Protecting PDF Documents with Foxit PDF Security Suite
A Foxit Software Company White Paper
Foxit Software Company, LLC. June 2009
www.foxitsoftware.com

TABLE OF CONTENTS
Abstract
Introduction
  The Need for Data Security Policies
  PDF in the Enterprise
  Benefits for IT Professionals
System Components
  Microsoft Windows AD RMS Components
  Foxit Security Suite Components
  System Requirements
AD RMS Concepts
Typical Workflows
  AD RMS Workflow
Protection Method
  Description of Protection Methods used by Foxit PDF Security Suite shown in diagram
Additional AD RMS Technical Resources
Conclusion
About Foxit Software Company
Abstract
Foxit PDF Security Suite for Microsoft Active Directory Rights Management Services delivers cost-effective PDF policy protection and PDF reader extensions to any business.
• Protect sensitive PDF documents to prevent loss of valuable company assets
• Manage AD RMS policy templates to ensure regulatory compliance and corporate governance
• Automate forms and reduce paper handling
This Foxit Software white paper provides a general overview of how the Foxit PDF Security Suite software components work together with Microsoft Active Directory Rights Management Services* to policy-protect PDF documents inside and outside the firewall. Included are a glossary of relevant RMS concepts, a description of the Foxit Security Suite functions in the course of typical user scenarios, and a description of the AD RMS protection method used by the Foxit PDF Secure Protector and Foxit PDF Secure Reader clients.
*When Microsoft first introduced its enterprise rights management technology, it was named "Rights Management Services" or RMS. Beginning with Windows Server 2008, Microsoft included this technology, along with other identity management and security technologies, in its Active Directory product line, and the name was changed to Active Directory Rights Management Services or AD RMS. For the purposes of this document, AD RMS is used as a general term for the Microsoft rights management technology used to protect PDF documents in the system described in this white paper.
Introduction
THE NEED FOR DATA SECURITY POLICIES
The proliferation of the Internet and connected computer networks continues to make an unprecedented amount of electronic data openly available. This increased openness requires a heightened level of responsibility and accountability from any organization dealing in private or confidential information. Often, the difficult task of finding the right balance between openness and data security falls to the IT department chartered with implementing systems that support regulatory and governance policies. Challenges in the design of these systems include persistent data protection (protection that travels with the file rather than with the share or server it happens to sit on), support for multiple file formats, and online/offline support.
With Windows Server 2003, Microsoft introduced Windows Rights Management Services, which now ships as the Active Directory Rights Management Services (AD RMS) role of Windows Server 2008. AD RMS helps safeguard digital information from unauthorized use, both online and offline, inside and outside of the firewall. In conjunction with AD RMS-enabled applications, AD RMS augments an organization's security strategy by protecting information through persistent usage policies. These policies remain with the information, whether documents, spreadsheets, presentations, or e-mail messages, no matter where it goes or how it is stored. In the six years since its introduction, Microsoft AD RMS has gained wide acceptance as an enterprise-ready policy protection technology for Microsoft Office document file types. However, AD RMS protection of the PDF file format is not a feature of any current Microsoft product; an AD RMS-enabled PDF application is required.
PDF IN THE ENTERPRISE
It has been estimated that 20% of electronic enterprise documents are in PDF format. PDF (Portable Document Format) was created by Adobe Systems, Inc. in the early 1990s and is now the ISO 32000 standard for electronic document exchange. Since then, an ecosystem of vendors has created tools for producing PDF files, and developers have embraced the format as the basis of publishing, archiving, and electronic forms solutions worldwide.
Foxit Software, LLC is the industry leader in OEM licensing of ISO 32000 PDF solutions. With over 70 million Foxit PDF Readers in use today, Foxit software has become a high-quality, affordable and popular alternative to other PDF software suppliers. Building on the success of Foxit PDF iFilter for Microsoft products and services, Foxit has extended AD RMS to support any PDF file. Foxit Software's fully ISO 32000-compatible PDF technology and award-winning software applications are a natural choice for use with Microsoft AD RMS-enabled products. Foxit Software is currently working with Microsoft and its other AD RMS partners to roll out complete Information Rights Management (IRM) solutions to Windows Server and SharePoint customers.
For IT professionals and business leaders who need to improve information security, meet compliance requirements, and save time and money through more efficient business processes, enhanced collaboration and forms usage, Foxit PDF Security Suite is a cost-effective enterprise software toolkit. It provides Microsoft Active Directory Rights Management Services policy protection of PDF documents, and selective enablement of PDF features such as form fill-out and document editing, for improved efficiency inside and outside the enterprise.
BENEFITS FOR IT PROFESSIONALS
Extending AD RMS to PDF documents enhances the value of existing IT infrastructure investments, which is a major benefit to IT professionals.
Foxit PDF Security Suite makes it easy to:
• Protect sensitive PDF documents to prevent loss of valuable company assets
• Manage AD RMS policy templates associated with PDF documents to ensure regulatory compliance and corporate governance
• Reduce paper handling by adding PDF document rights to enable cost-effective digital workflows using existing PDF documents
Foxit PDF Security Suite provides seamless integration with Microsoft Windows Server and SharePoint (MOSS 2007) environments. Foxit's simple software toolkit is easily deployed across the enterprise. The Foxit PDF Secure Reader is a freely available download, allowing for no-hassle maintenance.
System Components
MICROSOFT WINDOWS AD RMS COMPONENTS
AD RMS technology includes client and server software along with SDKs.
• AD RMS server software is a Web service for Windows Server that handles the XrML-based certification of trusted entities, licensing of rights-protected information, enrollment of servers and users, and administration functions.
• Windows Rights Management client software is a group of Windows APIs that facilitate the machine activation process and allow AD RMS-enabled applications to work with the AD RMS server to obtain licenses for publishing and consuming rights-protected information.
• Software development kits (SDKs) for the server and client components include a set of tools, documentation, and sample code that enables software developers to customize their Windows AD RMS server environment and to create RMS-enabled applications.
For an end-to-end AD RMS solution, the following is necessary:
• AD RMS on Windows Server 2008, or Windows RMS on Windows Server 2003
• The Rights Management client software (a separate install on Windows XP and Windows Server 2003; included in Windows Vista and later)
• AD RMS-enabled applications (such as Microsoft Office 2003 Editions or later) or an RMS-enabled browser (such as Microsoft Internet Explorer with the Rights Management Add-on) to create and/or view rights-protected information
[Figure: Deployment of Windows AD RMS]
1. Server enrollment. An organization's root Rights Management Services (RMS) server sends its public key, along with the RMS version and URL information, to the Server Enrollment Service to request an RMS Server Licensor Certificate. (Beginning with Windows Server 2008, the AD RMS role creates the server licensor certificate itself during installation; see the certificate table below.)
2. Client setup. The Windows APIs that work with RMS-enabled applications are installed either by an administrator as part of the RMS rollout (via SMS or a similar tool) or by downloading from Windows Update.
3. Machine activation. As part of the client software installation, each client machine connects to the organization's RMS server for machine activation. In RMS 1.0 the server acts as a proxy for the client machine and acquires a unique lockbox and machine certificate from the Microsoft-hosted Machine Activation Service; beginning with RMS 1.0 SP1, and in AD RMS, the client activates itself locally and no connection to a Microsoft-hosted service is required.
For added protection and interoperability, RMS uses the Extensible Rights Markup Language (XrML), a rights expression language (REL) based on XML. XrML offers a common means for expressing rights and usage policies for digital information, and it is flexible and extensible enough to express policies regardless of industry, platform, format, media type, business model, or delivery architecture.
FOXIT SECURITY SUITE COMPONENTS
Foxit PDF Secure RMS Protector for Windows
Foxit desktop application software, installed on machines that have the Microsoft Active Directory Rights Management Services (AD RMS) client. Once installed, this application extends all Microsoft AD RMS features to any .pdf file.
Foxit PDF Secure RMS Protector provides an easy-to-use graphical user interface and a command line interface that give users controls to protect documents, manage AD RMS policy templates, and optionally add unique PDF document rights.
• Protect files in a single directory or in multiple directories.
• View the permissions in individual templates.
• Grant specific rights to individual users or groups.
• Set a validity (expiration) date on a user's access.
• Add unique PDF document rights to any PDF document.
Foxit PDF Secure RMS Protector for SharePoint
Foxit server application software, installed on any SharePoint server that communicates with a Microsoft Active Directory Rights Management Services (AD RMS) server. Once installed, this application extends all Microsoft AD RMS features to any .pdf file posted to the SharePoint server.
Foxit PDF Secure RMS Protector (SharePoint extensions) integrates into a SharePoint workflow to automatically and transparently extend AD RMS policy protection to any PDF document.
Foxit PDF Secure RMS Reader/Pro (Windows only)
Foxit client application software, installed on enterprise Windows desktops. Once installed, an end user wishing to view an AD RMS-protected PDF may open the protected file, view its permissions, and manage user credentials.
• Open and view a protected PDF file
• View file permissions
• Manage user credentials via the "select users" dialog box
Foxit also offers a professional version of PDF Secure RMS Reader that allows form filling, commenting, sticky notes and other annotation features when the RMS policy permits them.
SYSTEM REQUIREMENTS
Foxit PDF Security Suite software is designed for use with the following Microsoft software:
Foxit PDF Secure RMS Protector for Windows
• Windows XP (all versions), Windows Server 2003, Windows Vista (all versions), Windows 7 (all versions);
• Windows XP and Windows Server 2003 only: Microsoft RMS Client 1.0 SP1;
• 256 MB memory, 10 MB free disk space
Foxit PDF Secure RMS Protector for SharePoint
• Microsoft Office SharePoint Server (MOSS) 2007;
• Windows Server 2003 (32-bit and 64-bit) and Windows Server 2008 (32-bit and 64-bit): Microsoft RMS Client 1.0 SP1;
• 1 GB memory, 10 MB free disk space
Foxit PDF Secure RMS Reader for Windows
• Windows XP (all versions), Windows Vista (all versions), Windows 7 (all versions);
• Windows XP and Windows Server 2003 only: Microsoft RMS Client 1.0 SP1;
• 256 MB memory, 20 MB free disk space
AD RMS Concepts
The following topics give overviews of the major concepts that you should understand before using the Active Directory Rights Management Services (AD RMS) SDK. (Source: Microsoft Developer Network (MSDN). More detailed information about each concept can be found at http://msdn.microsoft.com/en-us/library/cc530386(VS.85).aspx)
Licenses
An Active Directory Rights Management Services (AD RMS) licensing server can issue end-user licenses or issuance licenses. End-user licenses specify the right(s) granted to a specific user to consume protected content. Issuance licenses specify the users who can consume protected content and the rights that can be made available to them.
AD RMS licenses are structurally similar to AD RMS certificates. Both are XrML documents and both consist of a certificate chain that ends with a Microsoft root of trust. The purpose of the two documents, however, differs. Licenses typically specify rights and conditions that govern content use. Certificates identify entities such as computers or users by signing them into an AD RMS certificate hierarchy.
End-user license (EUL): The license that enables end users to consume protected content. Also known as a use license.
Issuance license (PL): The license that contains the usage policies for a protected file. Usage policies include a set of usage rights and conditions along with the list of authorized users who can request a use license. Also known as a publishing license.
Certificates
An Active Directory Rights Management Services certification service can issue the following certificates:
Machine certificate: Issued by an AD RMS certification service to identify a computer in the AD RMS certificate hierarchy.
Rights account certificate (RAC): Issued by an AD RMS certification service to identify an Active Directory user account in the AD RMS certificate hierarchy.
Client licensor certificate (CLC): Issued by the AD RMS licensing service to enable offline signing of an issuance license.
Server licensor certificate (SLC): Identifies an AD RMS server in the AD RMS certificate hierarchy. Beginning with Windows Server 2008, the certificate is created automatically when you install the AD RMS role.
Application manifest: Identifies an AD RMS application by signing it with the Pre-production or Production certificate provided by Microsoft.
Pre-production certificate: Provided by Microsoft to sign a custom application into the Pre-production AD RMS certificate hierarchy. This certificate is used during application development.
Production certificate: Provided by Microsoft to sign a custom application into the Production AD RMS certificate hierarchy. This certificate is used for the released application that runs against production AD RMS servers; an application signed into one hierarchy is not trusted by the other.
Other topics covered by the MSDN overview
Certificate Hierarchy: Introduces the AD RMS Pre-production and Production certificate hierarchies.
Templates: Introduces pre-defined templates that can be used to apply usage policies when creating a license.
Extended Policy Template Information: Discusses the rights policy of a template that controls how content licenses are to be implemented.
Application Manifests: Introduces application manifests, a type of certificate that signs your application into the appropriate AD RMS certificate hierarchy.
Lockboxes: Introduces the components that can be used to create secure environments on AD RMS clients and servers.
Encryption: Discusses encrypting and decrypting content.
Computer Activation: Introduces computer activation, a process that identifies the computer by signing it into the appropriate AD RMS hierarchy.
User Activation: Introduces user activation, a process that identifies an Active Directory user account in the appropriate AD RMS hierarchy and associates it with a specific computer.
Server Enrollment: Discusses how an AD RMS server is enrolled into the certificate hierarchy.
Service Discovery: Discusses how an application finds an AD RMS certification, licensing, or publishing Web service.
Rights: Introduces the common rights used in AD RMS licenses.
Exclusion: Discusses how users can be prohibited from acquiring new licenses or certificates.
Revocation: Discusses how AD RMS licenses and certificates can be invalidated after issuance.
Server Transport Protocol: Discusses the protocols that can be used to communicate with an AD RMS server.
Typical Workflows
AD RMS WORKFLOW
Author steps:
1. The author receives a client licensor certificate the first time he or she rights-protects information.
2. The author defines a set of usage rights and rules for the file. The application creates a "publishing license" and encrypts the file.
3. The author distributes the file.
Recipient steps:
1. The recipient opens the file. The application calls the AD RMS client, which contacts the AD RMS server; the server validates the user and issues a "use license."
2. The application renders the file and enforces the rights.
Protection Method
Description of Protection Methods used by Foxit PDF Security Suite shown in diagram
1. The first time an author uses the Protector client (Client A), the client contacts AD RMS and receives a Rights Account Certificate (RAC) and a Client Licensor Certificate (CLC). This enables the user to publish rights-protected PDF files both online and offline.
2. The Foxit PDF Secure Protector creates the protected PDF file and assigns user rights. The publishing license (PL) that records those rights is built at the same time (steps 3A and 3B); the end-user license (EUL) is not created until a recipient requests it (step 7).
3. Foxit PDF Secure Protector generates a content key and encrypts the PDF file with it.
(A) Online publishing: the content key is encrypted with the public key of the AD RMS server and sent to the AD RMS server. The server creates and signs the Publishing License (PL).
(B) Offline publishing: the content key is encrypted with the AD RMS server's public key, so that only the server can recover it, and a copy is encrypted with the CLC public key for the author's own use. The Protector creates the PL, signs it with the CLC private key, and attaches the PL to the encrypted PDF file.
4. The author sends the AD RMS-protected PDF file to the intended recipient.
5. The recipient receives the file and opens it with Foxit PDF Secure RMS Reader. If the recipient does not have a rights account certificate on the current computer, the AD RMS server issues one; the protected PDF file carries the AD RMS server URL, which the Reader uses to locate the server.
6. Foxit PDF Secure RMS Reader sends a use license request to the AD RMS server. If the PDF file was published online, the request goes to the AD RMS server that issued the publishing license; if it was published offline, the request goes to the server that issued the CLC. The recipient's RAC and the PL are included in the request.
7. The AD RMS server checks the recipient's name and authorization status against the PL, then creates a use license (EUL) for the user. The AD RMS server decrypts the content key with its private key and re-encrypts it with the recipient's public key (from the RAC), then places the encrypted content key in the use license. Because the content key is encrypted with the recipient's public key, only the intended recipient is able to open the PDF file.
8. (A) Online publishing: the AD RMS server that issued the PL sends the use license to the recipient's computer.
(B) Offline publishing: the AD RMS server that issued the author's CLC (the server the request went to in step 6) sends the use license to the recipient's computer.
9. Foxit PDF Secure RMS Reader then examines the recipient's account certificate and use license to determine whether any certificate in the trust chain requires a revocation list check. After the Reader confirms that all components are valid, it grants the recipient access to the PDF file and applies all policies carried in the use license.
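The two walkthroughs above (the author and recipient steps under Typical Workflows, and steps 1 through 9 here) reduce to one pattern: the document is encrypted under a symmetric content key, that key is wrapped for the licensing server inside a signed publishing license, and the server re-wraps it for each authorized recipient inside a signed use license. The following Go program is an added example written for this page, not Foxit or Microsoft code, and it models that pattern with a toy license structure in place of XrML. RSA-2048 keys generated in memory stand in for the server licensor certificate, the author's CLC and the recipient's RAC; AES-256-GCM stands in for the content cipher; the account names and rights strings are constructed sample data. It deliberately omits the real system's certificate chains, lockbox, revocation lists and template handling.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// License stands in for an XrML publishing license (PL) or end-user license (EUL):
// who may do what, plus the content key wrapped for the one party allowed to unwrap
// it, all under one signature. Toy structure for this example, not Microsoft's format.
type License struct {
	Grants     map[string][]string // account -> rights; a PL lists everyone, an EUL one user
	WrappedKey []byte              // AES-256 content key, RSA-OAEP wrapped
	Signature  []byte              // RSA-PSS over canonical(Grants, WrappedKey)
}

// canonical is the signed byte string; fmt prints map keys sorted, so it is stable.
func canonical(l *License) []byte {
	return []byte(fmt.Sprintf("%v|%x", l.Grants, l.WrappedKey))
}

func sign(priv *rsa.PrivateKey, l *License) (err error) {
	h := sha256.Sum256(canonical(l))
	l.Signature, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	return err
}

func verify(pub *rsa.PublicKey, l *License) error {
	h := sha256.Sum256(canonical(l))
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], l.Signature, nil)
}

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes in this model
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Publish models offline publishing (step 3B): encrypt the PDF under a fresh content
// key, wrap that key for the AD RMS server, sign the PL with the author's CLC key.
func Publish(doc []byte, grants map[string][]string, serverPub *rsa.PublicKey,
	clcPriv *rsa.PrivateKey) ([]byte, *License, error) {
	buf := make([]byte, 32+12) // AES-256 content key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	ct := newGCM(key).Seal(nonce, nonce, doc, nil) // layout: nonce || ciphertext || tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	pl := &License{Grants: grants, WrappedKey: wrapped}
	return ct, pl, sign(clcPriv, pl)
}

// IssueUseLicense models steps 6 to 8 on the licensing server: verify the PL under
// the CLC that signed it, look the requesting account up in the PL's grant list,
// unwrap the content key with the server private key and re-wrap it for the RAC key.
func IssueUseLicense(pl *License, clcPub *rsa.PublicKey, user string,
	racPub *rsa.PublicKey, serverPriv *rsa.PrivateKey) (*License, error) {
	if err := verify(clcPub, pl); err != nil {
		return nil, fmt.Errorf("publishing license rejected: %w", err)
	}
	rights, ok := pl.Grants[user]
	if !ok {
		return nil, fmt.Errorf("%s is not authorized by the publishing license", user)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, pl.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, racPub, key, nil)
	if err != nil {
		return nil, err
	}
	eul := &License{Grants: map[string][]string{user: rights}, WrappedKey: wrapped}
	return eul, sign(serverPriv, eul)
}

// Consume models step 9 on the reader: the EUL must verify under the server key,
// and only the holder of the RAC private key can unwrap the content key.
func Consume(ct []byte, eul *License, serverPub *rsa.PublicKey, user string,
	racPriv *rsa.PrivateKey) ([]byte, []string, error) {
	if err := verify(serverPub, eul); err != nil {
		return nil, nil, fmt.Errorf("use license rejected: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, racPriv, eul.WrappedKey, nil)
	if err != nil {
		return nil, nil, err
	}
	if len(ct) < 12 {
		return nil, nil, fmt.Errorf("ciphertext too short")
	}
	doc, err := newGCM(key).Open(nil, ct[:12], ct[12:], nil)
	return doc, eul.Grants[user], err
}
```

Calling Publish, IssueUseLicense and Consume in sequence with three freshly generated keys round-trips the document. Requesting a license for an account that the PL does not list, editing the PL's grant list after it was signed, or consuming with a different RAC key each fails, which is the behaviour steps 7 and 9 rely on: authorization is decided on the server against a signed PL, and the content key never leaves the server except wrapped for a specific RAC. What the toy does not capture is that a real AD RMS server also validates the RAC's chain to the Microsoft root and consults exclusion and revocation lists before issuing the EUL.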
Additional AD RMS Technical Resources
Much of the information describing the specifics of Microsoft AD RMS was taken directly from Microsoft publications and the wealth of technical information found on www.microsoft.com. Readers of this white paper may find the following Microsoft resources for AD RMS useful:
Microsoft Office SharePoint Services and AD RMS: http://technet.microsoft.com/en-us/library/cc753046(WS.10).aspx
Windows Server 2008 AD RMS information: http://technet.microsoft.com/en-us/windowsserver/dd448611.aspx
Windows Server 2003 RMS information: http://www.microsoft.com/windowsserver2003/techinfo/overview/articleindex.mspx#EKFAC
AD RMS software design: http://msdn.microsoft.com/en-us/library/cc530389(VS.85).aspx
Microsoft™ is a trademark of Microsoft Corporation in the United States and other countries. Active Directory®, SharePoint®, Windows Server®, and Windows Vista® are registered trademarks of Microsoft Corporation in the United States and other countries.
Information taken from the Microsoft website(s) is copyrighted by Microsoft Corporation and used here by permission.
MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED AS PART OF THE SERVICES FOR ANY PURPOSE. ALL SUCH DOCUMENTS AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, INCLUDING ALL WARRANTIES AND CONDITIONS OF MERCHANTABILITY, WHETHER EXPRESS, IMPLIED OR STATUTORY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THE SERVICES.
THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THE SERVICES COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED HEREIN AT ANY TIME.
Conclusion
Extending Microsoft Active Directory Rights Management Services to PDF documents enhances the value of existing IT infrastructure investments, a major benefit to IT professionals. By using AD RMS policy protection as part of a Windows Server or SharePoint infrastructure, an organization can protect sensitive PDF documents to prevent loss of valuable company assets, manage AD RMS policy templates associated with PDF documents to ensure regulatory compliance and corporate governance, and reduce paper handling by adding PDF document rights to enable cost-effective digital workflows using existing PDF documents.
Foxit PDF Security Suite provides seamless integration with Microsoft Windows Server and SharePoint (MOSS 2007) environments. This simple software toolkit is easily installed and deployed across the enterprise. The Foxit PDF Secure Reader is a freely available download, allowing for no-hassle maintenance.
ABOUT FOXIT
Foxit Software Company is the industry leader in OEM licensing of ISO 32000 PDF solutions. Foxit's award-winning software products include applications for reading, creating, organizing and securing PDF documents. Customers who license Foxit technology for use in their products include Microsoft, Intel, Hewlett Packard and Amdocs. Foxit Software Company employs nearly 150 people at offices in California, China, Japan, and France. With over 70 million Foxit PDF Readers in use today, Foxit software has become a high-quality, affordable and popular alternative to other PDF software suppliers.
Learn more about the enterprise-wide power of Foxit products by visiting www.foxitsoftware.com or contacting one of our sales representatives in your area.
CONTACT
Foxit Software Company
39819 Paseo Padre Parkway, Fremont, CA 94538, USA
TEL: 1-866-MYFOXIT or 1-866-693-6948, 510-438-9090, 408-307-9358, 408-329-7976
FAX: 510-405-9288
E-mail: sales@foxitsoftware.com, support@foxitsoftware.com
Website: www.foxitsoftware.com