Feb 14, 2012 4:00:11 AM
First Look: Microsoft Generic File Protection Explorer

One of the things we often run into while working on AD RMS deployments is customers who want to protect documents in formats other than those that are natively supported by AD RMS--Outlook, Word, Excel, PowerPoint, InfoPath and XPS Viewer. Common asks include PDFs, graphics such as JPEGs, and Visio documents. There are third-party solutions that can integrate with AD RMS to provide protections on additional document formats, but they represent additional expense and effort. For a customer with just a few other files that need protecting, bringing in a third-party solution may not be worth it. Enter Microsoft's Generic File Protection Explorer.

The Generic File Protection Explorer is a GUI-based tool that allows you to create a rights-protected "bucket" into which you can place documents of any type for protection. While the documents are in the bucket, they are encrypted and access to them is limited to users with appropriate rights. You can move the bucket (in the form of a .rpf file) around from computer to computer, onto thumb drives and DVDs, as attachments to e-mail, etc. and the contents of the bucket will be protected wherever the bucket goes.

The following picture shows a bucket called ConfidentialInformation.rpf that contains documents of a variety of formats. The content has been protected using a template called "Read Only for All Staff."

[Image: Generic File Protection Explorer]

You can apply a rights policy template to the bucket to protect the content, but at this point there is no built-in option such as is found in Word, Excel or Outlook. You must have at least one rights policy template defined in order to use the tool.

The Generic File Protection tool does not allow you to apply the type of granular RMS permissions that you can in the natively supported tools such as Word. For example, you cannot restrict printing or copy and paste on documents stored in the bucket. If a user is granted access to the bucket, he or she has permissions to remove the files from the bucket and then do anything he or she likes with them. Once a file is removed from the bucket, it is no longer protected. Files cannot be modified while they are in the bucket. If you need to modify a file, you must remove it from the bucket, edit it, and then return it to the bucket.

Certainly the Generic File Protection tool has limits, but it may be just the ticket for organizations that need to allow their users to store and transport files of a variety of formats in a secure fashion and who are less concerned about restricting what their users do with the files. At the moment, the Generic File Protection tool has not yet been released for production use. It is only available for testing purposes.

For more information about the Generic File Protection Explorer, see:

http://lab.technet.microsoft.com/en-us/library/generic-file-protection-explorer-rights-protected-folder%28v=ws.10%29.aspx

For instructions on getting your own copy of the Generic File Protection Explorer to play with, see:

http://blogs.technet.com/b/rmssupp/archive/2011/11/22/what-s-shiny-and-new-and-smells-like-pumpkin-pie.aspx

UPDATE:

This tool was renamed the Rights Protected Folder Explorer for the final release. It is available for download from Microsoft here:

http://www.microsoft.com/en-us/download/details.aspx?id=30152

Please note that the final version of the Rights Protected Folder Explorer requires installation of the RMS v2 client, which is embedded in the tool’s installer. We will have a blog post exploring the full features of the final release of this tool coming soon.