Foxit RMS PDF Protection Tool - 2.1 User Manual

Foxit RMS PDF Protection Tool

User Manual

1

Foxit RMS PDF Protection Tool

User Manual

Copyright © 2015 Foxit Software Incorporated. All Rights Reserved.

No part of this document can be reproduced, transferred, distributed or stored in any format

without the prior written permission of Foxit.

Anti-Grain Geometry - Version 2.3, Copyright (C) 2002-2005 Maxim Shemanarev

(http://www.antigrain.com).

FreeType2 (freetype2.4.9), Copyright (C) 1996-2001, 2002, 2003, 2004| David Turner , Robert

Wilhelm, and Werner Lemberg.

LibJPEG (jpeg V6b 27-Mar-1998), Copyright (C) 1991-1998 Independent JPEG Group.

ZLib (zlib 1.2.5), Copyright (C) 1995-2003 Jean-loupGailly and Mark Adler.

Little CMS, Copyright (C) 1998-2004 Marti Maria.

Kakadu - Version 4.5.1, Copyright (C) 2001, David Taubman, The University of New South Wales

(UNSW).

PNG, Copyright (C) 1998-2009 Glenn Randers-Pehrson.

LibTIFF, Copyright (C) 1988-1997 Sam Leffler and Copyright (C) 1991-1997 Silicon Graphics, Inc.

Jbig2enc 0.27, Copyright (C) 2006 Google Inc.

Lleptonlib 1.63, Copyright (C) 2001 Leptonica.

Lcms 2.0, Copyright (c) 1998-2010 Marti Maria Saguer.

WCELIBCEX 1.0, Copyright (c) 2006 Mateusz Loskot.

libjpeg-turbo 1, Copyright (C)2011 D. R. Commander.

Microsoft AD RMS SDK 2.0, Copyright (C) 2012 Microsoft Corporation.

Permission to copy, use, modify, sell and distribute this software is granted provided this
copyright notice appears in all copies. This software is provided "as is" without express or

im-plied warranty, and with no claim as to its suitability for any purpose.

2

Foxit RMS PDF Protection Tool

User Manual

Content

Pre-installation Information ..................................................................... 4

System requirements ............................................................................... 4

RMS Command Line Tool Commands ....................................................... 4

Examples .................................................................................................. 6

Using the RMS Protection Tool in Conjunction with the Windows Server

File Classification Infrastructure ............................................................... 7

Add Security Dynamic Watermark to the File Encrypted by RMS ........... 17

Contact Us .............................................................................................. 26

3

Foxit RMS PDF Protection Tool

User Manual

User Manual

Foxit RMS PDF Protection Tool provides a command-line interface that can decrypt multiple AD
RMS protected PDF files or encrypt multiple PDF files by a predefined official rights-policy
template. This tool can be used to safeguard existing sensitive data on company shares. It also
works in conjunction with the File Classification Infrastructure (FCI) feature in Windows Server
2008/2012 to classify and protect sensitive company data.

Pre-installation Information

To run this tool, you must have the latest version of the AD RMS client installed. If you have an
existing older version of the AD RMS client installed, you will need to uninstall the old version first
and then download and install the latest version of the AD RMS client from below:

For X86：

http://us-request.foxitservice.com/products/redirect.php?title=ad_rms_sdk_x86&language=en_
us

For X64：

http://us-request.foxitservice.com/products/redirect.php?title=ad_rms_sdk_x64&language=en_
us

As for using Windows Azure AD Right Management (AAD RMS), please refer to the Quick Start

for Using Windows Azure AD Right Management.

System requirements

Supported operating systems: Windows 7, Windows 8 Release Preview, Windows Server 2008,
and Windows Server 2008 R2, Windows Vista, Windows Server 2012
The following list identifies client and server platforms that can install Active Directory Rights

Management Services SDK 2.0: • Windows Server 2008 R2 • Windows 7 • Windows Server 2008
with Service Pack 2 (SP2) • Windows Vista with Service Pack 2 (SP2) • Windows Server 2012

RMS Command Line Tool Commands

The following syntax, parameter description, and example sections describe the Foxit RMS
Command Line Tool commands.

4

Foxit RMS PDF Protection Tool

Format

Meaning

Monospace

Elements that the user must type exactly as shown.

Between angle brackets < >

Placeholders for values that the user must supply.

Between square brackets [ ]

Optional items.

Parameter

Description

/decrypt <location>

Performs a batch decryption. This will decrypt all of the PDF files that
reside in the location that is specified with this parameter.

/encrypt <location>

</template <name>

[issuer] > [/highstrength]

Performs a batch encryption. This will encrypt all of the PDF files that
reside in the location based on the rights policy template that is
specified along with this parameter.
The <issuer> argument lets you specify an issuer of rights policy
template.
The /highstrength is an updated and enhanced AD RMS cryptographic
implementation.

/revoke

This parameter is used to revoke a document that has been issued, or
revoke a user that has been authorized with access rights. If you want
to use this command, you need to configure the web service first. For
detailed configuration steps, please refer to Web Service
Configuration.

/showencyrption
location

This parameter will show user permission information for the
encrypted files.

/showtemplates [/sync]

The /showtemplates parameter can show the available templates.
The /sync parameter will download the rights policy template from
the server synchronously.

/preserveattributes

This parameter preserves all the original file attributes. These
attributes includes the following: Owner, Creation Time, Modified
Time, and Accessed Time. For example, when this parameter is used
with the File Classification Infrastructure in Windows Server 2008 R2,

User Manual

Syntax

RMSProtector [/decrypt <location>]
[/encrypt <location> </template <name> [issuer]> [/highstrength]

[/revoke] [/MicrosoftIRMV1]]

[/encrypt <location> </user <name> /rights <rights> [issuer]>

[/highstrength] [/revoke] [/MicrosoftIRMV1]]
[/showtemplates [/sync]] [/preserveattributes]
[/showencryption <location>]
[/log <log_file> [/append] [/simple]] [/silent]

Parameters

5

Foxit RMS PDF Protection Tool

there can be a rule in place to delete all files that were not modified
or accessed in the last 10 years. This option preserves all these
original attributes.

/log <log_file> [/append]
[/simple]

Performs an output to a log file. The log file contains a header that
will show the status during the prerequisite stage and a footer that
will shows the summary of the run. The log file will also show the file
count information.
The /simple flag allows the header, footer, and file numbering
information to be left out of the log file. This is useful when the tool is
used together with File Classification Infrastructure, because it will let
you append the log file without the header, footer, and file numbering
information.
The /append flag will add the new information to a pre-existing log
file. By default, if the /simple or /append flag is not specified when
you are using a pre-existing log file, the log file will be overwritten.

/silent

This parameter disables console logging.

/MicrosoftIRMV1

This parameter is used to encrypt PDFs with Microsoft IRM Protection
Version 1, which is a Microsoft extension to the PDF format to support
Microsoft IRM protection. The extension allows PDFs to be encrypted

by Microsoft IRM technology that is implemented by Microsoft’s

Active Directory Rights Management Server as well as by Azure Rights
Management. If not defined, Microsoft IRM Protection Version 2
(PPDF) will be used.

User Manual

Examples

The following shows an example of decrypting files on a network share:

RMSProtector.exe /decrypt \\Share\Folder /log RMSProtector.log

The following shows an example of encrypting local files:

RMSProtector.exe /encrypt C:\Documents\Folder /template TemplateName /log
C:\Logs\RMSProtector.log

The following shows an example of encrypting an individual file on a network share.

RMSProtector.exe /encrypt \\Share\file.pdf /template TemplateName IssuerName /log
C:\Logs\RMSProtector.log /append /simple/preserveattributes

The following shows an example of directly encrypting files:

RMSProtector.exe /encrypt C:\Documents\Folder /user user01@frms.com,user02@frms.com
/rights VIEW,ANNOTATE /revoke

User Rights include the following:

ALL: Full control

6

Foxit RMS PDF Protection Tool

User Manual

VIEW: View document
PRINTLOW: Print with low resolution
PRINTHIGH: Print with high resolution
FILLFORM: Fill in a form
ANNOTATE: Comment in the document
ASSEMBLE: Manage pages and bookmarks
MODIFY: Modify document
EXTRACTACCESS: Content copying for accessibility
EXTRACT: Extract the contents of the document
RUNJAVASCRIPT: Run JavaScript

Using the RMS Protection Tool in Conjunction with the Windows

Server File Classification Infrastructure

The following steps will guide you through setting up the RMS Command Line Tool and FCI.

1. Unzip installation package to the specified directory.

a. Log on to the FCI Server as Administrator.
b. Unzip command line tool to: C:\Windows\SysWOW64
c. If you have purchased the product, please place the key file in this directory.

2. Grant FCI Machine Account Read and Execute Permissions.
a. Log on to the AD RMS Server as an Administrator.
b. Navigate to C:\Inetpub\wwwroot\_wmcs\Certification, right-click on

ServerCertification.asmx and select Properties.

c. On the ServerCertification.asmx properties, select the Security tab, and then click Edit.
d. On the Permissions for ServerCertification.asmx screen, click Add.
e. On the Select Users, Computers, or Groups screen, to the right, click the Object Types…

button.

f. On the Object Types screen, place a check in Computers and click Ok.
g. On the Select Users, Computers, or Groups screen, under Enter the object names to select,

type <domain>\<machinename> and then click Check Names. This should validate the
machine with an underline. Click Ok.

h. On the Permissions for ServerCertification.asmx screen, select the newly added

machinename and verify it has a check in Read & execute. Click Apply and then OK.

i. On the ServerCertification.asmx properties, click Ok.

3. Grant AD RMS Service Group Read and Execute Permissions
a. On the Select Users, Computers, or Groups screen, under Enter the object names to select,

enter ADRMS\AD RMS Service Group and click Check Names. This should resolve with an
underline. Click Ok.

7

Foxit RMS PDF Protection Tool

4. To create the Shared Folder
a. Log on to FCI Server as Administrator
b. Click Start, click Computer, and then double-click Local Disk (C:).
c. Click File, point to New, and then select Folder.
d. Type SharedFolder for the new folder's name, and then press ENTER.
e. Right-click SharedFolder, click Share with, and then click Specific people.
f. On the File Sharing window, in the box under Type a name and then click Add, or click the

arrow to find someone select Everyone, then and click Add.

The Everyone group should now appear in the box below. Under Permission Level, select

Read/Write.

g. Click Share. The window should change and you should now see Your folder is shared.

h. Click Done.

a. Log on to FCI server as Administrator
b. Copy the script from Appendix 1 into notepad and save it as

c:\windows\system32\FoxitProtect.ps1.

c. Click Start, click Administrative Tools, and click File Server Resource Manager.

User Manual

b. On the Permissions for ServerCertification.asmx screen, select the newly added AD RMS

Service Group and verify it has a check in Read & execute. Click Apply and then Click Ok.

c. On the ServerCertification.asmx properties, click Ok.
d. Restart the AD RMS server.

5. Restrict Files

8