Securing Your Office Documents

Many of us have moved to using portals for sharing documents with clients and other outside agencies. If you have not started using portals or have never even heard of them, portals provide a secure, encrypted way to share documents and information with groups and individuals outside your office. Email has never been a very secure method of transmitting data. It is too easy for a hacker to pick a message out as it travels through the cloud and begin to hack it, without either party involved in the conversation ever knowing. Portals take care of that shortcoming. But what if you need more control? What if what you are sharing has a shelf life, or once it is shared with its intended target you don’t want the document to be shared any further? Enter Microsoft Information Rights Management (IRM). IRM is a technology that allows you to grant rights to a document, allowing you to control what others can and cannot do with the document.

Some features of IRM include the ability to limit who can open the file. Once open, the file can be secured even more by giving some people rights to only read the document and granting others the ability to make changes. Advanced features include the ability to set an expiration date for a document, very Mission: Impossible. You can grant or deny the ability to print the document or copy its content. For the more technical, you can even deny access to content programmatically. This means I cannot use or write another program to access the information in a spreadsheet, for example. Microsoft IRM is, for the most part, restricted to Microsoft Office documents: Word, Excel, and PowerPoint, to be exact.

So how does all this work? Microsoft has two solutions. One, for most of us, is a free service that uses Microsoft Live IDs, and the other is a server an enterprise can use to manage its own IRM. I am going to talk about the first, free solution. When you elect to secure your first document using Microsoft IRM, there are a few steps involved. In Office 2010, click File, then Info. Click the Protect Document drop-down, hover over Restrict Permissions by People, and choose Restricted Access. This will start a short wizard that will ask you if you want to set up IRM for use on your computer. If you have come this far, the answer will be yes. As part of the wizard, you will be prompted for a Microsoft Live ID user name and password. If you already have one, great; if not, it is a simple process. I recommend you use your work email address as your user name and don’t create a new one, which only creates headache and a Hotmail email account. Once all that is done, you will be able to manage the IRM for the document by entering the email addresses of the people to whom you wish to grant access. Once access has been restricted, a yellow bar will appear above your document with a button that will allow you to change permissions.

On the receiving end, those you have granted access to will get a message the first time they open an IRM-managed document, asking them to go through the same wizard we encountered earlier that set up the IRM client on the machine that created the document. The person opening the document will only have to go through this process once, and verify their identity if they don’t have an existing Windows Live ID. Once completed, the recipient will be able to open the document with all the rights they have been assigned. One great thing about IRM is that it is in the cloud. You can require the document to check permissions every time it is opened, over the internet, so that its list of permissions is updated. If you want to remove someone’s access, just make the change to the permissions on your local copy and every copy gets updated the next time it is opened.

Securing Office documents is great, but what about PDF documents? There are several technologies available that do the same thing as IRM and support PDF documents, which I may explore in a future article. Recently, however, I was introduced to a solution from Microsoft and a company called Foxit, the maker of a popular PDF reader, which extends PDF documents so that they can be managed by Microsoft SharePoint and IRM when the PDF is shared from an IRM-protected SharePoint site. The Foxit reader is the only reader compatible with this IRM solution at the time this article is being written. For more information on compatible readers, visit this webpage (http://office.microsoft.com/en-us/sharepoint-help/sharepoint-compatible-pdf-readers-that-support-microsoft-information-rights-management-services-HA102925502.aspx). This solution is compatible with SharePoint Online Enterprise E1, E3, and E4 subscriptions and SharePoint Server 2013 Enterprise.

Many times, getting documents securely to their destination is only half the battle. Managing your intellectual property once it has left the confines of your local network can be difficult. Microsoft IRM, built into Microsoft Office, is a simple, cost-effective solution for any small business.

iOS Parental Controls

iOS devices don’t have a Parental Controls button, so where to go to lock down your iPhone, iPod, or iPad might not be obvious to some. iOS devices have a set of settings called Restrictions that allows you to turn on and off all kinds of features, like in-app purchasing. Let’s get started locking down your device.

If you share your device with your child and want to limit when they can use the device, a good first step is to add a password. I have covered adding a password to your device before, but to refresh your memory, tap the Settings icon, then tap General, and finally tap Passcode Lock. From this screen you can turn passcodes on. I would also recommend you choose to turn simple passcodes off, so the passcode can be longer than a 4-digit PIN and include letters and numbers. Turning off the 4-digit PIN and using a more complex password is more secure and more difficult for a child to figure out by watching you unlock the device.

Now, to restrict access to content that you don’t want your child to access, begin by tapping the Settings icon, then tap General, then tap Restrictions. On this screen, you will need to tap Enable Restrictions to turn the feature on. You will be asked to create a 4-digit Restrictions Passcode and confirm it before you can begin changing the Restrictions settings.

Now you can allow access to certain apps like Safari or iTunes. When you turn off one of the apps in this Allow group, the app icon is hidden from the home screen. In the next group, Allowed Content, you can set the content rating allowed for different types of media.  For example, you can set movies to only allow content with a G rating.  You can also turn off In-App Purchases in this group, so that your child doesn’t buy 10,000 cat toys for Talking Tom by accident.  I would recommend also setting Require Password to “Immediately,” so that the device does not temporarily save your password for purchases you do not approve.  Not changing this setting could allow your child to make unapproved purchases during the time the password is cached.  The Privacy group will allow you to choose what apps have access to your personal information like location, contacts, or Facebook.  One setting in the Allow Changes group that might just save your sanity is Volume Limit.  You can set the volume for the device, and when you set this option to Don’t Allow Changes the volume level will be locked at the current setting. There are quite a few options to choose from on the restrictions screen.  Take the time to explore them and choose what works best for you and your family.

One other new feature that is part of iOS 6 is Guided Access. Located under Settings > General > Accessibility > Guided Access, this feature allows you to limit your device, on the fly, to a single open app. You can also choose which app features are turned on and even disable parts of the screen. When you turn on Guided Access you will have to create another 4-digit passcode. Once Guided Access is enabled, all you have to do is launch your child’s favorite version of Angry Birds, triple-click the Home button, and adjust the settings for the app. When you hand the device to your child, they will be locked into that single app with no access to the rest of the device. To exit Guided Access, just triple-click the Home button again and enter the passcode.

Explore the options in Restrictions and play with Guided Access.  It may take some adjustment and some trial and error to find what is best for your family.  I am glad I took the time to set these controls for my family.  I am more confident when handing over my iPad to any of my 3 young children that their curious roving little fingers will not take them some place they should not be when daddy is not looking.

Windows Server 2012 Remote Desktop Web Access

Much like Istanbul and Constantinople or New York and New Amsterdam, Remote Desktop was once known as Terminal Server. To borrow a line from the ’80s alt-rock band They Might Be Giants, “why they changed it I don’t know. I just guess they liked it better that way.” No matter what it is called, Remote Desktop Services has been a part of Windows Server for as long as I can remember. Over the years, a lot more than just the name of this rockin’ feature has changed. Today, Remote Desktop Services includes many features and provides remote access to resources in a number of ways. In this article, I am going to discuss Remote Desktop’s Web Access feature, which allows a user to initiate a remote session using little more than a web browser. It also went by another name in the past: TS Web Access.

Remote Desktop Web Access allows users to access a feature called RemoteApp and Desktop Connection from the Start menu or through a web browser. Road Warriors and teleworkers can also connect remotely to the desktop of any computer on the network to which they have Remote Desktop access. RemoteApp is, in my opinion, one of the coolest features of Remote Desktop Web Services. RemoteApp allows you to install an application on a server, then place a shortcut on the Web Access page or in the Start menu of the client machine and stream the application so it looks like it is running on the local machine. With Web Access turned on, a user can go to your company’s Remote Desktop Web Access website from a computer at their home, for example, and connect to a desktop in the office. Depending on how Remote Desktop Web Access is set up, an administrator can allow users to connect to their computer at their desk, a virtual desktop, or a secure desktop session running on the server. These features greatly simplify the task of allowing mobile workers to be mobile.

Remote Desktop Services in general have undergone an overhaul. Microsoft has focused on making setup and management of the services easier. Nearly all the tools for managing Remote Desktop Services have been integrated into Server Manager. The Quick Start option for deploying Remote Desktop Services makes setting up Remote Desktop Services and publishing RemoteApp programs on a single server quick and easy. Additional high availability features now allow the solution to be more scalable and eliminate a single point of failure that could bring a large deployment to its knees.

Remote Desktop Services are not free, though they are already a part of Windows Server. Additional licenses must be purchased in order for your employees to keep rockin’ through the work day no matter where they are. Licenses can be purchased in blocks of 5 at a minimum and can be either per device or per user. I generally recommend per user licensing for most installations, because it allows a single user to connect from different devices, whereas per device licenses will allow only certain licensed devices to connect. This will be important to consider when planning how to implement Remote Desktop Services in your environment.

Remote Desktop Services are a powerful tool when trying to give your mobile workforce access, on the road, to all the resources they would have in the office. I would recommend looking into Remote Desktop Services to any of my clients considering letting users work from home or on the road.

Office 365 SharePoint Online

SharePoint is a web-based collaboration and document management server from Microsoft. SharePoint allows users to upload and share documents securely in a web-based environment using Internet Explorer. Employees can group documents, calendars, and discussions into web-based work spaces where they can collaborate easily from anywhere they have an internet connection. Documents can be stored and archived in websites designed for long-term document management that is compliant with most of the government regulations for document retention. Businesses can also use SharePoint to build custom applications that improve office productivity by automating and managing document workflows such as document approval. Office 365 SharePoint Online takes all of these great features and moves them into a cloud managed by Microsoft, so your business can get back to doing business and not worrying about managing IT concerns like server backup and software updates.

SharePoint Online subscriptions are bundled with many of the Office 365 subscriptions, like Office 365 Small Business Premium, or can be purchased on their own. On its own, SharePoint Online comes in 2 flavors. Plan 1 is $3/user/month and does not include the archiving and compliance features, Enterprise Search, and a few other advanced features. Plan 2 is $7/user/month and includes nearly all of the functionality of having a SharePoint Enterprise Server physically in your office. Each of the Office 365 plans includes SharePoint Online, starting with Office 365 Small Business, supporting only the most basic of features for $5/user/month, all the way up to the Office 365 Enterprise E3 plan, supporting all the features of the SharePoint Online Plan 2 for $20/user/month.

Out of the box, every SharePoint Online subscription allows users to share documents and collaborate with not only other users inside your organization but also with an unlimited number of users outside your organization. This ability makes SharePoint a very attractive solution for creating client portals for sharing important documents with clients or other organizations and individuals with whom your company might work. The depth of features and the customizability of SharePoint are its greatest strengths. There is a cornucopia of ready-made plugins available to improve and expand on SharePoint’s already impressive features. Software developers are also able to build a custom solution that fits exactly what your company needs, no matter how simple or complicated.

SharePoint Online standalone or bundled subscriptions are a powerful part of the Microsoft Cloud. If you or your business has not looked into Office 365 and all the tools it has to offer, the only question you should be asking yourself right now is why we didn’t look at this sooner. Get more info about Office 365 at www.office365.com or call B.I.T.S. today to schedule a consultation and a free trial.