Do not Forward and the protection of attachments

Maybe I am the only one who has misunderstood this, but if not, this may be useful for you. I've been wrong about this for a while, and since it is not a feature we have used, I didn't really look into it until today. I always thought that using Do not Forward in a label would make sure attachments where given the same DNF rights. 

Unfortunately I was shown the error of my ways by one of my customers today, when I answered (with some confidence) that, yes: Attachments get the same protection. He then replied that he was able to do all kinds of things with the attachment, and I started to look into it more closely.

Microsoft has many great articles about protecting information, and this article is no exception. I guess you just have to read it carefully. They say: 

“When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it. For example, in the Outlook client, the Forward button is not available, the Save As and Print menu options are not available, and you cannot add or change recipients in the To, Cc, or Bcc boxes.”

And this is what I thought it did. So far so good. They go on saying this: 

“Unprotected Office documents that are attached to the email automatically inherit the same restrictions.”

And this must have been when I stopped reading, because I interpreted the same restrictions as Do not Forward, which as we read over means: the recipients cannot forward it, print it, or copy from it.

 Distracted - Photo

But for those of you who are not as easily distracted as me, and are able to complete things, you will have seen this as you kept reading: 

“The usage rights applied to these documents are Edit Content, Edit; Save; View, Open, Read; and Allow Macros."

Now these are not the same restrictions, are they? Here you are free to download, copy the content, forward the attachment and much more. So how do we make sure the attachment has the protection we want it to have? Well, if we read on, we can see this:

"If you want different usage rights for an attachment, or your attachment is not an Office document that supports this inherited protection, protect the file before you attach it to the email. You can then assign the specific usage rights that you need for the file.”

So, if you are like me and believed that the attachment was also given the Do not Forward rights, then you now know that it isn't necessarily so, and that you may have to protect the document before you add it as an attachment.

It is also important to know that only documents that supports rights management will automatically have their permissions restricted to match the restrictions on the e-mail. All other file types are attached unprotected as we can see when we send e-mails from the full Outlook client.

At this time I am testing a whole bunch of different scenarios with this feature, and see some pretty interesting results that will end up in another blog post.


Post a Comment

Popular posts from this blog

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label