Data Centric Security using DRM infrastructure

by Andrea Covello
time to read: 18 minutes

When it comes to DRM, for me, it feels like Morpheus' words to Neo in the legendary movie The Matrix: “Unfortunately, no one can be told what The Matrix is. You have to see it for yourself”. Just like that, there is little that can be told unless you experience it first-hand. That's why I'll take you on a short journey into installing and configuring Microsoft's Digital Rights Management framework. The framework is composed of several components that need to be installed, or at least configured:

Component    Description
FSRM         File Server Resource Manager on Windows Server
FCI          File Classification Infrastructure (part of FSRM)
AD RMS       Active Directory Rights Management Services on Windows Server
RMS Client   Client component that lets applications consume RMS-protected content

The principles of the architecture were discussed in our article DRM/RMS – The next generation of rights management.

In the Windows universe we basically have three ways to secure digital data with cryptographic mechanisms: BitLocker (volume encryption), EFS (Encrypting File System, per-file encryption bound to user keys) and RMS (Rights Management Services, per-document encryption with an attached usage policy).

Let's map them to some common scenarios, as shown in the table below:

Scenario                                                    BitLocker   EFS   RMS
Remote document policy enforcement                          -           -     x
Protect content in transit                                  -           -     x
Protect content during collaboration                        -           -     x
Local multi-user & folder protection on a shared machine    -           x     -
Remote file and folder protection                           -           x     -
Untrusted network administrator                             -           x     -
Laptop protection                                           x           -     -
Branch office server                                        x           -     -
Local single-user file & folder protection                  x           -     -

Scenario

Let's look at how to implement a typical use case using Microsoft on-board technology. We'll configure a Windows Server 2012 R2 test environment to fulfil the following use case:

  1. Identify confidential Office documents on shares (based on specific content)
  2. Classify them as restricted (classification: HIGH)
  3. Automatically enforce rights management on the classified documents (grant minimal rights)
  4. Open the files with a DRM-enabled application and view or change the document as far as the rights permit

Prerequisites

Before going further, we need to satisfy the following prerequisites:

  1. Install Windows Server 2012 R2
  2. Promote it to a domain controller and create a domain
  3. Add a domain user to work with
  4. Join a Windows client (Windows 7, 8 or 10) to the domain
  5. Install Microsoft Word on the client (Office 2010, 2013 or 2016)
  6. Optional: a mail server (not necessarily Exchange)

We'll install Windows Server 2012 R2 as a single instance for the whole environment: the same machine is domain controller, file server and (single-node) AD RMS cluster. This layout is only acceptable for a lab; among other things, an AD RMS server that is also a domain controller needs a service account with Domain Admins membership. A production environment keeps the components on separate servers, so besides the domain controllers you will need at least a dedicated file server (FSRM/FCI) and a dedicated AD RMS cluster.

Install FSRM

An easy way to install the required file services role is to run this command in an elevated PowerShell:

Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools -Restart -Confirm

Verify that it was installed with the Get-WindowsFeature command:

[X] File and Storage Services                   FileAndStorage-Services        Installed
[X] File and iSCSI Services                     File-Services                  Installed
[X] File Server                                 FS-FileServer                  Installed
[ ] BranchCache for Network Files               FS-BranchCache                 Available
[ ] Data Deduplication                          FS-Data-Deduplication          Available
[ ] DFS Namespaces                              FS-DFS-Namespace               Available
[ ] DFS Replication                             FS-DFS-Replication             Available
[X] File Server Resource Manager                FS-Resource-Manager            Installed
[ ] File Server VSS Agent Service               FS-VSS-Agent                   Available
[ ] iSCSI Target Server                         FS-iSCSITarget-Server          Available
[ ] iSCSI Target Storage Provider (VDS and V... iSCSITarget-VSS-VDS            Available
[ ] Server for NFS                              FS-NFS-Service                 Available
[ ] Work Folders                                FS-SyncShareService            Available
[X] Storage Services                            Storage-Services               Installed

Afterwards start the File Server Resource Manager under the Server Manager Dashboard Tools menu.

Create and share a folder that your test client can access:

New-Item S:\group -type directory
New-SmbShare -Name group -Path "S:\group" -Description test
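The two lines above do the job for a lab, but New-SmbShare on its own publishes the share with the default permission Everyone / Read, and the folder inherits whatever the drive root allows. The following script is an added example (not code from the original article) that creates the same share with explicit NTFS and share permissions limited to one domain group; the drive letter S:, the domain name CONTOSO and the group Project-Group are assumptions to adjust for your environment.

```powershell
# Added example: create the FCI/RMS test folder and share it with an explicit ACL
# instead of the New-SmbShare default (Everyone: Read).
# Assumptions: drive S: exists and the group CONTOSO\Project-Group exists.
$Path  = 'S:\group'
$Share = 'group'
$Group = 'CONTOSO\Project-Group'

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# NTFS layer: stop inheriting from S:\, then grant SYSTEM and Administrators full
# control and the project group Modify. FSRM (srmsvc) runs as LocalSystem, so the
# classification and file management jobs keep access to the content.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)            # protected DACL, no inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $Group;                   Rights = 'Modify' }
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r.Id, $r.Rights, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $Path -AclObject $acl

# Share layer: name the principals explicitly so "Everyone / Read" is never added.
New-SmbShare -Name $Share -Path $Path -Description 'FCI/RMS test share' `
    -FullAccess 'BUILTIN\Administrators' -ChangeAccess $Group | Out-Null

# Verify both layers; the effective access is the intersection of the two.
Get-SmbShareAccess -Name $Share | Format-Table AccountName, AccessRight -AutoSize
(Get-Acl -Path $Path).Access | Format-Table IdentityReference, FileSystemRights -AutoSize
```

The point of doing both layers is that RMS protection is applied only after classification has run; between the moment a confidential document lands on the share and the moment the file management task protects it, the NTFS and share permissions are the only thing standing between the content and any domain user.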

Configure FCI

Now we can configure the file classification properties. To identify specific data we first need to define at least one property: in our case Confidentiality. Since Windows Server 2012 many resource properties are already predefined in Active Directory (under Dynamic Access Control) and only need to be enabled, so start the Active Directory Administrative Center, open Dynamic Access Control > Resource Properties and enable Confidentiality. The file server picks up the global property definitions on its next refresh; Update-FsrmClassificationPropertyDefinition forces the refresh immediately.

Active Directory Administrative Center (DAC), Resource Properties

At this point we should be able to see it inside our FCI management interface:

FCI Management GUI

Inside the properties you may change the values but we’ll stick to the defaults.

Get-FsrmClassificationPropertyDefinition -Name Confidentiality_MS


   AppliesTo      : {Files, Folders}
   Description    : The Confidentiality property specifies the level of confidentiality of the resource,
                    and the potential impact of inadvertent access or disclosure.
   DisplayName    : Confidentiality
   Flags          : {Global, Secure}
   Name           : Confidentiality_MS
   Parameters     : 
   PossibleValue  : {MSFT_FSRMClassificationPropertyValue, MSFT_FSRMClassificationPropertyValue, 
                 MSFT_FSRMClassificationPropertyValue}
   Type           : OrderedList
   PSComputerName : 

FCI Property details

Now it’s time to create a rule to enforce our policy:

  1. Right-click Classification Rules and select Create Classification Rule…
  2. Fill in the name (Confidentiality - High in our case)
  3. Scope (where to look): check Group Files; the shared folders tagged with that folder usage are selected automatically
  4. Classification: select Confidentiality under Properties and High under Value
  5. Parameters: define the patterns to search the files for, in our case the string secret (case insensitive), and click OK
  6. Evaluation Type: check Re-evaluate… / Overwrite… / Clear automatically…

Let's review the created rule. Note that ReevaluateProperty reads Never in the output below; check that this matches what you selected under Evaluation Type, because with Never a file keeps the value of its first classification run even if its content changes:

  Get-FsrmClassificationRule -Name "Confidentiality - High"


   ClassificationMechanism    : Content Classifier
   ContentRegularExpression   : 
   ContentString              : {secret}
   ContentStringCaseSensitive : 
   Description                : 
   Disabled                   : False
   Flags                      : 
   LastModified               : 23.02.2016 16:58:44
   Name                       : Confidentiality - High
   Namespace                  : {[FolderUsage_MS=Group Files]}
   Parameters                 : {FSRMClearPropertyInternal=0}
   Property                   : Confidentiality_MS
   PropertyValue              : 3000
   ReevaluateProperty         : Never
   PSComputerName             :

Now the FCI part is almost done; we only need to activate the rules by configuring the classification options in FSRM:

FSRM Options

Here we configure a schedule to run the classification job regularly (every night) and enable continuous classification, so that new and modified files are classified as they are written. A report can be generated and sent to the administrator to log all changes made to the files.
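The FCI configuration of this section, done above through the GUI, as a PowerShell script that can be reviewed and re-applied (an added example, not code from the original article). It assumes the share is S:\group and that the Confidentiality resource property has already been enabled in Active Directory; the test file plan.txt is constructed. The COM call at the end reads the property back from the file, because the FileServerResourceManager module has no per-file getter.

```powershell
# Added example: FCI setup for the "Confidentiality - High" rule as PowerShell.
# Assumptions: share S:\group, Confidentiality_MS enabled in AD (Dynamic Access Control).
Import-Module FileServerResourceManager

# 1. Pull the global property definitions from AD and find the entry for "High".
#    FSRM stores ordered-list values by their Name ("3000"), not the display name.
Update-FsrmClassificationPropertyDefinition
$def  = Get-FsrmClassificationPropertyDefinition -Name 'Confidentiality_MS'
$high = $def.PossibleValue | Where-Object DisplayName -eq 'High'
"Confidentiality/High is stored as value $($high.Name)"

# 2. Tag the folder as "Group Files" so the namespace [FolderUsage_MS=Group Files]
#    resolves to it (this is what the Group Files checkbox in the wizard relies on).
Set-FsrmMgmtProperty -Namespace 'S:\group' -Name 'FolderUsage_MS' -Value 'Group Files'

# 3. The rule: content classifier, case-insensitive string "secret", sets High.
#    Overwrite re-evaluates on every run; Never (as in the GUI-created rule above)
#    would freeze the first result.
New-FsrmClassificationRule -Name 'Confidentiality - High' `
    -Property 'Confidentiality_MS' -PropertyValue $high.Name `
    -Namespace '[FolderUsage_MS=Group Files]' `
    -ClassificationMechanism 'Content Classifier' `
    -ContentString @('secret') `
    -ReevaluateProperty Overwrite | Out-Null

# 4. Nightly schedule plus continuous classification of new/changed files, with log.
$schedule = New-FsrmScheduledTask -Time (Get-Date '03:00') `
    -Weekly @('Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Sunday')
Set-FsrmClassification -Schedule $schedule -Continuous -ContinuousLog `
    -ReportFormat @('DHtml','Xml')

# 5. Constructed test file, then one synchronous classification run.
Set-Content -Path 'S:\group\plan.txt' -Value 'This budget is SECRET until Q3.'
Start-FsrmClassification -RunDuration 10 -Wait

# 6. Read the property back from the file through the FSRM COM API (option 0 = none).
$cm = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
$cm.EnumFileProperties('S:\group\plan.txt', 0) |
    Where-Object Name -eq 'Confidentiality_MS' |
    ForEach-Object { "Confidentiality_MS = $($_.Value) (expected: $($high.Name))" }
```

Keeping the rule in script form also makes it easy to spot the classic mistake of matching on the display name (High) instead of the stored value (3000): the rule would be created without complaint but never tag anything.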

FSRM Job Report

By now we have accomplished steps 1 and 2 of our scenario; let's move on to step 3.

Install and Configure AD RMS

Now it's time to set up the AD RMS infrastructure. Install the role with the following command (the cluster itself is then created through the post-deployment configuration wizard that Server Manager offers once the role is installed):

Install-WindowsFeature ADRMS-Server -Restart -Confirm -IncludeAllSubFeature -IncludeManagementTools

After the installation and cluster configuration, start the Active Directory Rights Management Services console from the Server Manager Tools menu:

AD RMS Management GUI

Here are the configuration steps:

  1. Select Rights Policy Templates, click Create distributed rights policy template and follow the wizard
  2. Add a template identification (language) and give the template a name and description
  3. Select users and rights as required
  4. Optionally define a content expiration (for example the duration of a project)
  5. Additional conditions may be added for specific requirements (for example to disable client-side caching, which forces the client to contact the licensing server on every use)
  6. You may also require a revocation check (to be able to undo publishing mistakes)

Now finish the wizard and add further templates as required; in this case we created four different ones.

The last step is to create a scheduled job that looks for classified documents and applies one of our AD RMS templates. Go back to the FCI management interface and follow these steps:

  1. Right-click File Management Tasks and select Create File Management Task…
  2. Add a task name and an optional description
  3. The scope is the same as before, so go directly to the Action tab and select the RMS template (Restricted Access in this case)
  4. Under Notification define who to notify and how…
  5. …and what kind of report to deliver
  6. Finally, the core of the task configuration, the Condition tab: add a condition that is true when the document's Confidentiality property equals High
  7. Last but not least, define the schedule to run the job (daily at 3 am in our case)

At this stage you can run the task manually (right-click the created task and select Run File Management Task Now…) or just wait for its scheduled run.
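The same file management task as a script (an added example, not code from the original article). It assumes the share S:\group, a distributed rights policy template published under the name Restricted Access, and an SMTP server plus administrator address already configured in FSRM with Set-FsrmSetting; [Admin Email] and [Source File Path] are FSRM's own notification variables.

```powershell
# Added example: the "Restricted Access" file management task as PowerShell.
# Assumptions: share S:\group, AD RMS template "Restricted Access", FSRM SMTP settings
# already configured (Set-FsrmSetting -SmtpServer ... -AdminEmailAddress ...).
Import-Module FileServerResourceManager

# Action: apply the AD RMS template. FSRM resolves the template by its display name
# at run time, so a renamed template silently breaks the task.
$action = New-FsrmFmjAction -Type Rms -RmsTemplate 'Restricted Access'

# Condition: Confidentiality equals High. Ordered-list values are compared by their
# stored Name ("3000"), exactly as the classification rule wrote it.
$cond = New-FsrmFmjCondition -Property 'Confidentiality_MS' -Condition Equal -Value '3000'

# Notification 0 days before the action: mail the administrator the list of files.
$mail = New-FsrmFmjNotificationAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'FSRM: files about to be RMS protected' `
    -Body 'Files under [Source File Path] classified Confidentiality=High will be RMS protected.'
$notify = New-FsrmFmjNotification -Days 0 -Action @($mail)

# Daily at 03:00, plus continuous mode so a freshly classified file is protected
# without waiting for the night run.
$schedule = New-FsrmScheduledTask -Time (Get-Date '03:00') `
    -Weekly @('Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Sunday')

New-FsrmFileManagementJob -Name 'RMS - Restricted Access' `
    -Description 'Apply RMS template to Confidentiality=High documents' `
    -Namespace @('S:\group') -Action $action -Condition @($cond) `
    -Notification @($notify) -Schedule $schedule -Continuous `
    -ReportFormat @('DHtml','Xml') | Out-Null

# Run it now instead of waiting for the schedule, then check for errors.
Start-FsrmFileManagementJob -Name 'RMS - Restricted Access'
Get-FsrmFileManagementJob -Name 'RMS - Restricted Access' |
    Select-Object Name, Continuous, LastRun, LastError, LastReportPath
```

The RMS action handles the file formats the AD RMS client understands (the Office formats); other file types that meet the condition are skipped and show up in the report, so the report is worth reading after the first run rather than assuming every High-classified file is now protected.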

Run Task

Step 3 of our scenario is done. There are plenty of other ways to set up tasks; play around with the options and see whether they satisfy your specific requirements. Let's go to the final step 4.

Configure Client Applications

Step 4 in our scenario requires us to work with DRM-enabled documents. Assuming Office is installed on your client workstation, create a Word document containing the trigger string (secret) and save it to the share; once the classification and the file management task have run (on schedule, or started manually as shown above), follow the steps below:

  1. Verify that the file's classification was set as expected (right-click the file, select Properties and open the Classification tab)
  2. Open the classified document with Word (2016 in our case) and you should see this message…
  3. …followed by the AD RMS message with information about the RMS licensing server and so on
  4. Word asks for authentication to check the rights and your authorization for the document
  5. Once open you'll see the yellow ribbon stating RESTRICTED ACCESS on the document
  6. As document owner we are allowed full access to the file (as defined in the RMS template)
  7. Of course we could now change the permissions and use the AD RMS templates we created earlier
  8. Just as a short reference, in Word 2010 things look a bit different
  9. Still, the enforcement is the same

Finally, we have successfully recreated our scenario and reached the end of our AD RMS tour, but before closing, let's take a look under the hood at a DRM-enabled document from a file-content perspective.

Analyze a DRM Protected Document

When a document is DRM protected, it is converted into an encrypted container using the AD RMS integrated crypto services (AD RMS does not rely on AD Certificate Services for this). Looking inside the file you will find a header telling a client how to obtain what it needs to read the file: the URL of the licensing server, the cryptographic information used to protect the content, the supported application versions and so on. All of this metadata is stored in the clear; only the document content is encrypted. Let's have a look inside:

Header information

Next come the public certificates (base64 encoded) of the RMS cluster's certificate chain:

Certificate Chains

Then follows the signature block, which names the digest and signature algorithms used to sign the license (SHA-256 and RSA PKCS#1 v1.5 here; this is not the symmetric algorithm that encrypts the payload):

<SIGNATURE>
  <DIGEST>
    <ALGORITHM>SHA256</ALGORITHM>
    <PARAMETER name="codingtype">
      <VALUE encoding="string">surface-coding</VALUE>
    </PARAMETER>
    <VALUE encoding="base64" size="256">12PNjR52sSxGOJKsukG4+fDLR+U4cwbIQLV5xTwikDg=</VALUE>
  </DIGEST>
  <ALGORITHM>RSA PKCS#1-V1.5</ALGORITHM>
  ...
</SIGNATURE>

At the end you’ll find the encrypted document data stream:

Encrypted Payload

As you can see, the file is protected and no longer accessible as a standard Word docx file (a zip container); Office stores the protected document in an OLE compound file that wraps the license metadata and the encrypted package.
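A small read-only triage function that automates the look under the hood just taken (an added example, not code from the original article). It identifies the container by its magic bytes and pulls out the XrML metadata strings that remain in clear text around the encrypted payload: licensing URLs and the algorithm names from the signature block. The file path is an assumption; run it against an unprotected copy and the protected file from the share to compare.

```powershell
# Added example: triage an RMS-protected Office document without decrypting anything.
# Assumption: the path below points at a file the FSRM task has handed to AD RMS.
function Get-RmsDocumentInfo {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $magic = ($bytes[0..7] | ForEach-Object { $_.ToString('X2') }) -join ' '

    # An unprotected .docx is a ZIP ("PK\x03\x04"). Office writes RMS-protected documents
    # as an OLE compound file (D0 CF 11 E0 A1 B1 1A E1), so ZIP tooling no longer applies.
    $container = switch -Regex ($magic) {
        '^50 4B 03 04'             { 'zip (unprotected Office Open XML)' }
        '^D0 CF 11 E0 A1 B1 1A E1' { 'OLE compound file (RMS-protected or legacy binary Office)' }
        default                    { 'unknown' }
    }

    # The XrML parts may be stored as 8-bit text or as UTF-16LE; decode the raw bytes
    # both ways and search each view for the markers seen in the dump above.
    $texts = @(
        [System.Text.Encoding]::GetEncoding(28591).GetString($bytes),
        [System.Text.Encoding]::Unicode.GetString($bytes)
    )
    $urls = New-Object 'System.Collections.Generic.HashSet[string]'
    $algs = New-Object 'System.Collections.Generic.HashSet[string]'
    $hasLicense = $false
    foreach ($t in $texts) {
        foreach ($m in [regex]::Matches($t, 'https?://[A-Za-z0-9._:/\-]+')) { [void]$urls.Add($m.Value) }
        foreach ($m in [regex]::Matches($t, '<ALGORITHM>([^<]+)</ALGORITHM>')) { [void]$algs.Add($m.Groups[1].Value) }
        if ($t -match '<SIGNATURE>' -or $t -match 'XrML') { $hasLicense = $true }
    }

    [pscustomobject]@{
        File        = $Path
        Magic       = $magic
        Container   = $container
        RmsMetadata = $hasLicense          # clear-text license/certificate block present
        LicenseUrls = @($urls)             # where a reader has to fetch its use license
        Algorithms  = @($algs)             # e.g. SHA256, RSA PKCS#1-V1.5
    }
}

# Usage: compare an untouched copy with the protected one taken from the share.
Get-RmsDocumentInfo -Path 'S:\group\plan.docx' | Format-List
```

Two things this makes tangible from a defender's perspective: the licensing URL and the cluster certificates leak where a document came from even when the content is unreadable, and a protected file is trivially distinguishable from an unprotected one by its first eight bytes, which is useful for a DLP rule that checks whether documents leaving the organisation were actually protected.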

Conclusion

In this article we could only scratch the surface of what Microsoft FSRM/FCI and AD RMS offer. There are enough options to address almost any complex requirement for handling your data in line with its required security level. Just bear in mind that file classification is the key, and this task is easily underestimated.

A solid data classification and some degree of Digital Rights Management should be the prerequisites for safe and sound data handling, and they will ease any subsequent Data Leak/Loss Prevention (DLP) implementation.

About the Author

Andrea Covello

Andrea Covello has been working in information security since the 1990s. His strengths are in engineering, specializing in Windows security, firewalling and advanced virtualization.
