Deploy Encryption of Office Files (Demonstration Steps)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Contoso's Finance Department has a number of file servers that store its documents. These documents can be general documentation, or they can have a high business impact (HBI). For example, any document that contains confidential information is deemed by Contoso to have a high business impact. Contoso wants to ensure that all of its documentation has a minimum amount of protection and that its HBI documentation is restricted to the appropriate people. To accomplish this, Contoso is exploring the File Classification Infrastructure (FCI) and AD RMS that are available in Windows Server 2012. By using FCI, Contoso will classify all of the documents on its file server based on their content, and then use AD RMS to apply the appropriate rights policy.

In this scenario, you'll perform the following steps:

| Task | Description |
| --- | --- |
| Enable resource properties | Enable the Impact and Personally Identifiable Information resource properties. |
| Create classification rules | Create the following classification rules: HBI Classification Rule and PII Classification Rule. |
| Use file management tasks to automatically protect documents with AD RMS | Create a file management task that automatically uses AD RMS to protect documents with high personally identifiable information (PII). Only members of the FinanceAdmin group will have access to documents that contain high PII. |
| View the results | Examine the classification of documents and observe how it changes as you change the content of the documents. Also verify how the document gets protected by AD RMS. |
| Verify AD RMS protection | Verify that the document is protected with AD RMS. |

Step 1: Enable resource properties

To enable resource properties

  1. In Hyper-V Manager, connect to server ID_AD_DC1. Sign in to the server by using Contoso\Administrator with the password pass@word1.

  2. Open Active Directory Administrative Center, and click Tree View.

  3. Expand DYNAMIC ACCESS CONTROL, and select Resource Properties.

  4. Scroll down to the Impact property in the Display name column. Right-click Impact, and then click Enable.

  5. Scroll down to the Personally Identifiable Information property in the Display name column. Right-click Personally Identifiable Information, and then click Enable.

  6. To publish the resource properties in the Global Resource List, in the left pane, click Resource Property Lists, and then double-click Global Resource Property List.

  7. Click Add, and then scroll down to and click Impact to add it to the list. Do the same for Personally Identifiable Information. Click OK twice to finish.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Set-ADResourceProperty -Enabled:$true -Identity:"CN=Impact_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=contoso,DC=com"
Set-ADResourceProperty -Enabled:$true -Identity:"CN=PII_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=contoso,DC=com"
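The two cmdlets above cover steps 4 and 5 but not steps 6 and 7, which publish the properties in the Global Resource Property List. The following script is an added example, not part of the original page, that does both and reads the state back; it assumes the ActiveDirectory module is installed on ID_AD_DC1 and that the list object exposes its members through a `Members` property.

```powershell
# Added example, not part of the original page. Run on ID_AD_DC1 as Contoso\Administrator.
Import-Module ActiveDirectory

# Names of the two resource properties, as used in the page's Set-ADResourceProperty commands.
$properties = 'Impact_MS', 'PII_MS'

# Steps 4 and 5: enable both properties.
foreach ($name in $properties) {
    Set-ADResourceProperty -Identity $name -Enabled $true
}

# Steps 6 and 7: publish them in the Global Resource Property List, which is the list
# the file server downloads when you run Update-FSRMClassificationPropertyDefinition in Step 2.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $properties

# Read the state back so a typo or a missing list membership shows up here, not on the file server.
function Get-ResourcePropertyStatus {
    # Assumption: the list's membership is exposed as the Members attribute (distinguished names).
    $list = Get-ADResourcePropertyList -Identity 'Global Resource Property List' -Properties Members
    foreach ($name in $properties) {
        $prop = Get-ADResourceProperty -Identity $name
        [pscustomobject]@{
            Name        = $name
            DisplayName = $prop.DisplayName
            Enabled     = $prop.Enabled
            Published   = ($list.Members -contains $prop.DistinguishedName)
        }
    }
}

Get-ResourcePropertyStatus | Format-Table -AutoSize
```

Both rows should show Enabled and Published as True before you move on to the file server.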

Step 2: Create classification rules

This step explains how to create the High Impact classification rule. This rule searches the content of documents, and if the string "Contoso Confidential" is found, it classifies the document as having high business impact. This classification overrides any previously assigned classification of low business impact.

You will also create a High PII rule. This rule searches the content of documents, and if a Social Security number is found, it classifies the document as having high PII.

To create the high-impact classification rule

  1. In Hyper-V Manager, connect to server ID_AD_FILE1. Sign in to the server by using Contoso\Administrator with the password pass@word1.

  2. You need to refresh the Global Resource Properties from Active Directory. Open Windows PowerShell and type Update-FSRMClassificationPropertyDefinition, and then press ENTER. Close Windows PowerShell.

  3. Open File Server Resource Manager. To open File Server Resource Manager, click Start, type file server resource manager, and then click File Server Resource Manager.

  4. In the left pane of File Server Resource Manager, expand Classification Management, and then select Classification Rules.

  5. In the Actions pane, click Configure Classification Schedule. On the Automatic Classification tab, select Enable fixed schedule, select a Day of the week, and then select the Allow continuous classification for new files check box. Click OK.

  6. In the Actions pane, click Create Classification Rule. This opens the Create Classification Rule dialog box.

  7. In the Rule name box, type High Business Impact.

  8. In the Description box, type Determines if the document has a high business impact based on the presence of the string "Contoso Confidential".

  9. On the Scope tab, click Set Folder Management Properties, select Folder Usage, click Add, click Browse, browse to D:\Finance Documents as the path, click OK, and then choose the property value named Group Files and click Close. Once the management properties are set, on the Rule Scope tab select Group Files.

  10. Click the Classification tab. Under Choose a method to assign the property to files, select Content Classifier from the drop-down list.

  11. Under Choose a property to assign to files, select Impact from the drop-down list.

  12. Under Specify a value, select High from the drop-down list.

  13. Click Configure under Parameters. In the Classification Parameters dialog box, in the Expression Type list, select String. In the Expression box, type Contoso Confidential, and then click OK.

  14. Click the Evaluation Type tab. Click Re-evaluate existing property values, click Overwrite the existing value, and then click OK to finish.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Update-FSRMClassificationPropertyDefinition
$date = Get-Date
$AutomaticClassificationScheduledTask = New-FsrmScheduledTask -Time $date -Weekly @(3,2,4,5,1,6,0) -RunDuration 0
Set-FsrmClassification -Continuous -Schedule $AutomaticClassificationScheduledTask
New-FSRMClassificationRule -Name "High Business Impact" -Property "Impact_MS" -Description "Determines if the document has a high business impact based on the presence of the string 'Contoso Confidential'" -PropertyValue "3000" -Namespace @("D:\Finance Documents") -ClassificationMechanism "Content Classifier" -Parameters @("StringEx=Min=1;Expr=Contoso Confidential") -ReevaluateProperty Overwrite

To create the high-PII classification rule

  1. In Hyper-V Manager, connect to server ID_AD_FILE1. Sign in to the server by using Contoso\Administrator with the password pass@word1.

  2. On the desktop, open the folder named Regular Expressions, and then open the text document named RegEx-SSN. Highlight and copy the following regular expression string: ^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$. This string will be used later in this step, so keep it on your clipboard.

  3. Open File Server Resource Manager. To open File Server Resource Manager, click Start, type file server resource manager, and then click File Server Resource Manager.

  4. In the left pane of File Server Resource Manager, expand Classification Management, and then select Classification Rules.

  5. In the Actions pane, click Configure Classification Schedule. On the Automatic Classification tab, select Enable fixed schedule, select a Day of the week, and then select the Allow continuous classification for new files check box. Click OK.

  6. In the Rule name box, type High PII. In the Description box, type Determines if the document has a high PII based on the presence of a Social Security Number.

  7. Click the Scope tab, and select the Group Files check box.

  8. Click the Classification tab. Under Choose a method to assign the property to files, select Content Classifier from the drop-down list.

  9. Under Choose a property to assign to files, select Personally Identifiable Information from the drop-down list.

  10. Under Specify a value, select High from the drop-down list.

  11. Click Configure under Parameters.
    In the Classification Parameters window, in the Expression Type list, select Regular Expression. In the Expression box, paste the text from your clipboard: ^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$, and then click OK.

    Note

    This expression will allow invalid Social Security numbers. This allows us to use fictitious Social Security numbers in the demonstration.

  12. Click the Evaluation Type tab. Select Re-evaluate existing property values, select Overwrite the existing value, and then click OK to finish.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

New-FSRMClassificationRule -Name "High PII" -Description "Determines if the document has a high PII based on the presence of a Social Security Number." -Property "PII_MS" -PropertyValue "5000" -Namespace @("D:\Finance Documents") -ClassificationMechanism "Content Classifier" -Parameters @("RegularExpressionEx=Min=1;Expr=^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$") -ReevaluateProperty Overwrite
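Before a content classifier goes live it is worth knowing exactly which strings its pattern accepts. The script below is an added example, not part of the original page: it runs the page's SSN expression as a .NET regular expression over constructed sample values (none are real numbers) and reports any case that does not behave as expected. It tests standalone values only and says nothing about how FSRM applies the pattern inside a document's extracted text.

```powershell
# Added example, not part of the original page. Exercises the page's SSN pattern
# against constructed sample strings to show what the High PII rule will match.
$ssnPattern = '^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$'

# Constructed samples (not real SSNs) with the result each is expected to produce.
$samples = @(
    @{ Text = '777-77-7777'; Expect = $true;  Why = 'value typed into the document in Step 4' }
    @{ Text = '777 77 7777'; Expect = $true;  Why = '[ -]? also accepts a space separator' }
    @{ Text = '777777777';   Expect = $true;  Why = '[ -]? also accepts no separator' }
    @{ Text = '777-77 7777'; Expect = $false; Why = '\3 requires the second separator to equal the first' }
    @{ Text = '000-12-3456'; Expect = $false; Why = '(?!000) rejects area number 000' }
    @{ Text = '123-00-3456'; Expect = $false; Why = '(?!00) rejects group number 00' }
    @{ Text = '123-45-0000'; Expect = $false; Why = '(?!0000) rejects serial number 0000' }
    @{ Text = '800-12-3456'; Expect = $false; Why = 'area numbers 800 and above are never matched' }
    @{ Text = '666-12-3456'; Expect = $true;  Why = 'not rejected: the note says invalid SSNs are allowed' }
    @{ Text = 'Social Security#: 777-77-7777'; Expect = $false; Why = '^ and $ anchor the whole value' }
)

function Test-SsnPattern {
    param([string]$Pattern, [object[]]$Cases)
    foreach ($case in $Cases) {
        $match = [regex]::IsMatch($case.Text, $Pattern)
        [pscustomobject]@{
            Text     = $case.Text
            Matches  = $match
            Expected = $case.Expect
            Ok       = ($match -eq $case.Expect)
            Why      = $case.Why
        }
    }
}

$results = Test-SsnPattern -Pattern $ssnPattern -Cases $samples
$results | Format-Table -AutoSize

# A false Ok means the pattern does not behave as the comment claims; investigate before deploying.
$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) case(s) did not match the expectation." }
```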

You should now have two classification rules:

  • High Business Impact

  • High PII

Step 3: Use file management tasks to automatically protect documents with AD RMS

Now that you've created rules to automatically classify documents based on content, the next step is to create a file management task that uses AD RMS to automatically protect certain documents based on their classification. In this step, you will create a file management task that automatically protects any document with high PII. Only members of the FinanceAdmin group will have access to documents that contain high PII.

To protect documents with AD RMS

  1. In Hyper-V Manager, connect to server ID_AD_FILE1. Sign in to the server by using Contoso\Administrator with the password pass@word1.

  2. Open File Server Resource Manager. To open File Server Resource Manager, click Start, type file server resource manager, and then click File Server Resource Manager.

  3. In the left pane, select File Management Tasks. In the Actions pane, select Create File Management Task.

  4. In the Task name: field, type High PII. In the Description field, type Automatic RMS protection for high PII documents.

  5. Click the Scope tab, and select the Group Files check box.

  6. Click the Action tab. Under Type, select RMS Encryption. Click Browse to select a template, and then select the Contoso Finance Admin Only template.

  7. Click the Condition tab, and then click Add. Under Property, select Personally Identifiable Information. Under Operator, select Equal. Under Value, select High. Click OK.

  8. Click the Schedule tab. In the Schedule section, click Weekly, and then select Sunday. Running the task once a week will ensure that you catch any documents that may have been missed due to a service outage or other disruptive event.

  9. In the Continuous operation section, select Run task continuously on new files, and then click OK. You should now have a file management task named High PII.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

$fmjRmsEncryption = New-FSRMFmjAction -Type 'Rms' -RmsTemplate 'Contoso Finance Admin Only'
$fmjCondition1 = New-FSRMFmjCondition -Property 'PII_MS' -Condition 'Equal' -Value '5000'
$date = Get-Date
$schedule = New-FsrmScheduledTask -Time $date -Weekly @('Sunday')
$fmj1 = New-FSRMFileManagementJob -Name "High PII" -Description "Automatic RMS protection for high PII documents" -Namespace @('D:\Finance Documents') -Action $fmjRmsEncryption -Schedule $schedule -Continuous -Condition @($fmjCondition1)

Step 4: View the results

It's time to take a look at your new automatic classification and AD RMS protection rules in action. In this step, you will examine the classification of documents and observe how it changes as you change the content of the documents.

To view the results

  1. In Hyper-V Manager, connect to server ID_AD_FILE1. Sign in to the server by using Contoso\Administrator with the password pass@word1.

  2. In Windows Explorer, navigate to D:\Finance Documents.

  3. Right-click the Finance Memo document, and click Properties. Click the Classification tab, and notice that the Impact property currently has no value. Click Cancel.

  4. Right-click the Request for Approval to Hire document, and then select Properties.

  5. Click the Classification tab, and notice that the Personally Identifiable Information property currently has no value. Click Cancel.

  6. Switch to CLIENT1. Sign off any user who is signed in, and then sign in as Contoso\MReid with the password pass@word1.

  7. From the Desktop, open the Finance Documents shared folder.

  8. Open the Finance Memo document. Near the bottom of the document, you will see the word Confidential. Modify it to read Contoso Confidential. Save the document and close it.

  9. Open the Request for Approval to Hire document. In the Social Security#: section, type 777-77-7777. Save the document and close it.

    Note

    You may need to wait 30 seconds for the classification to occur.

  10. Switch back to ID_AD_FILE1. In Windows Explorer, navigate to D:\Finance Documents.

  11. Right-click the Finance Memo document, and click Properties. Click the Classification tab. Notice that the Impact property is now set to High. Click Cancel.

  12. Right-click the Request for Approval to Hire document, and click Properties.

  13. Click the Classification tab. Notice that the Personally Identifiable Information property is now set to High. Click Cancel.

Step 5: Verify protection with AD RMS

To verify that the document is protected

  1. Switch back to ID_AD_CLIENT1.

  2. Open the Request for Approval to Hire document.

  3. Click OK to allow the document to connect to your AD RMS server.

  4. You can now see that the document has been protected by AD RMS because it contains a Social Security number.
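Steps 4 and 5 check the outcome by hand, file by file, through the Properties dialog and Word. The script below is an added example, not part of the original page, that performs the same checks from the file server in one pass: it forces the classification and the High PII job to run, reads the stored Impact_MS and PII_MS values of every file in D:\Finance Documents, and inspects each file's container signature. It assumes the FileServerResourceManager cmdlets Start-/Wait-FsrmClassification and Start-/Wait-FsrmFileManagementJob, and the Fsrm.FsrmClassificationManager COM object's EnumFileProperties method, are available on ID_AD_FILE1.

```powershell
# Added example, not part of the original page. Run on ID_AD_FILE1 as
# Contoso\Administrator after the edits in Step 4 have been saved.
$folder = 'D:\Finance Documents'   # namespace used by the page's rules and job

# Assumption: the FSRM classification manager COM object exposes
# EnumFileProperties(path, options); option 0 returns the stored properties.
$fsrm = New-Object -ComObject 'Fsrm.FsrmClassificationManager'

function Get-FileClassification {
    param([string]$Path)
    # Property names are the ones the page's rules write: Impact_MS and PII_MS.
    $values = [ordered]@{ Impact_MS = '(none)'; PII_MS = '(none)' }
    foreach ($prop in $fsrm.EnumFileProperties($Path, 0)) {
        if ($values.Contains($prop.Name)) { $values[$prop.Name] = $prop.Value }
    }
    return $values
}

function Get-ContainerType {
    param([string]$Path)
    # Heuristic: an unprotected .docx is a ZIP package ("PK" signature). Once the
    # High PII job applies the RMS template, the file is rewritten as an OLE compound
    # file (D0 CF 11 E0) that wraps the encrypted package. Legacy .doc files are also
    # OLE compound files, so treat this as a hint and confirm on the client as in Step 5.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $header = New-Object byte[] 4
        $read = $stream.Read($header, 0, 4)
    } finally {
        $stream.Dispose()
    }
    if ($read -ge 4 -and $header[0] -eq 0xD0 -and $header[1] -eq 0xCF -and
        $header[2] -eq 0x11 -and $header[3] -eq 0xE0) {
        return 'OLE compound (RMS-protected or legacy binary Office)'
    }
    if ($read -ge 2 -and $header[0] -eq 0x50 -and $header[1] -eq 0x4B) {
        return 'ZIP package (not RMS-protected)'
    }
    return 'unknown'
}

# Run classification and the High PII job now instead of waiting for the schedule
# or the continuous-classification delay mentioned in the Step 4 note.
Start-FsrmClassification
Wait-FsrmClassification
Start-FsrmFileManagementJob -Name 'High PII'
Wait-FsrmFileManagementJob -Name 'High PII'

# Report what the Classification tab shows for each file, plus the container check.
Get-ChildItem -Path $folder -File | ForEach-Object {
    $class = Get-FileClassification -Path $_.FullName
    [pscustomobject]@{
        File      = $_.Name
        Impact_MS = $class.Impact_MS
        PII_MS    = $class.PII_MS
        Container = Get-ContainerType -Path $_.FullName
    }
} | Format-Table -AutoSize
```

After Step 4, Finance Memo should show an Impact_MS value and Request for Approval to Hire a PII_MS value, and only the latter should report the OLE compound container, because only the High PII job applies RMS encryption.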