
The Major Challenge in AD RMS Implementations

The major challenge in an AD RMS implementation is not getting the infrastructure up and running or getting the client settings, files and application deployed to all users. It’s not making RMS available through your firewall or getting it working with your SharePoint server. No, the major challenge is getting your users to actually use RMS to protect e-mail messages and documents. It’s very simple for your users to apply RMS protections to an e-mail or document–it’s just a couple of clicks–but it’s hard to train them to remember to take that extra step. Luckily, there are solutions available to help you automate protections, so you’re not entirely relying on your users to take that extra step.

Exchange 2010

Microsoft Exchange 2010 introduced two features that help you apply protections to content–RMS protections in Exchange hub transport rules and Outlook protection rules. Of these, hub transport rules are the more versatile. Imagine anything you could do with an Exchange hub transport rule–select an e-mail message based on words or text matching in the subject line or body, based on the sender or recipient(s), based on attachments, etc.–and slap RMS on it. For example, you can create a rule that looks through the body of each e-mail message sent in your organization for something that looks like a social security number, and when an e-mail is found that appears to have a social security number in it, the rule will apply a rights policy template to it to protect that potentially sensitive content.

The thing to remember about hub transport rules, however, is that they don’t get applied until an e-mail message reaches the Exchange server for processing. So, your user composes an e-mail message containing sensitive content like a social security number and hits the send button without remembering to apply RMS to the e-mail message. That e-mail message travels in the clear, unencrypted, from the user’s desktop to the Exchange server. On the Exchange server, the hub transport rule is applied to the message and then between the Exchange server and the recipient’s mailbox, the e-mail message is now encrypted and protected.

Outlook protection rules, on the other hand, protect content end-to-end. Outlook protection rules are defined on the client machine, and, when a user composes an e-mail message that matches a protection rule, RMS protections are automatically applied to that e-mail message before the user hits the send button, so the e-mail message is protected and encrypted throughout its entire journey to the recipient. The downside of Outlook protection rules is that they don’t offer nearly as many options for matching e-mail messages as hub transport rules. The major matching options are who the recipients are and the department to which the sender belongs. Outlook protection rules are configured from the command line using PowerShell commands, rather than through a user-friendly GUI. Outlook protection rules are supported only in Outlook 2010 working with Exchange 2010.
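To make the difference between the two Exchange 2010 mechanisms concrete, here is an added example (not code from the original post) that creates one server-side hub transport rule and one client-side Outlook protection rule in the Exchange Management Shell, plus the checks an administrator would run before trusting either. The template name "Do Not Forward", the contoso.example domain, the department name and the SSN-shaped pattern are placeholders; substitute the templates your AD RMS cluster actually publishes.

```powershell
# Added example, not from the original post. Run in the Exchange 2010 Management Shell.
# Template name, domain, department and the regex below are constructed placeholders.

# Prerequisite check: Exchange can only apply a template it can see. Internal licensing
# must be on, and Get-RMSTemplate should list the templates published by AD RMS.
Set-IRMConfiguration -InternalLicensingEnabled $true
Get-RMSTemplate | Format-Table Name, Type

# 1) Hub transport rule: evaluated on the server, after the message has already left
#    the client. Anything shaped like a US Social Security Number in the subject or
#    body of an internal message gets the "Do Not Forward" template.
New-TransportRule -Name "Protect SSN in internal mail" `
    -SentToScope InOrganization `
    -SubjectOrBodyMatchesPatterns "\d{3}-\d{2}-\d{4}" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# 2) Outlook protection rule: distributed to Outlook 2010 and applied before Send,
#    so the message is protected on the client-to-server hop as well. Matching is
#    limited to sender department and recipients; UserCanOverride $false stops the
#    user from removing the protection before sending.
New-OutlookProtectionRule -Name "Protect HR to Legal" `
    -FromDepartment "Human Resources" `
    -SentTo "legal@contoso.example" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $false

# Verify both rules exist and that a sender in scope can obtain a licence from AD RMS.
Get-TransportRule "Protect SSN in internal mail" |
    Format-List Name, State, ApplyRightsProtectionTemplate
Get-OutlookProtectionRule |
    Format-Table Name, FromDepartment, SentTo, UserCanOverride
Test-IRMConfiguration -Sender hr.user@contoso.example
```

The transport rule is the broad net (any content pattern, any sender or recipient condition) but only closes the gap at the hub transport server; the Outlook protection rule is the narrow net that closes it at the client. Deploying both for the same sensitive flow is a reasonable defence in depth, and Test-IRMConfiguration is the quickest way to confirm that the RMS licensing path works for a given sender before users start hitting the rules.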

For more information see:

Exchange Hub Transport Rules
Outlook Protection Rules

SharePoint 2007 and 2010

Both Microsoft Office SharePoint Server (MOSS) 2007 and Microsoft SharePoint 2010 include integration with AD RMS to automate protection of documents stored in a SharePoint document library. AD RMS integration with SharePoint is designed to allow documents to be stored in SharePoint in an unencrypted state, to support indexing and easy backup and recovery. RMS protections are automatically applied to a document stored in a protected document library at the time the document is either opened or downloaded from the document library.

AD RMS in SharePoint works in conjunction with the regular SharePoint permissions structure, so a user granted contribute permissions on a document library will have edit permissions to an RMS-protected document extracted from that library and a user granted read permissions on a document library will have read-only permissions to an RMS-protected document extracted from that library. A user granted full control permissions on a document library will have full control over an RMS-protected document extracted from that library, including permissions to remove the RMS protections from the file.

SharePoint does not make use of AD RMS rights policy templates. Instead, rights policy controls are applied individually, document library by document library.

In SharePoint 2007, you could upload a document that was already rights-protected into an RMS-enabled document library. If you did, it would live in that document library in an encrypted state and retain the original protections applied to the document. It would not inherit the permissions assigned to the document library. SharePoint 2010 has added the option to deny upload of documents that are already rights-protected, allowing you to control whether any documents will be allowed to live in SharePoint in an encrypted state. If you disable the feature that prohibits upload of previously rights-protected content in SharePoint 2010, documents that are already protected with RMS before being uploaded into this version of SharePoint will not inherit the permissions assigned to the document library either.

RMS Bulk Protection Tool and File Classification Infrastructure

The RMS Bulk Protection Tool is a command-line tool that allows you to apply RMS protections to multiple documents sitting in a file system. It also allows you to remove RMS protections in bulk. The tool can be used in a script to, for example, regularly apply RMS protections to all the Word documents in a given directory on a file server.

The File Classification Infrastructure feature was added in Windows Server 2008 R2. This feature allows you to automate classification of documents sitting on a file server based on things such as keywords in the documents. Used in conjunction with the RMS Bulk Protection Tool, it can be used to automate application of RMS protections to documents that match the classification rule(s).
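As an added example (not the original post's code, nor a script that ships with either tool), the following PowerShell script shows the shape of the FCI plus RMS Bulk Protection Tool combination described above: it reads each Word document's FCI classification through the FSRM COM object available on Windows Server 2008 R2, skips files that are already RMS-protected, and hands the rest to RMSBulk.exe. The share path, log path, template GUID, the property name "Confidentiality" with value "High", and the `/protect` and `/template` switches are assumptions or placeholders; confirm the switches against the tool's own help output, and the property against your classification rules.

```powershell
# Added example, not from the original post. Assumed: Windows Server 2008 R2 with the
# File Server Resource Manager role (FCI) and the RMS Bulk Protection Tool installed.
# Paths, template GUID, property name/value and RMSBulk switches are placeholders.

$Root       = "D:\Shares\Finance"
$RmsBulk    = "C:\Program Files\RMS Bulk Protection Tool\RMSBulk.exe"
$TemplateId = "00000000-0000-0000-0000-000000000000"   # placeholder: your template GUID
$LogFile    = "C:\Logs\rms-bulk-protect.log"

# Read one FCI classification property for a file via the FSRM COM object.
# Returns $null when the file carries no such property.
function Get-FciProperty {
    param([string]$Path, [string]$PropertyName)
    $fsrm = New-Object -ComObject Fsrm.FsrmClassificationManager
    try {
        $prop = $fsrm.GetFileProperty($Path, $PropertyName, 0)   # 0 = no options
        return $prop.Value
    } catch {
        return $null
    }
}

# Heuristic "already protected?" check for Office Open XML files: an unprotected
# .docx is a ZIP container and starts with the bytes 'PK'; once RMS-protected it is
# wrapped in an OLE compound file and no longer does. Protecting twice is harmless
# but wastes time and produces noisy logs, so skip those files.
function Test-IsPlainOoxml {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $b = New-Object byte[] 2
        $n = $fs.Read($b, 0, 2)
        return ($n -eq 2 -and $b[0] -eq 0x50 -and $b[1] -eq 0x4B)
    } finally {
        $fs.Close()
    }
}

Get-ChildItem -Path $Root -Recurse -Filter *.docx |
    Where-Object { (Get-FciProperty $_.FullName "Confidentiality") -eq "High" } |
    ForEach-Object {
        $file = $_.FullName
        if (-not (Test-IsPlainOoxml $file)) {
            "$(Get-Date -Format s) SKIP already protected: $file" | Out-File $LogFile -Append
            return
        }
        # Assumed RMSBulk.exe syntax: /protect <file> /template <template GUID>
        & $RmsBulk /protect "$file" /template $TemplateId
        $status = if ($LASTEXITCODE -eq 0) { "OK" } else { "FAIL($LASTEXITCODE)" }
        "$(Get-Date -Format s) $status $file" | Out-File $LogFile -Append
    }
```

Run it from a scheduled task under a service account that holds the AD RMS rights needed to publish with the chosen template, and review the log for FAIL entries: a failure usually means the account could not reach the AD RMS licensing pipeline or the template GUID is not one the cluster publishes. The same body can be attached to an FCI file management task so that it runs only over files the classification rules have just tagged, rather than rescanning the whole share.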

Third-Party Products

There are also third-party products on the market that help you to automate application of RMS protections. For example, TITUS offers their Classification suite of products that can, among other things, prompt a user when sending an e-mail message or saving a document to apply a classification to the content, and some or all classification levels can be associated with RMS rights policy templates.