Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Exchange Server 2010 : Managing Transport Rules (part 4) - Using Transport Protection Rules

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
5/7/2011 10:22:46 AM

6. Using Transport Protection Rules

Email messages and attachments typically contain business critical information, including personally identifiable information (PII), such as contact details, credit card numbers, and employee records. Industry-specific and local regulations govern the collection, storage, and disclosure of PII. Organizations create messaging policies that provide guidelines about how to handle sensitive information. In Exchange Server 2010, transport protection rules implement messaging policies by inspecting message content, encrypting sensitive email content, and using rights management to control access. Transport protection rules are transport rules that apply an AD RMS rights policy template to protect messages through the IRM.

Exchange Server 2010 ships with the Do Not Forward template. When this template is applied to a message, only the recipients addressed in the message can decrypt it. These recipients cannot forward the message to anyone else, copy content from the message, or print the message. Additional RMS templates can be created using your organization’s AD RMS server to meet your rights protection requirements.


6.1. Creating a Transport Protection Rule

You can use transport protection rules to apply persistent rights protection to messages based on message properties such as sender, recipient, message subject, and content. You can use either the EMC or the EMS to create a transport protection rule. To use the EMC, carry out the following procedure:

  1. Open the EMC and expand the tree on the Console pane.

  2. Under Organization Configuration, click Hub Transport.

  3. Click New Transport Rule on the Actions pane. This opens the New Transport Rule Wizard.

  4. On the Introduction page, provide a name and, optionally, a comment. If you do not want the new rule to be enabled automatically when it is created, clear the Enabled check box.

  5. Click Next. On the Conditions page, shown in Figure 9, complete the following fields:

    • In the Step 1. Select Condition(s) box, select all the conditions that you want to apply to this rule. Note that if you do not select any conditions, all messages handled by Hub Transport servers are IRM protected. In a production environment, this can lead to a considerable resource requirement.

    • If you selected conditions in the Step 1. Select Condition(s) box, click each blue underlined word in the Step 2. Edit The Rule Description By Clicking An Underlined Value box.

    Figure 9. The Conditions page


  6. When you click a blue underlined word, a window opens, as shown in Figure 10, to prompt you for the values to apply to the condition. Select the values that you want to apply or type the values manually. If the window requires that you manually add values to a list, type a value and then click Add. Repeat this process until you have entered all the values and then click OK to close the window.

  7. Repeat the previous step for each condition that you selected. After you configure all the conditions, click Next on the Conditions page.

  8. On the Actions page, shown in Figure 11, complete the following fields:

    • In the Step 1. Select Actions box, select the Rights Protect Message With RMS Template check box.

    • In the Step 2: Edit The Rule Description By Clicking An Underlined Value box, click the underlined words RMS Template.

  9. In the Select RMS Template dialog box, select an available RMS template and then click OK.

    Figure 10. Applying values to a condition


    Figure 11. The Actions page


  10. Click Next. Optionally, on the Exceptions page, select an exception you want to use and specify the appropriate value as required.

  11. Click Next. On the Create Rule page, review the Configuration Summary. Make sure that the RMS template selected is the one you intend to use.

  12. Click New to create the transport rule.

  13. On the Completion page, if the status is Failed, click Back and review your settings. Otherwise, the status is Completed, in which case click Finish to close the wizard.

You can also use the EMS to create a transport protection rule. The following command creates the transport protection rule Protect-Confidential. The rule IRM-protects messages that contain the word “Confidential” in the Subject field using the Do Not Forward template:

New-TransportRule -Name "Protect-Confidential" -SubjectContainsWords "Confidential"
-ApplyRightsProtectionTemplate "Do Not Forward"

6.2. Protecting Outlook and OWA Messages

Outlook and OWA users can apply IRM protection to messages by applying an AD RMS rights policy template. However, this gives users the option of sending messages in clear text without IRM protection. In organizations that use email as a hosted service, information leakage can occur as a message leaves the client and is routed and stored outside the boundaries of the organization. Email hosting companies might have well-defined procedures and checks to help mitigate the risk of information leakage, but an organization loses control of the information after a message leaves its boundary. Outlook protection rules can help protect against this type of information leakage.

Outlook protection rules help an organization protect against the risk of information leakage by automatically applying IRM protection to messages. In Outlook 2010, messages are IRM-protected before they leave the Outlook client. This protection is also applied to any attachments using supported file formats. When you create Outlook protection rules on an Exchange Server 2010 server, these rules are automatically distributed to Outlook 2010 by Exchange Web services. Outlook 2010 can then apply the rule, provided that the AD RMS rights policy template is available on client computers.

Outlook protection rules are applied in Outlook 2010 before the message leaves the user’s computer. Messages protected by an Outlook protection rule enter the transport pipeline with IRM protection already applied and are saved in an encrypted format in the Sent Items folder of the sender’s mailbox.

If you use transport protection rules, users have no indication of whether a message will be automatically protected on the Hub Transport server. When, on the other hand, an Outlook protection rule is applied to a message in Outlook 2010, users know whether a message will be IRM protected. If required, users can also select a different rights policy template.

You can use the EMS but not the EMC to create an Outlook protection rule. For example, the following command creates the Outlook protection rule MyProject. This rule protects messages sent to the TechnicalAuthors distribution group with the AD RMS template Do Not Forward:

New-OutlookProtectionRule -Name "MyProject" -SentTo "TechnicalAuthors"
-ApplyRightsProtectionTemplate "Do Not Forward"

You can specify whether the user can override the rule, either by removing IRM protection or by applying a different AD RMS rights policy template. If a user overrides the IRM protection applied by an Outlook protection rule, Outlook 2010 inserts the X-MS-Outlook-Client-Rule-Overridden header in the message. This allows an administrator to discover that the user overrode a rule.

You can use the Get-OutlookProtectionRule EMS cmdlet to obtain the configuration of an existing Outlook protection rule and the Set-OutlookProtectionRule EMS cmdlet to change that configuration. You can also use the EMS Remove-OutlookProtectionRule cmdlet to remove an Outlook protection rule. For example, the following command removes the MyProject Outlook protection rule:

Remove-OutlookProtectionRule -Identity "MyProject"

6.3. Enabling or Disabling IRM in OWA

If you enable IRM in OWA in your organization, OWA users can IRM-protect messages by applying an AD RMS template created on your AD RMS cluster. This also enables OWA users to view IRM-protected messages. Note that before you enable IRM in OWA, you must add the Federated Delivery mailbox to the super users group on the AD RMS cluster, as described earlier in this lesson.

You can use commands based on the Set-IRMConfiguration EMS cmdlet to enable or disable IRM in OWA for your entire Exchange Server 2010 organization. You can also control IRM in OWA at the following levels:

  • Per-OWA virtual directory To enable or disable IRM for an OWA virtual directory, use the Set-OWAVirtualDirectory cmdlet and set the IRMEnabled parameter to $true (the default) or $false. This allows you to disable IRM for one OWA virtual directory on a Client Access server while keeping it enabled on another virtual directory on a different Client Access server.

  • Per-OWA mailbox policy To enable or disable IRM for an OWA mailbox policy, use the Set-OWAMailboxPolicy cmdlet and set the IRMEnabled parameter to $true (the default) or $false. This allows you to enable IRM in OWA for one set of users and disable it for other users by assigning them a different OWA mailbox policy.

You can use the EMS but not the EMC to enable or disable IRM in OWA. The following command enables IRM in OWA for an entire Exchange Server 2010 organization:

Set-IRMConfiguration -OWAEnabled $true

The following command disables IRM in OWA for the virtual directory MyVirtualDirectory on Client Access server VAN-EX1:

Set-OWAVirtualDirectory -Identity VAN-EX1\MyVirtualDirectory -IRMEnabled $false				  


Note:

Note that the Set-IRMConfiguration cmdlet supports the OWAEnabled parameter, whereas the Set-OWAVirtualDirectory and Set-OWAMailboxPolicy cmdlets support the IRMEnabled parameter.

Other -----------------
- Exchange Server 2010 : Managing Transport Rules (part 3) - Configuring Disclaimers, Rights Protection & IRM
- SharePoint 2010 PerformancePoint Services : Securing a PerformancePoint Installation - Create SPNs for the Farm and Data Sources
- SharePoint 2010 PerformancePoint Services : Securing a PerformancePoint Installation - Configuring Per-User Authentication with Kerberos
- SharePoint 2010 PerformancePoint Services : Securing a PerformancePoint Installation - Securing a Deployment with TLS
- BizTalk 2010 Recipes : Deployment - Enlisting and Starting Send Ports
- BizTalk 2010 Recipes : Deployment - Deploying a BizTalk Solution from Visual Studio
- BizTalk 2010 Recipes : Deployment - Manually Deploying Updates
- Exchange Server 2010 : Configuring Federated Sharing (part 2) - Assigning the Federated Sharing Role
- Exchange Server 2010 : Configuring Federated Sharing (part 1) - Implementing Federated Sharing
- Exchange Server 2010 : Role Based Access Control
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server