Managing Compliance in Microsoft Exchange Server 2010

  • 11/24/2010

Outlook Protection Rules

If you use Outlook 2010 clients and have AD RMS deployed, you can use a complementary function called Outlook Protection Rules that allows Exchange administrators to create new rules and distribute them to Outlook users to have protection automatically applied at the client rather than waiting for messages to be transmitted to Exchange. Although it adds another layer of security for messages in corporate email systems, this feature is also intended for use in scenarios where companies use Exchange in hosted services and want to ensure that content is protected against snooping or other unauthorized access by the managers of the hosted service. Outlook Protection Rules require you to install an add-on to Outlook 2010 before they work. After that, the administrator creates and distributes new rules using the set of cmdlets described in Table 15-11. You need to be an organization administrator to be able to use these cmdlets.

Table 15-11. Outlook Protection Rule cmdlets

Cmdlet                          Use
New-OutlookProtectionRule       Create a new Outlook Protection Rule
Enable-OutlookProtectionRule    Enable an Outlook Protection Rule and make it available to clients
Get-OutlookProtectionRule       Return information about a selected Outlook Protection Rule or all of the rules within the organization
Set-OutlookProtectionRule       Set properties of an existing Outlook Protection Rule
Remove-OutlookProtectionRule    Remove an Outlook Protection Rule from the organization
Disable-OutlookProtectionRule   Disable an Outlook Protection Rule

Essentially, an Outlook Protection Rule establishes the conditions for when to apply the rule, states the scope of recipients for whom the rule applies, and tells Outlook what AD RMS template it should apply when the conditions and scope are satisfied. Outlook monitors new messages as they are created and will load the necessary templates when it first detects that it might need them during a session. The scope can be internal recipients, all recipients, or specific recipients.

To take a practical example, let’s assume that we have been told that we need to protect any message sent to the CEO’s staff. This EMS command creates a new rule that applies the default Do Not Forward AD RMS template to any message sent to the SMTP address specified in the rule (in this case, the address is for the distribution group used to map all of the CEO staff):

New-OutlookProtectionRule -Name "CEO Staff Communications" -SentTo CEOStaff@contoso.com -ApplyRightsProtectionTemplate "Do Not Forward" -Priority 1

After an Outlook protection rule is defined, it is distributed to clients using Exchange Web Services. If you change a rule, it takes about an hour for the change to reach clients because rules are cached for better performance. You can force a rule to be distributed by recycling the Microsoft Internet Information Services (IIS) process. In addition, you have to restart Outlook to make new rules available to the client.
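As an added example (not code from the book), this EMS script creates the CEO staff rule shown above, reads it back to confirm the template and enabled state before the hourly distribution cycle, and then reviews every rule in the organization. It assumes the -SentToScope and -UserCanOverride parameters and the matching properties on Get-OutlookProtectionRule output, which exist on the Exchange 2010 cmdlets but are not discussed on this page.

```powershell
# Added example, not from the book. Run in the Exchange Management Shell
# as an organization administrator. The address and template name come
# from the text above; -UserCanOverride is a cmdlet parameter the page
# does not mention (assumed from the Exchange 2010 cmdlet reference).
$ruleName = "CEO Staff Communications"
$template = "Do Not Forward"

# Create the rule. -UserCanOverride $false stops the sender from removing
# the protection that Outlook applies automatically.
New-OutlookProtectionRule -Name $ruleName `
    -SentTo "CEOStaff@contoso.com" `
    -ApplyRightsProtectionTemplate $template `
    -Priority 1 `
    -UserCanOverride $false

# Read the rule back and check it rather than waiting to see it on a client.
$rule = Get-OutlookProtectionRule -Identity $ruleName
if (-not $rule.Enabled) {
    Write-Warning "Rule '$ruleName' exists but is disabled; clients will not receive it."
}
# The template property is coerced to a string so it compares by name.
if ("$($rule.ApplyRightsProtectionTemplate)" -ne $template) {
    Write-Warning "Rule '$ruleName' applies '$($rule.ApplyRightsProtectionTemplate)', expected '$template'."
}

# Review every rule: scope (All, InOrganization, or named recipients),
# template, and whether the sender can override it. Lower Priority wins.
Get-OutlookProtectionRule | Sort-Object Priority |
    Format-Table Name, Priority, Enabled, SentToScope, SentTo,
        ApplyRightsProtectionTemplate, UserCanOverride -AutoSize

# Rules a user can override give weaker assurance; flag them for review.
Get-OutlookProtectionRule | Where-Object { $_.UserCanOverride } |
    ForEach-Object { Write-Warning "Rule '$($_.Name)' can be overridden by the sender." }
```

Remember that a rule read back here is not yet effective on clients until it has been distributed and Outlook has been restarted.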

For the rule to work properly, Outlook must have access to the AD RMS template. The default Do Not Forward template is automatically made available to clients when they contact the AD RMS server for the first time. If you create new templates, they have to be distributed so that the client can access the XML that describes each template. To check that a template is available to Outlook, create a new message and click the Options tab to view the list of templates available through the Permission list. If the template doesn't appear there, it has not yet been distributed to the client computer.