TechShizz | All posts tagged 'Security'

Installing Information Rights Management for Office 365

IRM needs to be activated first:

Service settings > Rights Management > Manage

Click Activate (the status reads 'Rights Management is not activated' until you do).

Managing IRM

Before IRM can be managed in PowerShell, a module needs to be downloaded and installed.

Download the Azure Rights Management Administration Tool - English - United Kingdom:

http://www.microsoft.com/en-gb/download/details.aspx?id=30339

Remember to connect first:

Connect-MsolService

Then:

Import-Module AADRM

Connect-AadrmService -Verbose

Enable-Aadrm

When finished:

Disconnect-AadrmService
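The connect, enable and disconnect sequence above as one idempotent script. This is an added example, not code from the original post; it assumes the AADRM module from the download above and relies on Get-Aadrm, which reports Enabled or Disabled, so Enable-Aadrm only runs when it is actually needed.

```powershell
Import-Module AADRM

# Prompts for the Office 365 global admin credentials
Connect-AadrmService -Verbose

try {
    # Get-Aadrm returns the tenant's Rights Management status: Enabled or Disabled
    $status = Get-Aadrm
    if ($status -ne 'Enabled') {
        Write-Output "Rights Management is $status - activating"
        Enable-Aadrm
        $status = Get-Aadrm
    }
    Write-Output "Rights Management status: $status"

    # Record the tenant's RMS service URLs. The hostname carries the region
    # (eu, na, ap), which the Exchange key-sharing URL later has to match.
    Get-AadrmConfiguration |
        Format-List RightsManagementServiceId, LicensingIntranetDistributionPointUrl
}
finally {
    # Disconnect even if enabling failed part-way
    Disconnect-AadrmService
}
```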


Configuring Office 365 Admin Center Administration Roles

Admin Center Admin Roles

Global Administrator - All tasks in the O365 admin center:

  • Manage domains
  • Manage organization information
  • Delegate administrator roles
  • Use directory synchronization

User Management - Manage users and groups, manage service requests, reset passwords and monitor health:

  • Cannot create other admins
  • Cannot delete global administrators
  • Cannot reset passwords for Billing, Global or Service admins

Password - Manage passwords, service requests and monitor health (cannot manage the passwords of other admin roles).

Service - Manage service requests and monitor health. Admin permissions must be assigned to the online service before this role can be used.

Billing - Make purchases, manage subscriptions and support tickets, and monitor health (only if the subscription was bought from Microsoft).

PowerShell to Admin Center

Titles for administration roles differ between Office 365 PowerShell and SharePoint. Below is the equivalent of each administration role: PowerShell on the left, SharePoint on the right.

Company Administrator = Global Administrator

User Management Administrator = User Management

Helpdesk Administrator = Password Administrator

Service Support Administrator = Services Administrator

Billing Administrator = Billing Administrator

Managing in PowerShell

Remember:

Connect-MsolService

List the role groups:

Get-MsolRole

Add a member to a role group:

Add-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberEmailAddress "kengle@teamrou.onmicrosoft.com"

To list who is in a role group:

$RoleInfo = Get-MsolRole -RoleName "User Account Administrator"

Get-MsolRoleMember -RoleObjectId $RoleInfo.ObjectId

Remove a member from a role group:

Remove-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberEmailAddress "kengle@teamrou.onmicrosoft.com"
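An added example (not from the original post) that combines the cmdlets above into a review of delegated admin rights: it enumerates every MSOL role with its members and then counts the Company Administrator members, the PowerShell name for Global Administrator per the mapping above. It assumes Connect-MsolService has already been run.

```powershell
# Assumes Connect-MsolService has already been run (MSOnline module)

# One row per (role, member) pair so the whole tenant's admin delegation can be reviewed
$report = foreach ($role in Get-MsolRole) {
    foreach ($m in (Get-MsolRoleMember -RoleObjectId $role.ObjectId)) {
        [pscustomobject]@{
            Role        = $role.Name
            Member      = $m.EmailAddress
            DisplayName = $m.DisplayName
            MemberType  = $m.RoleMemberType   # User or ServicePrincipal
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize

# "Company Administrator" = Global Administrator. Every member has full control of the
# tenant, so this is the count to keep as small as possible.
$globalAdmins = @($report | Where-Object Role -eq 'Company Administrator')
Write-Output ("{0} Company Administrator(s): {1}" -f $globalAdmins.Count, ($globalAdmins.Member -join ', '))

# Roles that currently have nobody in them, for completeness of the review
$populated = $report | Select-Object -ExpandProperty Role -Unique
Get-MsolRole | Where-Object { $populated -notcontains $_.Name } | Select-Object Name
```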


Integrating with Exchange

This enables IRM in Office 365. It allows content in Exchange to be controlled through the Set Permissions menu (for example, Do Not Forward).

It also allows us to create rights protection mail rules in Exchange Online, such as "Apply rights protection to messages".

In order to enable IRM in Exchange Online we need to do the following.

Open PowerShell as Admin and run the following commands in order.

# Allow local scripts to run; downloaded scripts must still be signed
Set-ExecutionPolicy RemoteSigned

# Connect to Exchange Online with the tenant admin credentials
$usercred = Get-Credential
$sessioninfo = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/PowerShell -Credential $usercred -Authentication Basic -AllowRedirection
Import-PSSession $sessioninfo

# Point Exchange at the RMS Online key-sharing location. This is the EU endpoint;
# tenants in other regions use a different sp.rms.<region>.aadrm.com URL.
Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp.rms.eu.aadrm.com/tenantmanagement/servicepartner.svc"

# Import the tenant's trusted publishing domain from RMS Online
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

# Enable internal licensing (IRM for messages within the organization)
Set-IRMConfiguration -InternalLicensingEnabled $true

# Verify the RMS Online configuration, then verify it as a specific sender
Test-IRMConfiguration -RMSOnline
Test-IRMConfiguration -Sender $usercred.UserName

# Always tear the remote session down when finished
Remove-PSSession $sessioninfo


Role Based Access in Exchange

Role groups, or Management Role Groups, are the groups we see in the Active Directory "Microsoft Exchange Security Groups" OU.

To see a list of management roles:

Get-ManagementRole

This lists all management roles, which are collections of cmdlets. For example, to see which cmdlets make up the Databases management role we can run:

Get-ManagementRoleEntry "Databases\*"

Create a custom role from an existing role by using the following:

New-ManagementRole -Name "Distribution G Admins" -Parent "Distribution Groups"

This command creates a new management role called "Distribution G Admins" and populates it with the ability to use all the PowerShell commands that the "Distribution Groups"

To remove a management role entry, stripping the copied template down to only the access we want to give, you would use:

Remove-ManagementRoleEntry "Distribution G Admins\Remove-DistributionGroup"

If for some reason this role needs a permission from another management role, we first need to create a role group that contains both management roles (and so both sets of role entries) that we need. Because we created this management role from the Distribution Groups role, we cannot simply add role entries from other roles to it.

So to create a new role group, which in this example will contain the Distribution G Admins and Transport Rules role entries:

New-RoleGroup "Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -Members rbulloc

This creates a group visible in AD alongside the other role groups.

To remove a role group:

Remove-RoleGroup "Distros and Transports"

If we want to create a role group and scope it so that the users in that group can only administer users/mailboxes in a specific OU (in this example the "Liverpool" OU), we can use the following command:

New-RoleGroup "Liverpool Distros and Transports" -Roles "Distribution G Admins","Transport Rules" -RecipientOrganizationalUnitScope "contoso.local/Liverpool"

To see which management roles make up a role group, and also to see its scope, query the role assignments:

Get-ManagementRoleAssignment | Select Name

Find the assignments you're looking for, then run:

Get-ManagementRoleAssignment "MANAGEMENTROLENAME" | fl

This shows the scope.


Dynamic Access Control

Prerequisites:

  • At least one DC must be Server 2012 or above; 2008 DCs will still work but require a schema update.
  • The file server must be a domain member.
  • File Server Resource Manager must be installed on the file server.
  • Clients must be Windows 7 or later.
  • For Access Denied Remediation (ADR), clients must be Windows 8 or later.
  • Active Directory Administrative Centre (RSAT tool).

DAC is built from five components, configured in this order:

  1. Claim Type
  2. Resource Properties
  3. Resource Property List
  4. Central Access Rules
  5. Central Access Policy

  1. Create a claim type, such as:
    1. Company
    2. Department
    3. Manager
  2. Next you need to enable the resource property. Before this can be done you need to add the properties.

Go into each resource property and add its values, for example:

Company = Microsoft; Apple; Cisco

Department = Finance; HR; IT

  1. Create a resource property list. This list is published globally to all supported file servers with the attributes configured previously.
  2. Create a Central Access Rule. This can be called something like "Company-Dept-Match-Required". The rule dictates what values the Department and Company attributes must hold before the file can be accessed.
    1. Add the target resources to add the conditions. Choose: Resource > "Attribute" > Exists
    2. Create the "AND" statement and repeat for the next attribute.
    3. Apply permissions. For this to apply to all users the usual approach is to give "Authenticated Users" Full Control. Because this is used in conjunction with NTFS permissions, the effective access is the more restrictive of the two, so users never gain these Full Control abilities unless they created the document/folder.
    4. Add the condition for the permissions as follows: User > "Attribute" > Equals > Resource > Company
    5. Repeat for Department.
  3. Create a Central Access Policy. This can be named "Company-Dept-Match-Reqd-Policy".
    1. Click Add in the Member Central Access Rules section and add the rule to the policy.
  4. Create a Group Policy to deploy the Central Access Policy to the domain file servers (wherever they are). The policy is located under: Computer > Policies > Windows Settings > Security Settings > File System > Central Access Policy
    1. Right-click to create the policy and add the access policy to the configuration.
    2. Create another policy linked to the domain controllers, named "DAC KDC Kerberos Armouring". Add the policy located at: Computer > Administrative Templates > System > KDC > "KDC Support for claims, compound authentication and Kerberos Armouring"
    3. Set the policy to "Supported".
    4. In the same policy, add the policy located at: Computer > Administrative Templates > System > Kerberos > "Kerberos Client Support for claims, compound authentication and Kerberos armoring". This policy does not need to be linked to the clients to enable the feature for them. As the clients obtain their Kerberos claims from the DC, it is only necessary to enable this on the DC, which will in turn filter through to any client that uses the feature.
  5. To update Group Policy on the file server and FSRM, run the following:
    1. gpupdate /force
    2. Update-FSRMClassificationPropertyDefinition
    3. klist purge
  6. Go to the file server and modify the classifications in the properties of the files/folders.
  7. REMEMBER to apply the Central Policy from the Advanced Security section.
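Steps 1 to 3 above (claim types, resource properties and the Global Resource Property List) done from PowerShell instead of ADAC, as an added example that is not part of the original post. It assumes the ActiveDirectory module on a Server 2012 or later DC, uses the post's Company and Department values, and leaves the central access rule, policy and GPOs to the ADAC/GPMC steps described above.

```powershell
Import-Module ActiveDirectory

# Claim types and matching resource properties with the suggested values from the
# post. Each key is both the display name and (lower-cased) the AD user attribute
# the claim is sourced from: company, department.
$definitions = @{
    Company    = 'Microsoft', 'Apple', 'Cisco'
    Department = 'Finance', 'HR', 'IT'
}

foreach ($name in $definitions.Keys) {
    # Suggested values are (value, display name, description) entries
    $values = foreach ($v in $definitions[$name]) {
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($v, $v, '')
    }

    # Step 1: the user claim, populated from the user object's attribute of the same name
    if (-not (Get-ADClaimType -Filter "DisplayName -eq '$name'")) {
        New-ADClaimType -DisplayName $name -SourceAttribute $name.ToLower() `
            -SuggestedValues $values -Enabled $true
    }

    # Step 2: the resource property. SharesValuesWith reuses the claim type's value
    # list, so "User.Company equals Resource.Company" compares like with like.
    if (-not (Get-ADResourceProperty -Filter "DisplayName -eq '$name'")) {
        New-ADResourceProperty -DisplayName $name -IsSecured $true `
            -ResourcePropertyValueType MS-DS-SinglevaluedChoice `
            -SharesValuesWith $name -Enabled $true
    }
}

# Step 3: publish both properties in the list every DAC file server downloads
Add-ADResourcePropertyListMember 'Global Resource Property List' -Members Company, Department

# Verify what the file servers will receive
Get-ADResourcePropertyList 'Global Resource Property List' | Select-Object -ExpandProperty Members

# Steps 4 onwards (central access rule, policy, GPOs) stay in ADAC/GPMC as above.
# Afterwards, on each file server, the refresh from step 5:
#   gpupdate /force
#   Update-FSRMClassificationPropertyDefinition
#   klist purge
# On a Windows 8+ client, 'whoami /claims' shows whether the user's ticket now
# carries the Company and Department claims.
```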