Protect Documents No Matter Where They Are: AD Rights Management Services

There are different types of encryption. The one you might know best is transmission encryption. A message is encrypted only while it is in transit over the wire between a source and destination. It is unprotected at either end. Then there is folder or file encryption. While a document is on the disk or in the folder it is secure. If the document leaves the folder, e.g. on a USB stick or by email, it is not secure. Disk encryption (Windows Vista/7 BitLocker, SafeBoot, etc.) or device encryption (e.g. Windows 7 BitLocker To Go) protects everything on a disk. You can put that disk in another machine and have no access to the data without authentication. But this doesn’t protect your data if it leaves that disk.

I just read a blog post where a company lost control of business data and it was put in a pretty compromised position.  A document with valuable information left secure control and was available to "the wild".  What can you do to protect documents in case they leave the safety of your encrypted network, folders or disks?  What if your documents are out "in the wild"?  Can you stop anyone from reading them?

Someone might suggest using passwords on those documents.  You’ve probably seen something similar to "protect" Excel spreadsheets, etc.  That won’t help.  Such a password is easily cracked using 3rd party tools that you can buy on the net.

What will help is Rights Management Services (RMS). It first turned up as a free download for Windows Server 2003 (but requiring RMS CAL licensing) and then in Windows Server 2008 as Active Directory Rights Management Services. Using X.509 certs, you can protect your documents no matter where they are. If someone copies documents and brings them home they have no access to them. If someone takes them to a competitor when they leave the company they have no access to them. If someone sends them to a press reporter they have no access to them. According to MS, "Users can define who can open, modify, print, forward, or take other actions with the information".

The cool thing about this solution is that it is AD integrated and ties directly into Office to make it very user friendly. You can define policies for controlling documents, set up Internet connectivity for non-connected users, set up MOSS 2007 integration and set up AD Federation Services for partner companies.

There’s a step-by-step guide here.  Check the sub-pages in the navigation pane on the left for the content.

Worm Alert: Conficker

I just got an email from our TAM in Microsoft.  It must be important because we don’t normally get mails like this from MS.  They’re warning us that a worm called Conficker is rampant at the moment.  You are vulnerable if you have not deployed the security update MS08-067.  If you do get infected by Conficker or Banload then there is a fix.

That security patch was released in October 2008.  See how important it is to perform your updates?  Don’t blame MS if you get hit by this one.  And yes, Linux and Mac have security updates too!

Microsoft To Release Free Consumer Anti-Malware

Microsoft currently sells a subscription service product for consumer computer security called Live OneCare.  It takes care of AV, firewall, spyware, etc.  I’ve used the trial and I reckoned it was pretty good for the domestic user.  I didn’t subscribe – I’ve been using AVG free for a while now (Avast beforehand) and I find it pretty good.

According to Bink, MS are going to stop selling OneCare via retail in June 2009 and replace it with a free product.  The aim is to get as many people protected as possible, thus giving Windows consumers the protection from malware that they need.  The decision to phase out OneCare allows MS to focus their efforts on a single consumer product.  Making it free spreads the cover of their protection to the maximum possible install base.

Credit: Bink.

Microsoft Updates: September 2006

The following updates were released by Microsoft on Patch Tuesday:

  • MS06-052 – addresses a vulnerability in Microsoft Windows
  • MS06-053 – addresses a vulnerability in Microsoft Windows
  • MS06-054 – addresses a vulnerability in Microsoft Office

They also re-released the following 2 security updates on September 12, 2006:

  • MS06-040 – addresses a vulnerability in Microsoft Windows
  • MS06-042 – addresses a vulnerability in Internet Explorer, a component of Windows

As usual, it is recommended that you test these updates before deploying them on your network. BTW, there have been some rumblings on the net about a performance hit and/or machines failing to start up after this month’s deployments. I’ve not had any problems myself but there have been some problems with updates over the last two or three months … please make use of the free VM solutions that are out there or the targeting mechanisms built into SMS/WSUS and test before you deploy.