Active Directory Rights Management Services (AD RMS, known as Rights Management Services or RMS before

Windows Server 2008 Windows Server 2008 is the fourth release of the Windows Server operating system produced by Microsoft as part of the Windows NT family of the operating systems. It was released to manufacturing on February 4, 2008, and generally to retail on F ...

) is a server software for

information rights management Information rights management (IRM) is a subset of digital rights management (DRM), technologies that protect sensitive information from unauthorized access. It is sometimes referred to as E-DRM or Enterprise Digital Rights Management. This can ca ...

shipped with

Windows Server Windows Server (formerly Windows NT Server) is a group of operating systems (OS) for servers that Microsoft has been developing since July 27, 1993. The first OS that was released for this platform was Windows NT 3.1 Advanced Server. With the r ...

. It uses encryption and a form of selective functionality denial for limiting access to documents such as corporate

e-mail Electronic mail (email or e-mail) is a method of exchanging messages ("mail") between people using electronic devices. Email was thus conceived as the electronic (digital) version of, or counterpart to, mail, at a time when "mail" meant ...

Microsoft Word Microsoft Word is a word processor, word processing software developed by Microsoft. It was first released on October 25, 1983, under the name ''Multi-Tool Word'' for Xenix systems. Subsequent versions were later written for several other pla ...

documents, and web pages, and the operations authorized users can perform on them. Companies can use this technology to encrypt information stored in such document formats, and through policies embedded in the documents, prevent the protected content from being decrypted except by specified people or groups, in certain environments, under certain conditions, and for certain periods of time. Specific operations like printing, copying, editing, forwarding, and deleting can be allowed or disallowed by content authors for individual pieces of content, and RMS administrators can deploy RMS templates that group these rights together into predefined rights that can be applied ''en masse''. RMS debuted in

Windows Server 2003 Windows Server 2003 is the sixth version of Windows Server operating system produced by Microsoft. It is part of the Windows NT family of operating systems and was released to manufacturing on March 28, 2003 and generally available on April 24, 2 ...

, with client API libraries made available for

Windows 2000 Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was the direct successor to Windows NT 4.0, and was released to manufacturing on December 15, 1999, and was officiall ...

and later. The Rights Management Client is included in

Windows Vista Windows Vista is a major release of the Windows NT operating system developed by Microsoft. It was the direct successor to Windows XP, which was released five years before, at the time being the longest time span between successive releases of ...

and later, is available for

Windows XP Windows XP is a major release of Microsoft's Windows NT operating system. It was released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Windows 2000 for high-end and ...

, Windows 2000 or Windows Server 2003. In addition, there is an implementation of AD RMS in Office for Mac to use rights protection in OS X and some third-party products are available to use rights protection on Android,

Blackberry OS BlackBerry OS is a discontinued proprietary mobile operating system developed by Canadian company BlackBerry Limited for its BlackBerry line of smartphone handheld devices. The operating system provides multitasking and supports specialized i ...

iOS iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating system that powers many of the company's mobile devices, including the iPhone; the term also include ...

and

Windows RT Windows RT is a mobile operating system developed by Microsoft. It is a version of Windows 8 or Windows 8.1 built for the 32-bit ARM architecture (ARMv7). First unveiled in January 2011 at Consumer Electronics Show, the Windows RT 8 operat ...

Attacks against policy enforcement capabilities

In April 2016, an alleged attack on RMS implementations (including Azure RMS) was published and reported to

Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washin ...

. The published code allows an authorized user that has been granted the right to view an RMS protected document to remove the protection and preserve the file formatting. This sort of manipulation requires that the user has been granted rights to decrypt the content to be able to view it. While Rights Management Services makes certain security assertions regarding the inability for unauthorized users to access protected content, the differentiation between different usage rights for authorized users is considered part of its policy enforcement capabilities, which Microsoft claims to be implemented as "best effort", so it is not considered by Microsoft to be a security issue but a policy enforcement limitation. Previously the RMS SDK enforced signing of code using the RMS capabilities in order to provide some level of control on which applications interacted with RMS, but this capability was later removed due to its limited ability to restrict such behaviors given the possibility to write applications use the web services directly to obtain licenses to decrypt the content. In addition, using this same technique, a user that has been granted rights to view a protected document can manipulate the content of the document without leaving traces of the manipulation. Since Azure RMS is not a non-repudiation solution and, unlike document signing solutions, does not claim to provide anti-tampering capabilities, and since the changes can only be made by users that are granted rights to the document, Microsoft does not consider the later issue to be an actual attack against the claimed capabilities of RMS. The researchers provide a proof of concept tool, to allow evaluation of the results, via

GitHub GitHub, Inc. () is an Internet hosting service for software development and version control using Git. It provides the distributed version control of Git plus access control, bug tracking, software feature requests, task management, continu ...

Software support

RMS is natively supported by the following products: *

Microsoft Office 2003 Microsoft Office 2003 (codenamed Office 11) is an office suite developed and distributed by Microsoft for its Windows operating system. Office 2003 was released to manufacturing on August 19, 2003, and was later released to retail on October 21, ...

and later:

Word A word is a basic element of language that carries an objective or practical meaning, can be used on its own, and is uninterruptible. Despite the fact that language speakers often have an intuitive grasp of what a word is, there is no conse ...

Excel ExCeL London (an abbreviation for Exhibition Centre London) is an exhibition centre, international convention centre and former hospital in the Custom House area of Newham, East London. It is situated on a site on the northern quay of the ...

PowerPoint Microsoft PowerPoint is a presentation program, created by Robert Gaskins and Dennis Austin at a software company named Forethought, Inc. It was released on April 20, 1987, initially for Macintosh computers only. Microsoft acquired PowerPo ...

Outlook Outlook or The Outlook may refer to: Computing * Microsoft Outlook, an e-mail and personal information management software product from Microsoft * Outlook.com, a web mail service from Microsoft * Outlook on the web, a suite of web applications ...

InfoPath Microsoft InfoPath is a software application for designing, distributing, filling and submitting electronic forms containing structured data. Microsoft initially released InfoPath as part of the Microsoft Office 2003 family. The product features ...

Microsoft Office for Mac 2011 Microsoft Office for Mac 2011 is a version of the Microsoft Office productivity suite for macOS. It is the successor to Microsoft Office 2008 for Mac and is comparable to Office 2010 for Windows. Office 2011 was followed by Microsoft Office 20 ...

and later: Word, Excel, PowerPoint, Outlook *

SharePoint SharePoint is a web-based collaborative platform that integrates natively with Microsoft Office. Launched in 2001, SharePoint is primarily sold as a document management and storage system, but the product is highly configurable and its usage v ...

2007 and later *

Exchange Server Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems. The first version was called Exchange Server 4.0, to position it as the successor to the related ...

2007 and later *

XML Paper Specification Open XML Paper Specification (also referred to as OpenXPS) is an open specification for a page description language and a fixed-document format. Microsoft developed it as the XML Paper Specification (XPS). In June 2009, Ecma International adopte ...

(XPS) Third-party solutions, such as those from

Secure Islands Secure Islands Technologies Ltd. was an Israeli privately held technology company headquartered in Beit Dagan which was subsequently acquired by Microsoft. The company develops and markets Information Protection and Control (IPC) solutions. Secu ...

(acquired by

), GigaTrust and Liquid Machines (acquired by Check Point) can add RMS support to the following: *

2003 *

Microsoft Visio Microsoft Visio ( ) (formerly Microsoft Office Visio) is a diagramming and vector graphics application and is part of the Microsoft Office family. The product was first introduced in 1992, made by the Shapeware Corporation, later renamed Visio ...

Microsoft Project Microsoft Project is a project management software product, developed and sold by Microsoft. It is designed to assist a project manager in developing a schedule, assigning resources to tasks, tracking progress, managing the budget, and anal ...

* Adobe Acrobat *

Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical web browsers developed by Microsoft which was used in the Windows line of operating systems ( ...

* IIS 6.0

References

External links

Windows Rights Management Services

RMS Client downloads

RMS SDK for RMS-enabling applicationsTroubleshooting Windows Rights Management Services (RMS) - One Root Certification Server Warning

Active Directory Rights Management - In Summary

Active Directory Rights Management Services SDK 2.0

Active Directory Rights Management Services - TechNet

Active Directory Rights Management Services - MSDNSecure Islands IQProtector - Information Protection and Control using Microsoft RMSWindows RMS Technical Overview
{{Windows Components Microsoft server technology Microsoft Windows security technology Windows components Digital rights management

Attacks against policy enforcement capabilities

Software support

See also

References

External links