Summary: Jaroslav Zikmund, one of our Czech Republic-based Microsoft Premier Field Engineers who focuses on Messaging, provides us with some insights and details on enhancements in Exchange 2013 for protecting email via Active Directory Rights Management. Better safe than sorry! Enjoy.
When it comes to utilizing Active Directory Rights Management Services (AD RMS) for protecting and limiting access to e-mail, Microsoft Exchange 2013 preserves the same functionality as Exchange 2010, and adds some exciting new and useful features.
Access to RMS protected emails is available in Outlook Web Access (OWA) in similar ways as in Exchange 2010. The main enhancement from an AD RMS integration point of view is Offline mode.
OWA in Exchange 2013 now supports offline mode, which can be beneficial for users without full Outlook clients. If offline mode is enabled, the web browser will cache data in IndexDB on the local drive. Your browser has to support HTML5 to use this functionality. Currently Internet Explorer 10, Chrome or Safari should support this functionality (I’ve personally tested this with current versions of Chrome and IE10). As in the standard version of OWA, RMS emails are decrypted on the server side and then displayed in the OWA interface or downloaded to the indexDB. Messages are not encrypted in the DB, so some level of system encryption (BitLocker or EFS) is highly recommended.
When a client is offline without connectivity to the corporate network, an end user can read protected emails (rights are enforced by IE) but cannot protect new created emails (templates are not cached in the indexDB)
Note: in case you want to play with this functionality in your lab environment, be sure that your system is up to date, including the latest version of IE 10, as prior/beta versions can have problems with OWA or the Exchange Control Panel (ECP).
Transport rules has been extended in Exchange 2013 (check out a full list of what’s new in Transport Rules for Exchange 2013). The options to apply the AD RMS temple is still available as in previous versions. I would like to highlight two new conditions available in new version of Exchange. AD RMS templates can be applied based on source IP address of the client, and based on sensitivity of information in the emails. A full list of conditions are available in this article that discusses Transport Rule Predicates.
If you apply templates based on the source IP address, the IP is evaluated even when OWA or Outlook is used (in the case of an OWA user, the IP address is used and not the IP address of the server).
If you apply RMS templates based on the sensitivity of the information, you can choose from list of predefined sensitive information types including passport numbers, bank accounts, IP addresses or credit card numbers. If you specify credit card numbers, Exchange server will be able to detect credit card numbers based on format and checksum. For example, if you send 1111-1111-1111-1111 as credit card number, RMS templates will not be applied because this is not valid credit card number. If you send the same email with this credit card number 4111-1111-1111-1111, the RMS template will be applied because of the valid checksum.
A completely new feature in Exchange, Data Loss Prevention (DLP) consists of two parts:
If one of the actions in the DLP policy is to apply an RMS template, the message will be sent from Outlook without protection and the template will be applied on the server level. If the client doesn’t support policy tips (e.g. older Outlook clients) the RMS template will by applied on the server level anyway. If the client is able to support policy tips, the tip will be displayed during the message composition.
Outlook Protection Rules work in the same way as in Exchange 2010. More information on Outlook Protection Rules is available on the TechNet.
The main differences between DLP and Outlook protection rules:
Hope you found this helpful. Any and all comments are welcome.
Posted by Frank Battiston, MSPFE Editor.
I think this is great for detecting PAN in creating emails - but how about search for PAN information within a range of mailboxes through in-place eDiscovery? Would it be possible to do regex searches in future releases so that we don't have to purchase
from 3rd parties who will scan mailboxes?