Prepare Symantec DLP and Microsoft RMS environment for monitoring


Article ID: 178960


Products

  • Data Loss Prevention Endpoint Prevent
  • Data Loss Prevention Network Monitor
  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention Network Discover
  • Data Loss Prevention Network Prevent for Web
  • Data Loss Prevention Endpoint Discover

Issue/Introduction


Resolution

Starting with DLP 14.6, Symantec DLP can detect and monitor files protected by Microsoft Rights Management (RMS). Detection and content extraction of RMS files are performed on detection servers only.
Before RMS files can be monitored, both the AD RMS/Azure RMS environment and the Symantec DLP environment must be prepared by following the steps below.

Prepare the AD RMS environment for RMS monitoring

Complete the following steps to prepare your AD RMS environment for monitoring:

  1. Confirm that the latest AD RMS client is installed.
  2. Confirm that the AD RMS account has Read and Execute permissions on ServerCertification.asmx.
    For additional details, refer to the Microsoft Developer Network article: https://msdn.microsoft.com/en-us/library/mt433203.aspx
  3. Confirm that the AD RMS super user group and the Service Group both have Read and Execute permissions.
  4. Add each detection server to the AD RMS domain.

Complete the following steps to change the VontuMonitor service account to a domain user that is a member of the AD RMS super user group:

  1. Shut down all services on the detection server except VontuUpdate before updating the service user.
  2. Run the ChangeServiceUser.exe utility to change the service user.
  3. Restart all services after updating the service user.

Prepare the Azure RMS environment for RMS monitoring

Complete the following steps to prepare your Azure RMS environment for RMS monitoring:

  1. Confirm that the latest Azure RMS client is installed.
  2. Create a local or domain user on each detection server that can access Azure RMS.

After you upgrade the detection server, enable the Microsoft Rights Management plugin to complete the setup for monitoring Microsoft Rights Management files.

Enabling Microsoft Rights Management file monitoring

Symantec Data Loss Prevention can detect files encrypted using Microsoft Rights Management (RMS) administered by Azure or Active Directory (AD). Before you enable Microsoft Rights Management file monitoring, confirm prerequisites for the RMS environment and detection server have been completed.

Enable RMS decryption for Azure

To enable Azure RMS decryption, complete the following steps on each detection server:

  1. Run Enable-Plugin.ps1 (located in C:\SymantecDLP\Protect\bin on the Enforce Server) as the local machine user (the protect user).
    • Example: powershell -Executionpolicy Remotesigned -File Enable-Plugin.ps1
  2. Run the Configuration Creator utility (ConfigurationCreator.exe) to add the service user. Run the utility as the protect user, and enter your Azure RMS licensing information when prompted.
  3. Restart each detection server from the Enforce Server administration console to complete the process of enabling RMS monitoring.
  4. Confirm that Symantec Data Loss Prevention is monitoring RMS content by reviewing the ContentExtractionHost_FileReader.log file (located at \SymantecDLP\Protect\Logs\debug) and confirming that the MicrosoftRightsManagementPlugin item has been initialized.

Enable RMS decryption for AD

Complete the following steps on each detection server:

  1. Run Enable-Plugin.ps1, located here: \SymantecDLP\Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin
    • Example: powershell -Executionpolicy Remotesigned -File Enable-Plugin.ps1
  2. Restart each detection server from the Enforce Server administration console to complete the process of enabling RMS monitoring.
  3. Confirm that the MicrosoftRightsManagementPlugin item has been initialized by reviewing the ContentExtractionHost_FileReader.log file.
    • Log location: \SymantecDLP\Protect\Logs\debug
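As an added post-configuration check (not part of this article or of Symantec's own tooling), the following PowerShell script, run on a detection server, verifies the points the AD and Azure procedures above depend on: the plugin script is present, the VontuMonitor service runs under a domain account (AD RMS case), and the debug log shows the MicrosoftRightsManagementPlugin item initialized. It assumes the install root C:\SymantecDLP, the Windows service name VontuMonitor, and that the plugin writes a log line containing "MicrosoftRightsManagementPlugin" and "initializ"; the domain name CORP is a placeholder for your own.

```powershell
# Post-configuration check for RMS monitoring on a DLP detection server.
# Added example, not Symantec tooling. Assumptions: install root below,
# service name "VontuMonitor", and a debug-log line that mentions
# "MicrosoftRightsManagementPlugin" together with "initializ" once the
# plugin has loaded (the article names the log and the item, not the text).
param(
    [string]$DlpRoot        = 'C:\SymantecDLP',
    [string]$ExpectedDomain = 'CORP'   # placeholder: your AD RMS domain (AD RMS case only)
)

$pluginDir = Join-Path $DlpRoot 'Protect\plugins\contentextraction\MicrosoftRightsManagementPlugin'
$logPath   = Join-Path $DlpRoot 'Protect\Logs\debug\ContentExtractionHost_FileReader.log'
$results   = [ordered]@{}

# 1. Enable-Plugin.ps1 is present in the plugin directory.
$results['PluginScriptPresent'] = Test-Path (Join-Path $pluginDir 'Enable-Plugin.ps1')

# 2. Service account: for AD RMS, VontuMonitor should run as a domain user
#    (a member of the AD RMS super user group), not as LocalSystem.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='VontuMonitor'"
$results['ServiceFound']            = [bool]$svc
$results['ServiceRunning']          = ($svc -and $svc.State -eq 'Running')
$results['ServiceAccount']          = if ($svc) { $svc.StartName } else { 'service not found' }
$results['ServiceAccountIsDomain']  = ($svc -and $svc.StartName -like "$ExpectedDomain\*")

# 3. Plugin initialized: look for the MicrosoftRightsManagementPlugin item in the debug log.
if (Test-Path $logPath) {
    $hit = Select-String -Path $logPath -Pattern 'MicrosoftRightsManagementPlugin' |
           Where-Object { $_.Line -match 'initializ' } |
           Select-Object -Last 1
    $results['PluginInitialized'] = [bool]$hit
    $results['PluginLogLine']     = if ($hit) { $hit.Line.Trim() } else { 'no matching line' }
} else {
    $results['PluginInitialized'] = $false
    $results['PluginLogLine']     = "log not found: $logPath"
}

# Any $false below points at the procedure step that still needs attention.
[pscustomobject]$results | Format-List
```

Run it as an administrator on the detection server after the restart in the final step; a missing log line usually means the plugin was not enabled or the server was not restarted from the Enforce console.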