SITEMETER


In the News


  • 2005-04-14:

    PKI in the News
    Diffie: Infrastructure a disaster in the making

    Part 2: Diffie, now chief security officer, vice president and a fellow at Sun Microsystems, explains why Windows' spread into critical infrastructure is dangerous and how use of elliptical curve cryptography will grow with the proliferation of smaller, integrated mobile devices.
    more...


    PKI in the News
    Hellman: Authentication at every access point

    Part 1: Hellman, now professor emeritus of electrical engineering at Stanford University, explains why phishing is one of the biggest threats we face, why strong authentication is needed at every access point and why security add-ons won't do much to ease the threats of cyberspace.
    more...


    2005-03-29:

    RMS in the News
    Patricia Seybold Group Identifies Liquid Machines as Leader in the Enterprise Rights Management Market

    "Liquid Machines' Solutions for Managing Digital Rights on Electronic Desktops: Tracking How Customers and Business Partners are Distributing Content across the Web" (Patricia Seybold Group - March 2005) discusses the suitability of Liquid Machines ERM products to the growing enterprise need for a rights-management solution that can protect their sensitive and high-value documents, prevent information leakage, and eliminate potential violation of compliance regulations. The report identifies many key differentiators of Liquid Machines ERM solutions' including its Policy Droplet? control, technology superiority in the area of policy enforcement and persistence, and strategic partnership with Microsoft® to extend Windows® Rights Management Services.
    more...


    2005-03-27:

    VS and VPC in the News
    Virtual-Server Face-Off

    The year 2004 might very well become known as the year of virtualization. Initially, IT pros recognized the value of virtualization technologies in test and demo environments. However, with the advent of ever more powerful systems coupled with continued improvements in virtual machine (VM) technologies, virtualization has since become a production-level technology that enables server consolidation.
    more...


    IdM in the News
    Microsoft Preps Move on ID Management

    Observers say Microsoft's intent is to centralize some identity services and make it easier to deploy its identity platform by reducing the amount of integration end users must do and giving developers one point where they can tie their applications to the identity platform.
    more...


    PKI in the News
    RSA Security Solutions Adopted for PSP (PlayStation®Portable)

    i-Newswire, 2005-03-25 - RSA Security Inc. ( Nasdaq: RSAS ) announced today that it has licensed RSA BSAFE® Secure Sockets Layer ( SSL ) and public key infrastructure ( PKI ) products to Sony Computer Entertainment Inc. ( SCEI ), to provide a secure interactive environment for software title developers and publishers creating game titles for its new PSPTM ( PlayStation®Portable ) handheld entertainment system.
    more...

« Want the Performance Improvements in Virtual Server 2005 R2 But Still Want to Use Virtual PC 2004? | Main | Virtual Server 2005 R2 Service Pack 1 Beta 1 Is Now Available! »

April 21, 2006

Interesting RMS Issue

So I'm working on an RMS deployment for a customer and we ran into a weird issue that up until now I'd never seen before so I thought that I'd share the problem and what we finally discovered to be the cause of the problem.
Problem Description
If a user, let's call her Alice since RMS is a cryptographic application, created a piece of protected content using the built-in Office protection methods (IOW not using a custom template) and assigned another user, say Bob, a specific set of limited rights on the content, when Bob opened the content, rather than having the limited rights assigned appeared to have full control of the content. Now if Bob were to create a piece of protected content, and assigned limited rights to Carol, when Carol opened the protected content, she had the correct rights assigned. Similarly, if Carol assigned rights on content to Bob, everything worked as expected. If Bob or Carol assigned rights on content to Alice, Alice had the correct rights when opening the content. So the problem only occurred when Alice was protecting content. Finally, if Alice protected content using a custom template, everything worked as expected.
Examining the EULs issued to Bob or Carol showed that regardless of the protections assigned by Alice, Bob and Carol had the OWNER right, which is similar to NTFS full control, in the EUL.
Cause and Resolution
After opening a case with Microsoft's CSS we discovered what was causing this problem. The customer uses the email attribute of security groups to list the email address of the owner of each group. They do this so that they have a point of contact for adding user accounts to the group in question. This was the cause of the problem we were seeing. It turned out that Alice was the owner of a group that contained Bob and Carol and because of the practice of adding the group owner's email address to the email attribute of the group anyone who was a member of that group was being granted OWNER rights to the content. Removing Alice's email address from the email attribute of the group, and flushing RMS' group cache resolved this problem.

The other side effect of this issue is that any member of a group that contained Alice's email address in the email attribute would have OWNER rights on the content, even if they had not been specifically assigned rights on the content.

The reason that this behaviour did not appear when using custom templates is that the templates used the special RMS group Anyone which obviously doesn't have an email attribute.

The customer in question is going to fix up the security groups that affect their pilot deployment, however, this behaviour may well prevent them from pursuing a broader deployment of RMS.

Hope this helps.

Posted by Paul Adare at April 21, 2006 05:29 AM