How to protect the security of important documents in a domain environment (II): IRM & RMS (I)

Source: Internet
Author: User

Hi, everyone. After reading the previous two articles about the use, deployment, and maintenance of EFS in a domain environment, did you get some inspiration and help for reinforcing the security of your company's important documents? As I mentioned at the end of the last article, EFS, as a system feature with a long history, has gradually faded out of everyone's view and consideration, and it cannot meet the functional requirements of some IT pro friends. Take that friend's post on the forum (http://bbs.51cto.com/thread-604202-1.html), in which he described the effect he wanted to achieve: "Encrypted files can only be opened inside the domain and cannot be opened once they leave the company, unless you have a certificate or something!"...

EFS cannot do this. So what mainstream technical solutions and measures does Microsoft provide?

Before introducing the main character of this article, I would like to first ask you: what office software do you use most to process documents at work?

There is no doubt that it is the Microsoft Office system! From Office XP and Office 2003 to Office 2007, and even the beta version of Office 2010, we have become accustomed to using Word to write work documents, Excel to collect statistics and make reports, PowerPoint to create slides, Outlook to send and receive email, and so on.

So what measures do you usually use to protect the security of these office documents?

Some people will say that you can encrypt the document by setting a password. Everyone on Earth knows this.

Well, that's right. Let's take a look at how to encrypt Office documents.

Taking Microsoft Office Word 2007 as an example:

Click the Office button, select "Prepare" in the pop-up menu, and then select "Encrypt Document".

A dialog box will pop up asking you to enter the password.

You can enter a password with a maximum of 255 characters.

What you cannot see is that, in the background, it uses the Advanced Encryption Standard (AES) with a 128-bit key.

Here, use a complex password that combines uppercase and lowercase letters, numbers, and symbols, with a length of at least 8 characters.

Once entered, you will be asked to confirm it again.

After the encryption is complete, any user who wants to view the file must enter the password.

OK, it is very simple and practical, but this measure still has the following problems:

1. It has nothing to do with the domain environment, and every time you want to protect a document, you must set a password separately. If the user forgets the password, it can cause a lot of trouble. Microsoft also solemnly warns about this in the dialog above.

2. Due to the great popularity of Office products, there are many tools on the Internet for cracking this encryption. I have tested some of them, and some of them are indeed effective.

3. It still fails to achieve the expected result. The file can be transferred (by copying, by mail, or by other methods) to another machine, and someone can even try various cracking tools on it at home.

Okay,

Information Rights Management (IRM)!

Let's take a look at what IRM can do.

IRM allows you to set permissions per document and per user or group (in combination with the Active Directory environment). Compared with EFS encryption and Office document encryption, the real value of this function is that you can allow others to view a document but not allow them to perform the following operations:

◆ Copy a file or any part of it
◆ Save files to their hard disk or other media
◆ Edit files
◆ Print files
◆ Forward mail
◆ Fax the content
◆ Cut or paste the content
◆ Use the Print Screen key to capture the content as an image

In addition, file expiration is also supported; that is, the user cannot view the file content after a specified period of time.

To borrow the 3G advertisement: wo...

Very good and powerful. Please try it now.

To use IRM in Office 2007, you must first install the Windows Rights Management Services (RMS) Service Pack 1 (SP1) client on your computer.

On the Vista operating system, the client software is installed by default. On XP, we need to install it ourselves. I will not post the download address for the client here. (Why? ... LR, you can't send the link out, so we don't need to search it)

Well, it's not laziness on my part. Let's open Word 2007 (on the XP operating system) and check it out.

The entry to use is located below "Encrypt Document". Click "Manage Credentials".

You can click "Yes" to start the download automatically, provided that the computer is connected to the Internet.

It is only 2.31 MB, not very large...

Note: If you are using an ordinary domain user account, you must make sure that it has permission to install software.

The installation process is omitted. Just click Next several times to complete the installation.

Let's go back and select "Restrict access".

A dialog showing the connection to the authorization server appeared briefly. It flashed by so quickly that I did not manage to capture it...

Then...

The detailed text description is displayed.

Yes. It turns out to be a free trial service provided by Microsoft, and a Windows Live ID is required before this service can be used.

Select "Yes" and go to the next step.

Those who have not registered a Live ID yet can register one here... (with the rise of MSN, there are probably few such people...)

I already have one. Next step.

The Service has a validity period of six months...

I accept... continue.

Connecting to the account certificate service; this process is also very fast. Fortunately, I captured the screenshot this time...

You can use this service on up to 25 PCs...

Now you can start granting permissions. You can enter the email address of the user you want to authorize or select the user from Active Directory.

Click "Other Options" to view the details.

(Well, I forgot to mask the ID. Oh, it's okay. This is also my MSN account. If you have any questions about Windows Server, you can add me and discuss them with me.)

Go back to the previous page and select who will be granted the permission...

Here I choose to search for users in Active Directory.

I chose to authorize cto, a user who appears frequently in this series.

Click OK and you will find that what is actually filled in is the user's email address.

Note: I have not set up Exchange in the lab environment, so I entered an external email address here.

Later, we will need to build our own Exchange server.

If you have not set an email address for the user, it will look as follows:

The basic IRM settings mentioned above are all available here.

You can select the expiration time for the user's authorization.

Only the permission granted to the user expires; the document itself does not become unavailable or get deleted. Do not be afraid.

You can also authorize printing.

You can set whether users with read permission can copy content in the document.

......

After setting the authorization items, you will see the words "Restrict access".
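
The same grant (read-only access that expires, with printing and copying left blocked) can also be scripted through the Office object model instead of the dialogs. This is an added example, not part of the original article: the file path and user address are constructed, and it assumes Word with the RMS client installed and the current user's IRM credentials already obtained as in the steps above.

```powershell
# Added example: grant read-only IRM access with an expiry via Word's COM object model.
# Assumptions: Word 2007 or later, RMS client installed, IRM credentials already obtained.
$docPath   = 'C:\Docs\report.docx'    # constructed path
$userId    = 'cto@example.com'        # constructed address of the user to authorize
$expiresOn = (Get-Date).AddDays(30)   # only the grant expires, the document remains

# MsoPermission flag values from the Office object model (Extract = copy content)
$Read = 1; $Extract = 8; $Print = 16; $Full = 64

$word = New-Object -ComObject Word.Application
$word.Visible = $false
try {
    $doc  = $word.Documents.Open($docPath)
    $perm = $doc.Permission
    $perm.Enabled = $true             # turn on restricted access for this document

    # Read only: leaving out $Print and $Extract keeps printing and copying blocked.
    # Pass ($Read -bor $Print) instead to allow printing as well.
    $null = $perm.Add($userId, $Read, $expiresOn)

    # Report every grant on the document so the result can be reviewed.
    for ($i = 1; $i -le $perm.Count; $i++) {
        $grant = $perm.Item($i)
        [pscustomobject]@{
            User     = $grant.UserId
            Rights   = $grant.Permission
            CanPrint = [bool]($grant.Permission -band ($Print -bor $Full))
            CanCopy  = [bool]($grant.Permission -band ($Extract -bor $Full))
            Expires  = $grant.ExpirationDate
        }
    }
    $doc.Save()
    $doc.Close()
}
finally {
    $word.Quit()
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($word)
}
```

The listing at the end gives a quick way to audit who holds which rights on a protected document, including the owner's full-control entry.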

On another computer (running Windows Server 2003), we can open this Word file that has been configured with permissions.

Double-click to open it.

You will be prompted to install the RMS client.

After the client is installed, you are required to obtain credentials for the IRM service.

Use the Live ID of cto.

The system prompts that permissions have been set on this document and that you need to connect to the Microsoft license server to download the permission.

After passing the Live ID verification, you can view the document content.

It cannot be modified. Editing is restricted.

Content cannot be copied or cut; this is restricted as well (the buttons are grayed out and unavailable).

Printing is not possible either; it is restricted (the button is grayed out and unavailable).

However, in the end you can contact the person who set the permissions by email to request that the permissions be relaxed.

Alternatively, the person who set the permissions can directly modify the user's permissions on the document.

When you click "Request additional permissions", Outlook is launched automatically...

Summary:

Through the demonstration in this article, we can see that IRM achieves impressive permission management for Office documents. Its overall security is an improvement over EFS, Office document encryption, and other methods. The trouble is that the client must be connected to the Internet and use a Live ID to contact Microsoft's license server, and the free service still has a time limit.

So are we unable to make use of such a good thing?

Oh, of course not. In fact, we can set up an RMS server on the internal network to replace Microsoft's authentication server on the public network.

In the next article, let's learn how to use RMS to manage information permissions of Office documents.

Reprinted: http://mrfly.blog.51cto.com/151750/192629
