A useful complement to Exchange Server 2010's Transport Rules
Creating Outlook Protection Rules

Although Exchange 2010 has powerful IRM features, there's always the concern that a user might send a sensitive email message that travels unprotected from the moment it leaves Outlook until it reaches your Exchange 2010 server, where a Transport Rule can finally detect it and apply protection. In large organizations, where many sensitive email messages are sent, you might also not want to rely on Transport Rules alone, because heavy use can affect server performance.
Transport Rules have numerous potential performance problems, ranging from rules that require in-depth analysis of email and attachments, to the actions that must be performed when a rule fires (such as encrypting an email and attachments). The potential performance effect depends on the type of rules, the actions that must be performed, and how often they fire (typically tied to mail volume).
Depending on compliance obligations, your company might need to encrypt certain types of data, including email messages with information about customers, before transmitting it from a desktop or laptop. In addition, you might not have Exchange 2010 fully deployed yet, meaning you can't take advantage of IRM features in Exchange 2010 Transport Rules. For all these reasons, you should consider using the new IRM feature in Outlook 2010 called Outlook protection rules.
Outlook protection rules aren't as sophisticated as Transport Rules. They are limited to applying rights protection to email messages based on one or more of the following three criteria: the department or group the sender of the email message is in; the recipient email address; and the scope of the email message (whether the recipients are inside or outside the organization). The protection rules are created on your Exchange 2010 servers using Exchange Management Shell (EMS) cmdlets, and Exchange must be deployed sufficiently that the rules can be distributed to Outlook 2010 clients through Exchange Web Services (EWS). Because the protection is applied by the client before the message is sent, it also covers the hop from Outlook to the server that a Transport Rule cannot.
Outlook protection rules are based on rights policy templates. You need to create these templates on your Active Directory (AD) Rights Management Services (RMS) servers. If you already have existing templates that apply the policies you need, you can reuse them. You can enumerate the templates available to Exchange from the EMS using the Get-RMSTemplate cmdlet. The list returned always contains the default template named Do Not Forward. Be careful when creating or reusing templates, though: Get-RMSTemplate shows a template's name and description, not the rights it grants, and an Outlook protection rule that applies a template restricted to a particular set of named users will render the protected email message unreadable by every other recipient, while a template that grants the Forward or Print right will let recipients forward or print the message. Always check the rights specified in a template, in the AD RMS management console, before using it in a rule.
You might find it simpler to create new templates that specify Anyone as a consumer of rights-protected content, rather than specific named users, and ensure that the right to forward an email message isn't selected in those templates. This configuration will ensure that all users can read an email message they receive that was rights protected by an Outlook protection rule but can't forward the email message to anyone else.
After you have your rights policy templates set up, you create your Outlook protection rules using the New-OutlookProtectionRule cmdlet in the EMS. You can't create Outlook protection rules using the Exchange Management Console (EMC) or Exchange Control Panel (ECP). The cmdlet has only two required parameters. The first is the name of the Outlook protection rule, specified as -Name <rule name>; you'll use this name to manage the rule afterwards (for example, with Get-OutlookProtectionRule and Remove-OutlookProtectionRule). The second is the name of the rights policy template, specified as -ApplyRightsProtectionTemplate <rights policy template>, which must match a name returned by Get-RMSTemplate. In addition to the rule name and template, you should specify the conditions under which the rule applies; a rule with no conditions is unconditional, so Outlook will apply the template to every message the user sends.
To specify that a rule is applied when the sender is from a particular department, use the -FromDepartment <department name> argument, where <department name> is one or more departments that the rule should apply to. The argument <department name> is checked against the department attribute on the user object corresponding to the user sending the email message to see if a match exists and whether or not the rule should apply. You can set users' departments by editing the Department field on the Organization tab of one or more users' Properties dialog box, which can be viewed in the EMC or in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
To apply a rule based on the recipient, use the -SentTo <recipient name> argument. The <recipient name> parameter can be the names of one or more recipients in Outlook's address book and can be one or more SMTP addresses (which are typically used for external recipients). Note that if you create a rule that specifies a distribution or mail-enabled security group, the rule won't apply when an email message is sent to one or more members of the group without using the group name. The rule will apply only when the group name specified in the rule matches a recipient on the To:, Cc:, or Bcc: lines in Outlook.
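The procedure above, from enumerating templates through creating and verifying rules, carried through end to end as an added example (this script is not from the original article or from Microsoft's documentation). It assumes an AD RMS rights policy template named Confidential - Read Only has already been created and published, that the EMS session holds a role able to manage IRM settings, and that the sending users' AD objects carry the Department values Finance and Accounting. The rule names, the display name Legal Department and the address counsel@example.com are made up. The parameters -SentToScope (the scope condition, accepting InOrganization or All) and -UserCanOverride are part of the cmdlet but are not introduced in the text above; confirm them against Get-Help New-OutlookProtectionRule on your own servers.

```powershell
# Added example: enumerate templates, validate the one we intend to use,
# then create three Outlook protection rules and read them back.
# Run from the Exchange Management Shell on an Exchange 2010 server.

$templateName = 'Confidential - Read Only'   # assumed AD RMS template name

# 1. List the rights policy templates Exchange can see.
#    "Do Not Forward" is always present; the rest come from the AD RMS cluster.
#    Remember this shows names only, not the rights each template grants.
Get-RMSTemplate | Format-Table Name, Type -AutoSize

# 2. Refuse to build a rule on a template that has not been distributed.
#    New-OutlookProtectionRule would fail anyway, but a clear error beats
#    a half-configured set of rules.
if (-not (Get-RMSTemplate | Where-Object { $_.Name -eq $templateName })) {
    throw "Template '$templateName' is not available from Get-RMSTemplate; check AD RMS template distribution."
}

# 3. Department condition: matched against the 'department' attribute of the
#    sender's AD user object. -UserCanOverride $false stops the user from
#    removing the protection in Outlook before sending.
New-OutlookProtectionRule -Name 'OPR-Finance-Senders' `
    -FromDepartment 'Finance', 'Accounting' `
    -ApplyRightsProtectionTemplate $templateName `
    -UserCanOverride $false

# 4. Recipient condition: an address-book entry (assumed group display name)
#    plus an external SMTP address. A group listed here matches only when the
#    group itself is on To:, Cc: or Bcc:, not when members are addressed
#    individually.
New-OutlookProtectionRule -Name 'OPR-Legal-Recipients' `
    -SentTo 'Legal Department', 'counsel@example.com' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# 5. Scope condition combined with a department: protect Finance mail only
#    while all recipients are inside the organization. Use -SentToScope All
#    to cover external recipients too.
New-OutlookProtectionRule -Name 'OPR-Finance-Internal' `
    -FromDepartment 'Finance' `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# 6. Read the rules back. Flag any rule that carries neither a department nor
#    a recipient condition so you can confirm its scope is what you intended;
#    an unconditional rule protects every message the user sends.
Get-OutlookProtectionRule | ForEach-Object {
    $rule = $_
    $unconditional = (-not $rule.FromDepartment) -and (-not $rule.SentTo)
    [PSCustomObject]@{
        Name        = $rule.Name
        Template    = $rule.ApplyRightsProtectionTemplate
        Department  = ($rule.FromDepartment -join ', ')
        SentTo      = ($rule.SentTo -join ', ')
        Scope       = $rule.SentToScope
        CheckScope  = $unconditional
    }
} | Format-Table -AutoSize
```

After the rules are created, verify the end result from a client: sign in to Outlook 2010 as a user in the Finance department, address a new message to an internal mailbox, and confirm that Outlook shows the template's permission banner before the message is sent. Then send the same message to an external address and check that only the rule whose scope or recipient list covers external mail applies.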