Symantec Enterprise Vault: filtering features. Theory.

Today I would like to talk about filtering features which available for us with Symantec Enterprise Vault. Usually we are happy with default configuration on Enterprise Vault: we configure Exchange Journaling task on EV, target it to some specific journaling mailbox and this task ingests all journal reports from there (to be fair task ingested even standard email, not a journal report). But sometimes, in some specific cases we need to do archiving process more granular. Symantec propose 4 features to help us meet our business, regulatory and any other requirements:

  • Selecritve Journaling
  • Group Journaling
  • Custom Filtering
  • Custom Properties

I am going to concentrate you attention on the last 2 features as the one of most interesting and effective. It isn’t really big deal to figure out itself with Selective and Group journaling, but it requires some time to understand what we can do with Custom Filtering and Custom Properties.

Diagram below explain briefly each of these features.


I said that usually we are happy with default EV configuration ,but in some cases we need to do more granular archiving. Which cases I was mentioning? Let’s see which cases Symantec proposes. This list isn’t limited only with the cases below, it might be much much bigger.

So, you would like to configure specific Custom Filtering (“custom rule” for better understanding) which:

Example Rule 1: This rule will exclude any email from archiving if it originates from someone in the Employee Benefits distribution

Example Rule 2: This rule will exclude any email from archiving if it is sent to someone in the Employee Benefits distribution list.

Example Rule 3: (Available for Exchange Server archiving only) This rule will move email to the wastebasket if it comes from any of the sources listed, and is about any of the subjects listed

As you can see rule might contain one or more attribute filters.

Example Rule 4: Delete mail from known junk-mail sources, (and others), if it contains certain common spam subjects

Example Rule 5: Take default action (ARCHIVE_ITEM) if the subject matches the composite rule: Must start with “MEMO”, contain “INTERNAL” and end in “OurCompany” e.g. “MEMO : Contains information internal to OurCompany” would match, but “MEMO : do not distribute” would not match. Also allocates the message to a content category “Memoranda”

Example Rule 6: Take default action (ARCHIVE_ITEM) on any email from management members included here. Email from management will be categorized under “ManagementMail” and retained as “Important”

Example Rule 7: Take default action (ARCHIVE_ITEM) if an email is addressed to any of the managers AND NO ONE ELSE The message will be archived in a special archive reserved only for this kind of email – specified by the ARCHIVEID

Example Rule 8: Do not archive mail that was sent to someone outside OurCompany

Example Rule 9: Archive and give the existing Retention Category, Internal, to any email that was sent only to employees in OurCompany.

Example Rule 10: Use a special retention category for mail addressed to any members of the specified DL.

Example Rule 11: (Available for Exchange Server archiving only) Delete MP3 attachments before archiving

Example Rule 12: (This example is specific to Exchange Server archiving, but filtering on document properties is also available for Domino Server archiving). Match against named MAPI properties defined in Custom Properties.xml

Example Rule 13: This rule will exclude any email from archiving if 3-rd party attribute “X-S\MIME-Available” has value “True”.

Etc, etc, etc…

The Rule 13 is a specific case, because Custom Filtering should be “aware” about your 3-rd party attribute. It means that EV must index this attribute to manipulate (use in comparison function) with it. Your 3-rd party application, or Exchange server (with transport rules) might add a lot of extra attributes in email properties.



But if Custom Properties isn’t configured then EV will never index these attribute. It means that you can’t do query in Discovery Accelerator e.g. to fetch only messages with specific value in your custom attribute. EV does know nothing about custom attributes\properties until Custom Properties is configured.

Custom Filtering it is XML file which contains CONDITIONS and ACTION. For example in rule#10 above:

  • CONDITION(s): mail addressed to any members of the specified DL.
  • ACTION: use a special retention category

If you want to use in Custom Filtering in conditions values of custom attributes then you have to configured Custom Properties as well.

How to configure it and which challenges we have here I propose to discuss next time.

AD RMS: Document consumption overview.

How recipient gets access to RMS-protect file\email? What does it send to RMS server? How to decrypt symmetric key and decrypt document? These questions will be answered within this post today.

Numeration on a diagram below is continuing from previous post. The first 6 steps explain document protection process. Our recipient (User#2 on a diagram) received somehow RMS-protected document. User#2 might copy it from network share, or get it by email, etc. Since document protected with appropriate RMS-template this protected document isn’t available for operation unless these rights were granted in RMS-template, or granted directly to this user. Even if abuser receives protected document it won’t be available for opening. How safe is our protection? Insofar as RSA 1024 encryption protocol safe (with this protocol protected symmetric key).

User#2 got:

  • Original document protected with symmetric key
  • Publish license (encrypted with SLC public key and signed with user’s CLC private key):
  •     Symmetric key encrypted with SLC public key
  •     List of rights expressed in XrML format
  •     Copy of user’s CLC certificate

How Consume protected document_partII_v.1.0



7. User “unpacks” protected document takes out Publish License

8. User sends copy of its own RAC certificate (as you remember RAC is used to identity user) & Publish License to RMS server.

IMPORTANT: content (RMS-protected file\email) is never sent to RMS server. NEVER.

9. RMS server using its own private key decrypts Publish License and symmetric key. As of now RMS server has symmetric key, but hasn’t decrypted content (still on User#2 computer).

10. RMS server extracts list of rights from Publish License  and compares list of rights with user identity (RMS server has user’s RAC file, so RMS server knows exactly who asks for right to open a file).

11. RMS server generates Use License and puts there:

  • Symmetric key protected with RAC public key. As of now only RAC private key owner can decrypt this symmetric key.
  • New list of rights with appropriate entries only (e.g.User#2 – Read & Print)
  • RMS server signs Use License with its private key (SLC).

12. RMS server sends Use License back to requester (User#2).

13. User#2 (actually RMS-client) retrieves symmetric key from Use License and decrypt it with its own CLC private key.

14. Using symmetric key RMS-client finally decrypts document.

15. User’s rights are applied for decrypted document. As of now user can manage document according to his right in Use License (list of rights XrML document).

That is all.

AD RMS: Document protection overview.

What happens when you press Protect Document button in your MS Office applications? What should be completed first, before you decide to protect document?

Protect Document button

Today I am going to dig little bit deep in this process and show you all processes which still transparent for end users, but MUST be clear for technical specialist (RMS-administrator).

So, first of all is diagram:

How Consume protected document_v.1.0


Comparison with previous diagrams (AD RMS server activation e.g.) this diagram looks not so scary. In fact protection process is really simple than previous activation processes on server\client sides.


Client did activation successfully (see previous post about it) and has:

  • Client Licencor Certificate (CLC)
  • Service Licencor Certificate (SLC) (public key only)

Let’s protect our document:

1. AD RMS client generates RANDOM AES-128 symmetric key. So, RMS-encryption is symmetric method of encryption: one key in use to encrypt and decrypt content.

2. Client applies symmetric AES-128 key for original document (plaintext) and encrypt it. As an output we have protected document (ciphertext). Using the same key we can do reverse operation and decrypt content to original state. Actually that is all, document is protected. The general idea of next efforts here is protect and hand over safety and securely symmetric key to recipient. We are not going to work with original\encrypted document, but only symmetric key.

3. AD RMS client encrypts symmetric key with a public key from SLC. As of know only SLC private key’s owner can decrypt symmetric key and use it afterwards to decrypt target encrypted file. AD RMS server is SLC’s private key owner, and this key is stored (safety, securely and encrypted) in SQL DB or HSM device (see AD RMS Root cluster installation post). Another words RMS server here is intermediator between document owner and document recipient. The both sides of this communication model trust to AD RMS server.

4. Rights Management Server isn’t just encryption system as you can see, because you also grant permission for end-users assigning rights on a document: allow\prohibit printing, saving, forwarding, copying content, etc.  Here is 2 options available:

4.1. User creates (indirectly) list of rights choosing “Manage Credentials” in Office application menu. See first diagram in this post.

4.3. User uses existing RMS-template with predefined (by RMS administrator) groups\users and rights. For example, template  Confidential might grant prohibit rights to print document to Anyone group.

All these rights are saved in *.xml file withing XrML formatting.

5. AD RMS client generates publish licensing and puts there:

  • List of rights from previous step\or RMS-template content
  • Copy of CLC from a document owner
  • Encrypted symmetric key

All these data are signed with CLC private key, and is encrypted by SLC public key. As of know (and again) only RMS server can decrypt this publish license and nobody else.

6. AD RMS client merges publish license with encrypted document and sends it to recipient. By the way this is a reason why protected document has bigger size than original file. You see, not because of encryption, it is because of publishing license. Pay attention please, that all there manipulations around original file (excluding PREREQUISITES section) doesn’t require network connection or collaborations with any other servers outside of local system.

Read my next post how recipient consumes RMS-protected file. More interesting, more difficult, more complex. )

AD RMS: Client machine activation

It’s time for client activation. As of now we have:

  • Client PC with Security Processor Certificate (SPC)
  • AD RMS server with Service Licensing Certificate (SLC)
  • Server with Active Directory Domain Service role.
  • SQL server with RMS databases.

So, client has to be activate first to start protect documents. As you remember when you installed AD RMS server role you also registered Service Connection Point. This is specially entry in Active Directory which allows clientsto identifies the connection URL for the service to the AD RMS-enabled clients.

1. Client “asks” AD DS for Service Connection Point, looks like “give me the URL where AD RMS role is hosted”. This step is very important: if client activation doesn’t happen I recommend to start first of all with “Get RMS SCP” command from AD RMS Toolkit . Here you can find some trick how to force RMS activation on client side without appropriate entry in Active Directory. The secret in client registry.

2. As the answer on client request it gets appropriate URL AD RMS Certification pipeline: https://<RMS>/certification.asmx

3. Using URL which client got on a step above, it asks RMS server for Rights Account Certificate (RAC). This request for RAC contains user’s Security Processor Certificate (SPC). Understanding AD RMS Ceritificates. 

4. AD RMS server unpack public key from user’s SPC for future purposes (step 9).

5. AD RMS server sends request to AD DS for user’s email address. Why does RMS require SMTP address for user? Why RMS require SMTP entry at least (instead of real email address in your email exchange system)? Good questions, think so? I’ll publish answer at next post, just leaving this question for you…

6. Probably this isn’t a first user’s attempt to ask for RAC, probably RMS server already had issued RAC for user earlier? RMS checks RAC for appropriate user in SQL server. The next step depends on RAC availability in SQL server: if RAC already exist server brings it back for user (not interesting case for us), otherwise server generates new RAC.

7. Server generates key pair: private and public key for RAC. The key length might be up to RSA 2048 bit if your RMS server already was patched and configured for Cryptographic Mode 2

8. AD RMS server encrypts new key pair with SLC public key and store result (BLOB) in SQL. So, next time when RMS-client asks for RAC , RMS server will bring back certificate with these public\private keys in it (see step 6).

9. Finally (for this stage) RMS generates new RAC certificate and put there:

  • public key
  • private key encrypted with user’s public key from SPC (server got this SPC public key on step#4).

Server signs RAC certificate with public key from SLC.

RAC certificate is ready to be sent to user. Done!

10. It’s time to order Client Licensor Certificate (CLC), which can be submitted only with RMS licensing web role. What the URL for this licensing role?

It is obvious from AD RMS console, but it isn’t obvious for client. Client asks for licensing URL and substitutes “Certification.amsx” in pipeline for “Publishing.asmx”

RMS COnsole2


11. Client asks fro CLC using URL address which it got on a step above.

12. RMS server generates key pair: public and private key for CLC, generates new certificate and put there these 2 keys:

  • public key
  • private key protected with public key from RAC. So, only RAC’s private key owner can decrypt CLC private key.

Server signs new CLC certificate with public key from SLC.

Pay attention that CLC certificate, neither keys aren’t saved in SQL, it means that RMS server generate these keys\certificate each time when client asks for them. How often it happens? Obviously not so often: when end-user uses new client PC. In the rest cases end-users uses CLC to sing Publishing license which was requested earlier.

CLS is done and ready to be sent to user back with RMS server SLC.

Congratulation. We are ready to protect and consume protected documents.


Machine Activation_v.1.0



AD RMS: Machine activation. Independent process.

Hello everybody.

What happens when our end-user open protected document\email? Which process happens when end-user create protected document. I think each of you have observed some delay when you first time use right protection button in RMS-aware application (e.g. Outlook, Word). So, something happen there in background, let’s look more in details on RMS activation. Hereinafter I will user WIndows 7 OS as a end-user operation system and Windows 2008R2 as RMS platform. Why do I do an accent on it? Because here some deviations (in end-user and server platforms) between operating systems versions.

1. As usually client gererates key pair – public and private keys (green and red colors accordingly). The key length is 1024 bit (RSA). And this key length parameter isn’t configurable. These key don’t use for document encryption, so, 1024 bit is more that enough. AD RMS client. secproc.dll is a library which responsible for machine activation process. “The client lockbox for the Production hierarchy.”  So, if activation doesn’t happen, be aware this file:

  • available;
  • not corrupter, or wasn’t substituted with another *.dll file.

BTW, don’t delete it. This file is a part of files which are installed with operation system (not SDK).

2. Using DPAPI (see below) client encrypts private key using user’s password.

“The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential. 

DPAPI is not responsible for storing the confidential information it protects. It is only responsible for encrypting and decrypting data for programs that call it, such as Windows Credential manager, the Private Key storage mechanism, or any third-party programs …. “

3. Client preserve final result as a BLOB in the following registry key: HKCU\Software\Classes\Local Settings\Software\Microsoft\uDRM

4. Client issues Security Processor Certificate (SPC) and put there private key. The final result is signed by client public key Done. We have selfsigned certificate 🙂

5. Final result is CERT-Machine.drm file in the following location: %LocalAppData%\Microsoft\DRM\CERT-Machine.drm

“Each certificate typically contains the following elements:

  • The issuance date and time.
  • A certificate type ID and name.
  • The name and ID of the issuer.
  • The location from which the certificate was retrieved.
  • The principal ID, public key, digest and security processor.
  • A signature created by using the private key of the AD RMS activation service.
  • A certificate chain that contains the server licensor certificate and one or more CA certificates.”

Client Bootstrapping


TIP1: on your computer you can easily find rmactivation.exe file, it responsible forRetrieves a machine certificate that signs the computer into the Production hierarchy. This is artificial way to do RMS activation without interaction with end-user applications (Word, Excel, etc). I recommend to use this executable file when you want to skip RMS-aware application from activation process. Just delete CERT-Machine.drm file from target folder (if it exist) and run rmactiavtion.exe.  New CERT-Machine.drm file should be created in a folder, otherwise… you have a problem. I’ve even met situations when OS had to be reinstalled because of RMS activation fails. But in fact it depends on time which you are ready to devote to solve this problem.

TIP2: I do an accent that this process is fully autonomous and doesn’t require connection with RMS server, or any other servers in your environment. If you know what happens during client activation (and hopefully after reading this article you know) than it should be clear for you.

Good luck.

AD RMS licensing cluster installation

I am pretty sure that you are aware about 2 types of clusters within RMS – root and licensing only. In fact that companies in 90% are happy with root cluster only. At the same time Microsoft says to deploy licensing-only cluster only if required:

  • When departments need to have independent licensing due to legal or regulatory concerns.
  • When departments have poor connectivity and generate and consume content generally in an isolated manner.

Let’s look what the difference between root and licensing clusters installation process. As i said earlier, I am not going to copy-paste information which you easily can find by yourself using google.

1. The same as with root cluster installation, the same standard Microsoft wizard: Next -> Next -> Next… I have to say that wizard doesn’t provide you option like “Install Licensing only cluster” instead of this you have to choose “Create a new AD RMS cluster” option. It means don’t use existing cluster (don’t add new node to RMS root cluster) and instead of this install new cluster. Because 2 clusters types only exist – the second “new cluster” will be Licensing only cluster. End of story…

2. The rest of the steps look the same as with root installation. So, where the difference?

The main difference that Service Licensor Certificate (SLC) on a new cluster is signed with a root private key, so the licensing certificate isn’t self-signed like SLC on a root cluster. It means that licensing server more “depends” on a root cluster during certificate chain checking.

I tried to merge both installation process on a one diagram. It isn’t only one difference between cluster, I didn’t mentioned about deviation between existing webservices on a both cluster (certifiication and licensing on a root, and only-licensing on a another cluster). But as I said I want to do accent on a details which aren’t obvious from the rest installation manuals.

Server Bootstraping_v.1.0

AD RMS root cluster installation

I am not going to explain here each installation wizard step, you can find at least one guide on microsoft technet. I have explained here RMS installation within Windows Server 2008r2. Installation on a previous OS has some deviations.

First of all, don’t even try understanding diagram without text explanation below. I tried to do simple diagram with a simple description. Hopefully I did it successfully, But I am not entitled to judge myself here… you can do it… 🙂

So, you marked “Active Directory Rights Management Server” checkbox in Server Manager and pressed Next button…

Server Bootstraping_Root_Only


1. Next-next-next…

2. On almost the last step installation wizard asks you to put a password. Read carefully text: “AD RMS uses the cluster key password to encrypt the cluster key…”. Later, or even right now you can observe on a diagram where and for which purposes this password will be in use. By the way, you need access to cluster key every time when you join other RMS servers to cluster, or restore server from backup. This password isn’t assigned with any user in AD DS, it isn’t the same password as you use to restore AD DS. You can’t reset this password even if you are member of Enterprise Administrators group. It is fully new password. Remember it. If you don’t remember it, or lost it somehow, please, keep your CV up to date. 🙂

3. AD RMS server generates key pair: public (green) and privat (red) keys. Previously with installation wizard (Configure AD RMS Cluster  Key Storage) you defined key length : Use AD RMS centrally managed key storage or Use CSP key storage (“CSP” means Cryptographic Service Provider). To tell the truth if Hardware Security Module is unavailable for you, only one option you can use – AD RMS Centrally Managed Storage, at it means RSA 1024 key length.

4.  AD RMS server generates first certificate – Service Licensor Certificate (SLC). This certificate contains public key which was generated on previous step. This certificate is selfsigned.

5. The rest of the servers in scope of one cluster (root in my example) use  the same SLC. It means if your environment contains 5 RMS root cluster each of them in this case use the same SLC. RMS servers in licensing only cluster share the different SLC. Licensing only cluster will be explained later.

6. Meanwhile AD RMS server protects private key with a password which you set previously. I think now it should be clear why it is so important to know (remember) this password. I don’t know any official or unofficial method how to get private key if you don’t remember the encryption password.

7. Private key encryption result RMS server stores as a BLOB.

8. RMS server during installation creates 3 databases on SQL server: configuration, directory and logging. Actually configuration DB contains private key encryption BLOB.  The private key is decrypted each server reboot\start.

The order isn’t strict here. In fact private key encryption and saving should be earlier then SLC creation. But all these processes happen transparently, and I’ve never met any troubles during these installation steps, I propose to consider about SLC creation and private key encryption tasks as simultaneous processes.


1. AD RMS Server has selfsigned certificate – Service Licensor Certificate

2. You must remember cluster key password.

3. All servers in scope of one cluster share the same SLC.

To be continued…

AD Rights Management Server

I decided to start my blog with articles about Rights Management Server role. You can find a lot of blogs and technical articles where authors try explaining how to install RMS server in your environment, but very rarely (almost never) you can find explanation – what happens from technical point of view during this process. In fact that this knowledge will help you afterwards to do troubleshouting and fix your RMS-environment. Microsoft does so much efforts to provide for us very simple installation wizard, so, installation isn’t a problem at all. Even if you missed some requirements smart wizard in very polite form explains you what you missed, and what you have to do to continue installation process. Thus even my grandma can install any windows role on a server, but which processes happened during installation and what to do next? This is actually main difference between real IT-professional and “any-key” specialist.

Let’s go…