Scenario: Classification-Based Encryption for Office Documents

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Protection of sensitive information is mainly about mitigating risk for the organization. Various compliance regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), require encryption of certain classes of information, and there are numerous business reasons to encrypt sensitive business information beyond compliance. However, encrypting information is expensive, and it can impair business productivity. Organizations therefore tend to have different approaches and priorities for encrypting their information.

Scenario description

Windows Server 2012 provides the ability to automatically encrypt sensitive Microsoft Office files based on their classification. This is done through file management tasks that invoke Active Directory Rights Management Services (AD RMS) protection for sensitive documents a few seconds after a file is identified as sensitive on the file server. The short delay is possible because the file management tasks run continuously on the file server rather than only on a schedule.

AD RMS encryption provides another layer of protection for files. Even if a person with access to a sensitive file inadvertently sends that file through email, the file remains protected by the AD RMS encryption. Users who want to access the file must first authenticate to an AD RMS server to receive the decryption key. The following figure shows this process.


Figure 6 Classification-based RMS protection

Support for non-Microsoft file formats is available through non-Microsoft vendors. After a file has been protected by AD RMS encryption, data management features that need to read its content, such as search or content-based classification, are no longer available for that file.
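The following PowerShell script is an added example, not configuration from the original page. It implements the scenario described above on a Windows Server file server with File Server Resource Manager (FSRM) installed: a local classification property, a content classification rule that sets it, continuous classification, and a continuous file management task whose action is AD RMS protection. The folder D:\Finance, the property name Confidentiality, the rights policy template name "Contoso Confidential" and the CONTOSO domain groups are assumptions; the template must exist on the AD RMS cluster that the file server's RMS client is configured to use. The regular expression is a constructed illustration, not a vetted PII detector.

```powershell
# Added example: FSRM classification + RMS-protecting file management task.
# Assumed: D:\Finance share, local property "Confidentiality", AD RMS
# template "Contoso Confidential". Run elevated on the file server after
#   Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager

$namespace = @('D:\Finance')
$jobName   = 'Protect High confidentiality Office files'

# 1. Local classification property with a fixed set of values.
#    If the property comes from AD DS as a global resource property, skip
#    this step and run Update-FsrmClassificationPropertyDefinition instead.
$values = 'High', 'Moderate', 'Low' | ForEach-Object {
    New-FsrmClassificationPropertyValue -Name $_
}
New-FsrmClassificationPropertyDefinition -Name 'Confidentiality' `
    -Type SingleChoice -PossibleValue $values | Out-Null

# 2. Content rule: a file whose text matches the (constructed) pattern for a
#    US Social Security number is classified High. Content classification
#    cannot read a file once it is RMS-protected, so the value assigned here
#    is what the protected file keeps.
New-FsrmClassificationRule -Name 'Confidentiality - SSN in content' `
    -Property 'Confidentiality' -PropertyValue 'High' `
    -Namespace $namespace `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') | Out-Null

# 3. Classification must itself run continuously; otherwise a new file is only
#    classified, and therefore only protected, at the next scheduled run.
$schedule = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly Sunday
Set-FsrmClassification -Schedule $schedule -Continuous -ContinuousLog

# 4. File management task: condition on the property, action = RMS protect.
#    The built-in RMS action handles Office (and XPS) formats only; other
#    formats need a third-party protector, as the page notes.
$condition = New-FsrmFmjCondition -Property 'Confidentiality' `
    -Condition Equal -Value 'High'
$action = New-FsrmFmjAction -Type Rms -RmsTemplate 'Contoso Confidential'
# Without a template, rights can be granted directly instead, e.g.
#   New-FsrmFmjAction -Type Rms -RmsFullControlUser 'CONTOSO\FinanceOwners' `
#       -RmsReadUser 'CONTOSO\Finance'

New-FsrmFileManagementJob -Name $jobName `
    -Namespace $namespace -Condition @($condition) -Action $action `
    -Schedule $schedule -Continuous -ContinuousLog | Out-Null

# One full pass now so files that already exist are protected; from then on
# the -Continuous flag covers new and modified files within seconds.
Start-FsrmClassification
Start-FsrmFileManagementJob -Name $jobName

# Check: an unprotected .docx/.xlsx/.pptx is a ZIP package ("PK" header).
# After AD RMS protection (or password protection) it is an OLE compound
# file (header D0 CF 11 E0) holding an EncryptedPackage stream.
function Test-OfficeFileEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $head = Get-Content -LiteralPath $Path -Encoding Byte -TotalCount 4
    return (($head -join ',') -eq '208,207,17,224')
}

# Office files under the namespace that are still in the clear. Compare this
# list against the classification report to confirm nothing High was missed.
Get-ChildItem -Path $namespace -Recurse -Include *.docx, *.xlsx, *.pptx |
    Where-Object { -not (Test-OfficeFileEncrypted -Path $_.FullName) } |
    Select-Object FullName
```

Two points worth keeping in mind when adapting this. The header test tells you a file is in an encrypted container, not that it was AD RMS specifically that protected it; a user who set a document password produces the same header. And because protected files can no longer be content-classified, keep the classification rule's property assignment stable (the default re-evaluation behaviour) so the value that triggered protection is not cleared on a later pass.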

In this scenario

Following is the guidance that is available for this scenario:

Roles and features included in this scenario

The following table lists the roles and features that are part of this scenario and describes how they support it.

Role/feature: Active Directory Domain Services (AD DS) role
How it supports this scenario: AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. In this scenario, AD DS in Windows Server 2012 introduces a claims-based authorization platform that enables the creation of user claims and device claims, compound identity (user plus device claims), a new central access policy model, and the use of file classification information in authorization decisions.

Role/feature: File and Storage Services role; File Server Resource Manager
How it supports this scenario: File and Storage Services provides technologies to help you set up and manage one or more file servers that provide central locations on your network where you can store files and share them with users. If your network users need access to the same files and applications, or if centralized backup and file management are important to your organization, you should set up one or more computers as file servers by adding the File and Storage Services role and the appropriate role services to those computers. In this scenario, file server administrators can configure file management tasks that invoke AD RMS protection for sensitive documents a few seconds after a file is identified as sensitive on the file server (continuous file management tasks on the file server).

Role/feature: Active Directory Rights Management Services (AD RMS) role
How it supports this scenario: AD RMS enables individuals and administrators, through Information Rights Management (IRM) policies, to specify access permissions to documents, workbooks, and presentations. This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a file has been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the permission for a file is stored in the document file itself. In this scenario, AD RMS encryption provides another layer of protection for files. Even if a person with access to a sensitive file inadvertently sends that file through email, the file remains protected by the AD RMS encryption. Users who want to access the file must first authenticate to an AD RMS server to receive the decryption key.