How AD-RMS can stop your organization’s secrets ending up on Wikileaks
The extraordinary thing about the current Wikileaks news is that the documents were obtained by someone with relatively low-level privileges.
December 7, 2010
The extraordinary thing about the current Wikileaks news is that the documents were obtained by someone with relatively low-level privileges. In fact, almost all of the documents that seem to turn up on sites like Wikileaks were obtained by people who were in the lower echelons of their organization.
The scale of the Wikileaks information dump indicates a profound failure in the application of security using Access Control Lists (ACLs). The form of ACL that most people reading this article will be familiar with is NTFS and shared folder permissions. One thing I’ve noticed as both a trainer and as an author is that a lot of experienced people fundamentally misunderstand how permissions work, especially when you combine NTFS with shared folder permissions. When you get to the stage of having to work out permissions through memberships of nested groups at both levels, what you generally end up with is an administrator who is flummoxed. Which is why, in all probability (though I can’t say for sure), the people who obtained the documents that later leaked were able to do so because the security permissions that protected those documents weren’t properly applied. And if they aren’t properly applied at places like the US Military or State Department, what are the chances that they are properly applied at the place where you work?
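To make the nested-group problem concrete, here is an added illustration (not from the article) that computes effective access over a share from share permissions, NTFS permissions and transitive group membership; the principals, groups and ACLs are constructed sample data, and Deny evaluation is simplified to "any matching Deny wins".

```python
# Added illustration (not from the article): how effective access over a share
# falls out of share permissions, NTFS permissions and nested group membership.
# All principals, groups and ACLs below are constructed sample data.
from typing import Dict, List, Set, Tuple

Ace = Tuple[str, str, Set[str]]  # (principal, "Allow" | "Deny", rights)

# Direct memberships: principal -> groups it belongs to (nesting is transitive)
GROUPS: Dict[str, Set[str]] = {
    "alice": {"Analysts"},
    "bob": {"Contractors"},
    "Analysts": {"Staff"},
    "Contractors": {"Staff"},
    "Staff": {"Domain Users"},
}

# Intent: only Analysts should read the Reports share. Both ACLs still carry a
# broad inherited "Domain Users" entry, which is the classic misconfiguration.
SHARE_ACL: List[Ace] = [("Domain Users", "Allow", {"Read"}),
                        ("Analysts", "Allow", {"Read", "Write"})]
NTFS_ACL: List[Ace] = [("Domain Users", "Allow", {"Read"}),
                       ("Analysts", "Allow", {"Read", "Write"})]

def principals_for(user: str) -> Set[str]:
    """The user plus every group reachable through nested membership."""
    seen: Set[str] = set()
    stack = [user]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(GROUPS.get(p, set()))
    return seen

def effective_on_acl(user: str, acl: List[Ace]) -> Set[str]:
    """Union of Allow rights across the user's principals, minus any Deny
    (simplified: a matching Deny always wins)."""
    who = principals_for(user)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, kind, rights in acl:
        if principal in who:
            (allowed if kind == "Allow" else denied).update(rights)
    return allowed - denied

def effective_access(user: str, share_acl: List[Ace] = SHARE_ACL,
                     ntfs_acl: List[Ace] = NTFS_ACL) -> Set[str]:
    """Over the network the more restrictive of share and NTFS wins."""
    return effective_on_acl(user, share_acl) & effective_on_acl(user, ntfs_acl)
```

Bob, a contractor, ends up with Read on the analysts' reports through the inherited Domain Users entry; an explicit Deny on Contractors at the NTFS level closes that gap.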
There is no perfect solution that ensures that documents your organization wants kept secret cannot be leaked and posted on the internet. If someone who has legitimate access to a document wants to share it, there is a good chance that they’ll be able to do that. What you can do is ensure that low-level people who should not have access to important documents don’t have it. A more reliable way of ensuring that the access actually granted to a document is the access that should have been granted is through technologies such as Active Directory Rights Management Services.
AD RMS is a technology that has been included with the Windows Server operating system since Server 2003 R2. To grossly simplify how AD RMS works: rather than assigning permissions to accounts at the file level, you use digital rights management technology to configure rights at the document level. When you configure rights at the document level, it doesn’t matter what NTFS or share permissions are assigned at the file level. Unless someone is given the right to open a document, they can’t open it. You can even block people from opening sensitive documents on computers outside the domain. These rights are enforced by applications and managed centrally through Active Directory. AD RMS allows you to revoke rights to a document once the document has been distributed, should you so choose. You can also go further and segment a user’s rights so that one user might be able to read a document but is unable to copy any aspect of that document (including taking a screenshot). You can also stop a user from printing a document. AD RMS also fully integrates with Exchange, so people can’t forward sensitive documents outside the organization unless they are explicitly given permission to do so. With AD RMS, you can’t open a document unless the application supports AD RMS. The document is essentially in an encrypted, locked-off state until someone who has the rights to open it does so with an application that can obtain a license to that document from the central AD RMS server. If the application doesn’t support AD RMS, the file is unreadable.
What this means from the perspective of stopping a Wikileaks-type event is that if someone is surfing file shares at the organization and copying everything to which they have access to a local storage device, they won’t be able to open those copied files unless they have actually been granted the right to do so. 250,000 files obtained from various file shares are pretty useless if you don’t have the ability to open any of them.
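The two preceding paragraphs describe the model: a document sealed with a key that only the central server releases, a publishing licence carrying the rights table, per-user use licences, and revocation after distribution. The following toy model is an added illustration of that flow, not Microsoft's code or the real AD RMS protocol; the keystream cipher stands in for real encryption, and all users and content are constructed.

```python
# Added toy model (not Microsoft's code or protocol) of the AD RMS idea: the
# file is sealed with a content key only the licensing server can release, and
# the server releases it only to users the publisher granted rights. The
# keystream cipher is a stand-in for real encryption; data is constructed.
import hashlib
import os
from typing import Dict, Optional, Set

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 counter keystream; XOR is its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class RmsServer:
    """Stand-in for the central AD RMS licensing server."""
    def __init__(self) -> None:
        self.server_key = os.urandom(32)
        self.revoked: Set[str] = set()  # publishing licences revoked

    def _wrap_key(self, lic_id: str) -> bytes:
        return hashlib.sha256(self.server_key + lic_id.encode()).digest()

    def publish(self, content: bytes, rights: Dict[str, Set[str]]):
        """Seal the content; return the protected bytes and publishing licence."""
        content_key = os.urandom(32)
        lic_id = os.urandom(8).hex()
        pub_lic = {"id": lic_id, "rights": rights,
                   "sealed_key": keystream_xor(self._wrap_key(lic_id), content_key)}
        return keystream_xor(content_key, content), pub_lic

    def use_license(self, pub_lic: dict, user: str) -> Optional[dict]:
        """Issue a use licence (content key + rights) only to a granted user."""
        if pub_lic["id"] in self.revoked or user not in pub_lic["rights"]:
            return None
        key = keystream_xor(self._wrap_key(pub_lic["id"]), pub_lic["sealed_key"])
        return {"key": key, "rights": pub_lic["rights"][user]}

def open_document(server: RmsServer, protected: bytes, pub_lic: dict,
                  user: str) -> Optional[bytes]:
    """An RMS-aware application: plaintext only with a use licence granting View."""
    lic = server.use_license(pub_lic, user)
    if lic is None or "View" not in lic["rights"]:
        return None
    return keystream_xor(lic["key"], protected)
```

A copied protected file is just ciphertext to anyone the server will not license, and revoking the publishing licence shuts off even users who were originally granted rights.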
AD RMS does have the ability to perform license recovery so that an administrator could recover a document that they haven’t been directly granted rights to, but this process can be secured, and in the cases of the documents that are turning up in places like Wikileaks, it isn’t the sysadmins that are doing the leaking. At the moment rogue sysadmins aren’t the problem, but procedures can be put in place to lock them down as well.
AD RMS is a nifty technology that has been included with Windows Server operating systems for some time. As organizations become more aware of the perils of information leakage (and with the exposure Wikileaks is getting, how can they not be aware of it?), they are going to want to look at solutions that minimize the possibility of an embarrassing data dump turning up on a public web site. AD RMS won’t prevent all information from leaking, but it will do a better job of stopping leaks than NTFS and shared folder permissions currently do.