securing your business information - template from microsoft


Upload: atidan

Post on 20-Aug-2015


Page 1: Securing Your Business Information - Template from Microsoft

Work Smart by Microsoft IT

Securing Your Business Information

Customization note: This document contains guidance and/or step-by-step instructions that can be reused, customized, or deleted entirely if they do not apply to your organization’s environment or installation scenarios. Any text marked by yellow highlighting indicates either customization guidance or organization-specific variables. All of the highlighted text in this document should either be deleted or replaced prior to distribution.

Whether you are exchanging emails, sharing documents, or having a phone conversation, it is your responsibility to help protect your company’s confidential information from any unauthorized disclosure.

In this Work Smart guide, you will learn how to use four Microsoft technologies that help protect business information. These technologies include Information Rights Management (IRM), Secure/Multipurpose Internet Mail Extensions (S/MIME), BitLocker Drive Encryption, and Encrypted File System (EFS).

Note: For more information about how to classify business information and data according to the potential impact of unintentional disclosure, read the “Classifying and Protecting Your Business Information” Work Smart guide at http://aka.ms/customerworksmart.

Topics in this guide include:

Using IRM to protect information

Applying S/MIME to email messages

Protecting data with BitLocker

Protecting data with EFS

For more information

Using IRM to protect information

When a company has configured their systems to use Information Rights Management (IRM), employees using Microsoft Office can apply permissions to messages or documents by using options on the ribbon. The protection options that are available are based on permission policies that are customized for an organization. Office 2013 also provides several predefined groups of rights, such as Do Not Forward in Outlook 2013. More information about IRM is available at http://technet.microsoft.com/en-us/library/cc179103.aspx.

Protecting documents on SharePoint Online

To learn more about applying IRM on SharePoint Online using RMS, see http://office.microsoft.com/en-us/sharepoint-server-help/apply-information-rights-management-to-a-list-or-library-HA010154148.aspx and the Work Smart Guide "Secure Collaboration using SharePoint Online" at http://aka.ms/customerworksmart.

Using IRM to protect email messages

To restrict permissions on email messages and prevent recipients from forwarding, printing, or copying sensitive data, do the following:

1. In Outlook 2013, on the Mail page, select the Home tab, and click New Email.

2. In the new message, click the Options ribbon tab, and click Permissions.

Note: If you are not connected to your corporate network, you may first need to click Connect to Rights Management Servers to get templates. Once connected to the server, a list of permissions displays.

3. Select the appropriate permission for the email message.

Configuring a message to expire

1. In Outlook 2013, on the Mail Home tab, click New Email.

2. In the new message, click the Options ribbon tab.

3. In the More Options section, click Delay Delivery.

4. Select the Expires after check box and enter date and time.

5. Click Close.

Using IRM to protect emails in Outlook Web App

To restrict permissions on email messages and to prevent recipients from forwarding, printing, or copying sensitive data, when using Exchange 2013, do the following:

1. In OWA, on the Outlook page, click new mail.

2. In the new message, click the ellipses (…).

3. In the drop-down list, select set permissions, and then select the appropriate permission for the email message.

Note: When users send an IRM-protected message from OWA, any files attached to the message also receive the same IRM protection and are protected by using the same rights policy template as the message. In Exchange 2013, IRM protection is applied to files associated with Microsoft Office Word, Excel, and PowerPoint, as well as .xps files and email messages. IRM protection is applied to an attachment only if it's not already IRM-protected.

Using IRM to protect a document

You also can protect Microsoft Office Word, Microsoft Office Excel, and Microsoft Office PowerPoint files by applying IRM:

1. In Word 2013, click File, and on the Info page, click Protect Document.

2. Select Restrict Access and click to select the appropriate restriction to apply.

Note: If you are not connected to your corporate network, you may first need to click Connect to Rights Management Servers to get templates. Once connected to the server, a list of permissions displays.

Specifying who can access or change a document

1. In Word 2013, click File, and on the Info page, click Protect Document.

2. Under Restrict Access click Restricted Access.

3. In the Permissions window, select the Restrict Permissions to this document check box.

4. Add users in the Read or Change boxes and click OK.

Configuring a file to expire

Use IRM to enforce an expiration date so that recipients cannot access the file after a specific date:

1. In Word 2013, click File, and on the Info page, click Protect Document.

2. Under Restrict Access click Restricted Access.

3. In the Permissions window, select the Restrict Permissions to this document check box.

4. In the Permissions window, click More Options.

5. Select the This document expires on: check box, enter an expiration date, and click OK.

6. When the date has passed, the user will not be able to open the document.

How to password protect a section in OneNote 2013

1. In OneNote, open the section you wish to protect and select the Review tab.

2. Under Password Protection, select Set Password.

3. In the Password Protection window, enter and confirm your new password and click OK.

4. A pop-up window appears. Select whether to keep or delete existing backups of the section that do not have the assigned password.

How to change or remove a password from a section in OneNote 2013

1. In OneNote, open the section that is password protected and select the Review tab.

2. Under Password Protection, select Change Password or Remove Password.

a. If changing the password, enter the old and new password and confirm the new password. Then, click OK.

b. If removing the password, enter the password and click OK.

Applying S/MIME to email messages

Secure/Multipurpose Internet Mail Extensions (S/MIME) enables you to encrypt and/or digitally sign your email messages. Encrypting your messages converts regular text into encrypted text so that only people who you specify can read it. Digitally signing an email message helps ensure that no tampering occurs while your message and its attachments are in transit.

Signing a message digitally with S/MIME

Signing a message digitally applies an authorized certificate to it that validates that the message is from you and is unaltered. To sign a message digitally:

1. In Outlook 2013, in an open message, click the Options tab.

2. In the More Options group, click the arrow in the lower-right corner to expand options box.

3. Under Security, click Security Settings.

4. Select the Add digital signature to this message check box.

5. Select the following options, if applicable:

Select the Send this message as clear text signed check box to enable recipients who do not have S/MIME security to read the message.

Select the Request S/MIME receipt for this message check box to verify that the recipient validates the digital signature and receives the message unaltered, and for you to receive an email notification about who opens the message and when it is opened.

6. Click OK.

Notes:

For more information about S/MIME in Office 2010, see http://office.microsoft.com/en-us/outlook-help/send-an-email-message-with-an-s-mime-receipt-request-HP010356428.aspx.

For more information about S/MIME in Office 2013, see http://office.microsoft.com/en-us/outlook-help/send-an-email-message-with-an-s-mime-receipt-request-HA102748933.aspx.

Encrypting a message with S/MIME

Encrypting a message with S/MIME means that recipients cannot access it unless they have a private key that matches the public key that you used for encryption. To encrypt a message with S/MIME:

1. In Outlook 2013, in an open message, click the Options tab.

2. In the More Options group, click the arrow in the lower-right corner to expand options box.

3. Under Security, click Security Settings.

4. Select Encrypt message contents and attachments.

5. To change additional settings, such as selecting a specific certificate to use, click Change Settings, make the changes, click OK twice, and then click Close.

Enabling recipients to access encrypted files

When you send an encrypted message, S/MIME uses the recipient’s certificate and public key to encrypt the file. Therefore, you have to exchange certificates and keys before you can send and access encrypted messages from a specific person.

If you plan to send an encrypted message to someone:

1. Send the person an email that you sign digitally by following the directions in the previous section “Signing a Message Digitally with S/MIME”. Signing your message digitally ensures that your public encryption key is included. This enables the person to send you encrypted email.

2. Ask the person to send you a digitally signed email that includes their public encryption key. This enables you to send them encrypted email.

3. Create an entry in your Outlook contacts for the person, which saves that person’s encryption key. After that, Outlook uses this key every time that you send this person an encrypted message. To create a contact entry:

4. Open a digitally signed email from the person, right-click the person’s name or email address, and select Add to Outlook Contacts.

Important: If you want to exchange encrypted messages with an external party that does not have a secure email certificate, refer them to Thawte at http://www.thawte.com/home.html or VeriSign at http://www.verisign.com/index.html.
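A check that complements the certificate exchange described above, as an added example that is not part of the original guide: it lists which certificates in the current user's Windows certificate store are usable for S/MIME signing and for receiving encrypted mail. The function name `Get-SmimeCertificate` is hypothetical, and the check covers validity dates, key usage, and private key presence only, not revocation or chain trust.

```powershell
# Added example (not from the guide). Get-SmimeCertificate is a hypothetical name.
function Get-SmimeCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $emailOid = '1.3.6.1.5.5.7.3.4'   # Secure Email enhanced key usage (EKU)
    $ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $kuType   = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    $flags    = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $now      = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # A certificate without an EKU extension is valid for any purpose;
        # one with an EKU list must name Secure Email to be used for S/MIME.
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        if ($eku -and @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $emailOid) {
            continue
        }

        # A certificate without a Key Usage extension has no key usage restriction.
        $ku = $cert.Extensions | Where-Object { $_ -is $kuType }
        $signBits    = $flags::DigitalSignature
        $encryptBits = $flags::KeyEncipherment -bor $flags::KeyAgreement   # RSA or ECC keys
        $canSign     = (-not $ku) -or (($ku.KeyUsages -band $signBits) -ne 0)
        $canEncrypt  = (-not $ku) -or (($ku.KeyUsages -band $encryptBits) -ne 0)
        $inValidity  = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

        [pscustomobject]@{
            Subject             = $cert.Subject
            NotAfter            = $cert.NotAfter
            InValidityPeriod    = $inValidity
            HasPrivateKey       = $cert.HasPrivateKey
            # Signing needs your private key and the DigitalSignature usage.
            CanSign             = $inValidity -and $cert.HasPrivateKey -and $canSign
            # Others encrypt to your public key; you need the private key to read it.
            CanReceiveEncrypted = $inValidity -and $cert.HasPrivateKey -and $canEncrypt
        }
    }
}

# Usage: show the result as a table for the signed-in user.
Get-SmimeCertificate | Format-Table -AutoSize
```

An empty result, or rows where both CanSign and CanReceiveEncrypted are False, means a certificate has to be obtained or renewed before the Outlook options described above will work.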

Protecting data with BitLocker

BitLocker Drive Encryption is a data protection feature available in Windows Vista, Windows 7, and Windows 8. BitLocker encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost, stolen, or decommissioned. More information about BitLocker is available at http://technet.microsoft.com/en-us/library/hh831713.aspx.

BitLocker To Go provides drive encryption that helps protect against unauthorized access to your portable storage drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other removable drives formatted by using the NTFS, FAT, or exFAT file systems.

Note: For step-by-step guidance about how to enable BitLocker and BitLocker To Go in Windows 8, download the “Work Smart: Protecting Data with Windows 8 BitLocker” guide available at http://aka.ms/customerworksmart.

Protecting data with EFS

If your computer is not BitLocker compatible, you can use Encrypted File System (EFS) to encrypt your files and folders by using a certificate. EFS requires that users with whom you share information enter the appropriate decryption key before they can access the encrypted content.

Although you can encrypt files individually, it is recommended that you designate a specific folder to store your encrypted files, and to encrypt that folder. All files that are created in or moved to the encrypted folder will automatically obtain the encrypted attribute.

How to encrypt a folder:

1. Right-click a folder you want to encrypt, and then click Properties.

2. On the General tab, click Advanced.

3. In the Advanced Attributes dialog box, click the Encrypt contents to help secure data checkbox and click OK.

4. You will be returned to the General tab. Click Apply.

5. In the Confirm Attribute Changes dialog box, select Apply changes to this folder, subfolders, and files and click OK.

Important Note:

Encryption of the My Documents folder is not recommended.

If you move, copy, or save a file to an encrypted folder, the file becomes encrypted.

If you move, copy, or save an encrypted file to a location that is not on your computer, the file becomes decrypted.
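To confirm that the folder encrypted in the steps above really protects everything inside it, the following added example (not part of the original guide) reports whether the folder carries the encrypted attribute and lists any items under it that do not. The function name `Test-EfsFolder` and the path in the usage line are hypothetical.

```powershell
# Added example (not from the guide). Test-EfsFolder and the sample path are hypothetical.
function Test-EfsFolder {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Path)

    $encrypted = [System.IO.FileAttributes]::Encrypted
    $folder = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if (-not $folder.PSIsContainer) { throw "$Path is not a folder." }

    # EFS is an NTFS feature; report the file system so a FAT or exFAT
    # volume is recognized as the reason nothing is encrypted.
    try {
        $root = [System.IO.Path]::GetPathRoot($folder.FullName)
        $fileSystem = (New-Object System.IO.DriveInfo $root).DriveFormat
    } catch {
        $fileSystem = 'Unknown'   # for example, a network (UNC) path
    }

    # New or moved files are encrypted automatically only when the folder
    # itself carries the encrypted attribute.
    $folderEncrypted = ($folder.Attributes -band $encrypted) -eq $encrypted

    # Files that were in place before the folder was encrypted, or that were
    # skipped in the Confirm Attribute Changes dialog, show up here.
    $items = @(Get-ChildItem -LiteralPath $folder.FullName -Recurse -Force -ErrorAction SilentlyContinue)
    $plain = @($items | Where-Object { ($_.Attributes -band $encrypted) -ne $encrypted })

    [pscustomobject]@{
        Folder           = $folder.FullName
        FileSystem       = $fileSystem
        FolderEncrypted  = $folderEncrypted
        ItemsChecked     = $items.Count
        UnencryptedCount = $plain.Count
        UnencryptedItems = @($plain | ForEach-Object { $_.FullName })
    }
}

# Usage (hypothetical path):
# Test-EfsFolder -Path 'C:\Users\Public\Confidential' | Format-List
```

Running the same function against the destination after copying files elsewhere shows whether the copies kept their encryption.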

For more information

Information Rights Management (IRM): http://technet.microsoft.com/en-us/library/cc179103.aspx

Introduction to IRM for email messages: http://office.microsoft.com/en-us/outlook-help/introduction-to-irm-for-email-messages-HA102749366.aspx

Secure/Multipurpose Internet Mail Extensions (S/MIME): http://technet.microsoft.com/en-us/library/jj891023.aspx

BitLocker: http://technet.microsoft.com/en-us/library/hh831713.aspx

Encrypted File System (EFS): http://technet.microsoft.com/en-us/library/bb457116.aspx

Video: Getting Started with Encrypting File System in Windows 7: http://technet.microsoft.com/en-us/windows/how-do-i-get-started-with-the-encrypting-file-system-in-windows-7.aspx

International Data Protection Standards: http://download.microsoft.com/download/B/8/2/B8282D75-433C-4B7E-B0A0-FFA413E20060/international_privacy_standards.pdf

Work Smart by Microsoft IT: http://aka.ms/customerworksmart

Modern IT Experience featuring IT Showcase: http://microsoft.com/microsoft-IT

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. © 2014 Microsoft Corporation. All rights reserved.