Tip

Information Rights Management protection in Exchange 2010 SP1

Ezine

This article can also be found in the Premium Editorial Download "Exchange Insider: Prepping BlackBerry Enterprise Server for Exchange 2010 SP1."


No matter what corporate policies are in place to prevent it, users will still send email messages containing sensitive information. It’s the administrator’s job to protect these messages. And although encryption technologies such as TLS and S/MIME can, to some degree, protect these messages, both technologies fall short of providing comprehensive message security.

Enter Exchange Server’s Information Rights Management (IRM) feature. IRM allows a sender to specify what the recipient can and cannot do with the message. For example, a sender might use IRM to prevent the recipient from forwarding or printing the message. Admins can also use IRM to prevent recipients from extracting message contents using copy and paste or the Windows snipping tool. You can configure IRM-protected messages with an expiration date after which the message can no longer be viewed.

With all of IRM’s unique security capabilities, it is no wonder that so many organizations use it to protect sensitive data. Of course, all of this protection comes at a price; IRM is useless unless the end user’s mail client supports it.

Outlook Web App and IRM aggravations
Microsoft Outlook has supported Information Rights Management since Outlook 2003. However, until Exchange Server 2010, Outlook Web Access (OWA) clients couldn’t use IRM. Even then, IRM support for Outlook Web App, as it’s called in this latest version of Exchange, still isn’t quite right.

Although Exchange 2010 allows OWA users to send and receive IRM-protected messages, the process collapses if a protected message contains an attachment. The user can’t view the attachment directly through the OWA interface; instead he has to download it and use the associated application to open it. Although this extra step probably isn’t a deal breaker for most organizations, it does mean that users who log onto OWA from a kiosk or a public computer still cannot access IRM-protected attachments.

Exchange Server 2010 SP1 alleviates this problem. If a user receives an IRM-protected message that also contains an attachment, he can view the attachment directly through the browser using Web-ready document viewing. 

SP1 was also designed to allow Exchange mobile device users connected via ActiveSync to send and receive IRM-protected messages without having to connect to Windows Mobile Device Center -- a previous requirement. Another improvement is that users aren’t forced into one particular browser. You can view IRM-protected documents via Internet Explorer, Firefox and Safari browsers (Figure 1).


Figure 1. You can view IRM-protected attachments directly through Outlook Web App.
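To confirm that the OWA and ActiveSync paths described above are actually enabled for IRM, the following read-only check can be run from the Exchange Management Shell. It is an added example, not part of the original article; it assumes Exchange 2010 SP1 and uses the standard Get-IRMConfiguration, Get-OwaVirtualDirectory, Get-OwaMailboxPolicy and Get-ActiveSyncMailboxPolicy cmdlets, and the helper name New-IrmRow is hypothetical.

```powershell
# Added example: read-only IRM audit for the client paths discussed in the article.
# Written for PowerShell 2.0, which is what the Exchange 2010 Management Shell uses.

# Hypothetical helper: builds one row of the report.
function New-IrmRow($Scope, $Name, $Setting, $Value) {
    New-Object PSObject -Property @{
        Scope   = $Scope
        Name    = [string]$Name
        Setting = $Setting
        Enabled = [bool]$Value
    }
}

$rows = @()

# Organization-wide switches. ClientAccessServerEnabled gates IRM on the
# Client Access servers, which serve both OWA and ActiveSync.
$irm = Get-IRMConfiguration
$rows += New-IrmRow 'Organization' '-' 'InternalLicensingEnabled'  $irm.InternalLicensingEnabled
$rows += New-IrmRow 'Organization' '-' 'ClientAccessServerEnabled' $irm.ClientAccessServerEnabled

# OWA virtual directories: IRM itself, plus Web-ready document viewing on
# public computers (the kiosk scenario the article mentions).
foreach ($vdir in Get-OwaVirtualDirectory) {
    $rows += New-IrmRow 'OWA virtual directory' $vdir.Identity 'IRMEnabled' $vdir.IRMEnabled
    $rows += New-IrmRow 'OWA virtual directory' $vdir.Identity `
        'WebReadyDocumentViewingOnPublicComputersEnabled' `
        $vdir.WebReadyDocumentViewingOnPublicComputersEnabled
}

# Per-user OWA mailbox policies can switch IRM off even when the virtual directory allows it.
foreach ($policy in Get-OwaMailboxPolicy) {
    $rows += New-IrmRow 'OWA mailbox policy' $policy.Identity 'IRMEnabled' $policy.IRMEnabled
}

# ActiveSync mailbox policies control IRM for mobile devices.
foreach ($policy in Get-ActiveSyncMailboxPolicy) {
    $rows += New-IrmRow 'ActiveSync policy' $policy.Identity 'IRMEnabled' $policy.IRMEnabled
}

# Full report, then only the settings that are currently off.
$rows | Select-Object Scope, Name, Setting, Enabled | Format-Table -AutoSize
$disabled = @($rows | Where-Object { -not $_.Enabled })
"{0} setting(s) currently disabled" -f $disabled.Count
$disabled | Select-Object Scope, Name, Setting | Format-Table -AutoSize
```

A setting reported as disabled is not necessarily a misconfiguration; the report only shows which layer is blocking IRM for a given client path.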

In spite of this, there are still several limitations related to sending and receiving email. For starters, Information Rights Management only supports specific types of attachments. It seamlessly supports files from Microsoft applications, including Word, Excel and PowerPoint documents and .xps files.

If a user attaches one of these types of documents to an IRM-protected message, the attachment is also IRM-protected. But when a user tries to send any other type of attachment, such as a .pdf file, he will receive a message informing him that the file cannot be protected.

Likewise, Exchange 2010 only offers Web-ready document viewing for these specific file types. If a user receives an unsupported attachment type, then he must save the attachment and open it with the corresponding application -- regardless of whether or not the attachment is IRM-protected.

This brings up an important point. Although IRM is used in Exchange Server 2010, it’s not limited to Exchange Server. Users can send documents that are IRM protected, without the message itself being IRM protected. 

Generally, when a user adds an attachment to an IRM-protected email message, the attachment -- if it’s a supported file type -- also becomes IRM-protected. If a user attaches an IRM-protected document to an IRM-protected email, however, the attachment’s original IRM protection is retained. Exchange will not attempt to overwrite Information Rights Management protection.

ABOUT THE AUTHOR
Brien M. Posey, MCSE, is a seven-time Microsoft MVP for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. For more information visit www.brienposey.com.

This was first published in January 2011
