Secure SharePoint documents with Active Directory Rights Management Services

Vuong Le Phong
dtlpub
May 10, 2017

Last year I worked on a government agency project as a solutions architect. The project included Microsoft Dynamics CRM 2015, SharePoint 2013, Active Directory Federation Services 3.0, Office Web Apps 2013 and RealMe authentication.

The system that we were building contained sensitive information, so it was crucial that data be protected from unauthorised access, whether intentional or unintentional. Many of our users access the system from outside their corporate network: some work from home, and others may access the system from unsecured locations, e.g. internet cafés. It’s important that documents hosted by SharePoint 2013 are protected from unauthorised access.

It’s worth mentioning at this point that the system is primarily accessed from web browsers. Depending on the browser settings, clicking on a document hyperlink may download the document to the default download folder on the device. Once the document is downloaded, it can be opened by anyone who has access to the download folder. Thus there is a high chance that our users could leak the data from our secured system to unsecured locations such as home laptops or even worse, an internet café desktop.

To tackle this, Active Directory Rights Management Services (AD RMS) was proposed and implemented.

What is AD RMS?

AD RMS is a feature of Windows Server which allows us to specify access permissions to documents through Information Rights Management (IRM) policies. This helps prevent sensitive information from being printed, forwarded, or copied by unauthorised persons. After a file’s permissions have been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the permission to a file is stored in the document file itself. More importantly, it is free with a Windows Server licence.

How does it work?

The following TechNet article explains in detail how AD RMS protects and consumes documents.

https://blogs.technet.microsoft.com/enterprisemobility/2012/04/16/licenses-and-certificates-and-how-ad-rms-protects-and-consumes-documents/

At a high level, AD RMS works along with RMS-enabled applications to allow users to create and consume protected content. Protection works by encrypting a document, creating a policy and stamping it all together, along with a certificate identifying the author and some other information, in a single file. Consumption works by using the user’s identity certificate and the policy stamped in the document to request from the AD RMS server a license to decrypt it and use it.

In our case, SharePoint 2013 requests AD RMS to protect a document with encryption before returning it to the user. When the document is opened with an RMS-enabled application, a request will be sent to AD RMS. AD RMS will ask the user for their credentials before decrypting the document.

Installation and Configuration

It’s relatively easy to install and configure AD RMS so I’m not going to show how to do it here.

Once AD RMS is installed and configured, you just need to go to the SharePoint Central Admin and tell SharePoint to start using AD RMS.

Once this is done, the Information Rights Management option will be available in the Document Library settings.

Azure Rights Management Services

You could use Azure Rights Management Services to protect your SharePoint on-premises and SharePoint Online. To use Azure Rights Management Services, you will need the Azure Information Protection plan. More information can be found here: https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms

Caveats

There are a few caveats when working with AD RMS.

  1. AD RMS protects only Office documents, XPS and PDF files. If you want to protect other document types, you need to extend AD RMS protection using the AD RMS Software Development Kit (SDK).
  2. AD RMS only works with RMS-enabled applications, e.g. you cannot open a protected Word document using the OpenOffice application.
  3. Office Web Apps only offers read-only capability for IRM protected Office documents in SharePoint. IRM protection precludes Office Web Apps from allowing editing of IRM protected documents.
  4. Documents that have any IRM permissions modification or protection added from the client application (i.e. Word, PowerPoint, Excel) and then uploaded to SharePoint cannot be opened by Office Web Apps.
  5. As we used AD FS, the client registry must be updated so that the client can find the local federation server. For example, we have to set the FederationHomeRealm value under [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC\Federation] to "http://<adfs_server>/adfs/services/trust".
  6. Co-authoring no longer works with Office documents protected by Information Rights Management.
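
Caveat 5 as a client-side check, added here as an example and not part of the original post: the script reads the FederationHomeRealm value at the path quoted above, reports whether it matches the expected realm, and writes it only when -Fix is given. The host name adfs.example.test, the parameter names and the helper Get-HomeRealm are assumptions for illustration.

```powershell
# Added example: audit (and optionally correct) the MSIPC federation home
# realm on a client. Key path and value name are the ones quoted in caveat 5.
# 'adfs.example.test' is a placeholder; substitute your own federation server.
[CmdletBinding()]
param(
    [string]$ExpectedRealm = 'http://adfs.example.test/adfs/services/trust',
    [switch]$Fix
)

$keyPath   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC\Federation'
$valueName = 'FederationHomeRealm'

function Get-HomeRealm {
    # Returns the current value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$valueName } else { $null }
}

$before = Get-HomeRealm

# Classify the state. A 'Mismatch' is worth a second look before overwriting:
# it means the client is being pointed at a different federation server.
$state = 'Mismatch'
if ($null -eq $before)          { $state = 'Missing' }
if ($before -eq $ExpectedRealm) { $state = 'Compliant' }

if ($Fix -and $state -ne 'Compliant') {
    # Writing under HKLM requires an elevated session.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $ExpectedRealm -Type String
}

$after = Get-HomeRealm

# One object per machine, so results can be collected and exported centrally.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    InitialState  = $state
    PreviousValue = $before
    CurrentValue  = $after
    Compliant     = ($after -eq $ExpectedRealm)
}
```

Run without -Fix first to collect the current values; the output object pipes cleanly into Export-Csv for a fleet-wide report.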

If you’re looking to implement secure document sharing with SharePoint or Office 365, it pays to know the potential pitfalls ahead of time to ensure your solution is water-tight. Drop us a line to see if AD RMS is right for you.

That’s it for now.

www.digitaltransformation.co.nz
