Microsoft Rights-Protected Management System


Peachy

So, been perusing my daily fix of news from Microsoft Watch and noticed this article on Microsoft's new rights-management services. One of the features of the upcoming Office 2003 Professional is the ability to create rights-management protected documents. In other words, not only can you password protect (already available in Office since 4.3 I believe) your Office documents, but you can disable printing (Adobe has had that in Acrobat since version 5), expire the document and limit its accessibility to Rights Managed software systems. Rights Managed software systems require a Windows 2003 Server and RM client access licenses for devices and software.


I think it is a welcome feature! Customers have been asking for this feature for years. They finally came through. We all tend to think that MS specifically creates applications like Office for the home user. Unfortunately not the case. Corporate sales drive the market and MS. Many of the products spill over into the home market. Those who choose not to go with Office Systems 2003 will not get that feature. Those companies who want it will get it. It is not like all documents created within Office Systems 2003 will default to the protected content and lock everyone else out. If someone wants to take advantage of the new feature they can. In a sense it has to be a closed system because if everyone had the keys, how would it be secure? If you want protected docs you use the technology; if you don't care about the docs' use then you don't use it. If you are not using the technology then I don't see why those docs would not be interchangeable with OpenOffice.

Take the airline Jet Blue. They went 100% MS with Win2k3 Servers in the back and XP in the front. It's working for them. They had considered being a mixed shop. Discovered that going with MS for everything was cheaper from a single source and would cost less to maintain than in a mixed environment. Since they made the investment as an early adopter with Win2K3 servers, moving to Office Systems 2003 is probably built into their volume license agreement at no additional cost.

I'm running Small Business Server 2003 here at home. Win2k3 server integrated with Exchange 2003, SQL 2002, and Outlook 2003. The package is going to be hot for MS. The large OEMs are ramping up to deliver servers all set up with SBS starting at $999 for the basic package and $1499 for the deluxe version. That's software and hardware! It is so easy to set up. You used to have to configure a floppy to connect client machines... a different floppy for each machine. Now just a simple URL at the command prompt and the client downloads any applications that you specify. A reboot and your machine is connected to the network, configured for DNS, Exchange mailbox setup, and a private Intranet automatically configured; Remote Work space and Remote Web mail are configured and set up in a single operation.

SBS used to only connect to 25 clients; then 50 and now they raised it to 75. My point here is that MS does indeed listen to customers and what I have just described is what the majority have desired for some years. MS is delivering the goods.


nlinecomputers

I'm with Marsden11 on this. I don't see how this is a problem. DRM in a business environment is a very needed feature. It isn't required for everybody to use and it isn't on by default. In the home environment it can't even be used to create original docs as you don't have a server to issue a certificate to you. How is this much different than using PGP? This is not like the DRM BIOS which is just a method to force you to use a Microsoft OS. This provides business with a needed feature to keep secret documents from leaving the building on somebody's thumbdrive.


Marsden, Nathan, I can't argue with your points; corporate customers do want that level of control over their documents, especially sensitive/confidential information. The concept of Digital Rights Management is fine in principle. But I still can't help feeling a sense of foreboding whenever MS talks rights management. I'm probably being real paranoid and you can call me on that, but MS and security has often been an oxymoron.


This seems to address the problem that once you put something out on the internet, it's irrecoverable and immortal (for as long as anyone is interested in it) even though it may no longer be relevant or is confidential or copyrighted.


Yup.  But they can't stop you from taking screen prints... :rolleyes:
Actually, I read that you CAN'T do Print Screen, or copy & paste either. Not sure if other screen captures would work, like PSP's hotkey screen capture tool. Anyone can confirm / deny this? I didn't try it personally, but I read it somewhere that even doing those things won't work on 'locked' documents.

And I think this is a good idea for business and such, or even for personal use (you can send a resume without fear of it being tampered with before it gets to the boss's desk, for example). Still, I wish PGP would become the norm for everything, since it is secure and doesn't force you to one format (like Office 2003).

nlinecomputers
Still, I wish PGP would become the norm for everything, since it is secure and doesn't force you to one format (like Office 2003).
Well the only problem with PGP is that once you have decoded the doc into cleartext you're free to do with it whatever you wish. The M$ system prevents things like this from easily happening.

This was taken from a story on ZDNet.

To use IRM features, businesses will need a server running Microsoft's Windows Server 2003 operating system and Windows Rights Management Services software. The server software will record permission rules set by the document creator, such as other people authorized to view the document and expiration dates for any permissions. When another person receives that document, they briefly log in to the Windows Rights Management server--over the Internet or a corporate network--to validate the permissions.
Where is this Windows Rights Management server? Is it a MS server or is it behind the corporate firewall? Might this not provide another hacking target for someone? If it is behind the corporate firewall, will companies be willing to let outsiders through?

nlinecomputers

ibe, not "Rights management server"; it's "rights management service". It is a service. It is built into Windows Server 2003 if I recall correctly. It's not something you depend on Microsoft to provide certificates to you. You make your own or if you want certificates with more "authority" you call up Verisign and buy one from them. But you still install it on YOUR server. This isn't any different than the procedures needed for a secure webpage. This is just for Word docs and the like.


nlinecomputers

But unlike a webpage this is something that probably will sit behind a firewall and you'd have to VPN to it to get to. If you are giving out docs to persons outside your corporate net then you're either going to have to give them access to your Key server or it will have to be open on the net. It isn't any more of a risk than anything else on the net. If you put it online they will hack it.


Guest LilBambi

Not to mention that it is proprietary and REQUIRES Microsoft Server 2003 be on your server to implement ... at least according to the ZDNet article. Hmmm. :o


Cluttermagnet
I'm with Marsden11 on this. I don't see how this is a problem. DRM in a business environment is a very needed feature. It isn't required for everybody to use and it isn't on by default. In the home environment it can't even be used to create original docs as you don't have a server to issue a certificate to you. How is this much different than using PGP? This is not like the DRM BIOS which is just a method to force you to use a Microsoft OS. This provides business with a needed feature to keep secret documents from leaving the building on somebody's thumbdrive.
With the ever-shrinking size of digital cameras, I would think that someone who can get access to a machine and bring up copies of sensitive, protected documents can record them the old-fashioned way- optically. Screen capture by digital camera. Can that be prevented? Seems to me that cameras can't be locked out by DRM like thumbdrives. If so, the removable media from cameras is pretty tiny as well. Scan the graphic later and recover text. Years ago, spies used to carry tiny, pocket size cameras to do precisely this sort of work from inside an organization. Info left the building on optical film. Today the 'film' is digital, otherwise all is pretty much the same.

I don't see what the big deal is. I use Remote Desktop to manage remote servers. RD uses RDP via TCP/IP.

One reason that Microsoft decided to implement RDP for connectivity purposes within Windows Terminal Server is that it provides a very extensible base from which to build many more capabilities. This is because RDP provides 64,000 separate channels for data transmission. However, current transmission activities are only using a single channel (for keyboard, mouse, and presentation data). Also, RDP is designed to support many different types of Network topologies (such as ISDN, POTS, and many LAN protocols such as IPX, NetBIOS, TCP/IP, and so on). The current version of RDP will only run over TCP/IP but, with customer feedback, other protocol support may be added in future versions. The activity involved in sending and receiving data through the RDP stack is essentially the same as the seven-layer OSI model standards for common LAN networking today. Data from an application or service to be transmitted is passed down through the protocol stacks, sectioned, directed to a channel (through MCS), encrypted, wrapped, framed, packaged onto the network protocol, and finally addressed and sent over the wire to the client. The returned data works the same way only in reverse, with the packet being stripped of its address, then unwrapped, decrypted, and so on until the data is presented to the application for use. Key portions of the protocol stack modifications occur between the fourth and seventh layers, where the data is encrypted, wrapped and framed, directed to a channel and prioritized.

Basically RDP is encapsulated and encrypted within TCP and it works very well. I suspect it will be delivered via RDP. MS has Remote Desktop clients for Mac OS X (10.2), Win 9X, ME, NT, Win2K, and Win2k3.


Guest LilBambi

What I see is that there are only Windows and Mac supported clients. No Linux, or BSD/UNIX supported clients.

And it still requires Microsoft Server 2003 on the originating server. No Apache server support. It is being very short sighted not to provide it as a universal standard for all server markets.

It would be a great service (for those who need that type of document control) if it was made universally applicable on all servers.

In time, they will probably ensure that all new servers have the DRM built into the BIOS that will give even further control.


If Microsoft ported Office to all of the NIXs, would you purchase a copy of Office System 2003 to get document DRM? Would anyone using any of the Linux distros purchase Office System 2003 to get document DRM?


Guest LilBambi

What I, as an individual, would do is irrelevant since I would have no need of document DRM.

However, there are many corporations using alternate server and/or client situations who might well want that ability without having to change their entire way of doing business in order to accomplish it.

If Microsoft doesn't port it, the Linux/UNIX developers will create their own in time to fill that need.

It's up to Microsoft whether they wish to be a software service company or simply just another monopoly.


nlinecomputers

It seems to me that companies like Verisign could offer authentication services over the net. Register your doc files at lockdocs.org or some other such system using Windows Server Tech without having to purchase the server.


nlinecomputers
With the ever-shrinking size of digital cameras, I would think that someone who can get access to a machine and bring up copies of sensitive, protected documents can record them the old-fashioned way- optically. Screen capture by digital camera. Can that be prevented? Seems to me that cameras can't be locked out by DRM like thumbdrives. If so, the removable media from cameras is pretty tiny as well. Scan the graphic later and recover text. Years ago, spies used to carry tiny, pocket size cameras to do precisely this sort of work from inside an organization. Info left the building on optical film. Today the 'film' is digital, otherwise all is pretty much the same.
Clutter, no system is perfect. At some point someone will no doubt be able to put some kind of worm in a system that can monitor the information. Somewhere in the system the text has to be made into cleartext. If nothing more than to put it on the screen or to print it out. (If allowed by the locks in the file.) Some program could piggyback on that and pull out that information. Heck, even non-Microsoft screen dump programs might be able to do it.

Guest ThunderRiver

Being a disappointed beta tester for Office 11, I do have to say that DRM is not the most perfect security system in the world. DRM requires .NET passport in order for it to work properly. It has always been the potential issue that one unhappy employee encrypts all the company documents under his/her .NET passport and walks away. I can also see the scenario that one person sent out a document with DRM enabled, and sent it to some users that don't always have Internet access. As for dial up users, you most likely have to get online and authenticate yourself in order to have access to reading/modifying the documents. What if that person is at some restaurant or some public place? Darn.. no access to the document.

Perhaps it was just in beta stage, but I am full of doubts about DRM. For example, in Outlook 2003, if you send out an email with DRM enabled, you might even run into problems reading your own email (the email you sent out). DRM is not working too well in my opinion. For corporate users, they get to have the option to host the DRM service as well as SharePoint Server on their own Windows 2003 Server. For general customers, they will have choices to use such service hosted by Microsoft. While it was beta, I was able to use such service for free. I don't know about the actual final copy. I haven't gotten myself a final copy yet, so I can't speak more on this one.
