Ahmed Hussein Online

Active Directory Rights Management Services (AD RMS): Part 9 (File Classification Infrastructure and RMS)

 

What is the File Classification Infrastructure?

The Windows Server 2008 R2 File Classification Infrastructure (FCI) automates classification processes so that you can manage your data more effectively. You can save money and reduce risk by storing and retaining files based on their business value or impact. The built-in solution for file classification provides expiration, custom tasks, and reporting. The extensible infrastructure enables you to meet additional customer classification needs by building rich end-to-end classification solutions that are built on the classification foundation of Windows Server in a consistent and supported way and within the existing Windows file serving platforms.

What happens to a file’s classification properties when the file is moved?

The file remains classified if the file is moved to another NTFS file system by using a standard mechanism such as Copy or Move. However, the properties for files in Microsoft® Office® products remain attached regardless of how the file is moved.

Where are classification properties stored?

The properties are stored in an alternate data stream, which is a feature of NTFS. Alternate data streams move with a file if the file moves within NTFS file systems, but they do not appear in the file’s contents. The properties are also stored within file formats in Office products as custom document properties or server document properties.

How quickly are files classified?

The speed at which files are classified depends on the classification rules that are defined, the classification mechanisms in use, and the types of data. Approximately 40 files are classified per second when the content classifier is used to classify Office 2007 documents that are under 1 megabyte (MB). When the folder classifier is used, approximately 800–1000 files are classified per second.

How are soft and hard links classified?

Soft links are not classified; however, the target file is classified if it is within the scope of a classification rule. Hard links are classified, and the target file stores the classification properties. If hard links cause a file to fall within the scopes of multiple classification rules, it can take multiple runs to set all the classification properties for the file.

Does FCI classify remote folders?

No. FCI only classifies files locally on the server. It also classifies folders that are stored on a mounted drive.

Does FCI classify mounted volumes?

Yes.

Can FSRM and FCI classify a failover cluster?

Yes.

Can FSRM and FCI run on a Server Core installation of Windows Server 2008 R2?

Yes.

Can I classify images based on their content by using optical character recognition (OCR)?

Yes. You need to install Windows TIFF IFilter on the server that is running FCI. Then the content classifier can recognize TIFF images and extract text from those files. Other file types require other extensions.

For more information about Windows TIFF IFilter, see the Windows TIFF IFilter Installation and Operations Guide on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=150226).

What happens if separate classification rules attempt to set the same property for a file to different values?

FCI attempts to aggregate the property values.

  • For Yes or No properties, a Yes value takes priority over a No value.
  • For ordered list properties, the highest property value takes priority.
  • For multiple choice properties, the property sets are combined into one set.
  • For multiple string properties, a multistring value is set that contains all the unique strings of the individual property values.
  • For other property types, an error occurs.

Can I classify files within .vhds, .zip, and other container files?

FCI does not identify individual files within a container file. However, a non-Microsoft classification plug-in can attempt to assign an overall classification to the container file that is based on the files within the container.

 

FCI installation

First we install the File Server Resource Manager role service on the file server.

[screenshot]

Next we install the AD RMS Bulk Protection Tool (get it from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd&displaylang=en).

Note: unfortunately the bulk tool does not come with much documentation explaining why things are done the way they are, but I will try to explain as much as I can.

[screenshots]

The next step is to grant Read and Execute permission on the RMS nodes shown in the screenshot to the file server that runs FCI.

[screenshot]

Back on the file server, we start PowerShell and run

Set-ExecutionPolicy Unrestricted

This allows our script to run.

 

We will classify our information at the following levels:

Classification levels

  1. Unclassified
  2. Restricted
  3. Confidential
  4. Secret
  5. Top Secret

We start by creating a property

[screenshot]

This makes FCI tag the files with the appropriate value (no changes are made to the file contents).

Next we create a date property so that we don't process the same file more than once: if the tag is present, the file has already been processed.

[screenshot]

Now we move on to creating the rules. We can create two types of rules:

1. Folder based (if your users stick to the folders set by the InfoSec team, you most probably don't need this post; if your users are like the rest of the planet, go to number two).

2. Content based (the file is searched for specific keywords and strings; if they are found, the file is tagged).

[screenshot]

We will search for the word "confidential" in the file and tag the file when it is found.

[screenshot]

The next step

We create a PowerShell script to kick-start the RMS bulk tool.

Please change the paths (the highlighted part) to your own locations.

This step explains how to create a file management task to restrict access. This task applies the Confidential rights policy template to all documents that have been classified with the Confidential property and that have not already been encrypted. The original owner of the file retains full control of the AD RMS protection, unless the owner is not registered in Active Directory; in that case, the Administrator gains full control of the AD RMS protection on the file.

So save the text below as a .ps1 file:

# execute bulk tool
# Arguments passed in by the FSRM file management task:
#   $args[0] = [Source File Path]
#   $args[1] = [Source File Owner Email]; when FSRM cannot resolve an owner e-mail
#              it passes the placeholder text itself, which the task splits on
#              spaces, so $args[1] is then the literal "[Source"
#   last argument = administrator e-mail, used as the fallback owner
$encryptfile = '"' + $args[0] + '"'
$owneremail = $args[1]
if ($owneremail -eq "[Source")
{
    # owner not resolved: after the split placeholder the admin address is $args[5]
    $owneremail = $args[5]
}
# Protect the file with the Confidential template and log the result
$r = start-process -Wait -PassThru -FilePath C:\Windows\SysWOW64\RmsBulk.exe -ArgumentList "/encrypt", $encryptfile, "\\rms.demo\rmspolicy\Confidential.xml", $owneremail, "/log", "C:\RmsLog.log", "/append", "/preserveattributes"
if ($r.ExitCode -eq 0)
{
    # Stamp the file so the task does not process it again
    $c = new-object -com Fsrm.FsrmClassificationManager
    $d = (get-date).toFileTimeUTC()
    $d = $d - ($d % 10000000)   # round the FILETIME (100 ns ticks) down to a whole second
    $c.SetFileProperty($args[0], "dateEncrypted", $d.ToString())
}

Next we create the file management task.

[screenshot]

Under Executable we use

c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe

and under Arguments

-File c:\FCI\RMSbulkConfidential.ps1 [Source File Path] [Source File Owner Email] administrator@RMS.Demo

[screenshot]

We also set the conditions:

[screenshots]

Note: you can make FCI send an e-mail to the user and to the administrator each time it encrypts something.

The steps for this are described at

http://technet.microsoft.com/en-us/library/ff625740(WS.10).aspx

http://technet.microsoft.com/en-us/library/ff627831(WS.10).aspx

Some recommendations

  • Test on a small number of files first.
  • Try to run the first pass at the weekend (a 2 GHz core will do about 50 documents per hour), so on a large file server this will take days.
  • FCI only tags files local to the server, so you must install FCI on every file server you have.
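Two helpers for the setup above, added here as an example (this is not code from the original post or from the bulk tool). The first validates the owner address the task hands to the script, since RmsBulk.exe rejects the split placeholder "[Source" with "Owner Email Address didn't match with standard email format"; the second audits a share for files FCI has tagged as sensitive but that carry no dateEncrypted stamp yet. Assumed names: the classification property is called "Classification" (the post does not name it), the share path is constructed, and GetFileProperty on the FSRM COM object is assumed to return an object with a .Value member and to throw when the property is not set.

```powershell
# Added example, not code from the original post. PowerShell 2.0 syntax (Windows Server 2008 R2).
# Assumed: classification property named "Classification"; "dateEncrypted" is the
# property the post's script stamps after RmsBulk.exe succeeds.

# When the file owner has no e-mail in AD, FSRM passes the placeholder text itself,
# split on spaces, so the script receives "[Source". RmsBulk.exe then fails with
# "Owner Email Address didn't match with standard email format". Validate the
# address first and fall back to the administrator instead of calling the tool.
function Resolve-OwnerEmail {
    param([string]$OwnerEmail, [string]$FallbackEmail)
    # Deliberately simple check: one "@", no whitespace, dotted domain.
    if ($OwnerEmail -match '^[^@\s]+@[^@\s]+\.[^@\s]+$') { return $OwnerEmail }
    Write-Warning "Owner e-mail '$OwnerEmail' is missing or malformed; using $FallbackEmail"
    return $FallbackEmail
}

# Audit helper: files classified at a sensitive level that carry no dateEncrypted
# stamp, i.e. tagged by FCI but not yet protected by the file management task.
# Uses the same Fsrm.FsrmClassificationManager COM object as the post's script;
# GetFileProperty(path, name, 0) is assumed to return an object with .Value and
# to throw when the property is absent on the file.
function Get-UnprotectedClassifiedFiles {
    param(
        [string]$Path,
        [string]$ClassificationProperty = 'Classification',
        [string[]]$SensitiveLevels = @('Confidential', 'Secret', 'Top Secret')
    )
    $fsrm = New-Object -ComObject Fsrm.FsrmClassificationManager
    Get-ChildItem -Path $Path -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $file = $_.FullName
        try   { $level = $fsrm.GetFileProperty($file, $ClassificationProperty, 0).Value }
        catch { return }                     # no classification on this file, skip it
        if ($SensitiveLevels -notcontains $level) { return }
        try   { $stamp = $fsrm.GetFileProperty($file, 'dateEncrypted', 0).Value }
        catch { $stamp = $null }
        if (-not $stamp) {
            New-Object PSObject -Property @{ File = $file; Classification = $level }
        }
    }
}

# Usage (constructed values): the placeholder case falls back to the admin address,
# and the audit lists tagged-but-unprotected files under an assumed share path.
Resolve-OwnerEmail -OwnerEmail '[Source' -FallbackEmail 'administrator@RMS.Demo'
Get-UnprotectedClassifiedFiles -Path 'D:\Shares\Finance' | Format-Table -AutoSize
```

Run the audit after the task's first pass; any file it lists was classified but never reached RmsBulk.exe successfully, so check C:\RmsLog.log for it.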


2 Responses to “Active Directory Rights Management Services (AD RMS ) : Part 9 ( File Classification Infrastructure and RMS )”


  1. Martin

    Hi,
    do you know what I am doing wrong? I'm still receiving the below error when trying to encrypt files using PS. When I try it manually via the bulk tool everything is OK.

    Owner Email Address didn’t match with standard email format.

    Thanks


  2. Ahmed Hussein

    Hello Martin ,
    The e-mails must be identical for this to work: the one in the e-mail field in AD and the one the user uses in his Outlook.
    You can submit the error if you like so I can zoom in on the issue.

    A
