Security During Normal Operations
After you install and provision Active office DRM, the Active office DRM Web services operate as IIS applications, accessing various system resources which require authentication and authorization. All system resources require authentication and cannot be configured otherwise. The rest of this page describes the design of authorization in Active office DRM.
The Active office DRM Web services run within the context of an IIS application pool. Each application pool in IIS has a unique identity that may correspond to a domain user account, a local user account, the Network Service local account, or the Local System local account. Each of these accounts has varying degrees of authorization within the system. When Active office DRM is provisioned, you may choose to run the Active office DRM Web services as the Local System account or as a domain user account. This account then becomes the application pool identity for the Active office DRM application pool.
Resources that Active office DRM Web services need to access include various files and folders on the system, databases and stored procedures in the database server, the local registry, Active Directory, the assembly cache, memory, and other processes running on the system. The Active office DRM Logging Service also needs to access the logging queue on the local system. Each of these resources has its own DACLs which define who is authorized to access the resource and what can be done with the resource.
To simplify assigning permission and managing service accounts, all of the required permissions are assigned to the local Active office DRM Service Group that Active office DRM created during provisioning. Because the Active office DRM service account is a member of this group, it receives all the permissions assigned to the group.
The following list summarizes the permissions that are granted to the Active office DRM Service Group:
• Read permission to the virtual root directories
• Write permission to the assembly cache directory
• Write permission to the system temporary directory
• Write permission to the logging queue
• Read permission to Active Directory
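An added check, not part of the Active office DRM documentation, that audits the directory DACLs against the baseline above from PowerShell; the group name and the directory paths are assumed placeholders, since the page names the resources but not their locations.

```powershell
# Added example, not code from the Active office DRM documentation: audits the DACLs of the
# file-system resources listed above against the documented least-privilege baseline.
# ASSUMPTIONS: the group name and every path below are placeholders to be replaced with the
# values used on the server being audited (the documentation does not give concrete paths).
$ServiceGroup = "$env:COMPUTERNAME\Active office DRM Service Group"   # ASSUMED local group name

# Documented baseline: resource path -> the only right the service group should hold on it.
$Baseline = @{
    'C:\ASSUMED\VirtualRoot'   = 'Read'   # placeholder for a virtual root directory
    'C:\ASSUMED\AssemblyCache' = 'Write'  # placeholder for the assembly cache directory
    "$env:SystemRoot\Temp"     = 'Write'  # system temporary directory
}

$FSR = [System.Security.AccessControl.FileSystemRights]
# Rights that let a principal rewrite the DACL itself; never part of a least-privilege grant.
$Sensitive = $FSR::ChangePermissions -bor $FSR::TakeOwnership

function Test-ServiceGroupAcl {
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Path)) { return "MISSING  $Path" }
    $aces = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $ServiceGroup }
    if (-not $aces) { return "NO-ACE   $Path : no entry for $ServiceGroup (service access will fail)" }

    $need = [System.Security.AccessControl.FileSystemRights]$Expected
    $findings = @()
    foreach ($ace in $aces) {
        $rights = $ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += "DENY     $Path : explicit Deny for $ServiceGroup"; continue
        }
        if (($rights -band $need) -ne $need) {
            $findings += "TOO-LOW  $Path : has '$rights', baseline requires $Expected"
        }
        if (($rights -band $Sensitive) -ne 0) {
            $findings += "EXCESS   $Path : '$rights' allows the group to change its own DACL"
        }
        if ($Expected -eq 'Read' -and (($rights -band $FSR::Write) -ne 0)) {
            $findings += "EXCESS   $Path : write access where only Read is documented"
        }
    }
    if ($findings.Count -eq 0) { "OK       $Path : $Expected for $ServiceGroup" } else { $findings }
}

foreach ($entry in $Baseline.GetEnumerator()) {
    Test-ServiceGroupAcl -Path $entry.Key -Expected $entry.Value
}
```

Run it in an elevated session on the server after provisioning and again periodically; an EXCESS or DENY finding means the DACLs have drifted from the provisioned design, which the paragraph below says should never need manual changes.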
If you are using Microsoft SQL Server 2000 as your database server, you should be aware that it uses a slightly different method of assigning permissions than Windows Server 2003 does. Provisioning Active office DRM creates a login for the Active office DRM service account on the SQL Server. If you elected to provision Active office DRM using the Local System account, a SQL Server login is created using the DOMAIN\computer_name format, where DOMAIN is the name of the Active Directory domain that the computer is a member of and computer_name is the name of the server. A SQL role called Active office DRM_service is created, and all necessary permissions are granted to that role. The login for the Active office DRM service account is added to this role. No permissions are explicitly granted to the Active office DRM service account itself.
Additionally, SQL Server assigns a database owner (DBO) to every database. Database ownership is assigned as follows during provisioning:
• DBO for the Configuration database is given to the domain account that was used to provision Active office DRM.
• DBO for the Directory Services and Logging databases is given to the Active office DRM service account.
The permissions on all resources created by Active office DRM were carefully selected during the design of Active office DRM with security in mind. There should be no reason to modify the permissions that are assigned during provisioning for any of these resources. If you need to change the user account or password of the service account after provisioning, you can do this from the Active office DRM Global Administration Web page.