Automatic RMS protection of non-MS Office files using FCI and Rights Protected Folder Explorer

 FCI

File Classification Infrastructure(FCI) provides insight into your data by automating classification processes so that you can manage your data more effectively. The built-in solution for file classification provides expiration, custom tasks, and reporting. The extensible infrastructure enables Microsoft partners to construct rich end-to-end classification solutions that are built upon Windows. For more information on FCI please check the blog post

Rights Protected Folder Explorer

Rights Protected Folder Explorer (RPFe) is a Windows based application that allows you to protect files and folders. A Rights Protected Folder is similar to a file folder in that it contains files and folders. However, a Rights Protected Folder controls access to the files that it contains, no matter where the Rights Protected Folder is located. By using Rights Protected Folder Explorer, you can securely store or send files to authorized users and control which users will be able to access those files while they are in the Rights Protected Folder. For more information please visit the RPFe  blog post.

Protecting highly sensitive data using FCI and RPFe

Today, FCI enabled administrators to automatically RMS protect sensitive information on file servers. We had several requests for enabling FCI to RMS protect other file types and we partnered with the RPFe team to provide a solution that enable that scenario.

Using FCI and RPFe, IT admins can Rights Management Services(RMS) protect any file on a file server. Once the files are protected, only authorized users will be able access those files even if they are copied to another location. To protect non-Microsoft Office file format,  FCI File Management job(FMJ) with custom action and RPFe can be used. We will now explore how to accomplish the task of protecting sensitive files other than Microsoft Office files.  RPFe has a command line utility that can protect files. FCI File Management Job custom action can be used to invoke RPFe command line utility under a desired namespace/Share where the admin wants to protect files automatically.

RPFe Usage:

• ·         Install RPFe tool on the file server by following the guidelines from here
• ·         Get the RMS template GUID to be used in the cmd line version. Go to %LOCALAPPDATA% \Microsoft\MSIPC\Templates on the File Server and open the XML file for the template of interest and get the GUID associated with OBJECT ID.
• ·         Command line usage to protect a file

RPFExplorer.exe /Create /Rpf:"G:\Share\CustomerInfo.txt.rpf" /TemplateId:{00a956d6-d14c-4a2c-bf86-c1e70b731e7b} /File:"G:\Share\ CustomerInfo.txt "

• o   Parameter Explanation:
  • §  /File is the file that needs to be protected.
  • §  /Rpf is for the new file that will be created which is RMS protected
  • §  /TemplateID is the RMS Template GUID gathered from step 2 above.

RPFe Protection

Original file stays the way it is and there is no change made to it. New RMS protected RPFe container is created which will contain a copy of the original file under the same parent directory.

FCI Integration with RPFe

To automate file protection using RPFe and FCI, Please follow the steps mentioned below.  The FMJ custom action calls a PowerShell script for each file that meets the FMJ condition. The PowerShell  script calls RPFe command line utility to protect files.

Create a File Management Job with custom action on a desired share with the following configurations

• ·         Install RPFe tool from here
• ·         Copy the script in the blog below to a new file called %SystemRoot%\System32\FCIRPFeFileProtection.ps1
• ·         For exe path, set the parameter to “%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe”
• ·         For Arguments, set the arguments to File -File “%SystemRoot%\System32\FCIRPFeFileProtection.ps1”  TemplateID [Source File Path] [Source File Owner Email] [Admin Email]
• ·         Configure the file extensions for files that need to be protected in the condition tab of the FMJ creation wizard. It is recommended to restrict the FMJ to specific file extensions only
• ·         Additional filters can be added to filter files based on classification properties in the FMJ
• ·         Mark the File Management Job as continuous in the schedule tab of the FMJ creation wizard

File Protection Script

• ·         FCIRPFeFileProtection.ps1 is a simple PowerShell script that takes in source file path, file owner email, admin email and Template ID as parameters from the File Management Job and calls in RPFe command line utility to protect files. A protected copy of the original file is created in the same folder where the original file existed.
• ·         The script copies all classification properties from the source file to the protected file. This ensures that all classification information is passed on from the original file to the protected file.
• ·         Please make sure to configure the FMJ to run on specific extensions. If the FMJ is marked as continues and configured to run on all file types, ( say on P:\foo) and a new file P:\foo\file.txt is created then recursive FMJ kicks in. First P:\foo\file.txt.rpf is created which will cause RMJ to act on it creating P:\foo\file.txt.rpf.rpf and so forth. It is recommended to restrict the FMJ to specific file extensions only.
• ·         Please note that the script creates a protected copy for a file and the original file still remains in the share. Care has to be taken to have enough space on a volume to accommodate protected copies of sensitive data. If you intend to delete the original file after the file is successfully protected please remove the comment in line “remove-item $encryptfile” and test it in your environment before deployment.
• ·         Script returns error back to the FMJ. Any file that encountered an error will be reported in the FMJ error report and log.
• ·         FCIRPFeFileProtection.ps1 -: Below is a sample PowerShell script that protects files using RPFe

#

#             Main Routine Begin

#

$TemplateID = $args[0]

 $encryptfile =  $args[1]

$newfile = $encryptfile + ".rpf"

 # verify that the new file name does not exist and attempt to find a new name

$ver = 0

while (Test-Path $newfile)

{

   $ver = $ver + 1

   $newfile = $encryptfile + $ver + ".rpf"

   if ($ver –gt 100) {

                exit  -1 # could not find a good name for the rpf file

         }

}

 # get the owner of the file, if not found use the supplied administrator email address

$owneremail = $args[2]

if ($owneremail -eq "[Source")

{

   $owneremail = $args[6]

}

 # run the RPF Explorer to encrypt the file

$arguments = "/Create /Rpf:"+ "`""+$newfile +"`"" +" /TemplateId:"+ $TemplateID +" /File:"+"`""+$encryptfile +"`"" +" /Owner:"+$owneremail

$run = start-process –Wait –PassThru –FilePath "C:\Microsoft_Rights_Protected_Folder_Explorer\RPFExplorer.exe" –ArgumentList $arguments

if ($run.ExitCode –eq 0)

{

     # transfer properties from the old file to the new file

   $cm = New-Object -comobject FSRM.FSRMClassificationManager        

   $props = $cm.EnumFileProperties($encryptfile, 1)

    try

    {

       foreach ($prop in $props)

       {

           $cm.SetFileProperty($newfile, $prop.Name, $prop.Value)

       }

    } catch [Exception] {

       remove-item $newfile

       exit -1

    }

# remove-item $encryptfile

# The original file can be removed after successfully creating a protected copy.

# Before adding the above remove-item line, please test in your environment and verify that there is no data loss

 }

exit $run.ExitCode

 #

#             Main routine end

#

 RPFe files on Non-Windows machines

RPF files don’t get recognized on other non-windows devices. This is because there is no AD RMS client available on non-windows platforms. Also non-windows users wont be able to consume RPF files.