Automating the doc protection using FCI integration with RMS bulk protection tool

The following is the step-by-step guide to automate the procedure to protect the document using File Classification of FCI and RMS Bulk protection tool -

 

Prerequisites

  • AD RMS deployed and running
  • RMS Client deployed on end-user machines
  • MS Office document should get RMS protected.
  • Windows 2008 R2 Server being used as File Server (Shared Folders) which is joined in to the AD Domain
  • RMS Bulk Protection tool downloaded.
  • RMS Templates created and distributed. At least, a template should exists that allow access to employees (from example perspective).

Configuring the File Server for FCI

· 1. Log on to the File Server as Administrator or admin equivalent user.

· 2. Click Start, select Administrative Tools, and click Server Manager.

· 3. On the left, right-click Roles and select Add Roles. This will bring up the Add Roles Wizard.

· 4. On the Before you Begin screen, click Next.

· 5. On the Select Server Roles screen, click the box next to File Services and click Next.

· 6. On the File Services screen, click Next.

· 7. On the Select Role Services screen, click the box next to File Server Resource Manager and click Next.

· 8. On the Configure Storage Usage Monitoring screen, click Next.

· 9. On the Confirm Installation Selections screen, click Install.

· 10. On the Installation Results screen, verify the installation was successful and click Close.

· 11. Close Server Manager.

Installing the AD RMS bulk protection tool

1. Log on to the File Server as Administrator.

2. Navigate to where you downloaded the tool and double-click rmsbulk.msi. This will bring up the Rights Management Services Bulk Protection Tool Setup wizard.

3. On the Welcome to the Rights Management Services Bulk Protection Tool Setup Wizard screen, click Next.

4. On the End-User License Agreement screen, read the EULA, click I accept the terms in the License Agreement and click Next.

5. On the Destination Folder screen, click the Change button and navigate to C:\Windows\SysWOW64 and click OK. Verify the path is now SysWOW64 and click Next.

6. On the Ready to install Rights Management Services Bulk Protection Tool screen, click Install.

7. On the Completed the Rights Management Services Bulk Protection Tool Setup Wizard screen, click Finish

Grant FCI Machine Account Read and Execute Permissions

Step to grant the FCI machine account read and execute permissions to the ServerCertification.asmx page. This is required because it allows the AD RMS Bulk Protection Tool to run under the local system account on the FCI server.

1. Log on to AD RMS Server as Administrator

2. Click Start, select Computer, double-click Local Disk (C:), double-click inetpub, double-click wwwroot, double-click _wmcs, double-click certification, right-click ServerCertification.asmx and select Properties. This will bring up the ServerCertification.asmx Properties.

3. On the ServerCertification.asmx properties, select the Security tab, and then click Edit. This will bring up the Permissions for ServerCertification.asmx.

4. On the Permissions for ServerCertification.asmx screen, click Add. This will bring up the Select Users, Computers, or Groups screen.

5. On the Select Users, Computers, or Groups screen, to the right, click the Object Types… button. This will bring up the Object Types screen.

6. On the Object Types screen, place a check in Computers and click Ok. This will close the Object Types screen.

7. On the Select Users, Computers, or Groups screen, under Enter the object names to select, enter the user/groups you want and click Check Names. This should resolve with an underline. Click Ok.

8. On the Permissions for ServerCertification.asmx screen, select the newly added Domain_name\FCI$ and verify it has a check in Read & execute. Click Apply Click Ok. This will close the Permissions for ServerCertification.asmx screen.

9. On the ServerCertification.asmx properties, click Ok. This will close the ServerCertification.asmx properties.

Grant AD RMS Service Group Read and Execute Permissions

This step is to grant AD RMS Service Group read and execute permissions to the ServerCertification.asmx page. This is required because it allows the AD RMS Bulk Protection Tool to run under the local system account on the FCI server.

1. Log on to AD RMS Server as Administrator

2. Click Start, select Computer, double-click Local Disk (C:), double-click inetpub, double-click wwwroot, double-click _wmcs, double-click certification, right-click ServerCertification.asmx and select Properties. This will bring up the ServerCertification.asmx Properties.

3. On the ServerCertification.asmx properties, select the Security tab, select New, and click Edit. This will bring up the Permissions for ServerCertification.asmx.

4. On the Permissions for ServerCertification.asmx screen, click Add. This will bring up the Select Users, Computers, or Groups screen.

5. On the Select Users, Computers, or Groups screen, under Enter the object names to select, enter ADRMS\AD RMS Service Group and click Check Names. This should resolve with an underline. Click Ok.

6. On the Permissions for ServerCertification.asmx screen, select the newly added AD RMS Service Group and verify it has a check in Read & execute. Click Apply Click Ok. This will close the Permissions for ServerCertification.asmx screen.

7. On the ServerCertification.asmx properties, click Ok. This will close the ServerCertification.asmx properties.

8. Restart the AD RMS server.

Create the shared folder on File Server

It’s assumed that you already have the shared folder, but just in case you don’t you can create using the following steps –

1. Log on to File Server as Administrator

2. Click Start, click Computer, and then double-click Local Disk (C:).

3. Click File, point to New, and then click Folder.

4. Type SharedDocuments for the new folder, and then press ENTER.

5. Right-click SharedDocuments, click Share with, and then click Specific people.

6. On the File Sharing window, in the box under Type a name and then click Add, or click the arrow to find someone select Everyone, then and click Add. The Everyone group should now appear in the box below. Under Permission Level, select Read/Write.

7. Click Share. The window should change and you should now see Your folder is shared.

8. Click Done.

Assign Send As rights to FCI Server (file server)

This step would enable organizations to grant the FCI machine account the Send As right on the Administrator account. This will allow the FCI machine to send e-mail notifications as the Administrator when documents are rights protected

1. Log on to the AD Server as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. At the top, select View and then select Advanced Features from the drop-down.

4. On the left, expand domain_name.com click the Users organizational unit. On the right, right-click Administrator and then select Properties. This will bring up the Administrator Properties window.

5. On the Administrator Properties screen, select the Security tab and click Add. This will bring up the Select Users, Computers, or Groups screen.

6. On the Select Users, Computers, or Groups screen, to the right, click the Object Types… button. This will bring up the Object Types screen.

7. On the Object Types screen, place a check in Computers and click Ok. This will close the Object Types screen.

8. On the Select Users, Computers, or Groups screen, under Enter the object names to select, enter domain_name\FCI and click Check Names. This should resolve with an underline. Click Ok.

9. Under Groups or user names: make sure FCI (Domain_name\FCI$) is select.

10. On the Permissions for FCI locate Send As and select Allow. Click Apply Click Ok. This will close the Administrators Properties screen.

11. Close Active Directory Users and Computers

·

Configure FCI for email notification

This section allows FCI machine account the Send As right on the Administrator account. This will allow the File Server to send e-mail notifications as the Administrator when documents are rights protected.

1. Log on to File Server as Administrator

2. Click Start, click Administrative Tools, and click File Server Resource Manager.

3. In the File Server Resource Manager, on the right, under Actions, click Configure Options. This will bring up the File Server Resource Manager Options.

4. Under SMTP server name or IP address, enter xxx.domain_name.com.

5. Under Default administrator recipients, enter administrator@ domain_name.com.

6. Under Default “From” e-mail address, enter administrator@ domain_name.com.

7. Click OK.

Important

You can test this by using the Send Test E-mail button that is provided on the File Server Resource Manager Options page.

Change Timeout on Certification Path Validation Settings

This section enables changing the default path validation cumulative retrieval timeout from 20 seconds to 2 seconds. This is required because the servers do not have access to the internet. If this GPO setting is not changed then the AD RMS Bulk Protection Tool will fail when attempting to activate the FCI server. This is only required because the server does not have internet access.

1. Log on to the AD Server as Administrator.

2. Click Start, select Administrative Tools, and click Group Policy Management.

3. Expand Forest: Forest.com, expand Domains, expand Domain_name.com, right-click Default Domain Policy, and then select edit. This will bring up the Group Policy Management Editor.

4. On the left, expand Computer Configuration, expand Windows Settings, expand Security Settings, and click Public Key Policies.

5. On the right, right-click Certificate Path Validation Settings and click Properties. This will bring up the Certificate Path Validation Settings Properties.

6. On the Certificate Path Validation Settings screen, click the Network Retrieval tab.

7. On the Network Retrieval screen, place a check in Define these policy settings and in the middle, change Default path validation cumulative retrieval timeout (in seconds) to 2.

8. Click Apply and Ok. This will close the Certificate Path Validation Settings.

9. Close Group Policy Management.

Refresh the policy on the FCI server

· 1. Log on to the File Server as Administrator

· 2. Click Start, and click Command Prompt. This will open a command prompt window.

· 3. From the command prompt, type gpupdate /force and hit Enter. Once this is complete is should say that the user and computer policies were updated successfully.

· 4. Close the Command Prompt.

Create Business Impact Classification Property

This section enables creation of the Business Impact Classification Property. Classification properties are used to assign values to files. There are many property types that you can choose from, and you can define them based on the policies your organization wants to enforce. This will be an ordered list property. A value of High will indicate that the document has a high business impact, while a value of Low will represent a low business impact.

1. Log on to File Server as Administrator

2. Click Start, click Administrative Tools, and click File Server Resource Manager.

3. In the File Server Resource Manager, on the left, expand Classification Management, and right-click Classification Properties, and select Create Property. This will bring up the Create Classification Property Definition window.

4. Under Property name, enter Business Impact.

5. Under Description, enter Describes the impact to the business if this file were to be disclosed to the public. Valid values are High and Low..

6. Under Property type, enter Ordered List.

7. Down under Value enter High. This will add a row below the value we just entered.

8. Under the High value we just added, enter Low.

9. Click OK.

Create dateEncrypted Classification Property

· Steps to create the dateEncrypted Classification Property. It allows for tracking which files have already been encrypted and do not need to be encrypted again. This will be a Date-Time property. It will indicate when the file was last encrypted.

·

1. Log on to File Server as Administrator

2. Click Start, click Administrative Tools, and click File Server Resource Manager.

3. In the File Server Resource Manager, on the left, expand Classification Management, and right-click Classification Properties, and select Create Property. This will bring up the Create Classification Property Definition window.

4. Under Property name, enter dateEncrypted.

5. Under Description, enter When this document was encrypted..

6. Under Property type, enter Date-Time.

7. Click OK.

·

Create LBI Classification Rule

Steps to create the LBI Classification Rule. This rule will classify all of our documents with an LBI property value. Later the HBI Classification Rule will override these LBI values if the documents match the criteria in the HBI Classification rule.

1. Log on to File Server as Administrator

2. Click Start, click Administrative Tools, and click File Server Resource Manager.

3. In the File Server Resource Manager, on the left, expand Classification Management, and right-click Classification Rules, and select Create a New Rule. This will bring up the Classification Rule Definitions window.

4. Under Rule name:, enter Low Business Impact.

5. Under Description, enter Classify all documents with low business impact by default.

6. Under Scope, click Add and browse to SharedDocuments. Click OK

7. At the top, click the Classification tab.

8. Under Choose a method to assign the property value, select Folder Classifier from the drop-down.

9. Under Choose a property value to be assigned, select Business Impact Classification Property from the drop-down.

10. Under Property value to be assigned, select Low from the drop-down.

11. Click OK.

Restrict Files to Organization’s Employees

Steps to demonstrate how to create a file management task to restrict access of low business impact files to Organizations employees. This task will apply the Organization Confidential rights policy template to all of the documents that have been classified with a Low property and that have not already been encrypted. The original owner of the file will retain full control of the AD RMS protection, unless the owner is not registered in Active Directory. In that case, the Administrator will gain full control of the AD RMS protection on the file. It will also send an e-mail message to the owner of each file when it is encrypted.

1. Log on to File Server as Administrator

2. Copy the script from Appendix A into notepad and save it as c:\windows\system32\MarkLBIandProtect.ps1.

3. Click Start, click Administrative Tools, and click File Server Resource Manager.

4. In the File Server Resource Manager, on the left, right-click File Management Tasks, and select Create File Management Task. This will bring up the Create File Management Task window.

5. Under Task name:, enter Restrict files to employees of Organization.

6. Under Description, enter Apply Organization Confidential rights policy.

7. Under Scope, click Add and browse to SharedDocuments. Click OK

8. At the top, click the Action tab.

9. Under Type, select Custom from the drop-down.

10. Under Executable, select Browse and navigate to c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe.

11. Under Arguments, enter -File c:\windows\system32\MarkLBIandProtect.ps1 [Source File Path] [Source File Owner Email] administrator@domain_name.com.

12. Under Run the command as:, select Local System.

13. At the top, click the Condition tab.

14. Click Add. This will bring up the Property Condition window.

15. On the Property Condition window, make sure Property: is set to Business Impact, set the Operator: to Equals, and for the Value: select Low from the drop-down. Click Ok.

16. Click Add. This will bring up the Property Condition window.

17. On the Property Condition window, make sure Property: is set to dateEncrypted, and select not exist for the condition. Click OK.

18. At the top, click the Notification tab.

19. Click Add. This will bring up the Add Notification window.

20. Set the Number of days before the task is executed to send notification to 0.

21. Check Send e-mail to the following administrators:

22. In the box, enter administrator@Domain_name.com.

23. Check Send e-mail to the user whose files are about to expire.

24. Under Subject: enter File encrypted.

25. Click OK.

26. At the top, click the Schedule tab.

27. On the Schedule tab, click Create. This will bring up the Schedule window.

28. On the Schedule window, click New.

29. Except the defaults and click Ok. This will close the Schedule window.

· 30. Click OK. This will close the Create File Management Task window.

Important

After the installation of PowerShell, the execution of scripts is disabled by default.
You must enable your system to run the scripts. This can be done by using the following command: Set-Executionpolicy Unrestricted.
Alternatively, the execution policy can be set to signed and the script can be signed. For more information about this topic, please see  Running Windows PowerShell Scripts (https://go.microsoft.com/fwlink/?LinkID=119588).

MarkLBIandProtect Windows Powershell Script

· PowerShell Script to restrict access to employees

-------------------------------------------------------------------------------------------

# execute bulk tool

$encryptfile = '"' + $args[0] + '"'

$owneremail = $args[1]

if ($owneremail -eq "[Source")

{

$owneremail = $args[5]

}

$r = start-process –Wait –PassThru –FilePath C:\Windows\SysWOW64\RmsBulk.exe –ArgumentList “/encrypt”, $encryptfile, “\\xxxx.Domain_name.com\ADRMSPublic\Organization_Confidential.xml”, $owneremail, “/log”, “C:\Documents\RmsLog.log”, “/append”, “/preserveattributes”

if ($r.ExitCode –eq 0)

{

$c = new-object –com Fsrm.FsrmClassificationManager

$d = (get-date).toFileTimeUTC()

$d = $d - ($d % 10000000)

$c.SetFileProperty($args[0], “dateEncrypted”, $d.ToString())

}

-------------------------------------------------------------------------------------------

· Where \\xxxx.Domain_name.com\ADRMSPublic\Organization_Confidential.xml is the path for Organization confidential template.