Andrea Covello
When it comes to DRM, for me, it feels like Morpheus’ words to Neo in the legendary movie The Matrix: “Unfortunately, no one can be told what The Matrix is. You have to see it for yourself”. Just like that, there is little that can be told unless you experience it first-hand. That’s why I’ll take you on a short journey into installing and configuring the Microsoft Digital Rights Management framework. The framework is composed of several components that need to be installed, or at least configured:
Component | Description |
---|---|
FSRM | File Services Resource Manager on Windows Server |
FCI | File Classification Infrastructure for FSRM |
ADRMS | Active Directory Rights Management Services on Windows Server |
RMS Client | Client component to allow consuming of DRM protected content |
The principles of the architecture were discussed in our article DRM/RMS – The next generation of rights management.
In the Windows universe we basically have three ways to secure digital data with cryptographic mechanisms:
Let’s apply it to some common scenarios to protect our data as shown in the table below:
Scenario | BitLocker® | EFS | RMS |
---|---|---|---|
Remote document policy enforcement | - | - | x |
Protect content in transit | - | - | x |
Protect content during collaboration | - | - | x |
Local multi-user & folder protection on a shared machine | - | x | - |
Remote file and folder protection | - | x | - |
Untrusted network administrator | - | x | - |
Laptop protection | x | - | - |
Branch office server | x | - | - |
Local single-user file & folder protection | x | - | - |
Let’s take a look at how to implement a typical use case using Microsoft on-board technology. We’ll configure a Windows Server 2012 R2 test environment to fulfil the following use case:
Before going further, we need to satisfy the following prerequisites:
We’ll install Windows Server 2012 R2 as a single instance for the whole environment; it will also serve as file server and AD RMS server cluster. Of course, a production environment will have all components on separate servers. This means that, besides the AD environment, you’ll need (at least):
An easy way to install the required File Services is to execute this command in an administrative shell:
```powershell
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools -Restart -Confirm
```
Verify that it was installed with the Get-WindowsFeature command:
```
[X] File and Storage Services                      FileAndStorage-Services   Installed
[X] File and iSCSI Services                        File-Services             Installed
[X] File Server                                    FS-FileServer             Installed
[ ] BranchCache for Network Files                  FS-BranchCache            Available
[ ] Data Deduplication                             FS-Data-Deduplication     Available
[ ] DFS Namespaces                                 FS-DFS-Namespace          Available
[ ] DFS Replication                                FS-DFS-Replication        Available
[X] File Server Resource Manager                   FS-Resource-Manager       Installed
[ ] File Server VSS Agent Service                  FS-VSS-Agent              Available
[ ] iSCSI Target Server                            FS-iSCSITarget-Server     Available
[ ] iSCSI Target Storage Provider (VDS and V...    iSCSITarget-VSS-VDS       Available
[ ] Server for NFS                                 FS-NFS-Service            Available
[ ] Work Folders                                   FS-SyncShareService       Available
[X] Storage Services                               Storage-Services          Installed
```
Afterwards start the File Server Resource Manager under the Server Manager Dashboard Tools menu.
Make sure to share the folder to which your test client has access:
```powershell
New-Item S:\group -type directory
New-SmbShare -Name group -Path "S:\group" -Description test
```
Now we should be able to configure file classification properties. To identify specific data, we need to define some properties first; in our case at least Confidentiality. Since Windows Server 2012 many properties are already available in Active Directory and only need to be enabled, so start the Active Directory Administrative Center:
At this point we should be able to see it inside our FCI management interface:
Inside the properties you may change the values but we’ll stick to the defaults.
```powershell
Get-FsrmClassificationPropertyDefinition -Name Confidentiality_MS

AppliesTo      : {Files, Folders}
Description    : The Confidentiality property specifies the level of confidentiality of the resource, and the potential impact of inadvertent access or disclosure.
DisplayName    : Confidentiality
Flags          : {Global, Secure}
Name           : Confidentiality_MS
Parameters     :
PossibleValue  : {MSFT_FSRMClassificationPropertyValue, MSFT_FSRMClassificationPropertyValue, MSFT_FSRMClassificationPropertyValue}
Type           : OrderedList
PSComputerName :
```
Now it’s time to create a rule to enforce our policy:
Step | Screenshot |
---|---|
Right-click on the Classification Rules | - |
Select Create Classification Rule… | - |
Fill the field values (Confidentiality – High in our case) | |
Scope: (where to look for) check Group Files and it will automatically set the shared folders | |
Classification: Select Confidentiality in Properties and select High in Value | |
Configure the Parameters: Define patterns to search the files for, in our case we’ll search for the string secret (case insensitive) and select Ok. | |
Select Evaluation Type and check Re-evaluate… / Overwrite… / Clear Automatically… | |
Let’s review the created rule:
```powershell
Get-FsrmClassificationRule -Name "Confidentiality - High"

ClassificationMechanism    : Content Classifier
ContentRegularExpression   :
ContentString              : {secret}
ContentStringCaseSensitive :
Description                :
Disabled                   : False
Flags                      :
LastModified               : 23.02.2016 16:58:44
Name                       : Confidentiality - High
Namespace                  : {[FolderUsage_MS=Group Files]}
Parameters                 : {FSRMClearPropertyInternal=0}
Property                   : Confidentiality_MS
PropertyValue              : 3000
ReevaluateProperty         : Never
PSComputerName             :
```
Now the FCI part is almost done; we only need to activate those rules by configuring the FSRM properties:
Here we configure a schedule to run the check job regularly (every day at night), and also activate the options to check every time a file is created. A report can be created and sent to the administrator to log all changes to the files.
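The classification rule and schedule the article builds in the FSRM GUI above, written as an added PowerShell example (my code, not the article’s): it tags the share with the Group Files folder usage, creates the content-classifier rule that sets Confidentiality to High (ordered-list value 3000, as shown in the rule output above), enables the nightly run plus on-create evaluation, and runs the classification once to check the result. It assumes Confidentiality_MS has already been enabled in Active Directory, that the share lives at S:\group, and that the FSRM cmdlets are available on the server.

```powershell
# Added example (not from the original article). Assumptions: Confidentiality_MS
# is enabled in AD, the share is S:\group, FSRM management tools are installed.

# 0. Tag the share with the folder usage the rule's namespace refers to.
Set-FsrmMgmtProperty -Namespace 'S:\group' -Name 'FolderUsage_MS' -Value 'Group Files'

# 1. The rule: content classifier looking for "secret" (case-insensitive by
#    default), setting Confidentiality = High (3000) on files in Group Files
#    folders; Overwrite mirrors the "Re-evaluate / Overwrite" option of the wizard.
New-FsrmClassificationRule -Name 'Confidentiality - High' `
    -Property 'Confidentiality_MS' -PropertyValue '3000' `
    -Namespace @('[FolderUsage_MS=Group Files]') `
    -ClassificationMechanism 'Content Classifier' `
    -ContentString @('secret') `
    -ReevaluateProperty Overwrite

# 2. Global classification settings: nightly run at 01:00, continuous
#    classification so a newly created file is evaluated right away, and a
#    report in DHTML and XML for the administrator.
$nightly = New-FsrmScheduledTask -Time (Get-Date '01:00') -Daily
Set-FsrmClassification -Schedule $nightly -Continuous $true -ReportFormat @('DHtml', 'Xml')

# 3. Run the classification once now instead of waiting for the schedule,
#    then confirm the rule looks as intended.
Start-FsrmClassification -Confirm:$false
Get-FsrmClassificationRule -Name 'Confidentiality - High' |
    Select-Object Name, ClassificationMechanism, ContentString, Namespace, PropertyValue, ReevaluateProperty
```

The value passed to -PropertyValue is the internal ordered-list value (3000 for High), not the display name; passing "High" fails, which is easy to miss when the GUI only ever shows display names.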
By now we’ve accomplished steps 1 and 2 of our scenario; let’s move on to step 3.
Now it’s time to set up the AD RMS infrastructure. Start the installation procedure using the following command:
```powershell
Install-WindowsFeature ADRMS-Server -Restart -Confirm -IncludeAllSubFeature -IncludeManagementTools
```
After the successful installation start the AD RMS administration tool from the Server Manager Dashboard tools:
Here are the configuration steps:
Step | Screenshot |
---|---|
Select Rights Policy Templates and click on Create distributed rights policy template and follow the wizard | – |
Add a template identification and add name and description | |
Select users and rights as required | |
You may define a content expiration (for example during a project time range) | |
Additional condition may be added for specific requirements (for example to disable client-caching) | |
You may also require a content revocation check (just to make sure you can undo publishing mistakes) | |
Now finish the wizard and continue to add templates as required; in this case we’ve created four different ones.
The last step is to create a scheduled job that will look for classified document files and apply one of our AD RMS templates. Go back to the FCI management interface and follow these steps:
Step | Screenshot |
---|---|
Right-click on File Management Task and select Create File Management Task… | |
Add a Task name and an optional Description | |
The scope is just the same as we used to, so let’s go directly to the Action tab and select the RMS template (Restricted Access in this case) | |
In Notification you can define who and where to notify… | |
…and what kind of report to deliver | |
Finally we’re at the core of the Task Configuration where we’ll specify what to do: Add a Condition that is true when the document file Confidentiality is set to High | |
Last but not least, define the schedule to run the job (daily at 3am in our case) | |
At this stage you could run the task manually (right-click on the created task and select Run File Management Task Now…) or just wait for its scheduled job to run.
Step 3 of our scenario is reached. You have plenty of other possibilities to set up tasks; just play around with them and see if they satisfy your specific requirements. Let’s go to the final step 4.
Step 4 of our scenario requires us to work with DRM-enabled documents. Assuming that you have Office installed on your client workstation, create a document that will trigger the classification rule and DRM task we’ve created:
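The file management task of step 3, as an added PowerShell example (my code, not the article’s): a condition on Confidentiality_MS equal to High (3000), an RMS action using the Restricted Access template, a daily 03:00 schedule and a report mailed to an administrator. It assumes the template name matches the distributed rights policy template created in AD RMS, that the share carries the Group Files folder usage, and that the mail address is a placeholder; FSRM needs an SMTP server configured via Set-FsrmSetting before any report can be sent.

```powershell
# Added example (not from the original article). Assumptions: template
# "Restricted Access" exists in AD RMS, share is tagged FolderUsage_MS =
# Group Files, admin@example.invalid and the SMTP host are placeholders.

# FSRM mail settings, needed once per server for reports and notifications.
Set-FsrmSetting -SmtpServer 'smtp.example.invalid' -AdminEmailAddress 'admin@example.invalid'

# Condition: only files whose Confidentiality is High (ordered-list value 3000).
$condition = New-FsrmFmjCondition -Property 'Confidentiality_MS' -Condition Equal -Value '3000'

# Action: protect the file with the AD RMS distributed rights policy template.
$action = New-FsrmFmjAction -Type Rms -RmsTemplate 'Restricted Access'

# Schedule: daily at 03:00, matching the article's task.
$schedule = New-FsrmScheduledTask -Time (Get-Date '03:00') -Daily

New-FsrmFileManagementJob -Name 'Protect confidential documents' `
    -Description 'Apply Restricted Access RMS template to Confidentiality = High files' `
    -Namespace @('[FolderUsage_MS=Group Files]') `
    -Condition $condition -Action $action -Schedule $schedule `
    -ReportFormat @('DHtml') -MailTo 'admin@example.invalid'

# Run once now (same as "Run File Management Task Now" in the GUI) and review.
Start-FsrmFileManagementJob -Name 'Protect confidential documents'
Get-FsrmFileManagementJob -Name 'Protect confidential documents' |
    Select-Object Name, Namespace, Schedule, LastError
```

Between the moment a file is classified High and the 03:00 run, the document sits on the share unprotected; if that window matters, shorten the schedule or run the job after each classification run rather than once a day.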
Now, let’s follow those steps below:
Step | Screenshot |
---|---|
Verify that the file classification settings were changed as expected (right-click on the file and select Properties), and select the Classification tab | |
Open the classified document with Word (2016 in our case) and you should see this message… | |
…this ADRMS message should appear with the information about the RMS license server and so on | |
Word asks for authentication to check the rights permission and your authorization for the document | |
Once open you’ll see the yellow ribbon stating the RESTRICTED ACCESS on the opened document | |
As document owner we’re allowed to fully access the file (as defined in the RMS task) | |
Of course we could now change the permissions and leverage the AD RMS templates that we’ve created earlier | |
Just as a short reference, in Word 2010 things would look a bit different | |
Still, the enforcement is equal | |
Finally, we’ve successfully recreated our scenario and reached the end of our AD RMS tour, but, before closing up, let’s take a look under the hood at the DRM-enabled document from a file-content perspective.
When a document is DRM protected, it is converted into an encrypted format using the AD RMS integrated crypto services (it does not leverage AD Certificate Services). Looking inside the file data you’ll discover a structure with a header that tells the client how to obtain the information required to read the file. So you’ll see a URL pointing to the license server, the cryptographic parameters used to encrypt the file, the supported application versions and so on. Let’s have a look inside:
Next come the public certificates (base64 encoded) of the RMS cluster:
Then some information that includes the encryption algorithm used:
```xml
<SIGNATURE>
  <DIGEST>
    <ALGORITHM>SHA256</ALGORITHM>
    <PARAMETER name="codingtype">
      <VALUE encoding="string">surface-coding</VALUE>
    </PARAMETER>
    <VALUE encoding="base64" size="256">12PNjR52sSxGOJKsukG4+fDLR+U4cwbIQLV5xTwikDg=</VALUE>
  </DIGEST>
  <ALGORITHM>RSA PKCS#1-V1.5</ALGORITHM>
  ...
</SIGNATURE>
```
At the end you’ll find the encrypted document data stream:
As you can see, the file is protected and no longer accessible as a standard Word docx file (zip container).
In this article we could only scratch the surface of the possibilities available with Microsoft FSRM/FCI & AD RMS. There are enough options to address almost any complex requirement for handling your data in compliance with the required security level. Just bear in mind that file classification is the key, and this task is easily underestimated.
Having a solid data classification and some degree of Digital Rights Management in place should be the prerequisite for safe and sound data handling that will ease any further Data Leak/Loss Prevention (DLP) implementation.
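A check that follows from the observation above, as an added PowerShell example (my code, not the article’s): it walks the share and reports Office documents that are still plain OOXML zip containers, i.e. files the RMS task has not (yet) protected. It assumes, beyond what the article shows, that an unprotected .docx starts with the zip signature "PK\x03\x04" and that an RMS-protected Office document is an OLE compound file (signature D0 CF 11 E0 A1 B1 1A E1) whose directory carries a stream named DRMContent, as described in the MS-OFFCRYPTO specification; the DRMContent lookup is a byte-pattern heuristic, not a compound-file parser, and the share path is a placeholder.

```powershell
# Added example (not from the original article). Assumptions: zip signature for
# plain OOXML, OLE compound-file signature plus a "DRMContent" stream name for
# RMS-protected Office files (MS-OFFCRYPTO); S:\group is a placeholder path.

function Get-DocumentProtectionState {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8) { return 'TooSmall' }

    $head4 = ($bytes[0..3] | ForEach-Object { $_.ToString('X2') }) -join ''
    $head8 = ($bytes[0..7] | ForEach-Object { $_.ToString('X2') }) -join ''

    if ($head4 -eq '504B0304') {
        # Still a zip container: readable by anyone with share and NTFS access.
        return 'PlainZipContainer'
    }
    if ($head8 -eq 'D0CF11E0A1B11AE1') {
        # OLE directory entries store stream names as UTF-16LE at even offsets,
        # so decoding the whole file as UTF-16LE is enough to spot the name.
        $asUtf16 = [System.Text.Encoding]::Unicode.GetString($bytes)
        if ($asUtf16.Contains('DRMContent')) { return 'RmsProtected' }
        return 'OleCompoundFile'   # e.g. a legacy .doc, or protected some other way
    }
    return 'Unknown'
}

function Find-UnprotectedDocuments {
    param([Parameter(Mandatory)][string]$ShareRoot)

    Get-ChildItem -Path $ShareRoot -Recurse -File |
        Where-Object { $_.Extension -in '.docx', '.xlsx', '.pptx' } |
        ForEach-Object {
            [pscustomobject]@{
                File  = $_.FullName
                State = Get-DocumentProtectionState -Path $_.FullName
            }
        } |
        Where-Object { $_.State -eq 'PlainZipContainer' }
}

# Usage: list documents on the test share that are still plain zip containers;
# cross-check them against the Classification tab to spot files classified
# High that the 03:00 job has not yet protected.
Find-UnprotectedDocuments -ShareRoot 'S:\group' | Format-Table -AutoSize
```

Run from the file server with a scheduled task after the RMS job, the output gives a simple daily measure of how many classified documents are still waiting for protection, which is the gap a DLP rollout later has to close.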