Automatic RMS Protection of non-MS Office files using FCI and the Rights Management Cmdlets

Updated on 2015-12-01 to work with the release version of the Azure RMS PowerShell cmdlets.

File Classification Infrastructure (FCI) is a built-in feature on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 that helps IT admins to manage their organization's data on file servers by providing automatic classification processes. Using rules which are constructed with regular expressions, PowerShell, and/or .NET or native modules, FCI can identify sensitive files and perform actions such as encrypting Microsoft Office documents with Rights Management Services (RMS), expiring files that have passed a defined date limit, or other custom action (defined through a script/program). FCI provides an extensible infrastructure that enables organizations to construct rich end-to-end classification solutions built upon Windows. For more information on FCI please check this blog post.

By default, FCI's built-in tasks can only encrypt Microsoft Office documents with Rights Management Services (RMS). By using a custom FCI task and the Rights Management (Microsoft.Protection) cmdlets, IT admins can apply RMS protection to any file in a file share. Once the files are protected, only authorized users will be able access those files even if they are copied to another location. This blog post covers how to use Azure RMS with your File Server in the case that your File Server is directly connected to the Internet. A follow up blog post will be added demonstrating how to use Azure RMS without connecting your File Server directly to the Internet.

Install RMS PowerShell Cmdlets (and other necessary software)

  1. Create a working directory to download the software to:
    > $workDir = mkdir ~\Downloads\RmsInstall
    > cd $workDir
  2. Install the Rights Management Client. This can be done using PowerShell with the following commands:
    > Invoke-WebRequest https://download.microsoft.com/download/3/C/F/3CF781F5-7D29-4035-9265-C34FF2369FA2/setup_msipc_x64.exe -OutFile setup_msipc_x64.exe
    > .\setup_msipc_x64.exe /quiet
  3. Download and install the RMS PowerShell cmdlets:
    > Invoke-WebRequest https://download.microsoft.com/download/0/6/6/06619015-6BD2-4CB5-9B66-5FF015457976/setup_RmsProtectionTool_x64.exe -OutFile setup_RmsProtectionTool_x64.exe
    > .\setup_RmsProtectionTool_x64.exe /quiet
  4. Download the PsExec commandline tool to be used in configuration of FSRM:
    > Invoke-WebRequest https://download.sysinternals.com/files/PSTools.zip -OutFile PSTools.zip
    > $psTools = mkdir ($workDir.FullName + "\PSTools")
    > $shell = New-Object -ComObject Shell.Application
    > $zip = $shell.NameSpace($workDir.FullName + "\PSTools.zip")
    > foreach($item in $zip.items()) { $shell.NameSpace($psTools.FullName).copyhere($item) }
    
  5. Reboot your server before continuing on:
    > Restart-Computer
    

Configure your File Server for use with Azure RMS

To use Azure RMS with your File Server, you will need to configure an AAD Service Principal which has been authorized on your Azure RMS Tenant and at least one RMS Template. This guide assumes that you have already configured this with Azure RMS; further instructions about how to do this can be found here.

  1. Register your Azure RMS tenant with the Local Service account for use with FSRM/FCI:
    In original PowerShell Window:
    > $workDir = Get-Item -Path ~\Downloads\RmsInstall\
    > cd $workDir
    > Invoke-Expression -Command ("PSTools\psexec.exe \\" + [System.Net.Dns]::GetHostByName(($env:computerName)).HostName + " -i 1 -s powershell.exe")
    

    In new PowerShell window:

    > whoami # Optional to verify running as NT Authority\Local System
    > Set-RmsServerAuthentication -BposTenantId <YOUR AZURE RMS TENANT ID HERE> -AppPrincipalId <AAD SERVICE PRINCIPAL FOR RMS TENANT> -Key <SERVICE PRINCIPAL KEY> 
    > exit # End Local System session
    

    All further commands will be run in the original PowerShell window.

  2. Create the PowerShell script to encrypt files with Azure RMS:
    > mkdir C:\Shares\Scripts
    > notepad C:\Shares\Scripts\EncryptFile.ps1 # This will pop a Notepad window for you to paste the script from the next step into
    
  3. Paste the following script in the opened Notepad window and save and close:
    param([string]$PathToFile, [string]$RmsTemplateId, [string]$RmsTemplateName)
    
    # Verify there is a registered RMS Server
    try
    {
        $serverOutput = Get-RMSServer
        if ($serverOutput.Count -lt 2) {
            throw [System.ArgumentException] "No RMS Servers Registered"
            exit -1
        } 
    }
    catch
    {
        throw [System.ArgumentException] "No RMS Servers Registered"
        exit -1
    }
    
    
    # Verify that we're given either a RmsTemplateId or RmsTemplateName, but not both
    if (!([System.String]::IsNullOrEmpty($RmsTemplateId) -xor [System.String]::IsNullOrEmpty($RmsTemplateName))) {
        throw [System.ArgumentException] "There must be one and only one RmsTemplate parameter filled"
    }
    
    
    # Verify that the provided template is valid
    if (![System.String]::IsNullOrEmpty($RmsTemplateId)) {
        $match = Get-RMSTemplate | Where-Object { $_.TemplateId -eq $RmsTemplateId }
    }
    else {
        $match = Get-RMSTemplate | Where-Object { $_.Name -like ("*" + $RmsTemplateName + "*") }
    }
    
    if ($match.Count -eq 0) {
        throw [System.ArgumentException] "Provided Template does not match any found templates"
    }
    elseif ($match.Count -eq 1) {
        $TemplateId = $match[0].TemplateId
    }
    else {
        throw [System.ArgumentException] "Provided Template matches multiple found templates"
    }
    
    
    # Protect File
    if ((Get-RMSFileStatus -File $PathToFile).Status -ne "Protected") {
        Protect-RMSFile -File $PathToFile -TemplateID $TemplateId
    }
    
  4. Create new FSRM task to encrypt files meeting the desired condition (a classification property set during classification, Impact = High):
    > $Command = "C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe"
    > $CommandParameters = "C:\Shares\Scripts\EncryptFile.ps1 -PathToFile '[Source File Path]' -RmsTemplateName 'Microsoft - Confidential View Only'"
    > $Action = New-FSRMFmjAction -Type Custom -Command $Command -CommandParameters $CommandParameters -SecurityLevel LocalSystem -WorkingDirectory "C:\Windows\System32\WindowsPowerShell\v1.0\"
    > $Condition = New-FsrmFmjCondition -Property "Impact_MS" -Condition Equal -Value 3000
    > $date = (Get-Date)
    > $date = $date = $date.AddDays($date.DayOfWeek.value__ * -1).Date
    > $Schedule = New-FsrmScheduledTask -Time $date -Weekly Sunday
    > New-FsrmFileManagementJob -Name "Test RMS Encrypt" -Namespace "C:\Shares\TestShare" -Action $Action -Condition $Condition -Schedule $Schedule -Continuous
    

Cleanup Workspace (optional)

  1. Several packages were downloaded when installing the RMS PowerShell Cmdlets. These can safely be removed:
    > cd ~
    > rm $workDir -Recurse
    

Additional Resources