File Classification Infrastructure (FCI) is a built-in feature of Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 that helps IT admins manage their organization's data on file servers by providing automatic classification processes. Using rules built from regular expressions, PowerShell, and/or .NET or native modules, FCI can identify sensitive files and perform actions such as encrypting Microsoft Office documents with Rights Management Services (RMS), expiring files that have passed a defined date limit, or other custom actions (defined through a script/program). FCI provides an extensible infrastructure that enables organizations to construct rich end-to-end classification solutions built upon Windows. For more information on FCI please check this blog post.
By default, FCI's built-in tasks can only encrypt Microsoft Office documents with Rights Management Services (RMS). By using a custom FCI task and the Rights Management (Microsoft.Protection) cmdlets, IT admins can apply RMS protection to any file in a file share. Once the files are protected, only authorized users will be able to access them, even if they are copied to another location.
Install the Microsoft.Protection PowerShell Cmdlets
- Install the AD RMS Client. This can be done using PowerShell with the following commands:
> Invoke-WebRequest http://download.microsoft.com/download/3/C/F/3CF781F5-7D29-4035-9265-C34FF2369FA2/setup_msipc_x64.exe -OutFile setup_msipc_x64.exe
> .\setup_msipc_x64.exe /quiet
- Download the Microsoft.Protection PowerShell cmdlets (available in CTP through Microsoft Connect; nonetheless, fully supported in production environments):
- Navigate to Microsoft Connect and sign in with your Microsoft Account.
- Register with the Rights Management project for the Microsoft.Protection PowerShell cmdlets (if you have already done this, please skip to step C). Search on the front page of Microsoft Connect for Rights Management Services. The appropriate program to 'join' is "Rights Management Services SDK".
- Download the Microsoft.Protection PowerShell cmdlets from HERE.
- Unzip the Microsoft.Protection zip file and run the following commands as an administrator (in the newly unzipped folder):
> Set-ExecutionPolicy Unrestricted -Force
> Get-ChildItem | Foreach-Object { Remove-Item $_.Name -Stream Zone.Identifier -ErrorAction Ignore }
> .\Install.ps1
- Add the necessary registry keys and values to allow non-Office files to be encrypted by the Microsoft.Protection cmdlets. This can be done automatically with the following PowerShell commands:
> New-Item -Path HKLM:\Software\Microsoft\MSIPC\FileProtection\*
> New-ItemProperty -Path HKLM:\Software\Microsoft\MSIPC\FileProtection\* -Name Encryption -PropertyType String -Value Pfile
- Reboot your server before continuing on.
Configure the Microsoft.Protection Cmdlets to be used with Azure RMS
The Microsoft.Protection cmdlets can be used with either the on-prem version of RMS or with Azure RMS. If you intend to use FCI with the on-prem version of RMS, you may skip this section. To enable Azure RMS, do the following steps:
- Enable Azure Rights Management Service:
- Download the Microsoft Online Services Sign-In Assistant from here.
> Invoke-WebRequest http://download.microsoft.com/download/C/1/7/C17BEB52-BB8A-4C7F-86F3-AAF17BB3682A/msoidcli_64.msi -OutFile msoidcli_64.msi
> .\msoidcli_64.msi /quiet
- Download and install the Azure Rights Management Administration Tool from here.
> Invoke-WebRequest http://download.microsoft.com/download/1/6/6/166A2668-2FA6-4C8C-BBC5-93409D47B339/WindowsAzureADRightsManagementAdministration_x64.exe -OutFile WindowsAzureADRightsManagementAdministration_x64.exe
> .\WindowsAzureADRightsManagementAdministration_x64.exe /quiet
- Import the Azure RMS module by using the following cmdlet:
> Import-Module AADRM
- Connect to the service with your administrator credentials (will prompt for credentials):
> Connect-AadrmService -Verbose
- Enable Azure RMS in your organization:
> Enable-Aadrm
- Capture the AADRM Configuration:
> $AadrmConfig = Get-AadrmConfiguration
- Services need to use service principals (also known as service identities), a type of credential that is configured globally for access control. Service principals allow your service to authenticate directly with Microsoft Azure AD and to protect information using the Microsoft Azure AD Rights Management Service. To create a service principal:
- Install the Microsoft Azure AD Module for Windows PowerShell from here.
> Invoke-WebRequest http://go.microsoft.com/fwlink/p/?linkid=236297 -OutFile AdministrationConfig-en.msi
> .\AdministrationConfig-en.msi /quiet
- Import the Microsoft Azure AD module using the following cmdlet:
> Import-Module MSOnline
- Connect to your online service with your administrator credentials (will prompt for credentials):
> Connect-MsolService
- Create a new service principal by running:
> $ServicePrincipal = New-MsolServicePrincipal -DisplayName ExampleServicePrincipal
- Make note of the symmetric key that is written to the window. We will need it going forward, and the symmetric key is only shown when the service principal is created.
- Configure the Microsoft.Protection cmdlets to work with Azure RMS:
> Set-RmsServerAuthentication -Key <PASTE SYMMETRIC KEY HERE> -AppPrincipalId $ServicePrincipal.AppPrincipalId -BposTenantId $AadrmConfig.BPOSId
FCI Integration with the Microsoft.Protection Cmdlets
To protect non-Office files with RMS, we need to create a PowerShell script that uses the Microsoft.Protection cmdlets. Here is a working sample script that encrypts non-Office documents. You may wish to modify it to perform more advanced functions (such as emailing the owner to notify them that their file was encrypted):
# Parameters to set in the File Management Task in File Server Resource Manager
param([string]$FileToEncrypt, [string]$RmsTemplate="", [string]$RmsServer="", [string]$OwnerEmail)

#
# Main Routine Begin
#
Add-PSSnapin Microsoft.Protection

# Double check $RmsServer matches an existing server.
# An unhandled throw ends the script with a non-zero exit code, so FSRM records the task as failed.
if ($RmsServer.Trim() -ne "") {
    $count = (Get-RMSServer | Where-Object { $_.DisplayName -eq $RmsServer.Trim() }).Count
    if ($count -ne 1) {
        throw [System.ArgumentException] "RmsServer does not match any visible RMS Servers"
    }
}

# Lookup RMS Template ID
if ($RmsTemplate.Trim() -ne "") {
    if ($RmsServer.Trim() -ne "") {
        $template = (Get-RMSTemplate -RmsServer $RmsServer.Trim() | Where-Object { $_.Name -eq $RmsTemplate.Trim() })
    } else {
        $template = (Get-RMSTemplate | Where-Object { $_.Name -eq $RmsTemplate.Trim() })
    }
    if ($template -ne $null) {
        $RmsTemplateId = $template.TemplateId
    } else {
        throw [System.ArgumentException] "The RmsTemplate provided does not match any visible RMS Templates"
    }
} else {
    throw [System.ArgumentException] "The RmsTemplate provided is empty"
}

# Do not attempt to reencrypt files that are already protected
if ($FileToEncrypt -like "*.pfile") {
    exit 0
}

$EncryptedFile = ""
try {
    # Encrypt file
    $out = Protect-RMSFile -File $FileToEncrypt -TemplateID $RmsTemplateId -OwnerEmail $OwnerEmail
    $EncryptedFile = $out.EncryptedFile
} catch {
    $ExceptionMessage = "Encryption of " + $FileToEncrypt + " failed."
    throw [System.Exception] $ExceptionMessage
}
exit 0
Copy the above script to a new file called C:\Windows\System32\FciRmsFileProtection.ps1.
The following PowerShell commands create a custom file management task that uses this script to RMS-encrypt a file whenever the file is classified as HBI. You may also create a custom file management task from the FSRM GUI. Replace the RMS template with one that matches a template in your organization (see Get-RMSTemplate below for how to find one):
$Command = "C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe"
$CommandParameters = "C:\Windows\System32\FciRmsFileProtection.ps1 -FileToEncrypt [Source File Path] -RmsTemplate 'Contoso All - All Rights' -OwnerEmail [Source File Owner Email]"
$Action = New-FSRMFmjAction -Type Custom -Command $Command -CommandParameters $CommandParameters -SecurityLevel LocalSystem -WorkingDirectory "C:\Windows\System32\WindowsPowerShell\v1.0\"
$Condition = New-FsrmFmjCondition -Property "Impact_MS" -Condition Equal -Value 3000
$Schedule = New-FsrmScheduledTask -Time (Get-Date) -Weekly Sunday
New-FsrmFileManagementJob -Name "Test RMS Encrypt" -Namespace "C:\Shares" -Action $Action -Condition $Condition -Schedule $Schedule -Continuous
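Once the job is in place, a defender wants to know whether it is actually keeping up: an HBI file that is still unprotected means the task failed or the classifier ran after the last job pass. The following audit script is an added example, not part of the original post or the Microsoft.Protection cmdlets; it assumes the Fsrm.FsrmClassificationManager COM object is registered on the file server, that Get-RMSFileStatus is available from the snap-in, and uses a hypothetical event source name FciRmsAudit.

```powershell
# Added audit example (not from the original post). Walks the FSRM namespace, picks
# out files the classifier marked HBI (Impact_MS = 3000, the same condition the file
# management job uses) and reports any that RMS still shows as unprotected, writing
# the result to the Application event log so a stalled or failing task is visible.
# Assumptions: Fsrm.FsrmClassificationManager COM object, Get-RMSFileStatus cmdlet,
# and the event source name 'FciRmsAudit' (hypothetical).
param(
    [string]$Namespace   = "C:\Shares",
    [string]$EventSource = "FciRmsAudit"
)

Add-PSSnapin Microsoft.Protection -ErrorAction Stop
$classifier = New-Object -ComObject Fsrm.FsrmClassificationManager

# Register the event source once so Write-EventLog can use it.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

$hbiTotal    = 0
$unprotected = @()
$errors      = @()

Get-ChildItem -Path $Namespace -Recurse -File | ForEach-Object {
    $path = $_.FullName
    try {
        # Read the classification properties FSRM stored for this file.
        $impact = $classifier.EnumFileProperties($path, 0) |
                  Where-Object { $_.Name -eq "Impact_MS" } |
                  Select-Object -First 1
        if ($impact -eq $null -or $impact.Value -ne "3000") { return }  # not HBI, skip
        $hbiTotal++
        # Get-RMSFileStatus reports Protected/Unprotected for any file type.
        if ((Get-RMSFileStatus -File $path).Status -ne "Protected") {
            $unprotected += $path
        }
    } catch {
        $errors += "$path : $($_.Exception.Message)"
    }
}

$summary   = "RMS audit of $Namespace - HBI files: $hbiTotal, unprotected: $($unprotected.Count), errors: $($errors.Count)"
$entryType = if ($unprotected.Count -gt 0 -or $errors.Count -gt 0) { "Warning" } else { "Information" }
$detail    = ($unprotected + $errors) -join "`n"
Write-EventLog -LogName Application -Source $EventSource -EventId 1001 -EntryType $entryType -Message "$summary`n$detail"
$summary
```

Scheduling this as a separate FSRM report or scheduled task and alerting on Warning entries from the event source gives you a detection for HBI data that slipped past the encryption job.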
Learn more about the Microsoft.Protection Cmdlets
- To get the RMS server name to be used, run this command:
Name: Get-RMSServer
Synopsis: Returns the list of all AD RMS servers that can issue templates for the user.
Syntax: Get-RMSServer [<CommonParameters>]
Description: The Get-RMSServer cmdlet returns a list of all AD RMS servers that can issue templates for the current user.
- To get the RMS template GUID to be used, run this command:
Name: Get-RMSTemplate
Synopsis: Returns a list of AD RMS templates.
Syntax: Get-RMSTemplate [-Force] [-RMSServer <String>] [<CommonParameters>]
Description: The Get-RMSTemplate cmdlet returns a list of templates.
- To protect a file:
Name: Protect-RMSFile
Synopsis: Protects the specified file, or the files in the specified folder, using RMS encryption.
Syntax: Protect-RMSFile -File <String> [-DoNotPersistEncryptionKey] [-OutputFolder <String>] [-TemplateId <String>] [<CommonParameters>]
Description: The Protect-RMSFile cmdlet protects and encrypts a specified file, or the files in a specified folder, if they were previously unprotected. The Protect-RMSFile cmdlet runs in the following modes:
- Encrypt a file and leave the encrypted file in the default location.
- Encrypt a file and let the encrypted file be placed at a new location.
- Encrypt a folder. All files inside the folder will be encrypted.
RMS Protected Files on Non-Windows Machines
Files protected by the cmdlets are accessible to users on all platforms (Android, iOS, Mac, Windows Phone, and Windows) using the RMS sharing apps.