers here were made under the impression that you
have internal, roaming users...not non-domain users...I left them here
anyways as they may be beneficial to some

If you have internal users that are sharing their logon credentials with
external users, there is nothing that RMS will do to compensate for that.
Remember that RMS uses your defined network authentication mechanism to
authenticate against the licensing pipelines. In that sense, RMS is only as
strong as your network logon. If you are only using username/password and
the requisite services are available externally, then the scenario you
describe could occur. If you have deployed Smartcards, it is much less
likely to occur. There are (of course) other authentication methods, your
policy will dictate which is the most appropriate for your organization.
Post by Rex
Does it also lock users to computers in some way, so that documents can
only be opened on company authorized PCs, that have been activated
within the premises?
It is possible to accomplish what you are describing, but in a roundabout
sort of way: You could define a policy template that says that a new
connection to a License Server is required every time content is consumed.
You could then lock down the License Server so that it is only accessible
internally, using only Windows Integrated Authentication (the default) and
then using Smartcards to logon to the network. If external access is
required, using ISA to publish the license pipelines and using a Smartcard to
authenticate is the way to go.

Remember that once a Use License has been granted, it is bound to that
particular machine by way of encrypting the Use License for the user's
private key in their RAC, which is encrypted with the machine's public key.
If that Use License leaves the laptop, it is useless. So, the document is
bound to that particular user on that particular computer who initially
acquired the Use License. If the user moves to a new workstation, a new Use
License must be acquired.
Post by Rex
This seems to me still too dependent on password security..
Only if your network depends on passwords. ;-)
Post by Rex
I hope someone can clarify.
I hope I did! Let me know if not.

Feel free to contact me directly, Rex. Maybe we can exchange some ideas and
post them here when we are done.

John
Post by Rex
Rex

"Organic chemistry is the chemistry of carbon compounds.
Biochemistry is the study of carbon compounds that crawl."
-- Mike Adams
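The Use License binding John describes above (Use License sealed to the user's RAC key, RAC key sealed to the machine key) is modelled here as an added example; it is not RMS code and not from either poster. RMS uses public-key encryption for these layers; this stand-in uses a toy symmetric wrap (SHA-256 keystream plus HMAC tag) so it runs with the standard library only, and all keys and the document are constructed sample values.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode. Stand-in for the real
    # public-key layers in RMS, used only to show the binding chain.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def wrap(kek: bytes, plaintext: bytes) -> bytes:
    # Seal plaintext under key-encryption-key kek: nonce || ciphertext || HMAC tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kek, nonce, len(plaintext))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    # Reject (rather than silently garble) when the wrong key is used.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kek, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key: this blob was not sealed for this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

def issue_rac(machine_key: bytes, user_key: bytes) -> bytes:
    return wrap(machine_key, user_key)          # RAC: user key sealed to one machine

def issue_use_license(user_key: bytes, content_key: bytes) -> bytes:
    return wrap(user_key, content_key)          # Use License: content key sealed to the RAC

def open_document(machine_key: bytes, rac: bytes, use_license: bytes, protected: bytes) -> bytes:
    user_key = unwrap(machine_key, rac)         # needs the machine that enrolled
    content_key = unwrap(user_key, use_license) # needs that user's RAC key
    return unwrap(content_key, protected)

def demo() -> tuple:
    doc = b"Confidential: Q3 figures (constructed sample)"
    content_key, user_key = secrets.token_bytes(32), secrets.token_bytes(32)
    laptop_a, laptop_b = secrets.token_bytes(32), secrets.token_bytes(32)  # two machine keys
    protected = wrap(content_key, doc)
    rac, ul = issue_rac(laptop_a, user_key), issue_use_license(user_key, content_key)
    opened = open_document(laptop_a, rac, ul, protected)
    try:                                        # same RAC + Use License copied to laptop B
        open_document(laptop_b, rac, ul, protected)
        moved = "opened"
    except ValueError:
        moved = "rejected"
    return opened, moved
```

`demo()` returns the plaintext on the issuing laptop and "rejected" when the same RAC and Use License are copied to a machine with a different key, which is the property John's paragraph relies on.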
Rex
2004-08-06 09:03:40 UTC
Post by John Thomson
Perhaps your external users could enroll with the Passport service. You
could then extend trust to Passport-issued RACs, allowing those users to
acquire a Use License from your License Server. How you secure that request
is up to you, but you could use password, Smartcard, client certificates et
cetera...This would also not work very well for external users protecting
for internal users as Passport-issued RACs can only protect for other
Passport-issued RACs
This is one thing that I have thought of-then again, the Passport
service for RMS is something MS reserves the right to stop supporting at
any time-entrusting an enterprise wide solution to this would be quite
risky. One thing I've thought of goes something like this:
First, I tested the system by opening a protected document on a non
domain member laptop, connected via dialup (so that it's an external
connection, not routed through our LAN). After about 3 minutes, it found
our RMS server, and then I was presented with a login/password/domain
prompt. On entering a valid set of domain credentials, I was authorized,
and the document was opened.
This in turn shows that anyone can share their account information with
an outsider (even using their own laptop, since they're anyway traveling
most of the time), and the outsider would get the same set of privileges
as the intended recipient.
Post by John Thomson
If you have internal users that are sharing their logon credentials with
external users, there is nothing that RMS will do to compensate for that.
Remember that RMS uses your defined network authentication mechanism to
authenticate against the licensing pipelines. In that sense, RMS is only as
strong as your network logon. If you are only using username/password and
the requisite services are available externally, then the scenario you
describe could occur. If you have deployed Smartcards, it is much less
likely to occur. There are (of course) other authentication methods, your
policy will dictate which is the most appropriate for your organization.
The whole RMS system seems laboriously slow over a dialup
connection-on one test it took 5 minutes before the connection was
confirmed, only to be promptly timed out.
Again since most of our users would be offsite, they would not take
too kindly to having to spend so much time to open a document
(Currently, without RMS, sensitive documents are only made available on
an isolated machine in the CEO's room.
Post by John Thomson
It is possible to accomplish what you are describing, but in a roundabout
sort of way: You could define a policy template that says that a new
connection to a License Server is required every time content is consumed.
You could then lock down the License Server so that it is only accessible
internally, using only Windows Integrated Authentication (the default) and
then using Smartcards to logon to the network. If external access is
required, using ISA to publish the license pipelines and using a Smartcard to
authenticate is the way to go.
This is another thing I'm concerned about: How will users from other
locations be able to change their domain account passwords without admin
intervention? Does IIS provide some way to do it? All I've seen is an
SSL secured administrative web console. Are there any scripts provided
by MS to allow changing domain account passwords via web? I've tried
looking for scripts, but no one here is proficient enough in ASP to be
able to use them.
And what do you mean by using ISA to publish the pipelines? What does this
entail?
Post by John Thomson
Remember that once a Use License has been granted, it is bound to that
particular machine by way of encrypting the Use License for the user's
private key in their RAC, which is encrypted with the machine's public key.
If that Use License leaves the laptop, it is useless. So, the document is
bound to that particular user on that particular computer who initially
acquired the Use License. If the user moves to a new workstation, a new Use
License must be acquired.
I hope I did! Let me know if not.
Feel free to contact me directly, Rex. Maybe we can exchange some ideas and
post them here when we are done.
John
Sure! :-)
============
"Science without religion is lame. Religion without science is blind."
-- Albert Einstein
============
John Thomson
2004-08-09 14:46:04 UTC
Post by Rex
This is one thing that I have thought of-then again, the Passport
service for RMS is something MS reserves the right to stop supporting at
any time-entrusting an enterprise wide solution to this would be quite
First, I tested the system by opening a protected document on a non
domain member laptop, connected via dialup (so that it's an external
connection, not routed through our LAN). After about 3 minutes, it found
our RMS server, and then i was presented with a login/password/domain
prompt. On entering a valid set of domain credentials, I was authorized,
and the document was opened.
This in turn shows that anyone can share their account information with
an outsider (even using their own laptop, since they're anyway traveling
most of the time), and the outsider would get the same set of privileges
as the intended recipient.
Another thing to keep in mind here is that while your non-domain members
will be able to enroll, they will only receive a temporary RAC that (by
default) is only good for 15 minutes. You can increase that lifetime to
something more acceptable, or you could make them domain members for the
purpose of enrolling.
Post by Rex
Post by John Thomson
If you have internal users that are sharing their logon credentials with
external users, there is nothing that RMS will do to compensate for that.
Remember that RMS uses your defined network authentication mechanism to
authenticate against the licensing pipelines. In that sense, RMS is only as
strong as your network logon. If you are only using username/password and
the requisite services are available externally, then the scenario you
describe could occur. If you have deployed Smartcards, it is much less
likely to occur. There are (of course) other authentication methods, your
policy will dictate which is the most appropriate for your organization.
The whole RMS system seems laboriously slow over a dialup
connection-on one test it took 5 minutes before the connection was
confirmed, only to be promptly timed out.
Wow...Yep, I haven't played with this over dial-up (thankfully). There
must be a way to increase the timeout though...most likely in one of the
web.config files. I have seen folks increase a separate timeout when they
had troubles enrolling a server, so there must be a similar workaround for
Use License requests.
Post by Rex
Again since most of our users would be offsite, they would not take
too kindly to having to spend so much time to open a document
(Currently, without RMS, sensitive documents are only made available on
an isolated machine in the CEO's room.
Post by John Thomson
It is possible to accomplish what you are describing, but in a roundabout
sort of way: You could define a policy template that says that a new
connection to a License Server is required every time content is consumed.
You could then lock down the License Server so that it is only accessible
internally, using only Windows Integrated Authentication (the default) and
then using Smartcards to logon to the network. If external access is
required, using ISA to publish the license pipelines and using a Smartcard to
authenticate is the way to go.
This is another thing I'm concerned about: How will users from other
locations be able to change their domain account passwords without admin
intervention?
Hmmm...what about using Terminal Services over a VPN? They could set up an
IPSec tunnel, and then logon to the domain that way. Changing passwords
would be just as though they were on the LAN.

Post by Rex
Does IIS provide some way to do it? All I've seen is an
SSL secured administrative web console. Are there any scripts provided
by MS to allow changing domain account passwords via web? I've tried
looking for scripts, but no one here is proficient enough in ASP to be
able to use them.
I don't know, I haven't had to go down that road myself. I did do a bit of
Googling, and came across these:

http://www.passwordmanager.com/en/Manual/manual.htm
http://support.microsoft.com/support/kb/articles/q184/6/19.asp (a little
dated, but might be helpful)
http://tinyurl.com/4z2fy

Of course, I have not tried any of those solutions, so I can not vouch for
them.
Post by Rex
And what do u mean by using ISA to publish the pipelines? what does this
entail?
If you just used a generic Firewall rule to allow external users to access a
web server on port 80, that's about all the granularity you could achieve.
With ISA you could authenticate your users at that point of entry and then
have only certain URLs available to those users. For example, they could
access the License.asmx, but not certification.asmx.

Good luck, Rex!

John Thomson
www.titus.com/rms
