No matter what corporate policies are in place to prevent it, users will still send email messages containing sensitive information. It’s the administrator’s job to protect these messages. And although encryption technologies such as TLS and S/MIME can, to some degree, protect these messages, both technologies fall short of providing comprehensive message security.
Enter Exchange Server’s Information Rights Management (IRM) feature. IRM allows a sender to specify what the recipient can and cannot do with the message. For example, a sender might use IRM to prevent the recipient from forwarding or printing the message. Admins can also use IRM to prevent recipients from extracting message contents using copy and paste or the Windows snipping tool. You can configure IRM-protected messages with an expiration date after which the message can no longer be viewed.
With all of IRM’s unique security capabilities, it is no wonder that so many organizations use it to protect sensitive data. Of course, all of this protection comes at a price; IRM is useless unless the end user’s mail client supports it.
Outlook Web App and IRM aggravations
Microsoft Outlook has supported Information Rights Management since Outlook 2003. However, until Exchange Server 2010, Outlook Web Access (OWA) clients couldn’t use IRM. Even then, IRM support for Outlook Web App, as it’s called in this latest version of Exchange, still isn’t quite right.
Although Exchange 2010 allows OWA users to send and receive IRM-protected messages, the process collapses if a protected message contains an attachment. The user can’t view the attachment directly through the OWA interface; instead he has to download it and use the associated application to open it. Although this extra step probably isn’t a deal breaker for most organizations, it does mean that users who log onto OWA from a kiosk or a public computer still cannot access IRM-protected attachments.
Exchange Server 2010 SP1 alleviates this problem. If a user receives an IRM-protected message that also contains an attachment, he can view the attachment directly through the browser using Web-ready document viewing.
SP1 was also designed to allow Exchange mobile device users connected via ActiveSync to send and receive IRM-protected messages without having to connect to Windows Mobile Device Center -- a previous requirement. Another improvement is that users aren’t forced into one particular browser. You can view IRM-protected documents via Internet Explorer, Firefox and Safari browsers (Figure 1).
In spite of this, there are still several limitations related to sending and receiving email. For starters, Information Rights Management only supports specific types of attachments. It seamlessly supports documents from Microsoft applications, including Word, Excel and PowerPoint documents, and .xps files.
If a user attaches one of these types of documents to an IRM-protected message, the attachment is also IRM-protected. But when a user tries to send any other type of attachment, such as a .pdf file, he will receive a message informing him that the file cannot be protected.
Likewise, Exchange 2010 only offers Web-ready document viewing for these specific file types. If a user receives an unsupported attachment type, then he must save the attachment and open it with the corresponding application -- regardless of whether or not the attachment is IRM-protected.
This brings up an important point. Although IRM is used in Exchange Server 2010, it’s not limited to Exchange Server. Users can send documents that are IRM-protected without the message itself being IRM-protected.
Generally, when a user adds an attachment to an IRM-protected email message, the attachment -- if it’s a supported file type -- also becomes IRM-protected. If a user attaches an IRM-protected document to an IRM-protected email, however, the attachment’s original IRM protection is retained. Exchange will not attempt to overwrite Information Rights Management protection.
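The OWA, ActiveSync and Web-ready document viewing behavior described above depends on several Exchange settings being enabled together. The following read-only audit is an added example, not part of the original article; it assumes the Exchange Management Shell on Exchange 2010 SP1 and uses only Get- cmdlets, and the `$findings` variable and message wording are illustrative.

```powershell
# Added example (not from the article). Run in the Exchange Management Shell.
# Read-only: reports where IRM or Web-ready viewing is switched off.
$findings = @()

# Organization-wide IRM switches.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    $findings += 'Org: IRM licensing for internal messages is disabled.'
}
if (-not $irm.ClientAccessServerEnabled) {
    $findings += 'Org: IRM is disabled on Client Access servers (OWA and ActiveSync).'
}

# OWA mailbox policies: IRM itself, then in-browser viewing of attachments.
foreach ($p in Get-OwaMailboxPolicy) {
    if (-not $p.IRMEnabled) {
        $findings += "OWA policy '$($p.Name)': IRM is disabled."
        continue
    }
    if (-not $p.WebReadyDocumentViewingOnPublicComputersEnabled) {
        $findings += "OWA policy '$($p.Name)': no Web-ready viewing on public computers."
    }
    if (-not $p.WebReadyDocumentViewingOnPrivateComputersEnabled) {
        $findings += "OWA policy '$($p.Name)': no Web-ready viewing on private computers."
    }
}

# ActiveSync mailbox policies: IRM for mobile device users.
foreach ($p in Get-ActiveSyncMailboxPolicy) {
    if (-not $p.IRMEnabled) {
        $findings += "ActiveSync policy '$($p.Name)': IRM is disabled."
    }
}

if ($findings.Count -eq 0) {
    'No IRM configuration gaps found.'
} else {
    $findings
}
```

A policy flagged for public computers means kiosk users covered by that policy cannot view protected attachments in the browser.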
ABOUT THE AUTHOR
Brien M. Posey, MCSE, is a seven-time Microsoft MVP for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. For more information visit www.brienposey.com.