
11 October, 2012

How can you set up RMS-based protection to the documents users store in SharePoint?


You can use Windows Rights Management Services (RMS) to protect SharePoint documents in the two most recent releases of SharePoint; SharePoint Server 2010 and SharePoint Server 2007 both include RMS support. However, there are some restrictions and complexities you should be aware of if you plan to set up RMS with your SharePoint installations.

An important thing to know is that RMS can only encrypt SharePoint documents and subject them to RMS access control restrictions when they are downloaded from a SharePoint 2010 or SharePoint 2007 document library. RMS doesn't leave SharePoint documents encrypted while they're stored on the SharePoint server. This restriction exists so that SharePoint can index and scan the documents on a SharePoint storage provider. RMS applies its restrictions to a document only right before it's downloaded to a client computer. Similarly, when an RMS-protected document is uploaded to a SharePoint site, RMS removes all protection from the document until a new download request is received.

SharePoint-RMS integration ensures that security restrictions are enforced even after a document has left a SharePoint server, which is something that can't be achieved using the standard SharePoint permissions. SharePoint-RMS integration also automatically enforces an organization's RMS document security policies. A SharePoint administrator can centrally define different RMS policies for the document libraries hosted on a SharePoint server. Therefore, individual users don't have to decide what protection they need to apply to documents they post in SharePoint libraries. RMS permissions are defined at the SharePoint document library level: Documents in a library automatically inherit the library's RMS permissions. This protection applies to both existing and new documents in the SharePoint library.

The RMS protection of SharePoint data is, just like the RMS protection that's bundled with Windows and Microsoft Office, only possible for certain file formats. Out of the box, it supports Word, Excel, PowerPoint, InfoPath, and XPS files. Extensions to apply RMS protection to other file formats (e.g., .pdf, .cad) can be added through special software from Microsoft partners such as Liquid Machines (now part of Check Point Software Technologies) and GigaTrust.

RMS support for SharePoint can be set up using either RMS SP2 or RMS V2, which is bundled with Windows Server 2008. Provided you already have a functioning RMS infrastructure, enabling RMS protection in SharePoint is relatively straightforward. The main configuration actions are
  • enabling RMS support on the SharePoint server
  • setting the actual RMS restrictions in the configuration of a given document library
You can enable RMS support in SharePoint by selecting either the Use the default RMS server specified in Active Directory or Use this RMS server option in the Information Rights Management section of the SharePoint Central Administration\Operations configuration section.

To set RMS restrictions on a SharePoint document library you must use the Information Rights Management section in the Permissions and Management configuration section of the document library. When you select the Restrict permission to documents in this library on download check box, you can further refine the RMS protection as follows:
  • Allow users to print documents.
  • Require users to verify their credentials every x number of days. This setting can be useful when someone who has access to RMS-protected confidential data leaves your organization; the individual will retain access to the data only for x days after his or her last successful authentication to an RMS server.
  • Reject files that don't support Microsoft Information Rights Management (IRM). Selecting this option results in SharePoint rejecting the upload of document formats that don't support RMS.
  • Remove RMS protection on a particular date. This setting is useful for publishing company financial results, for instance. After the quarterly results are published, the RMS protection policy on the quarterly results SharePoint library automatically changes -- meaning that the RMS restrictions are removed.
Microsoft provides more detailed guidance on how to set up SharePoint-RMS integration in the article "Deploying Windows Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide," which is available from Microsoft's website.

Courtesy: www.sharepointpromag.com

12 September, 2012

Integrating AD RMS and SharePoint

Preparing a SharePoint infrastructure to store IRM-protected documents, where the protection is embedded in the document itself, makes those documents unsearchable, since they cannot be tagged or indexed while their contents are encrypted. This is no longer the case with AD RMS and SharePoint 2007: the IRM policies are applied only when documents are downloaded, and the documents are stored unencrypted in the libraries, which makes them indexable and therefore searchable.

With SharePoint, IRM protection is available for files that are located in document libraries. SharePoint uses the access control list (ACL) on the library or list to determine the permissions that it applies to a document for the user downloading it. Protection includes the following options with integration of SharePoint with AD RMS:
  • Whether or not users can print documents that are rights managed.
  • Whether the user can run Microsoft Visual Basic for Applications (VBA) and other custom code in the file.
  • The number of days for which the license is valid; after the specified number of days, the license expires and the user must download the file again from the document library.
  • Whether to let users upload file types that do not support IRM.
  • Optionally, the date to stop restricting permissions to the document library; after the specified date passes, Office SharePoint Server removes all rights-management restrictions from the documents in the library.
There are basically three simple steps to integrate AD RMS with SharePoint 2007, as follows:
(Note: Windows Server 2008 already includes the AD RMS client, so there is no need to install a separate Windows RMS client as on Windows Server 2003.)

Add permissions for the SharePoint server to the AD RMS certification pipeline
  • Log on to the AD RMS server as a local administrator
  • Click Start, and then click Computer
  • Navigate to c:\Inetpub\wwwroot\_wmcs\Certification
  • Right-click ServerCertification.asmx, click Properties, and then click the Security tab
  • Click Advanced, click Edit, select the Include inheritable permissions from this object's parent check box, and then click OK two times
  • Click Edit
  • Click Add
  • Click Object Types, select the Computers check box, and then click OK
  • Type the name of the SharePoint web front-end server, and then click OK twice.
  • Repeat the above three steps for other web front-end servers
  • Click OK to close the ServerCertification.asmx Properties sheet. By default the Read & Execute and the Read permissions are configured
  • Reset IIS
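The same ACL change, scripted so it can be repeated per front-end and audited afterwards. This is an added example written for this post, not from the original article; it assumes it runs elevated on the AD RMS server, and the domain name and the WFE01$/WFE02$ computer accounts are placeholders for your web front-end servers.

```powershell
# Added example: grant each SharePoint web front-end computer account
# Read & Execute on ServerCertification.asmx (the manual steps above do this
# through Properties > Security). Assumes an elevated session on the AD RMS
# server; CONTOSO\WFE01$ and CONTOSO\WFE02$ are placeholder computer accounts.
$asmx      = 'C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$frontEnds = @('CONTOSO\WFE01$', 'CONTOSO\WFE02$')

$acl = Get-Acl -Path $asmx

# Equivalent of ticking "Include inheritable permissions from this object's parent":
# isProtected = $false re-enables inheritance, preserveInheritance = $true keeps
# the explicit entries that are already there.
$acl.SetAccessRuleProtection($false, $true)

foreach ($account in $frontEnds) {
    # Read & Execute implies Read, matching the defaults the dialog shows.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $account,
                      [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
                      [System.Security.AccessControl.AccessControlType]::Allow
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $asmx -AclObject $acl

# Read the ACL back and show only the front-end entries, so the grant can be
# checked (and later reviewed) without opening the Properties sheet.
(Get-Acl -Path $asmx).Access |
    Where-Object { $frontEnds -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Same as the manual "Reset IIS" step.
iisreset
```

Only the computer accounts of the front-ends that actually talk to the certification pipeline should appear in that read-back; any other principal listed there is worth a second look.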

Specify RMS server location in SharePoint using Central Administration
  • Open the SharePoint 3.0 Central Administration site
  • Click Operations, and then click Information Rights Management
  • Select Use the default RMS server specified in Active Directory.
  • Click OK

(Screenshots omitted: the Information Rights Management page before and after installation of the Windows Rights Management Services Client.)
Note: Ensure that the Windows Rights Management Services Client (WindowsRightsManagementServicesSP2-KB917275-Client-ENU-X64.exe) is installed on the server. It is a very small installation and takes little time; on Windows Server 2008 it is included by default.

Enable IRM policy to control access to the contents of a document library
1. Open a SharePoint site and go to the document library where we want to enable the IRM policy
2. Click Settings, and then click Document Library Settings
3. Under Permissions and Management, click Information Rights Management
4. Select the Restrict permission to documents in this library on download check box
5. In the Permissions policy title box, type in the policy title
6. In the Permission policy description box, type in the policy description
7. Click OK
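The library-level settings from both posts (restrict on download, no printing, no VBA, credential re-verification interval, reject unsupported formats, stop restricting on a date) set in one place from the SharePoint 2010 Management Shell. This is an added example, not code from either post; it assumes SharePoint 2010 (the SPList.IrmEnabled/IrmReject/IrmExpire flags and the InformationRightsManagementSettings property names are taken from the 2010 object model and are not available in the 2007 UI-only steps above), and the site URL, library name and dates are placeholders.

```powershell
# Added example: enable IRM on a document library and read the settings back.
# Assumes SharePoint 2010 Management Shell (PowerShell 2.0) on a farm server;
# http://sharepoint.contoso.local/sites/finance and 'Quarterly Results' are
# placeholders. Property names are assumed from the SharePoint 2010 object model.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web  = Get-SPWeb 'http://sharepoint.contoso.local/sites/finance'
$list = $web.Lists['Quarterly Results']

# "Restrict permission to documents in this library on download"
$list.IrmEnabled = $true
# "Do not allow users to upload documents that do not support IRM"
$list.IrmReject  = $true

$irm = $list.InformationRightsManagementSettings
$irm.PolicyTitle       = 'Finance - restricted on download'
$irm.PolicyDescription = 'Rights follow the library permissions; printing and macros are blocked.'
$irm.AllowPrint  = $false   # "Allow users to print documents" left unchecked
$irm.AllowScript = $false   # no VBA or other custom code in the file

# "Users must verify their credentials using this interval (days)": a leaver
# keeps access for at most this many days after the last RMS authentication.
$irm.EnableLicenseCacheExpire = $true
$irm.LicenseCacheExpireDays   = 30

# "Stop restricting access to the library on": protection lifts after the
# results are public.
$list.IrmExpire = $true
$irm.DocumentLibraryProtectionExpireDate = Get-Date '2013-01-31'

$list.Update()

# Read back what will actually be applied on download (PowerShell 2.0 friendly).
New-Object -TypeName PSObject -Property @{
    Library    = $list.Title
    IrmEnabled = $list.IrmEnabled
    IrmReject  = $list.IrmReject
    IrmExpire  = $list.IrmExpire
    AllowPrint = $irm.AllowPrint
    AllowVBA   = $irm.AllowScript
    VerifyDays = $irm.LicenseCacheExpireDays
    ExpiresOn  = $irm.DocumentLibraryProtectionExpireDate
} | Format-List

$web.Dispose()
```

Because the rights a user receives on download are derived from the library permissions, the read-back above is only half of a review: the other half is the library's own permission assignments, since a user granted Contribute there will get editing rights in the protected copy.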

SharePoint will now automatically apply AD RMS rights to the document when it is downloaded from the document library. These rights are determined by the user permission for that library. For example, a user who has Read permission will not be able to modify the document when it is downloaded from the document library.

Note: When AD RMS-protected documents (created outside the SharePoint environment) are uploaded to a library with an IRM policy enabled, the original document's protection policy supersedes the library protection policy when those documents are downloaded or accessed by users. AD RMS end-to-end security prevents SharePoint from decrypting documents created outside the SharePoint environment, and hence from applying the SharePoint library IRM policy to them.