Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
General System Settings > Services > Configuring Microsoft RMS
Configuring Microsoft RMS
Administrator Help | Forcepoint DLP | Version 8.7.x
Forcepoint DLP integrates with Microsoft Azure Information Protection to apply DLP policies to Microsoft RMS encrypted files on Windows endpoints. This feature enables enterprises to maintain sensitive data visibility and control for files protected using Microsoft Azure and Active Directory (AD) RMS. Forcepoint DLP interacts directly with the RMS client, enabling the RMS visibility feature to work both on and off the network. It can also be used to better understand how Microsoft RMS is being used by employees to protect sensitive data.
Use the Microsoft RMS tab of the Settings > General > Services page to configure Forcepoint DLP to decrypt and analyze Microsoft Office files that were encrypted by Azure RMS or AD RMS on Windows endpoints. This includes files found on Windows endpoints (discovery) or sent via any endpoint channel.
Office files that are protected by Microsoft RMS include Word, Excel, PowerPoint and other Office documents created in Office 2007 or later, such as those ending in docx and pptx.
The system uses logged-in user credentials to access the Microsoft RMS server. Because the system runs under the security context of the logged-in user, it uses the same permission as the user and, therefore, can read everything the user can read. For example, when a user creates a document, the user has permission to read the document and so does the system. When the user has read permissions to the document, explicitly or as part of an Active Directory group or RMS template, so does the system. In case of errors, the transaction is permitted without analysis and the error is recorded in a log file.
By default, this setting is disabled.
To enable RMS decryption, select Enable RMS decryption, then click OK.
The RMS file detection feature has the following prerequisites:
1.
The endpoint machine must be in your organization's domain.
2.
Forcepoint DLP Endpoint version 19.xx or higher must be installed.
3.
Azure Active Directory/Office 365 single sign-on (SSO) between the local active directory and the Azure active directory must be configured and working. Users must be able to RMS-decrypt a document without a login request.
4.
Rights Management Service Client 2.1 must be installed on the endpoint machine.
5.
Microsoft RMS predefined templates must have Copy and Extract Content permissions.
6.
Make sure that the following Forcepoint DLP predefined policies are not configured to block breaches, because they may block the Azure RMS client communication to the RMS server: because they may block Azure RMS client communication to Azure (OR Office365?)
*
Encrypted Files - Unknown Format (Script)
*
Encrypted Files - Unknown Format (Wide)
By default, these policies are set to monitor. If they are enabled, false positive incidents for RMS communication appear in the Security Manager.
To view RMS-related incidents in the Data Security module of the Security Manager, navigate to the Main > Reporting > DLP > Incidents - Last 3 days page. The Forensics tab shows when the detected breach was an RMS-protected file.
To determine whether RMS decryption and analysis is active or inactive, check the Main > Status > Endpoint Status page.
 
* 
Note 
*
See Microsoft documentation for more information on installing Microsft RMS Client 2.1.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
General System Settings > Services > Configuring Microsoft RMS
Copyright 2018 Forcepoint. All rights reserved.