<p><strong>Architecture and Security in the Hybrid Cloud</strong>: Security and Configuration Automation</p>
<p><strong>RMS Connector vs. Exchange 2010 IRM</strong><br>Ricardo Garrido, 2020-03-09, https://itops.pt/2020/03/rmsconnector-vs_exchange_2010</p>
<h2 id="scenario">Scenario</h2>
<blockquote>
<p><strong>MSFT on Microsoft Rights Management (RMS) connector</strong></p>
<p>“The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS). With this functionality, IT and users can easily protect documents and pictures both inside your organization and outside, without having to install additional infrastructure or establish trust relationships with other organizations.”</p>
</blockquote>
<p>To authorize Exchange 2010 servers to use the RMS connector, you specify the “Exchange Servers” security group as an authorized group of objects in the RMS connector administration tool. This takes advantage of the fact that Exchange automatically manages the membership of this group to maintain a list of all Exchange servers in the forest.</p>
<p>Then you use a script, named “server configuration tool for Microsoft RMS connector (GenConnectorConfig.ps1)”, to set the required registry entries on all servers that will interact with the RMS connector.</p>
<p>For Exchange 2010:</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">.</span><span class="n">\GenConnectorConfig.ps1</span><span class="w"> </span><span class="nt">-ConnectorUri</span><span class="w"> </span><span class="s1">'https://rmsconnector.contoso.com'</span><span class="w"> </span><span class="nt">-SetExchange2010</span><span class="w">
</span></code></pre></div></div>
<h2 id="problem">Problem</h2>
<p>Afterwards, when trying to enable IRM on Exchange 2010, by using the below command, I got the error: <strong>“String cannot be of zero length. Parameter name: oldValue”</strong></p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Set-IRMConfiguration</span><span class="w"> </span><span class="nt">-ClientAccessServerEnabled</span><span class="w"> </span><span class="nv">$True</span><span class="w"> </span><span class="nt">-InternalLicensingEnabled</span><span class="w"> </span><span class="nv">$True</span><span class="w">
</span></code></pre></div></div>
<h2 id="solution">Solution</h2>
<p>Using Process Monitor I couldn’t spot the red flag, given that there wasn’t an obvious failure to access a specific registry entry or another type of system resource.</p>
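<p>The two redirection keys named in the next paragraph can be audited read-only before running Set-IRMConfiguration. This is an added example, not part of the original post or of GenConnectorConfig.ps1; <code>$ExpectedConnectorUri</code> and the status labels are assumptions, as is the rule that redirection data should begin with the connector URI currently in use.</p>

```powershell
# Added example: read-only audit of the Exchange 2010 IRM redirection keys.
# Assumption: set this to the RMS connector URI the servers should be using.
$ExpectedConnectorUri = 'https://rmsconnector.contoso.com'

$irmRoot = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\IRM'
$subKeys = 'CertificationServerRedirection', 'LicenseServerRedirection'

$findings = foreach ($name in $subKeys) {
    $path = Join-Path $irmRoot $name
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Key = $name; ValueName = $null; Data = $null; Status = 'KeyMissing' }
        continue
    }

    $key = Get-Item -LiteralPath $path
    # GetValueNames() lists the (Default) value as an empty string when it is set.
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)

        $status = if ($valueName -eq '' -and $data -ne '') {
            'DefaultValueSet'      # the condition the post traced the error to
        } elseif (-not $data.StartsWith($ExpectedConnectorUri, [StringComparison]::OrdinalIgnoreCase)) {
            'UnexpectedEndpoint'   # e.g. data left over from an earlier connector URI
        } else {
            'OK'
        }

        $displayName = if ($valueName -eq '') { '(Default)' } else { $valueName }
        [pscustomobject]@{ Key = $name; ValueName = $displayName; Data = $data; Status = $status }
    }
}

# Nothing is modified; review any row whose Status is not OK before changing the registry.
$findings | Format-Table -AutoSize
```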
<p>It ended up being a problem with the <strong>‘(Default)’</strong> key on <strong>‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\IRM\CertificationServerRedirection’</strong> and on <strong>‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\IRM\LicenseServerRedirection’</strong>, which had a value set by GenConnectorConfig.ps1 for a previously used RMS connector endpoint - ‘http://rmsconnector’. After clearing the data value for both keys, the above PowerShell command ran successfully.</p>
<p><strong>Azure Information Protection - Extending classification and protection</strong><br>Ricardo Garrido, 2019-09-20, https://itops.pt/2019/09/aip-extending_information_classification_and%20_protection</p>
<h1 id="extending-classification-and-protection">Extending classification and protection</h1>
<p>A</p>
<h2 id="classifying-and-protecting-files-created-by-a-specific-application">Classifying (and protecting) files created by a specific application</h2>
<h3 id="sysmon">Sysmon</h3>
<h3 id="trigger-a-powershell-script-from-a-windows-event">Trigger a PowerShell Script from a Windows Event</h3>
<p>https://blogs.technet.microsoft.com/wincat/2011/08/25/trigger-a-powershell-script-from-a-windows-event/</p>
<h3 id="apply-file-classification">Apply file classification</h3>
<p>https://docs.microsoft.com/en-us/azure/information-protection/develop/developers-guide
https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-powershell</p>
<h2 id="sharing-information-outside-the-organization">Sharing information outside the organization</h2>
<p>https://docs.microsoft.com/en-us/azure/information-protection/configure-exo-rules</p>