Exchange DLP - Step-by-step guide

EXCHANGE DATA LOSS PREVENTION - Step by step guide
Abstract
This guide helps IT professionals deploy the Exchange Data Loss Prevention feature available
in Exchange Server 2013 and Exchange Online for evaluation purposes.
Table of Contents
1. About this Guide
2. Prerequisites
3. Deployment scenarios
4. Creating DLP Policies
4.1 Apply an Out of the Box DLP Template
4.2 Creating a Custom Policy
4.3 Importing a Policy from a File
5. Document Fingerprinting
6. Policy Tips
7. Reporting
7.1 Incident Reports
7.2 Web Based Summary Reports
7.3 Excel Based Reports
8. Testing DLP Policies
9. Summary
10. Appendix
10.1 List of Acronyms and Abbreviations
10.2 References
1. About this Guide
The data loss prevention (DLP) feature will help you identify, monitor, and protect sensitive
information in your organization through deep content analysis. DLP is a premium feature
that is increasingly important for enterprise message systems because business-critical email
includes sensitive data that needs to be protected. The DLP feature in Exchange enables you
to protect sensitive data without affecting worker productivity.
This document discusses the Exchange DLP prerequisites and deployment scenarios. Various
configuration options, such as creating DLP policies from a template, creating custom DLP
policies, document fingerprinting, Policy Tips and the reporting features, are covered in detail.
The intended audience for this guide is IT professionals responsible for evaluating and
deploying Exchange DLP.
2. Prerequisites
The following are required to complete the instructions given in this guide.
1) License. DLP is a premium feature requiring any one of the following licenses.
a. Exchange Online Plan 2 subscription.
b. Exchange Enterprise CAL.
c. Exchange Enterprise CAL with services.
2) Availability of Exchange DLP as part of Exchange Server 2013 SP1 or Online service.
3) Outlook 2013 (optional)
4) Access to the Office 365 admin center and the Exchange admin center. The permissions
required are:
a. If using Office 365:
i. Office 365 global admin, which automatically includes Exchange
Organization Management
ii. Office 365 service admin, plus the Organization Management admin
role group in Exchange
iii. Office 365 password admin
b. If using Exchange Server 2013 or Exchange Online only:
i. Compliance Management
3. Deployment scenarios
There are four possible deployment scenarios for Exchange DLP.
1. As part of Exchange Server 2013 SP1.
2. As part of Exchange Online.
3. Exchange Hybrid deployment.
4. Exchange DLP service with a prior version of Exchange. (Policy Tips do not work in
this scenario.)
4. Creating DLP Policies
There are three primary ways of creating Exchange DLP policies:
1. Apply an out of the box template.
2. Create a custom policy from scratch.
3. Import a policy file created outside of Exchange.
Caution!
In your production environment, you should enable your DLP policies in test mode
before enforcing them. During such tests, we recommend that you configure sample
user mailboxes and send test messages that invoke your test policies in order to
confirm the results.
4.1 Apply an Out of the Box DLP Template
Templates are the quickest way to get started with Exchange DLP. These templates contain
pre-built sets of rules that can help you manage message data that is associated with several
common legal and regulatory requirements. You can customize any of these DLP templates
or use them as-is. The following instructions provide an example of DLP policy creation by
applying an out of the box template.
1. Sign in to EAC. Permissions required to manage Exchange DLP are mentioned in the
Prerequisites section.
2. Select New DLP policy from template as shown in the figure below.
Figure 1 DLP Page in EAC
3. A new web page appears as shown below. Fill in details such as Name and
Description, and choose a template.
4. Click More options... to choose the state and mode of the policy you are creating.
We recommend that you test the policy prior to setting the mode to Enforce.
5. The policy that you created should appear immediately in EAC. Open the policy to
see the various rules built into it. You have the option to edit those rules or add new
ones.
4.2 Creating a Custom Policy
A custom data loss prevention (DLP) policy allows you to establish conditions, rules, and
actions that can help meet the specific needs of your organization, which may not be
covered in one of the pre-existing DLP templates.
Perform the following tasks to create a custom policy using EAC.
1. Select the + icon and select New custom DLP policy as shown in the figure below.
2. The new custom DLP policy page appears. Provide a Name and Description for
your policy. You can leave the other settings at default value. Save the policy.
3. The policy that you created appears in EAC. Open the policy and select the rules
page. Click the + icon and select Create a new rule as shown below. This will help
you create a new rule with no conditions or actions pre-configured.
4. The new rule page appears. The editor is the Exchange transport rules (ETR) editor: a DLP
rule is a transport rule that belongs to a DLP policy, so the usual transport rule conditions
and actions are available alongside the DLP-specific condition on sensitive information
types. Add conditions and actions to your new rule as shown below.
5. The following additional options are available in the new rule page. In this exercise,
we will leave all of them at their default values. Click Save twice to close the new rule page
and the DLP policy page.
a. Auditing based on severity level.
b. Mode for this rule.
c. Activation and deactivation time.
d. Stop processing more rules.
e. Defer the message if rule processing doesn't complete
f. Where to match sender address in message
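The following is an added example, not part of the original guide or Microsoft's documentation, that performs the same work as sections 4.1 and 4.2 from the Exchange Management Shell (or a remote PowerShell session to Exchange Online). The policy names, the report mailbox dlp-reports@contoso.com, the choice of the built-in Credit Card Number classification and the template name are assumptions for this lab; the template name must match one returned by Get-DlpPolicyTemplate.

```powershell
# Added example: sections 4.1 and 4.2 from the shell. Names and addresses are lab assumptions.

# 4.1 equivalent: instantiate an out-of-the-box template in test (Audit) mode.
# List the templates shipped with the server or service to pick an exact name.
Get-DlpPolicyTemplate | Select-Object Name

New-DlpPolicy -Name "Contoso PII (evaluation)" `
    -Template "U.S. Personally Identifiable Information (PII) Data" `
    -Description "Lab copy of the U.S. PII template" `
    -State Enabled `
    -Mode Audit
# Mode: Audit = log only; AuditAndNotify = log and show Policy Tips; Enforce = apply the rule actions.
# Per the Caution above, start in Audit and move to Enforce only after reviewing incident reports.

# 4.2 equivalent: an empty custom policy, then one rule attached to it.
New-DlpPolicy -Name "Contoso custom DLP (evaluation)" `
    -Description "Custom policy built in section 4.2" `
    -State Enabled `
    -Mode Audit

# A DLP rule is a transport rule with -DlpPolicy set. This one fires on outbound mail
# that contains at least one credit card number, records severity High and sends an
# incident report; because the rule is in Audit mode, nothing is blocked yet.
New-TransportRule -Name "Audit credit card numbers leaving the org" `
    -DlpPolicy "Contoso custom DLP (evaluation)" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassification @{ Name = "Credit Card Number"; minCount = "1" } `
    -SetAuditSeverity High `
    -GenerateIncidentReport "dlp-reports@contoso.com" `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetection, DataClassifications, IdMatch `
    -Mode Audit

# Check: the policy exists, is enabled and in Audit mode, and owns exactly the rule above.
Get-DlpPolicy "Contoso custom DLP (evaluation)" | Format-List Name, State, Mode
Get-TransportRule | Where-Object { $_.DlpPolicy -eq "Contoso custom DLP (evaluation)" } |
    Format-Table Name, Mode, State, Priority -AutoSize
```

The last two commands are the check worth running after any EAC change as well: the policy's Mode and the Mode of each rule it owns are what decide whether a match is only logged or actually blocks mail, and a rule left in Enforce inside a policy you believe is in test mode will reject messages.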
4.3 Importing a Policy from a File
You can create a DLP policy by importing an XML file containing policy information and
settings. These XML files must meet specific format requirements in order to work correctly.
The process and details of authoring and tuning DLP XML files for use within the Exchange DLP
solution are beyond the scope of this document. You can find those details at
http://technet.microsoft.com/en-us/library/jj674310(v=exchg.150).aspx .
5. Document Fingerprinting
Document Fingerprinting makes it easier to protect sensitive information written in standard
forms used throughout your organization. DLP converts a standard form into a sensitive
information type, which you can use to define transport rules and DLP policies. Follow the
steps mentioned below to convert a standard form into a sensitive information type in
Exchange DLP.
1. Identify a blank form that you want to ‘fingerprint’. Here is an example of a blank
employee performance review form.
2. Select the Manage document fingerprints link in EAC as shown below.
3. The new document fingerprint page opens. Provide a Name and Description.
4. Click on the + icon under Document list and select the form you have identified in
step 1 above.
5. Select save and then select close to complete the configuration. You can add more
than one document form to the list.
6. Now let’s create a DLP policy that rejects emails containing files created using the
above form. Create a new custom DLP policy with the following configuration.
Notice the sections marked in red rectangles in the following image.
7. Open the policy you just created, Employee Performance Files, from EAC. Select the
rules page. Add the rule, Block messages with sensitive information, as shown in the
picture below.
8. The new rule page appears. Review the configuration and click Select sensitive
information types… as shown below.
9. The sensitive information types page appears. Select Employee performance review
form and click add ->. See the picture below.
10. Configure the remaining options:
a. Send incident report to -> select a mailbox
b. Include message properties -> select all
Click OK twice and then Save.
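The following is an added example, not part of the original guide, that builds the same fingerprint, sensitive information type, policy and rule as steps 1 to 10 above from the shell. The file path, the policy and rule names, and the report mailbox dlp-reports@contoso.com are assumptions for this lab.

```powershell
# Added example: section 5 (document fingerprinting) from the shell. Paths and names are lab assumptions.

# Steps 1-5: read the blank form as raw bytes, derive a fingerprint from it, and wrap the
# fingerprint in a data classification (the "sensitive information type" the EAC shows).
$formPath  = "C:\DLP\Blank-Employee-Performance-Review.docx"
$formBytes = [System.IO.File]::ReadAllBytes($formPath)

$fingerprint = New-Fingerprint -FileData $formBytes `
    -Description "Blank employee performance review form (v1)"

New-DataClassification -Name "Employee performance review form" `
    -Description "Documents derived from the HR performance review template" `
    -Fingerprints $fingerprint

# Steps 6-10: the policy and its rule. Created in Audit mode so the reject action is only
# logged until the incident reports have been reviewed; switch to Enforce afterwards.
New-DlpPolicy -Name "Employee Performance Files" `
    -Description "Blocks documents built on the performance review form" `
    -State Enabled `
    -Mode Audit

New-TransportRule -Name "Block messages with sensitive information" `
    -DlpPolicy "Employee Performance Files" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassification @{ Name = "Employee performance review form" } `
    -SetAuditSeverity High `
    -GenerateIncidentReport "dlp-reports@contoso.com" `
    -IncidentReportContent Sender, Recipients, Subject, CC, BCC, Severity, Override, RuleDetection, FalsePositive, DataClassifications, IdMatch, AttachOriginalMail `
    -RejectMessageReasonText "Performance review documents may not be sent outside Contoso."

# Checks: the new classification is visible to the rule engine and the rule references it.
Get-DataClassification "Employee performance review form" | Format-List Name, Description
Get-TransportRule "Block messages with sensitive information" |
    Format-List DlpPolicy, MessageContainsDataClassification, GenerateIncidentReport, Mode
```

Two caveats a practitioner will want to test before relying on this: fingerprinting matches on the text of the form, so a password-protected attachment, an image-only copy such as a scan, or a document from which the form text has been stripped will not match; and changing the blank form means generating a new fingerprint and updating the data classification, because the old one keeps matching the old layout only.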
6. Policy Tips
Policy Tips are informative notices that are displayed to email senders while they are
composing a message. The purpose of the Policy Tip is to educate users that they might be
violating the business practices or policies that you are enforcing with the data loss
prevention (DLP) policies that you have established. The following procedures will help you
begin using Policy Tips.
1. Open the policy - Employee Performance Files - that you created in the previous
section.
2. Choose the Test DLP policy with Policy Tips mode for this DLP policy as highlighted
below. Click save. When violations of this policy happen, the default policy tip will be
shown in supported clients.
3. There are some customizations possible with Policy Tips. To do this select Manage
policy tips or Customize Policy Tips as shown below.
4. The Policy Tips page appears. Click the + icon. A new Policy Tips page appears and
you can select the following.
a. Type of Policy Tip
b. Locale.
c. Text or Compliance URL based on the type of Policy Tip you have selected
5. Here is an example of customized Policy Tips.
6. Policy Tips are available to users with Outlook 2013. They are also available in OWA and
OWA for Devices when the server is Exchange Server 2013 SP1 or the mailbox is in Exchange Online.
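The following is an added example, not part of the original guide, that performs steps 1 to 5 above from the shell: it puts the policy into the test-with-Policy-Tips mode and creates custom tip text for each tip type. The tip wording, the locale en, the rule name and the choice of an override-with-justification behaviour are assumptions for this lab.

```powershell
# Added example: section 6 (Policy Tips) from the shell. Text, locale and rule name are lab assumptions.

# Step 2: "Test DLP policy with Policy Tips" in the EAC is the AuditAndNotify mode.
Set-DlpPolicy "Employee Performance Files" -Mode AuditAndNotify

# Steps 3-5: custom tip text. Each entry is named "<locale>\<tip type>"; the tip type
# decides which sender notification the text accompanies.
New-PolicyTipConfig -Name "en\NotifyOnly" `
    -Value "This message appears to contain an employee performance review. Check the recipients before sending."
New-PolicyTipConfig -Name "en\RejectOverride" `
    -Value "Performance reviews may not leave Contoso. You may override with a business justification; the override is logged."
New-PolicyTipConfig -Name "en\Reject" `
    -Value "Performance reviews may not be sent outside Contoso. This message will be rejected."

# The rule's NotifySender setting selects the tip the sender sees:
#   NotifyOnly                  -> the NotifyOnly text, message is sent
#   RejectUnlessExplicitOverride -> the RejectOverride text; the justification is recorded
#                                  in the incident report (the Override field)
#   RejectMessage               -> the Reject text, message is rejected
# NotifySender is only valid on a rule that has a sensitive information type condition.
Set-TransportRule "Block messages with sensitive information" `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "Performance review documents may not be sent outside Contoso."

# Check: the configured tips and the rule's current notification setting.
Get-PolicyTipConfig | Format-Table Name, Value -AutoSize
Get-TransportRule "Block messages with sensitive information" | Format-List NotifySender, Mode
```

Note that in AuditAndNotify mode the sender sees the tip but the message is still delivered; only in Enforce mode does RejectUnlessExplicitOverride actually stop a message that the sender does not override. When evaluating, decide deliberately whether override is acceptable for the data in question: an override is a user-asserted exception that the incident report records but does not validate.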
7. Reporting
There are three main methods to view DLP reports.
1. Incident Reports on Email: You can establish an action to create an incident report
within a DLP policy rule set. Additionally, you can indicate to whom the report should
be sent and what to do with the original message.
2. Summary Reports on the Web.
3. Detailed Reports using Excel.
7.1 Incident Reports
To generate an incident report you need to add an action, Generate incident report and
send it to…, to the rules that you create inside DLP policies.
Open the rule "Sent to scope Outside the organization" inside the DLP policy "Employee
Performance Files" that you created earlier. It is already configured to generate incident
reports.
You can include various message properties including the original mail itself in the report.
7.2 Web Based Summary Reports
The following are the locations from which you can view web-based DLP reports.
1. Office 365 admin center. See below.
2. Exchange admin center, at the policy level, as shown below.
3. To view reports at the rule level, open the policy from EAC and select the rule as shown
below.
7.3 Excel Based Reports
There is an Excel 2013 reporting workbook available that lets you view both summary and
detailed DLP reports. This workbook allows deeper analysis on the summary data through
the use of filters and slicers.
The Excel 2013 plug-in required for this reporting is available here:
http://www.microsoft.com/en-us/download/details.aspx?id=30716 . The table below helps
you identify the right version for your PC.
File Name                          Applicable To
MailProtectionReport_v2_en32.msi   Excel 2013 32-bit edition
MailProtectionReport_v2_en64.msi   Excel 2013 64-bit edition
Installing the Excel plugin is a straightforward wizard driven process. A shortcut will be
placed on the Desktop to launch the workbook.
When you launch the workbook for the first time it will be empty. To get the data for your
organization, click the Query button and provide your Exchange Online or EOP admin
credentials.
When your query is complete you will be presented with a screen like the one below.
Here is the summary report. Click on various DLP links to view DLP-specific reports.
8. Testing DLP Policies
Perform the following tasks to carry out client side testing of the configurations you have
done earlier in this lab.
1. Sign in to Outlook Web App
2. Create a new email with the following details
a. To -> an external recipient.
b. Attachment -> Employee1 performance review.docx (any document created
with the blank form used for fingerprinting).
3. Policy tips will appear as shown below.
4. Click SEND to send the email. The account configured to receive incident reports
should receive one mail as shown below.
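The following is an added example, not part of the original guide, that drives the test in section 8 from the shell and then confirms the result with the data behind the reports in sections 7.1 and 7.2 rather than by eye. The SMTP endpoint, the sender and recipient addresses, the attachment path and the report mailbox dlp-reports@contoso.com are assumptions for this lab; the sender account needs a mailbox and client submission (port 587) must be available.

```powershell
# Added example: section 8 test driven from the shell, verified with section 7 data. Hosts, mailboxes
# and paths are lab assumptions.

# A unique subject so the checks below find exactly this message.
$subject = "DLP lab test $(Get-Date -Format yyyyMMddHHmmss)"

# Steps 2-4: send the filled-in form to an external recipient as the test user.
# Send-MailMessage is a scriptable stand-in for the OWA compose window; on-premises use the
# Mailbox server's client submission endpoint, for Exchange Online use smtp.office365.com.
$smtpHost = "mail.contoso.local"
$cred = Get-Credential -UserName "employee1@contoso.com" -Message "Test sender password"
Send-MailMessage -SmtpServer $smtpHost -Port 587 -UseSsl -Credential $cred `
    -From "employee1@contoso.com" -To "partner@fabrikam.com" `
    -Subject $subject -Body "Test message for DLP evaluation" `
    -Attachments "C:\DLP\Employee1 performance review.docx"

Start-Sleep -Seconds 60   # give the transport service time to evaluate the rule

# Exchange Server 2013: the transport rule agent logs an AGENTINFO event for each DLP rule
# that fired; the rule name and the matched data classification are in EventData.
Get-MessageTrackingLog -Start (Get-Date).AddMinutes(-10) -MessageSubject $subject -EventId AGENTINFO |
    Select-Object Timestamp, Sender, Recipients, EventData |
    Format-List

# Exchange Online: the per-message data behind the admin center DLP reports.
Get-MailDetailDlpReport -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -DlpPolicy "Employee Performance Files" |
    Where-Object { $_.Subject -eq $subject } |
    Format-Table Date, SenderAddress, RecipientAddress, DlpPolicy, TransportRule, Action -AutoSize

# Step 4: the incident report is ordinary mail to the configured mailbox. Confirm it was
# delivered (on-premises) instead of assuming the rule fired because no error was seen.
Get-MessageTrackingLog -Start (Get-Date).AddMinutes(-10) -Recipients "dlp-reports@contoso.com" -EventId DELIVER |
    Format-Table Timestamp, Sender, MessageSubject -AutoSize
```

In Exchange Online the report data can lag the message by some time, so an empty result from Get-MailDetailDlpReport immediately after sending is not proof that the rule missed; re-run the query later before concluding. The same queries, run against mail you expect to pass (an internal recipient, or a file that does not derive from the form), are the false-positive half of the test that the OWA walkthrough does not cover.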
9. Summary
This document should have given you basic hands-on experience with the Exchange DLP
capabilities. The experience you have gained will be useful in deploying Exchange DLP in a
production environment. Note that additional planning and preparation will be
required for a successful deployment of Exchange DLP in a production environment.
10. Appendix
10.1 List of Acronyms and Abbreviations
Acronym/Abbreviation   Explanation
DLP                    Data Loss Prevention
EAC                    Exchange admin center
EOP                    Exchange Online Protection
OWA                    Outlook Web App
10.2 References
Exchange Data Loss Prevention – technical documentation.