運用權(quán)管理服務(wù)實現(xiàn)文件控管稽核_第1頁
運用權(quán)管理服務(wù)實現(xiàn)文件控管稽核_第2頁
運用權(quán)管理服務(wù)實現(xiàn)文件控管稽核_第3頁
運用權(quán)管理服務(wù)實現(xiàn)文件控管稽核_第4頁
運用權(quán)管理服務(wù)實現(xiàn)文件控管稽核_第5頁
已閱讀5頁,還剩59頁未讀, 繼續(xù)免費閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進行舉報或認領(lǐng)

文檔簡介

運用版權(quán)管理服務(wù)實現(xiàn)文件控管稽核

Speaker: 張書源, senior instructor, 精誠公司 恆逸教育訓練中心 (SYSTEX Corporation training center)

Agenda
- Rights Management Services (RMS) architecture
- RMS configuration and deployment
- Using RMS to protect document security

Information Loss Is Costly
- The U.S. Dept. of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004
- Financial: loss of revenue, market capitalization, and competitive advantage
- Image and credibility: leaked executive e-mails can be embarrassing; unintended forwarding of sensitive information can adversely impact the company's image and/or credibility
- Legal and regulatory compliance: increasing regulation (SOX, HIPAA, GLBA); bringing a company into compliance can be complex and expensive; non-compliance can lead to significant legal fees, fines and/or settlements

Information Leakage Is Top-of-Mind with Business Decision Makers
Security breaches reported by businesses (JupiterResearch Report, 2004):
  Virus infection                      63%
  Unintended forwarding of e-mails     36%
  Loss of mobile devices               35%
  Password compromise                  22%
  E-mail piracy                        22%
  Loss of digital assets, restored     20%
"After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach" (JupiterResearch Report, 2004)

Traditional Solutions Protect Initial Access... but Not Ongoing Usage
- The perimeter and access control lists make a yes/no decision at the edge of the trusted network: authorized users in, unauthorized users out
- Once an authorized user holds the information, nothing stops it from leaking onward to unauthorized users
- Today's policy expression lacks enforcement tools

How Does RMS Address This?
- Augments existing technologies to provide persistent protection: encrypts sensitive content; protects inside and outside the trusted network; protects during and after delivery
- Enforces organizational policies: allows organizations to establish and apply centrally managed policies; allows organizations to track the information's lifecycle; supports smart card authentication
- Provides a platform for value-added solutions: supports development of rich third-party solutions on top of RMS via the RMS Software Development Kit (SDK); provides flexibility to integrate with an enterprise's existing internal applications

Common Usage Scenarios
- Server-side: regulatory compliance and IP protection; secure business process automation; central control of information protection
- Client-side: do-not-forward e-mail; persistent document protection; mixed-version Office environments
- Platform and management: centrally define and manage permission templates; log and audit who has accessed rights-protected information; extend the RMS platform to apply and enforce rights protection on HTML content via the Rights Management Add-on for IE (RMA)

Rights Management Add-on for IE (RMA)
- Users without Office 2003 can view rights-protected files via Internet Explorer
- Does not provide authoring capability

Client Usage Scenarios
- Do-not-forward e-mail (Outlook 2003 + RMS): reduce internal/external forwarding of confidential information; keep sensitive e-mail where it belongs
- Protect sensitive files (Word 2003, Excel 2003, PowerPoint 2003 + RMS): control access to sensitive content; set granular permissions per user; determine the length of access
- Communicate in a mixed-version environment (RMA)

Case Study: Swisscom
- Situation: sensitive executive e-mails and internal confidential documents needed to be protected for competitive reasons
- Solution: tested RMS/IRM for six months, then conducted a pilot evaluation; positive end-user feedback drove a full rollout of Office 2003 plus RMS to 19,000 desktops
- Benefit: improved confidentiality; great end-user adoption due to intuitive integration in Office 2003; strong platform for extended information protection solutions
"The integration of RMS with Office 2003, combined with the product's ease of deployment and management, makes it easy for virtually all of Swisscom's employees to keep their critical documents and information safe – without having to learn a cumbersome set of new technologies." Heinz Schär, Member of Management, Swisscom IT Services AG

Server Usage Scenarios
- Enable regulatory compliance and IP protection: extends protection to managed content stored by document and records management solutions; enables archival of RMS-protected e-mails; protected content can be securely indexed and searched
- Secure business process automation: enables workflow engines to extend information protection to business process automation; applies rights protection in a centralized way
- Control information protection centrally: enables content inspection gateways to inspect RMS-protected content and apply RMS protection centrally; enables ISVs to develop server-based solutions

How Does RMS Work?
Parties: information author, recipient, RMS server, SQL Server, Active Directory.
1. The author receives an identity certificate the first time they rights-protect information.
2. The author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file.
3. The author distributes the file.
4. The recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a "use license".
5. The application renders the file and enforces the rights.

Machine Activation
- The user tries to publish or consume content; the application calls into the RMS client to create a new session, and the RMS client starts the bootstrapping process
- The RMS client generates a 1024-bit RSA key pair; the private key is secured by CAPI; the public key is stored in a security processor certificate (SPC), which is signed by the client
- New for SP1: the RMS client is activated without contacting a server or requiring admin privileges
- The user's identity must then be established on the machine by account certification

Account Certification
- The RMS client contacts the RMS server with a certification request, sending the SPC
- The user is authenticated (DOMAIN\username, SID); the e-mail address is retrieved from AD; the server validates the SPC
- The user's 1024-bit RSA key pair is generated and stored in the database; the user's private key is encrypted with the machine public key
- A rights account certificate (RAC) is created and the user's e-mail address and public key are added; the server signs the RAC and returns it to the client
- The user now has a RAC that can be used for consumption. In order to publish, the user needs a client licensor certificate (CLC)

Client Enrollment
- The RMS client contacts the RMS server for client enrollment, sending the RAC; the server validates the RAC
- The server generates the CLC 1024-bit RSA key pair; the CLC private key is encrypted with the RAC public key
- The CLC is generated, granting the user the right to publish; server information, such as the URL and the server public key, is also added to the CLC
- The server signs the CLC and returns it to the client; the client is now ready for both publishing and consumption of protected content

Publishing
- The user creates content in an RMS-enabled application, which calls into the RMS client for publishing
- The user specifies recipients, rights and conditions (e.g. group@…: read, print; expires in 30 days) or chooses a template
- The RMS client generates a 128-bit AES content key and encrypts the content
- The client creates a publishing license (PL): the rights data and the content key are encrypted with the server public key taken from the CLC; the server URL is added to the PL; the CLC signs the PL
- The client returns the PL to the application, which packages the PL with the content; the publisher sends the protected content to the recipient using any mechanism

Licensing
- Assume the recipient has already been bootstrapped; the recipient needs a use license in order to access the content
- The recipient opens the document in an RMS-enabled application, which calls the RMS client to retrieve a use license; the RMS client sends the PL and the RAC to the RMS server
- The server validates the RAC and the PL, and decrypts the data from the PL
- If the content was published to a group, the server checks group membership in AD
- If the identity in the RAC matches the PL or the group membership, the server constructs a use license (UL): rights are granted to the user (user@…: read, print; expires in 30 days); the content key is encrypted with the RAC public key and added to the UL
- The UL is signed by the server and returned to the client; the recipient can now bind the license and open the content

Accessing Content
- The application calls the RMS client to bind the license and decrypt the content
- The RMS client uses the security processor to decrypt the RAC private key; the RAC private key decrypts the content key; the RMS client decrypts the content
- The application renders the content and enforces the rights

RMS Solution Components
Client
- RMS client software plus an RMS-enabled application; both are required for creating or viewing rights-protected content
- Microsoft Office 2003 Editions include RMS-enabled applications: Word, Excel, PowerPoint, Outlook. Office Professional 2003 is required for creating rights-protected content (and can also view it); other Office 2003 Editions allow users to view, but not create, rights-protected content
- Rights Management Add-on (RMA) for Internet Explorer 6.0: allows users to view rights-protected content in IE; enables down-level viewing support for content protected by Office 2003
Server
- RMS server: runs on Windows Server 2003 (Standard, Enterprise, Web or Datacenter Editions); provides certification and licensing
- Active Directory directory service: Windows 2000 Server or later; provides a well-known unique identifier for each user; the e-mail address property for each user must be populated
- Database server: Microsoft SQL Server (recommended) or MSDE; stores configuration, user keys and logging data

RMS Server
- The RMS server is an ASP.NET web service; the protocol is SOAP over HTTP/HTTPS; Internet Information Server (IIS) 6 only
- Single request/response transaction model; stateless for most requests, with all processing on the front end; a database such as SQL Server (or MSDE) is used for configuration and logging
- Requests: machine activation (one-time process to create and download a secure trusted root per machine); certification and client enrollment (binding a user key pair to a specific machine; once per user per machine); licensing (requesting a license to use a piece of content, the "use license"; once per content per user)
- XrML-based input/output; pluggable crypto provider
- Uses AD for authenticating users, determining users' e-mail addresses and confirming users' membership in groups; uses MSMQ to forward logging entries to SQL Server; uses SQL Server to store the RMS configuration, the AD group expansion cache and all logged client activities; uses IIS (Windows Integrated authentication) to authenticate all users

Technologies Supporting Windows RMS
- AD and LDAP: store user accounts and distribution lists; provide the directory of e-mail addresses and the SCP location
- .NET Framework and ASP.NET: application environment for all critical RMS server application code
- MSMQ and SQL: store RMS configuration information, user key pairs, activity logs and the cache of AD groups for expansion
- XrML: standard in which all licenses and certificates are structured
- SOAP: protocol standard for all message exchanges between client and server, server and MSN, and client and MSN
- UDDI: directory for finding the MSN RMS services

RMS-Enabled Applications
- RMS-enabled applications may implement RMS features such as pre-licensing, content access and certificate requests
- Applications can be based on the Server SDK (e.g. the sample "RMS-enabled SPS server" from the Server SDK) or on the Client SDK (e.g. Office Word 2003, Office Outlook 2003, RMA)
- Applications need to have all RMS-enabled libraries and executables signed with an RMS code-signing private key; the signature is included in a manifest (XML file) for the application
- The manifest is a signed XML file containing hashes of all listed files, and it should include all files that call RMS client APIs
- The RMS client APIs validate the hashes in the manifest against all listed files before unlocking rights-protected information

RMS Client Components and APIs
- Client components and their APIs are the glue between RMS-enabled applications and the lockbox: Msdrm.dll, Msdrmhid.dll, Msdrmctrl.dll
- All RMS-enabled applications perform their work through these APIs, and any application can program to them (Client SDK), e.g.: requesting machine activation; finding RMS services; requesting and parsing licenses and certificates; managing licenses (enumerate, store); creating offline publishing licenses
- Client components call the lockbox to perform the security operations

Scaling an RMS Deployment
- Diagram: clients come through the firewall over SSL to a load balancer in front of the RMS servers, which share AD and SQL Server

RMS at Microsoft: FY05 Deployment Statistics
- 79,000 unique users; 23,000 unique users per week
- 71,000 content licenses issued per week; over 1,000,000 use licenses served
- Median time to certify: under 1 second
- 10 RMS-related help desk calls per week (overall help desk volume is 11,000 calls per week; 20% escalated to Tier 2 client support)

RMS does not protect against analog attacks...

RMS Product Roadmap
- Today (RMS v1 with SP1): enterprise information policy expression and enforcement; intra-company content exchange; integration with server-based, centrally managed solutions; Active Directory integration; FIPS compliance; smart card support; RMS-enabled Microsoft apps: Office 2003 (Outlook, Word, PowerPoint, Excel)
- FY06 (RMS for Windows Mobile): access protected content on Windows Mobile devices; Windows Mobile support; Pocket Inbox
- FY07 (RMS v2, "Longhorn"): additional client and server applications; broader external collaboration scenarios; increased security while maintaining ease of use; improved deployment and management; modified trust infrastructure; expanded authentication support

Demonstrations
- Authoring rights-protected information with RMS and Word 2003
- Creating a do-not-forward e-mail with RMS and Outlook 2003
- Consuming rights-protected information with RMS and Outlook 2003 and Excel 2003

Resources (host names are missing from the source)
- RMS website: /rms
- RMS blog: /rms
- RMS TechNet Virtual Lab: /technet/traincert/virtuallab/rms.mspx
- Microsoft Security: /security
- Microsoft IT's RMS deployment: /technet/itsolutions/msit/infowork/deprmswp.mspx
- RMS SDK on MSDN: /library/en-us/dnanchor/html/rm_sdks_overview.asp

Questions?
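The bootstrapping, publishing, licensing and content-access flow described on the slides, as an added working model. This is illustration code written for this page, not the deck's or Microsoft's code, and not the real XrML/SOAP formats: the certificates and licenses are JSON bodies with RSA signatures, "encrypted with X's public key" is done in hybrid form (AES-GCM under a fresh key, key wrapped with RSA-OAEP), and the CLC is folded into the RAC so that the publisher's own key signs the PL. The type and function names (`Envelope`, `Sealed`, `Server`, `Client`, `Demo`), the example.com addresses and the "sales" group are assumptions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Toy model of the RMS v1 key hierarchy on the slides (not the real XrML/SOAP formats). SPC (machine key)
// -> RAC (user key pair, private half sealed to the machine) -> PL (rights + content key sealed to the
// server) -> UL (content key re-sealed to the RAC). The CLC is folded into the RAC here for brevity.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// 1024-bit mirrors RMS v1; it is far too small for anything designed today.
func newKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 1024)) }

// Envelope: JSON body plus the issuer's RSA signature (stand-in for a signed XrML certificate or license).
type Envelope struct{ Body, Sig []byte }

func sign(issuer *rsa.PrivateKey, v any) Envelope {
	body := must(json.Marshal(v))
	h := sha256.Sum256(body)
	return Envelope{body, must(rsa.SignPKCS1v15(rand.Reader, issuer, crypto.SHA256, h[:]))}
}

func verify(issuer *rsa.PublicKey, e Envelope, v any) error {
	h := sha256.Sum256(e.Body)
	if err := rsa.VerifyPKCS1v15(issuer, crypto.SHA256, h[:], e.Sig); err != nil { return err }
	return json.Unmarshal(e.Body, v)
}

// Sealed: "encrypted with X's public key" in hybrid form (AES-128-GCM under a fresh key, key wrapped with RSA-OAEP).
type Sealed struct{ WrappedKey, Nonce, CT []byte }

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(to *rsa.PublicKey, pt []byte) Sealed {
	key, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	return Sealed{must(rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil)), nonce, gcm(key).Seal(nil, nonce, pt, nil)}
}

func open(with *rsa.PrivateKey, s Sealed) []byte {
	key := must(rsa.DecryptOAEP(sha256.New(), rand.Reader, with, s.WrappedKey, nil))
	return must(gcm(key).Open(nil, s.Nonce, s.CT, nil))
}

type RAC struct{ Email string; Pub, ServerPub *rsa.PublicKey; PrivToMachine Sealed }
type Rights struct{ Principal string; Rights []string; Expires time.Time; ContentKey []byte }
type PL struct{ RAC Envelope; Rights Sealed } // publisher's RAC + rights JSON (with the content key) sealed to the server
type UL struct{ Email string; Rights []string; Expires time.Time; KeyToRAC Sealed }
type Doc struct{ Nonce, CT []byte; PL Envelope } // encrypted content packaged with its PL

type Server struct {
	Key    *rsa.PrivateKey
	Groups map[string][]string // AD group -> member e-mails (constructed sample directory)
}

// Account certification: user key pair generated server-side, private half sealed to the SPC key, RAC signed.
func (s *Server) Certify(spc *rsa.PublicKey, email string) Envelope {
	k := newKey()
	return sign(s.Key, RAC{email, &k.PublicKey, &s.Key.PublicKey, seal(spc, x509.MarshalPKCS1PrivateKey(k))})
}

// Licensing: validate the requester's RAC, the publisher's RAC inside the PL and the PL signature; decrypt the
// rights; grant only if the requester is the named principal or an AD group member; re-seal the key to the RAC.
func (s *Server) License(racEnv, plEnv Envelope) (Envelope, error) {
	var rac, pub RAC; var pl PL; var r Rights
	if err := verify(&s.Key.PublicKey, racEnv, &rac); err != nil { return Envelope{}, fmt.Errorf("RAC: %w", err) }
	json.Unmarshal(plEnv.Body, &pl)
	if err := verify(&s.Key.PublicKey, pl.RAC, &pub); err != nil { return Envelope{}, fmt.Errorf("publisher RAC: %w", err) }
	if err := verify(pub.Pub, plEnv, &pl); err != nil { return Envelope{}, fmt.Errorf("PL: %w", err) }
	json.Unmarshal(open(s.Key, pl.Rights), &r)
	ok := rac.Email == r.Principal
	for _, m := range s.Groups[r.Principal] { ok = ok || m == rac.Email }
	if !ok { return Envelope{}, errors.New("access denied: " + rac.Email) }
	return sign(s.Key, UL{rac.Email, r.Rights, r.Expires, seal(rac.Pub, r.ContentKey)}), nil
}

// Client: Machine is the SPC key pair from activation (local, no server contact); RAC from certification.
type Client struct{ Machine *rsa.PrivateKey; RAC Envelope }

func Bootstrap(s *Server, email string) *Client {
	c := &Client{Machine: newKey()}
	c.RAC = s.Certify(&c.Machine.PublicKey, email)
	return c
}

// Lockbox step: the machine private key unseals the RAC private key.
func (c *Client) userKey() (*rsa.PrivateKey, RAC) {
	var rac RAC
	json.Unmarshal(c.RAC.Body, &rac)
	return must(x509.ParsePKCS1PrivateKey(open(c.Machine, rac.PrivToMachine))), rac
}

// Publishing, offline: fresh 128-bit AES content key; content encrypted; rights + key sealed to the server
// public key carried in the RAC; PL signed by the publisher. The content key never leaves the client in clear.
func (c *Client) Publish(content []byte, r Rights) Doc {
	uk, rac := c.userKey()
	r.ContentKey = make([]byte, 16)
	rand.Read(r.ContentKey)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return Doc{nonce, gcm(r.ContentKey).Seal(nil, nonce, content, nil), sign(uk, PL{c.RAC, seal(rac.ServerPub, must(json.Marshal(r)))})}
}

// Accessing content: verify the UL, check it is bound to this RAC and unexpired, unseal the content key with
// the RAC private key, decrypt; the application must then enforce the returned rights list itself.
func (c *Client) Open(serverPub *rsa.PublicKey, doc Doc, ulEnv Envelope) ([]byte, []string, error) {
	var ul UL
	if err := verify(serverPub, ulEnv, &ul); err != nil { return nil, nil, err }
	uk, rac := c.userKey()
	if rac.Email != ul.Email || time.Now().After(ul.Expires) { return nil, nil, errors.New("UL not usable by this RAC") }
	pt, err := gcm(open(uk, ul.KeyToRAC)).Open(nil, doc.Nonce, doc.CT, nil)
	return pt, ul.Rights, err
}

// Demo: alice publishes to the sales group for 30 days; bob (a group member) is licensed, mallory is refused.
func Demo() (string, []string, error) {
	s := &Server{newKey(), map[string][]string{"sales@example.com": {"bob@example.com"}}}
	alice, bob, mallory := Bootstrap(s, "alice@example.com"), Bootstrap(s, "bob@example.com"), Bootstrap(s, "mallory@example.com")
	doc := alice.Publish([]byte("Q3 forecast: confidential"),
		Rights{Principal: "sales@example.com", Rights: []string{"read", "print"}, Expires: time.Now().Add(30 * 24 * time.Hour)})
	if _, err := s.License(mallory.RAC, doc.PL); err == nil { return "", nil, errors.New("mallory should have been refused") }
	ul, err := s.License(bob.RAC, doc.PL)
	if err != nil { return "", nil, err }
	pt, rights, err := bob.Open(&s.Key.PublicKey, doc, ul)
	return string(pt), rights, err
}

func main() { fmt.Println(Demo()) }
```

Three properties of the slides' design become visible when the model is read end to end. The content key appears only under the server's public key (in the PL) or under a recipient's RAC public key (in the UL), so neither the transport nor the database ever holds it in clear. The server is the single policy decision point: it alone can open the PL, and it resolves group membership against the directory at licensing time, which is why the AD e-mail attribute must be populated. And a stolen RAC is useless without the machine key that unseals its private half, which is the binding that machine activation provides; the remaining gap, that the application must enforce "read, print" after decryption, is exactly the "analog attack" caveat later in the deck.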
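The signed application manifest that the RMS client checks before unlocking content ("RMS-Enabled Applications" above), as an added example. This is illustration code for this page, not the deck's or Microsoft's code: the manifest is JSON rather than the real XML, the code-signing key is a freshly generated Ed25519 key standing in for the RMS code-signing key, and the "binaries" are constructed byte strings. `BuildManifest`, `Unlock` and `ManifestDemo` are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every module that calls the RMS client APIs with its SHA-256, and carries the vendor's
// signature over the whole list (stand-in for the signed XML manifest on the slides).
type Manifest struct {
	Files map[string]string // file name -> hex SHA-256
	Sig   []byte            // signature over the canonical JSON of Files
}

// BuildManifest hashes each binary and signs the list with the (stand-in) code-signing key.
func BuildManifest(signer ed25519.PrivateKey, binaries map[string][]byte) Manifest {
	m := Manifest{Files: map[string]string{}}
	for name, data := range binaries {
		sum := sha256.Sum256(data)
		m.Files[name] = hex.EncodeToString(sum[:])
	}
	body, _ := json.Marshal(m.Files) // encoding/json sorts map keys, so this encoding is canonical
	m.Sig = ed25519.Sign(signer, body)
	return m
}

// Unlock is the check the RMS client performs before handing decrypted content to the application:
// verify the manifest signature, then re-hash every listed file and compare. Any mismatch fails closed.
func Unlock(vendorPub ed25519.PublicKey, m Manifest, loaded map[string][]byte) error {
	body, _ := json.Marshal(m.Files)
	if !ed25519.Verify(vendorPub, body, m.Sig) {
		return errors.New("manifest signature invalid")
	}
	for name, want := range m.Files {
		data, ok := loaded[name]
		if !ok {
			return fmt.Errorf("%s listed in manifest but not present", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s does not match its manifest hash", name)
		}
	}
	return nil
}

// ManifestDemo: a trusted application image unlocks; the same image with one patched DLL is refused.
func ManifestDemo() (cleanOK bool, patchedOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	app := map[string][]byte{ // constructed stand-ins for the application's binaries
		"viewer.exe":    []byte("viewer v1"),
		"rmshelper.dll": []byte("helper v1"),
	}
	m := BuildManifest(priv, app)
	patched := map[string][]byte{
		"viewer.exe":    app["viewer.exe"],
		"rmshelper.dll": []byte("helper v1 + hook that writes plaintext to disk"),
	}
	return Unlock(pub, m, app) == nil, Unlock(pub, m, patched) == nil
}

func main() { fmt.Println(ManifestDemo()) }
```

The check only establishes that the bytes on disk are the ones the vendor signed; it says nothing about what happens in memory once the lockbox has released the content key, which is the boundary the deck's "RMS does not protect against analog attacks" line is pointing at.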
