We once again have a guest for today's AD RMS Team blog. Today's post is brought to you by Andrey Moskvitin. Andrey is a Technical Solutions Professional who specializes in Security for our Microsoft Russia subsidiary and he's going to help you see how to use File Classification Infrastructure along with our Rights Protected Folder Explorer and an additional third-party tool, the PDF protector offered by our friends at Foxit Software, to protect files of any type using Windows Server 2012.
I'm sure you will enjoy learning how to use these tools together to automate the protection of documents based on classification rules. While this is, as Andrey points out, not a totally new feature scenario, it has become an easier and richer one to explore with recent updates and new functionality that have come about around the release of Windows Server 2012.
Hi, I am Andrey and today I want to highlight how AD RMS and Windows Server 2012 can assist you in making the world a more secure place by automating protection of documents.
Certainly you have encountered a strong desire (or demand) to protect with RMS all files within a folder or maybe just files with a certain content. Some possible scenarios include:
With the Windows Server File Classification Infrastructure (FCI) feature you can identify sensitive files and encrypt them with RMS. FCI crawls file shares for files meeting certain criteria and tags them based on the results. Tags are stored in the file attributes and persist even after moving files to another NTFS storage. Once files are tagged, you can automatically apply the "RMS Encryption" action to files with certain tags, and select one of the existing RMS templates in your organization or define a custom RMS policy.
When people think of “documents” they often think of Microsoft Office documents, but IT admins know well that’s not all that is out there. PDF files, CAD drawings and other types of files account for a significant portion of the sensitive data out there, and protecting it is essential to reduce the risks of data leakage. So when we protect data with FCI it is very valuable to be able to protect any type of file in the best available way.
Integrating FCI and AD RMS was possible before (as it was well documented in the past), but with Windows Server 2012 we got a plethora of new functionality:
There are a lot of classification criteria, including file path, extension, size, date of creation, author, specific content, etc. The most interesting one is analyzing the content of a file for matches against custom regex filters, allowing you to search, for example, for:
Basically, you can identify anything that can be expressed with a regular expression, which can go from an easy Social Security Number to formatted or unformatted credit card numbers from all the most common providers. Of course, you don’t need to be an expert in writing Regular Expressions, as there are plenty of regex libraries on the Internet.
And could you ever imagine that you can scan not only text files but also TIFF images? Here is the list of supported file formats that can be scanned with FCI.
With FCI you can perform different actions on files you identify as sensitive. One of them is to use the in-box RMS protection capability. But you can also perform custom tasks. This comes in handy because the in-box RMS protection action only supports Office files. You can support other types of files through two options:
Of course, the latter option is preferred whenever possible, but RPF is a great fallback solution when a file is in a format for which you don’t have a native protector.
So let’s say you want to protect all files in a folder that contain five or more Social Security Numbers. You want to protect Office documents, PDF files and also all other files. So in order to do this, at a high level, you will need to:
Once you have implemented these three tasks, all files in the destination folder that contain five or more social security numbers will be protected with RMS. Office files will be protected with the in-box RMS protection capability, PDF files will be protected with the protector from Foxit, and all other files will be converted into a Rights Protected Folder which ensures encryption and access controls.
With this functionality, you can ensure your sensitive files are protected as soon as they are created and saved to a file share. Of course, some organizations will need more advanced capabilities such as enterprise-wide content detection, advanced pattern matching and context-aware content identification, capabilities often available in high-end DLP solutions (we like to call the capabilities discussed in this post as “DLP-lite”).
Thanks to the ease of integration RMS provides, most high-end DLP solutions today can work with AD RMS. These DLP solutions can often do a great job in detecting sensitive content, and with the ability to protect files with AD RMS they gain a great deal of flexibility, reducing the impact of false positives and allowing more flexible policies that don’t simply block access. We are working actively to ensure that AD RMS can be integrated seamlessly with any such solution you might want to use. Stay tuned for more on this.
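The rule and routing just described can be modelled offline to check a pattern and threshold against sample text before configuring them in FCI. This is an added example, not code from the original post or from Microsoft: the SSN pattern, the Office extension list, the choice to count every match and all function names are assumptions, and the sample data is constructed.

```python
import re
from pathlib import PurePath

# Assumed pattern for a formatted SSN (AAA-GG-SSSS); the lookaheads drop
# area/group/serial values that are never issued, to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MIN_MATCHES = 5  # scenario from the post: five or more SSNs in one file

# Illustrative subset of Office extensions (assumption, not an FCI list).
OFFICE_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}


def count_ssns(text):
    """Number of SSN-shaped matches in the extracted file text."""
    return len(SSN_RE.findall(text))


def is_sensitive(text, minimum=MIN_MATCHES):
    """True when the file reaches the minimum match count."""
    return count_ssns(text) >= minimum


def choose_protector(filename):
    """Route by file type as the post describes: Office, PDF, everything else."""
    ext = PurePath(filename).suffix.lower()
    if ext in OFFICE_EXT:
        return "in-box RMS protection"
    if ext == ".pdf":
        return "Foxit PDF protector"
    return "Rights Protected Folder"


def plan(files):
    """files maps name -> extracted text; returns name -> planned action."""
    return {name: choose_protector(name) if is_sensitive(text) else "no action"
            for name, text in files.items()}


# Constructed sample content: SSN-shaped strings that belong to nobody.
ssns = [f"123-45-67{i:02d}" for i in range(1, 7)]
SAMPLE = {
    "payroll.xlsx": " ".join(ssns[:5]),
    "report.pdf": "Employees: " + ", ".join(ssns[:5]),
    "drawing.dwg": "\n".join(ssns),
    # Four real-looking values plus two decoys the pattern must reject.
    "notes.txt": " ".join(ssns[:4]) + " 000-12-3456 555-12-34567",
}

if __name__ == "__main__":
    for name, action in plan(SAMPLE).items():
        print(f"{name}: {count_ssns(SAMPLE[name])} match(es) -> {action}")
```

Python's regex dialect is not identical to the one FCI evaluates, so retest the final expression in a classification rule against a test folder before relying on it.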
(Update added 12/03/2012) Here's a bit more guidance on how to use FCI + AD RMS with the Foxit RMS protector to classify PDF files.
First of all, classifying PDF files based on file content is possible with the installation on your file server of PDF iFilters from either Adobe (see http://www.adobe.com/support/downloads/detail.jsp?ftpID=2611) or Foxit (see http://www.foxitsoftware.com/products/ifilter/).
After you have set up an FCI + AD RMS infrastructure based on how I described previously in this post, you should have a File Management Task (FMT) that applies only to PDF (*.pdf) files. The FMT type is a custom action, and it will be used to trigger the Foxit RMS Command Line Tool (Foxit CLI Tool).
Your FMT properties should look similar to these:
In addition, Microsoft has created an extension to the existing PDF standard allowing consumption of RMS-encrypted PDFs in third-party readers. Currently, however, only Foxit Software has implemented this standard.