1. Configuring IRM
IRM provides persistent online
and offline protection of email messages and attachments by applying the
information protection technology AD RMS. IRM protection is configured by
applying an AD RMS rights policy template. You can use policy templates to
control permissions that recipients have on a message.
1.1. AD RMS Rights Policy Templates
Exchange 2010 ships with the Do Not Forward template. When this template
is applied to a message, only the recipients addressed in the message can
decrypt the message, and these recipients cannot forward the message to
anyone else, copy content from the message, or print the message. You can
create additional RMS templates on the AD RMS server in your organization
(if installed) to meet your IRM protection requirements.
The following EMS command retrieves the list of active rights management
services policy templates that are currently available to the Exchange
Server 2010 server on which the command is run:
Get-RMSTemplate
1.2. Applying IRM Protection
IRM
protection can be applied to messages manually by Outlook users. This
process uses the IRM functionality in Outlook, but you can use Exchange to
take actions (such as applying transport protection rules) that enforce your
organization’s messaging policy. OWA users can protect messages they
send and view IRM-protected messages they receive.
In Outlook 2010, you can create Outlook protection rules that
automatically IRM-protect messages. Outlook 2010 applies IRM protection when
a user is composing a message. You can create transport protection rules on
Hub Transport servers.
1.3. Configuring IRM Features and Testing IRM Configuration
You can use
the EMS but not the EMC to configure IRM features. The
Set-IRMConfiguration cmdlet is used to enable or
disable IRM for internal messages and to enable or disable transport
decryption, journal report decryption, IRM for Exchange Search, and IRM in
OWA.
The following command enables internal licensing and hence enables IRM features for
messages sent to internal recipients (assuming that internal licensing is
currently disabled):
Set-IRMConfiguration -InternalLicensingEnabled $true
The following command enables licensing and hence enables IRM features for
messages sent to external recipients if external licensing is currently
disabled:
Set-IRMConfiguration -ExternalLicensingEnabled $true
Journal report decryption attaches a decrypted copy of an IRM-protected
message to the journal report. The following command enables Journal report
decryption if it is currently disabled:
Set-IRMConfiguration -JournalReportDecryptionEnabled $true
IRM features are enabled in OWA by default. The following command disables
IRM features in OWA:
Set-IRMConfiguration -OWAEnabled $false
The following command enables IRM features in OWA if they have previously
been disabled:
Set-IRMConfiguration -OWAEnabled $true
If transport decryption is mandatory, any message that cannot be decrypted
is rejected, and a non-delivery report (NDR) is returned to the sender. The
following command sets transport decryption to mandatory:
Set-IRMConfiguration -TransportDecryptionSetting mandatory
If transport decryption is disabled, no attempt is made to decrypt
internal or external messages before delivery. The following command sets
transport decryption to disabled:
Set-IRMConfiguration -TransportDecryptionSetting disabled
Setting transport decryption to
optional provides a best effort approach to decryption. Messages are
decrypted if possible but are delivered even if decryption fails. The
following command sets transport decryption to optional:
Set-IRMConfiguration -TransportDecryptionSetting optional
If you want to view the current IRM configuration—either the default
values before you configure it or the values after configuration—you
enter the following command:
Get-IRMConfiguration | FL
The following command tests the IRM configuration for messages Kim Akers
sends to Don Hall:
Test-IRMConfiguration -Sender <KimAkersAddress> -Recipient <DonHallAddress>
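The following script, added here as an example and not part of the original text, walks the procedure above end to end in the EMS: record the current configuration, apply the settings, re-read them, and run Test-IRMConfiguration. The sender and recipient addresses are placeholders for two mailboxes in your organization.

```powershell
# Added example (not from the original text). Run in the Exchange Management Shell
# on an Exchange Server 2010 server with an AD RMS cluster already available.
$sender    = 'kim.akers@<your-domain>'   # placeholder: an internal mailbox
$recipient = 'don.hall@<your-domain>'    # placeholder: an internal mailbox

# 1. Record the starting state so the change can be reviewed or reverted later.
$before = Get-IRMConfiguration
$before | Format-List InternalLicensingEnabled, ExternalLicensingEnabled, JournalReportDecryptionEnabled, TransportDecryptionSetting

# 2. Enable IRM for internal recipients and journal report decryption, and make
#    transport decryption mandatory so transport rules and journaling always see
#    protected content. With Mandatory, a message that cannot be decrypted is
#    rejected with an NDR instead of being delivered uninspected.
Set-IRMConfiguration -InternalLicensingEnabled $true `
                     -JournalReportDecryptionEnabled $true `
                     -TransportDecryptionSetting Mandatory

# 3. Re-read the configuration and confirm each setting took effect.
$after = Get-IRMConfiguration
if (-not $after.InternalLicensingEnabled) {
    Write-Warning 'Internal licensing is still disabled'
}
if ($after.TransportDecryptionSetting -ne 'Mandatory') {
    Write-Warning "TransportDecryptionSetting is $($after.TransportDecryptionSetting), expected Mandatory"
}
if (-not $after.JournalReportDecryptionEnabled) {
    Write-Warning 'Journal report decryption is still disabled'
}

# 4. Exercise the RMS pipeline (template acquisition, licensing) for one
#    sender/recipient pair. Assumption: the result lists each check as PASS or FAIL,
#    so the rendered text is searched for FAIL rather than relying on property names.
$test = Test-IRMConfiguration -Sender $sender -Recipient $recipient
$test | Format-List
if (($test | Out-String) -match 'FAIL') {
    Write-Warning 'IRM test reported a failure; fix it before relying on protection rules'
}
```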
1.4. Using Transport Protection Rules
These are transport rules that implement messaging
policies by inspecting message content, encrypting sensitive email content,
and using rights management to control access. Transport protection rules
apply an AD RMS rights policy template to protect messages through
IRM.
You can use either the New Transport Rule Wizard in the EMC or the
New-TransportRule EMS cmdlet to create a transport
protection rule. To use the EMS to create a transport protection rule, your
first step is to discover what rights management templates are available.
The following command generates a list of available templates (note that
this command does not list the pre-installed Do Not Forward
template):
Get-RMSTemplate | FL
You then use a command that creates a transport protection rule. For
example, if you wanted to create a rule named Protect-Confidential that
IRM-protects messages that contain the word “Confidential” in
the Subject field using the Do Not Forward template, you would use the
following command:
New-TransportRule -Name "Protect-Confidential" -SubjectContainsWords "Confidential" -ApplyRightsProtectionTemplate "Do Not Forward"
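As an added example (not from the original text), the following EMS script creates the Protect-Confidential rule described above without duplicating an existing rule of the same name, then lists every transport rule that applies an RMS template so the protection in force can be audited. The -SentToScope and -Comments parameters of New-TransportRule are additions not shown in the text; the rule name, keyword and template are the ones used above.

```powershell
# Added example (not from the original text). Run in the Exchange Management Shell.
$ruleName = 'Protect-Confidential'
$template = 'Do Not Forward'

# Creating a second rule with the same name fails, so check first and review
# the existing rule instead of recreating it.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Write-Warning "Rule '$ruleName' already exists; review it rather than recreating it"
} else {
    # -SentToScope InOrganization limits the rule to messages sent to recipients
    # inside the organization, where the internal licensing from section 1.3 applies.
    New-TransportRule -Name $ruleName `
        -SubjectContainsWords 'Confidential' `
        -SentToScope InOrganization `
        -ApplyRightsProtectionTemplate $template `
        -Comments 'IRM-protect internal mail marked Confidential in the subject'
}

# Audit: every transport rule that applies rights protection, in evaluation order.
# A disabled rule (State) or an unexpected template is a policy gap worth investigating.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Sort-Object Priority |
    Format-Table Name, Priority, State, SubjectContainsWords, ApplyRightsProtectionTemplate -AutoSize
```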
1.5. Protecting Outlook and OWA Messages
Outlook protection rules help an organization protect against the risk of
information leakage by automatically applying IRM protection to messages. In
Outlook 2010, messages are IRM-protected before they leave the Outlook
client. This protection is also applied to any attachments using supported
file formats. When you create Outlook protection rules on an Exchange Server
2010 server, these rules are automatically distributed to Outlook 2010 by
Exchange Web Services.
You can use the EMS but not the EMC to create an Outlook protection rule.
For example, the following command creates the Outlook protection rule
MyProject. This rule protects messages sent to the TechnicalAuthors
distribution group with the AD RMS template Protect-Confidential:
New-OutlookProtectionRule -Name "MyProject" -SentTo "TechnicalAuthors" -ApplyRightsProtectionTemplate "Protect-Confidential"
You can use the Get-OutlookProtectionRule EMS cmdlet
to obtain the configuration of an existing Outlook protection rule and the
Set-OutlookProtectionRule EMS cmdlet to change that
configuration. You can also use the
Remove-OutlookProtectionRule EMS cmdlet to remove
an Outlook protection rule. For example, the following command removes the
MyProject Outlook protection rule:
Remove-OutlookProtectionRule -Identity "MyProject"
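The following EMS script is an added example (not from the original text) of the rule lifecycle above: it creates the MyProject rule with two further New-OutlookProtectionRule parameters, -SentToScope and -UserCanOverride, verifies what Outlook 2010 clients will receive, and then uses Set-OutlookProtectionRule to stop users removing the protection. The group and template names are those used in the text.

```powershell
# Added example (not from the original text). Run in the Exchange Management Shell.
$ruleName = 'MyProject'

# Start with the rule overridable so it can be trialled: a user who sees the
# protection applied at compose time may still remove it.
New-OutlookProtectionRule -Name $ruleName `
    -SentTo 'TechnicalAuthors' `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate 'Protect-Confidential' `
    -UserCanOverride $true

# Verify the rule as it will be distributed to Outlook 2010 via Exchange Web Services.
Get-OutlookProtectionRule -Identity $ruleName |
    Format-List Name, Enabled, Priority, SentTo, SentToScope, ApplyRightsProtectionTemplate, UserCanOverride

# Once the rule is confirmed to fire only on the intended messages, make the
# protection non-removable by the sender. This is the setting that turns the rule
# from a convenience into a control against information leakage.
Set-OutlookProtectionRule -Identity $ruleName -UserCanOverride $false

# Confirm the change took effect.
$rule = Get-OutlookProtectionRule -Identity $ruleName
if ($rule.UserCanOverride) {
    Write-Warning "Rule '$ruleName' can still be overridden by users"
}

# Removal, as in the text, once the rule is no longer needed:
# Remove-OutlookProtectionRule -Identity $ruleName
```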
1.6. Enabling or Disabling IRM in OWA
You can use commands based on the
Set-IRMConfiguration EMS cmdlet to enable or
disable IRM in OWA for your entire Exchange Server 2010 organization. You
can also enable or disable IRM for an OWA virtual directory using the
Set-OWAVirtualDirectory cmdlet and setting the
IRMEnabled parameter to $true (the default) or $false. Alternatively, you
can enable or disable IRM for an OWA mailbox
policy using the Set-OWAMailboxPolicy cmdlet and
setting the IRMEnabled parameter to $true (the default) or $false.
The following command enables IRM in OWA for an entire Exchange Server
2010 organization:
Set-IRMConfiguration -OWAEnabled $true
The following command disables IRM in OWA for the virtual directory
MyVirtualDirectory on Client Access server VAN-EX2:
Set-OWAVirtualDirectory -Identity VAN-EX2\MyVirtualDirectory -IRMEnabled $false
Note: The Set-IRMConfiguration cmdlet supports the OWAEnabled parameter,
whereas the Set-OWAVirtualDirectory and Set-OWAMailboxPolicy cmdlets support
the IRMEnabled parameter.
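Because IRM in OWA can be switched off at the organization, virtual directory, or mailbox policy level, a troubleshooting check needs to look at all three. The following EMS script is an added example (not from the original text) that reports each level and flags any scope where IRM is disabled; it assumes nothing about your virtual directory or policy names.

```powershell
# Added example (not from the original text). Run in the Exchange Management Shell.

# Organization level, set with Set-IRMConfiguration -OWAEnabled. Assumption: the
# setting appears as a property of Get-IRMConfiguration; the full dump lets you read
# it off without depending on its exact property name.
Write-Host '== Organization-wide IRM configuration =='
Get-IRMConfiguration | Format-List

# Virtual directory level: IRMEnabled on each OWA virtual directory (one per
# Client Access server), set with Set-OWAVirtualDirectory -IRMEnabled.
Write-Host '== OWA virtual directories =='
Get-OWAVirtualDirectory | Format-Table Server, Name, IRMEnabled -AutoSize

# Mailbox policy level: IRMEnabled on each OWA mailbox policy, set with
# Set-OWAMailboxPolicy -IRMEnabled.
Write-Host '== OWA mailbox policies =='
Get-OWAMailboxPolicy | Format-Table Name, IRMEnabled -AutoSize

# Flag every scope where IRM has been switched off so it can be checked against
# policy; a single disabled virtual directory or policy is enough to stop
# protected mail opening in OWA for the users it covers.
$offVdirs    = Get-OWAVirtualDirectory | Where-Object { -not $_.IRMEnabled }
$offPolicies = Get-OWAMailboxPolicy   | Where-Object { -not $_.IRMEnabled }
foreach ($v in $offVdirs) {
    Write-Warning "IRM disabled on OWA virtual directory $($v.Server)\$($v.Name)"
}
foreach ($p in $offPolicies) {
    Write-Warning "IRM disabled in OWA mailbox policy $($p.Name)"
}

# To re-enable IRM for one virtual directory identified above (mirrors the text's
# example on VAN-EX2, with the opposite value):
# Set-OWAVirtualDirectory -Identity 'VAN-EX2\MyVirtualDirectory' -IRMEnabled $true
```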