Deploy Encryption of Office Files (Demonstration Steps)
Applies To: Windows Server 2012
Contoso’s Finance Department has a number of file servers that store their documents. These documents can be general documentation or they can have a high-business impact (HBI). For example, any document that contains confidential information is deemed, by Contoso, to have a high-business impact. Contoso wants to ensure that all their documentation has a minimum amount of protection and that their HBI documentation is restricted to the appropriate people. To accomplish this, Contoso is exploring using the File Classification Infrastructure (FCI) and AD RMS that is available in Windows Server 2012. By using FCI, Contoso will classify all of the documents on their file server, based on the content, and then use AD RMS to apply the appropriate rights policy.
In this scenario, you’ll perform the following steps:
Task | Description
---|---
Step 1: Enable resource properties | Enable the Impact and Personally Identifiable Information resource properties.
Step 2: Create classification rules | Create the following classification rules: HBI Classification Rule and PII Classification Rule.
Step 3: Use file management tasks to automatically protect documents with AD RMS | Create a file management task that automatically uses AD RMS to protect documents with high personally identifiable information (PII). Only members of the FinanceAdmin group will have access to documents that contain high PII.
Step 4: View the results | Examine the classification of documents and observe how they change as you change the content in the document. Also verify how the document gets protected by AD RMS.
Step 5: Verify protection with AD RMS | Verify that the document is protected with AD RMS.
Step 1: Enable resource properties
To enable resource properties
In Hyper-V Manager, connect to server ID_AD_DC1. Sign in to the server by using Contoso\Administrator with the password pass@word1.
Open Active Directory Administrative Center, and click Tree View.
Expand DYNAMIC ACCESS CONTROL, and select Resource Properties.
Scroll down to the Impact property in the Display name column. Right-click Impact, and then click Enable.
Scroll down to the Personally Identifiable Information property in the Display name column. Right-click Personally Identifiable Information, and then click Enable.
To publish the resource properties in the Global Resource List, in the left pane, click Resource Property Lists, and then double-click Global Resource Property List.
Click Add, and then scroll down to and click Impact to add it to the list. Do the same for Personally Identifiable Information. Click OK twice to finish.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
Set-ADResourceProperty -Enabled:$true -Identity:"CN=Impact_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=contoso,DC=com"
Set-ADResourceProperty -Enabled:$true -Identity:"CN=PII_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=contoso,DC=com"
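The two cmdlets above enable the properties but do not publish them in the Global Resource Property List, which the GUI procedure does and which the file server needs before Update-FSRMClassificationPropertyDefinition can see them. The following script is an added example, not part of the original demonstration: it enables both properties, publishes them, and reads both back. It is meant to run on ID_AD_DC1 with the ActiveDirectory module, and it assumes the list is named Global Resource Property List as on this page; the configuration naming context is discovered instead of hard-coded.

```powershell
# Added example, not part of the original demonstration.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$propertyNames = @('Impact_MS', 'PII_MS')
$propertyDns = foreach ($name in $propertyNames) {
    "CN=$name,CN=Resource Properties,CN=Claims Configuration,CN=Services,$configNC"
}

# 1. Enable each resource property (same as the two commands above).
foreach ($dn in $propertyDns) {
    Set-ADResourceProperty -Identity $dn -Enabled:$true
}

# 2. Publish them in the Global Resource Property List. This is the step the
#    plain Set-ADResourceProperty commands leave out; without it the file
#    server's Update-FSRMClassificationPropertyDefinition does not pick them up.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $propertyDns

# 3. Verify: each property is enabled and is a member of the list.
$members = (Get-ADResourcePropertyList -Identity 'Global Resource Property List' -Properties Members).Members
foreach ($dn in $propertyDns) {
    $property = Get-ADResourceProperty -Identity $dn
    [pscustomobject]@{
        Name      = $property.Name
        Enabled   = $property.Enabled
        Published = [bool]($members -contains $dn)
    }
}
```

Both rows should report Enabled and Published as True before you move to the file server; if Published is False, the Update-FSRMClassificationPropertyDefinition step on ID_AD_FILE1 will not create the matching FSRM property definitions.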
Step 2: Create classification rules
This step explains how to create the High Impact classification rule. This rule will search the content of documents and if the string “Contoso Confidential” is found, it will classify this document as having high-business impact. This classification will override any previously assigned classification of low-business impact.
You will also create a High PII rule. This rule searches the content of documents, and if a Social Security number is found, it classifies the document as having high PII.
To create the high-impact classification rule
In Hyper-V Manager, connect to server ID_AD_FILE1. Sign in to the server by using Contoso\Administrator with the password pass@word1.
You need to refresh the Global Resource Properties from Active Directory. Open Windows PowerShell and type: Update-FSRMClassificationPropertyDefinition, and then press ENTER. Close Windows PowerShell.
Open File Server Resource Manager. To open File Server Resource Manager, click Start, type file server resource manager, and then click File Server Resource Manager.
In the left pane of File Server Resource Manager, expand Classification Management, and then select Classification Rules.
In the Actions pane, click Configure Classification Schedule. On the Automatic Classification tab, select Enable fixed schedule, select a Day of the week, and then select the Allow continuous classification for new files check box. Click OK.
In the Actions pane, click Create Classification Rule. This opens the Create Classification Rule dialog box.
In the Rule name box, type High Business Impact.
In the Description box, type Determines if the document has a high business impact based on the presence of the string “Contoso Confidential”
On the Scope tab, click Set Folder Management Properties. Select Folder Usage, click Add, click Browse, browse to D:\Finance Documents, and then click OK. Choose the property value named Group Files, and then click Close. With the folder management property set, back on the Scope tab select the Group Files check box. (The PowerShell equivalent at the end of this procedure scopes the rule directly to the D:\Finance Documents namespace instead of going through the Folder Usage property.)
Click the Classification tab. Under Choose a method to assign the property to files, select Content Classifier from the drop-down list.
Under Choose a property to assign to files, select Impact from the drop-down list.
Under Specify a value, select High from the drop-down list.
Click Configure under Parameters. In the Classification Parameters dialog box, in the Expression Type list, select String. In the Expression box, type: Contoso Confidential, and then click OK.
Click the Evaluation Type tab. Click Re-evaluate existing property values, click Overwrite the existing value, and then click OK to finish.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
Update-FSRMClassificationPropertyDefinition
$date = Get-Date
# Fixed schedule that runs on every day of the week, starting at the current time of day
$AutomaticClassificationScheduledTask = New-FsrmScheduledTask -Time $date -Weekly @('Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday') -RunDuration 0
# Apply the schedule and also turn on continuous classification for new files
Set-FsrmClassification -Continuous -Schedule $AutomaticClassificationScheduledTask
# PropertyValue 3000 is the "High" value of the Impact_MS property
New-FSRMClassificationRule -Name "High Business Impact" -Property "Impact_MS" -Description "Determines if the document has a high business impact based on the presence of the string 'Contoso Confidential'" -PropertyValue "3000" -Namespace @("D:\Finance Documents") -ClassificationMechanism "Content Classifier" -Parameters @("StringEx=Min=1;Expr=Contoso Confidential") -ReevaluateProperty Overwrite
To create the high-PII classification rule
In Hyper-V Manager, connect to server ID_AD_FILE1. Sign in to the server by using Contoso\Administrator with the password pass@word1.
On the desktop, open the folder named Regular Expressions, and then open the text document named RegEx-SSN. Highlight and copy the following regular expression string: ^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$. This string will be used later in this step so keep it on your clipboard.
Open File Server Resource Manager. To open File Server Resource Manager, click Start, type file server resource manager, and then click File Server Resource Manager.
In the left pane of File Server Resource Manager, expand Classification Management, and then select Classification Rules.
In the Actions pane, click Configure Classification Schedule (if you did not already do this when you created the High Business Impact rule). On the Automatic Classification tab, select Enable fixed schedule, select a Day of the week, and then select the Allow continuous classification for new files check box. Click OK.
In the Actions pane, click Create Classification Rule. This opens the Create Classification Rule dialog box.
In the Rule name box, type High PII. In the Description box, type Determines if the document has a high PII based on the presence of a Social Security Number.
Click the Scope tab, select the Group Files check box.
Click the Classification tab. Under Choose a method to assign the property to files, select Content Classifier from the drop-down list.
Under Choose a property to assign to files, select Personally Identifiable Information from the drop-down list.
Under Specify a value, select High from the drop-down list.
Click Configure under Parameters.
In the Classification Parameters window, in the Expression Type list, select Regular Expression. In the Expression box, paste the text from your clipboard: ^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$, and then click OK.
Note
This expression also accepts numbers that are not valid Social Security numbers, which lets the demonstration use a fictitious number such as 777-77-7777.
Click the Evaluation Type tab. Select Re-evaluate existing property values, Overwrite the existing value, and then click OK to finish.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
New-FSRMClassificationRule -Name "High PII" -Description "Determines if the document has a high PII based on the presence of a Social Security Number." -Property "PII_MS" -PropertyValue "5000" -Namespace @("D:\Finance Documents") -ClassificationMechanism "Content Classifier" -Parameters @("RegularExpressionEx=Min=1;Expr=^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$") -ReevaluateProperty Overwrite
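Before committing a regular expression to a classification rule it is worth exercising it against known inputs, because a rule that over- or under-matches silently produces wrong protection decisions downstream. The following script is an added example, not part of the original demonstration: it runs the page's RegEx-SSN pattern over a set of constructed strings and reports any result that differs from what a practitioner would expect. The test strings are made up here; the pattern is the one from the page.

```powershell
# Added example, not part of the original demonstration.
# The pattern is the RegEx-SSN string used by the High PII rule above.
$ssnPattern = '^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$'

function Test-SsnPattern {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Pattern = $ssnPattern
    )
    # Same .NET regex engine FSRM's content classifier is built on
    [regex]::IsMatch($Text, $Pattern)
}

# Constructed inputs with the result each one should produce.
# Note: the "7([0-7]\d|7[012])" alternative is redundant; "[0-7]\d{2}"
# already accepts every area number from 001 to 799, including 666 and 777.
$cases = [ordered]@{
    '777-77-7777' = $true   # the fictitious value typed in Step 4
    '123-45-6789' = $true
    '123 45 6789' = $true   # a space is an accepted separator
    '123456789'   = $true   # no separator at all
    '666-12-3456' = $true   # never issued, but accepted by [0-7]\d{2}
    '123-45 6789' = $false  # \3 forces both separators to be the same
    '000-12-3456' = $false  # (?!000) rejects area 000
    '812-34-5678' = $false  # area numbers above 799 are not matched
    '123-00-4567' = $false  # (?!00) rejects group 00
    '123-45-0000' = $false  # (?!0000) rejects serial 0000
}

$failures = 0
foreach ($case in $cases.GetEnumerator()) {
    $matched = Test-SsnPattern -Text $case.Key
    if ($matched -eq $case.Value) {
        $status = 'ok  '
    } else {
        $status = 'FAIL'
        $failures++
    }
    '{0} {1,-12} matched={2}' -f $status, $case.Key, $matched
}
"$failures unexpected result(s)"
```

Every line should print ok. The 666 and 777 rows are the point of the Note above: the rule will classify any nine-digit number in the right shape as high PII, which is the safe direction for a protection rule (a false positive encrypts a file that did not need it; a false negative leaves a Social Security number unprotected).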
You should now have two classification rules:
High Business Impact
High PII
Step 3: Use file management tasks to automatically protect documents with AD RMS
Now that you’ve created rules to automatically classify documents based on content, the next step is to create a file management task that uses AD RMS to automatically protect certain documents based on their classification. In this step, you will create a file management task that automatically protects any documents with a high PII. Only members of the FinanceAdmin group will have access to documents that contain high PII.
To protect documents with AD RMS
In Hyper-V Manager, connect to server ID_AD_FILE1. Sign in to the server by using Contoso\Administrator with the password pass@word1.
Open File Server Resource Manager. To open File Server Resource Manager, click Start, type file server resource manager, and then click File Server Resource Manager.
In the left pane, select File Management Tasks. In the Actions pane, select Create File Management Task.
In the Task name: field, type High PII. In the Description field, type Automatic RMS protection for high PII documents.
Click the Scope tab, select the Group Files check box.
Click the Action tab. Under Type, select RMS Encryption. Click Browse to select a template, and then select the Contoso Finance Admin Only template.
Click the Condition tab, and then click Add. Under Property, select Personally Identifiable Information. Under Operator, select Equal. Under Value, select High. Click OK.
Click the Schedule tab. In the Schedule section, click Weekly, and then select Sunday. Running the task once-a-week will ensure that you catch any documents that may have been missed due to a service outage or other disruptive event.
In the Continuous operation section, select Run task continuously on new files, and then click OK. You should now have a file management task named High PII.
Windows PowerShell equivalent commands
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
$fmjRmsEncryption = New-FSRMFmjAction -Type 'Rms' -RmsTemplate 'Contoso Finance Admin Only'
$fmjCondition1 = New-FSRMFmjCondition -Property 'PII_MS' -Condition 'Equal' -Value '5000'
$date = get-date
$schedule = New-FsrmScheduledTask -Time $date -Weekly @('Sunday')
$fmj1=New-FSRMFileManagementJob -Name "High PII" -Description "Automatic RMS protection for high PII documents" -Namespace @('D:\Finance Documents') -Action $fmjRmsEncryption -Schedule $schedule -Continuous -Condition @($fmjCondition1)
Step 4: View the results
It’s time to take a look at your new automatic classification and AD RMS protection rules in action. In this step you will examine the classification of documents and observe how they change as you change the content in the document.
To view the results
In Hyper-V Manager, connect to server ID_AD_FILE1. Sign in to the server by using Contoso\Administrator with the password pass@word1.
In Windows Explorer, navigate to D:\Finance Documents.
Right-click the Finance Memo document and click Properties. Click the Classification tab, and notice that the Impact property currently has no value. Click Cancel.
Right-click the Request for Approval to Hire document, and then select Properties.
Click the Classification tab, and notice that the Personally Identifiable Information property currently has no value. Click Cancel.
Switch to ID_AD_CLIENT1. Sign out any user who is signed in, and then sign in as Contoso\MReid with the password pass@word1.
From the Desktop, open the Finance Documents shared folder.
Open the Finance Memo document. Near the bottom of the document, you will see the word Confidential. Modify it to read: Contoso Confidential. Save the document and close it.
Open the Request for Approval to Hire document. In the Social Security#: section, type: 777-77-7777. Save the document and close it.
Note
You may need to wait 30 seconds for the classification to occur.
Switch back to ID_AD_FILE1. In Windows Explorer, navigate to D:\Finance Documents.
Right-click the Finance Memo document, and click Properties. Click the Classification tab. Notice that the Impact property is now set to High. Click Cancel.
Right-click the Request for Approval to Hire document and click Properties. Click the Classification tab. Notice that the Personally Identifiable Information property is now set to High. Click Cancel.
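Rather than waiting for continuous classification and the scheduled file management task, you can drive both on demand and read the stored classification back in one pass. The following script is an added example, not part of the original demonstration, meant to run on ID_AD_FILE1. It assumes the two demo documents are .docx files under D:\Finance Documents, and it assumes the FSRM COM interface Fsrm.FsrmClassificationManager, whose EnumFileProperties(path, 1) call returns the stored property values without re-running the rules (1 being FsrmGetFilePropertyOptions NoRuleEvaluation); the FSRM cmdlets it calls are the ones shipped in the FileServerResourceManager module.

```powershell
# Added example, not part of the original demonstration.
Import-Module FileServerResourceManager

# Assumed file names; the page refers to the documents by title only.
$documents = @(
    'D:\Finance Documents\Finance Memo.docx',
    'D:\Finance Documents\Request for Approval to Hire.docx'
)

function Get-FileClassification {
    param([Parameter(Mandatory)][string]$Path)   # must be a local path on the FSRM server
    # Assumption: FSRM classification manager COM object; option 1 = NoRuleEvaluation,
    # i.e. return what is stored for the file instead of classifying it now.
    $manager = New-Object -ComObject Fsrm.FsrmClassificationManager
    foreach ($property in $manager.EnumFileProperties($Path, 1)) {
        # Impact_MS = 3000 and PII_MS = 5000 are the "High" values the
        # Step 2 rules assign.
        [pscustomobject]@{
            File     = Split-Path -Leaf $Path
            Property = $property.Name
            Value    = $property.Value
        }
    }
}

'--- stored classification before the on-demand run ---'
$documents | ForEach-Object { Get-FileClassification -Path $_ } | Format-Table -AutoSize

# Run the classification now (instead of waiting for the continuous or scheduled
# run), wait for it, then run the High PII task that applies RMS protection.
Start-FsrmClassification -Confirm:$false
Wait-FsrmClassification
Start-FsrmFileManagementJob -Name 'High PII' -Confirm:$false
Wait-FsrmFileManagementJob -Name 'High PII'

'--- stored classification after the on-demand run ---'
$documents | ForEach-Object { Get-FileClassification -Path $_ } | Format-Table -AutoSize
```

After the run, Finance Memo should show Impact_MS = 3000 and Request for Approval to Hire should show PII_MS = 5000, matching the High values you see on the Classification tab in Windows Explorer. Running the file management task here also means the Step 5 check can be done immediately instead of waiting for the Sunday schedule.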
Step 5: Verify protection with AD RMS
To verify that the document is protected
Switch back to ID_AD_CLIENT1.
Open the Request for Approval to Hire document.
Click OK to allow the document to connect to your AD RMS server.
You can now see that the document has been protected by AD RMS because it contains a Social Security number.
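Opening the file in Office is the end-user view of protection. From the file server side you can also tell, without an AD RMS license, whether the file management task has rewritten a document into its protected form: an unprotected .docx, .xlsx or .pptx is a ZIP container (first bytes "PK"), while the RMS-protected output is an OLE compound file (the 8-byte D0 CF 11 E0 A1 B1 1A E1 signature) wrapping an EncryptedPackage stream. The following script is an added example, not part of the original demonstration. It builds two constructed sample files to show both outcomes and then checks the demo document; the .docx extension of that document is an assumption.

```powershell
# Added example, not part of the original demonstration.
function Get-OfficeContainerType {
    param([Parameter(Mandatory)][string]$Path)

    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $header = New-Object byte[] 8
        $read = $stream.Read($header, 0, $header.Length)
    } finally {
        $stream.Dispose()
    }
    if ($read -lt 4) { return 'Unknown format (file too short)' }

    $hex = [System.BitConverter]::ToString($header, 0, $read)
    if ($read -eq 8 -and $hex -eq 'D0-CF-11-E0-A1-B1-1A-E1') {
        # Caveat: legacy .doc/.xls and password-encrypted OOXML files are also
        # OLE compound files, so this means "protected or otherwise encrypted,
        # inspect further", not proof of RMS protection on its own.
        'OLE compound file (RMS-protected or otherwise encrypted)'
    } elseif ($hex.StartsWith('50-4B-03-04')) {
        'ZIP container (unprotected OOXML)'
    } else {
        'Unknown format'
    }
}

# Constructed samples: only the leading bytes matter for this check.
$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'rms-check'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
$plain     = Join-Path $sampleDir 'plain.docx'
$protected = Join-Path $sampleDir 'protected.docx'
[System.IO.File]::WriteAllBytes($plain,     [byte[]](0x50,0x4B,0x03,0x04,0x14,0x00,0x00,0x00))
[System.IO.File]::WriteAllBytes($protected, [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1))

$demoDocument = 'D:\Finance Documents\Request for Approval to Hire.docx'   # assumed name
foreach ($file in @($plain, $protected, $demoDocument)) {
    if (Test-Path -LiteralPath $file) {
        '{0}: {1}' -f (Split-Path -Leaf $file), (Get-OfficeContainerType -Path $file)
    }
}
```

On ID_AD_FILE1 the demo document should report the OLE result once the High PII task has run, and the ZIP result if you check it before the task runs (or after removing the Social Security number and re-running classification, which does not strip protection from an already protected file). Pair this with the Office-side check above: the byte signature tells you the file was rewritten, and opening it as a non-FinanceAdmin user tells you the template actually restricts access.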