Protect everything: using FCI to protect files of any type with Windows Server 2012

First published on CloudBlogs on Nov, 09 2012

Hey folks,

We once again have a guest for today's AD RMS Team blog. Today's post is brought to you by Andrey Moskvitin. Andrey is a Technical Solutions Professional who specializes in Security for our Microsoft Russia subsidiary and he's going to help you see how to use File Classification Infrastructure along with our Rights Protected Folder Explorer and an additional third-party tool, the PDF protector offered by our friends at Foxit Software, to protect files of any type using Windows Server 2012.

I'm sure you will enjoy learning how to use these tools together to automate protecting of documents based on classification rules. While this is, as Andrey points out, not a totally new feature scenario, it has become an easier and richer one to explore with recent updates and new functionality that have come about around the release of Windows Server 2012.

Thanks,
Dan

Hi, I am Andrey and today I want to highlight how AD RMS and Windows Server 2012 can assist you in making the world a more secure place by automating protection of documents.

Certainly you have encountered a strong desire (or demand) to protect with RMS all files within a folder or maybe just files with a certain content. Some possible scenarios include:

• Access to all documents on file server must be limited to active employees of the company, even when files are copied to local storage or a former employee made copies on a USB-drive prior to the layoff.
• Apply RMS-policy "Finance read-only” must be applied to all files containing more than 10 credit card numbers or other PII.
• Apply RMS-policy "Sales Managers Only" to all Excel files larger than 10 MB containing PII and contract numbers being created by the CRM system.

With the Windows Server File classification Infrastructure (FCI) feature you can identify sensitive files and encrypt them with RMS. FCI crawls file shares for files meeting certain criteria and tag them based on the results. Tags are stored in the file attributes and
persist even after moving files to another NTFS storage. Once files are tagged, you can automatically apply the "RMS Encryption" action to files with certain tags, and select one of the existing RMS templates in your organization or define a custom RMS policy.

While when people think of “documents” they often associate that with Microsoft Office documents, IT admins know well that’s not all that it’s out there. PDF files, CAD drawings and other types of files account for a significant portion of the sensitive data out there, and protecting it is essential to reduce the risks of data leakage. So when we protect data with FCI it is very valuable to be able to protect any type of file in the best available way.

Integrating FCI and AD RMS was possible before (as it was well documented in the past), but with Windows Server 2012 we got a plethora of new functionality:

• No need for AD RMS Bulk protection tool or creating your own scripts – RMS protection of Office files is available in the FSRM feature of File and Storage Services server role.
• Protecting files "on the fly"  -  a newly created or modified file is immediately classified and protected.
• Ability to define ad-hoc policies in addition to the option of using Rights Policy Templates.
• Detect a certain number of pattern matches, for more flexibility in the identification of sensitive content.

There are lot of classification criteria including file path, extension, size, date of creation, author, specific content, etc. The most interesting one is analyzing the content of a file for matches against custom regex-filters allowing you to search for example for:

• Certain words or word combinations
• Base of word, neglecting word forms, suffixes or prefixes
• Specifically formatted data, for example credit card numbers, phone numbers, SSNs, PII, contract numbers, etc.
• Amount of data above threshold such as more than 10 credit card numbers in one file

Basically, you can identify anything that can be expressed with a regular expression, which can go from an easy Social Security Number to formatted or unformatted credit card numbers from all the most common providers. Of course, you don’t need to be an expert in writing Regular Expressions, as there are plenty of regex libraries on the Internet .

And could you ever imagine that you can scan not only text files but also TIFF images? Here is the list of supported file formats that can be scanned with FCI.

With FCI you can perform different actions on files you identify as sensitive. One of them is to use the in-box RMS protection capability. But you can also perform custom tasks. This comes in handy because the in-box RMS protection action only supports Office files. You can support other types of files trough two options:

• Putting files in encrypted container using Rights Protected Folder Explorer (RPFe)
• Triggering specific RMS protectors for certain types of files, such as PDF, CAD or images, supported with partner solutions

Of course, the latter option is preferred whenever possible, but RPF is a great fallback solution when a file is in a format for which you don’t have a native protector.

So let’s say you want to protect all files in a folder that contain five or more Social Security Numbers. You want to protect Office documents, PDF files and also all other files. So in order to do this, at a high level, you will need to:

• Install the necessary roles (File Server Resource Manager, RPFe and a PDF protector, these tasks are left behind scenes, but you can get a PDF protection tool from Foxit ( http://www.foxitsoftware.com/ ).
• Define new classification property named “Sensitivity” with value “PII”
• Create new classification rule via the Classification Management tab in the File Server Resource Manager
• Name it “Protect docs with more than 5 SSNs”.
• Under Scope select the folders or sets of folders to be scanned.
• Under Classification choose classification method “Content classifier”.
• Choose a property value to be assigned “Sensitivity” and check the “PII” value.
• Click Configure, select the Expression Type “Regular expression” and insert Expression “d{3}-d{2}-d{4}” in Expression
  field to look for SSNs. Set the minimum number of occurrences to 5 for rule not to trigger on files containing 4 or less SSNs.
• Create 3 file management tasks for Office documents, PDF and all other files
  • Scope of each rule will contain all files with the corresponding file extensions (e.g. .docx) that are tagged as “Sensitivity - PII”.
  • For the “Office documents” task you will use the in-box “RMS Encryption” to protect the file, choosing a suitable template.
  • For the PDF task you will configure a custom action that will use a script to run the Foxit RMS protector command line tool or an equivalent solution. With Foxit, you would use the following command line: RMSProtector.exe /encrypt [Source FilePath] /template TemplateName
  • All other files not matching the PDF or Office file extensions will be covered with a task that runs rpfexplorer.exe with arguments described here to put files into encrypted container
  • Schedule scans to run on a recurring basis
  • Set report properties to receive emails with the updates on sensitive files found and protected

Once you have implemented these three tasks, all files in the destination folder that contain five or more social security numbers will be protected with RMS. Office files will be protected with the in-box RMS
protection capability, PDF files will be protected with the protector from Foxit, and all other files will be converted into a Rights Protected Folder which ensures encryption and access controls.

With this functionality, you can ensure your sensitive files are protected as soon as they are created and saved to a file share. Of course, some organizations will need more advanced capabilities such as enterprise-wide
content detection, advanced pattern matching and context-aware content identification, capabilities often available in high-end DLP solutions (we like to call the capabilities discussed in this post as “DLP-lite”).

Thanks to the ease of integration RMS provides, most high-end DLP solutions today can work with AD RMS. These DLP solutions can often do a great job in detecting sensitive content, and with the ability to
protect files with AD RMS they gain a great deal of flexibility, reducing the impact of false positives and allowing more flexible policies that don’t simply block access. We are working actively to ensure that AD RMS can be integrated seamlessly with any such solution you might want to use. Stay tuned for more on this.

(Update added 12/03/2012) Here's a bit more guidance on how to use FCI + AD RMS with the Foxit RMS protector to classify PDF files.

First of all, classifying PDF files based on file content is possible with the installation on your file server of PDF iFilters from either Adobe (see http://www.adobe.com/support/downloads/detail.jsp?ftpID=2611 ) or Foxit (see http://www.foxitsoftware.com/products/ifilter/ ) .

After you have set up an FCI + AD RMS infrastructure based on how I described previously in this post, you should have a File Management Task (FMT) that applies only to all PDF (*.pdf) files. A FMT type is a custom action and it will be used to trigger the Foxit RMS Command Line Tool (Foxit CLI Tool).

1. Extract the Foxit CLI Tool to a local folder on your file server computer and then set the correct permissions. The tool executable file must be set to read-only for any non-administrative users and the folder should also be set to read-only for non-administrative users as well.
2. Install the AD RMS Client 2.0 as the Foxit CLI Tool relies on it.
3. In the FMT properties, define the correct path to the Foxit CLI Tool executable.
4. In the Arguments field enter:
   /encrypt [Source File Path] /template <RMS_template_name>
5. In addition, you can add to the Arguments some keys listed in the Foxit CLI Tool manual, among them is /preserveattributes , which is for
   preserving all the original file attributes including Owner, Creation Time, Modified Time, Accessed Time etc.

Your FMT properties should look similar to these:

In addition, Microsoft has created an extension to the existing PDF standard allowing consummation of RMS-encrypted PDFs in third-party readers. Currently, however, only Foxit Software has implemented this standard.