EXCHANGE DATA LOSS PREVENTION

Step by step guide

AbstractThis guide will help IT Professionals deploy Exchange Data Loss Prevention

available in Exchange server 2013 and Exchange Online for evaluation purpose.

Table of Contents1. About this Guide......................................................................................................................1

2. Prerequisites.............................................................................................................................1

3. Deployment scenarios...........................................................................................................2

4. Creating DLP Policies.............................................................................................................2

4.1 Apply an Out of the Box DLP Template...................................................................2

4.2 Creating a Custom Policy.............................................................................................6

4.3 Importing a Policy from a File.....................................................................................9

5. Document Fingerprinting...................................................................................................10

6. Policy Tips................................................................................................................................17

7. Reporting.................................................................................................................................20

7.1 Incident Reports............................................................................................................20

7.2 Web Based Summary Reports..................................................................................21

7.3 Excel Based Reports.....................................................................................................23

8. Testing DLP Policies.............................................................................................................25

9. Summary..................................................................................................................................27

10. Appendix..............................................................................................................................27

10.1 List of Acronyms and Abbreviations.......................................................................27

10.2 References.......................................................................................................................27

1. About this GuideThe data loss prevention (DLP) feature will help you identify, monitor, and protect sensitive information in your organization through deep content analysis. DLP is a premium feature that is increasingly important for enterprise message systems because business-critical email includes sensitive data that needs to be protected. The DLP feature in Exchange enables you to protect sensitive data without affecting worker productivity.This document discusses the Exchange DLP prerequisites and deployment scenarios. Various configurations options such as creating DLP policies from template, creating custom DLP policies, document fingerprinting, policy tips and reporting features are covered in detail in this document. The intended audience for this guide are IT Professionals responsible for evaluating and deploying Exchange DLP.

2. PrerequisitesFollowing are the prerequisites required for successfully completing the instructions given in this guide.

1) License. DLP is a premium feature requiring any one of the following licenses.

a. Exchange Online Plan 2 subscription.b. Exchange Enterprise CAL.c. Exchange Enterprise CAL with services.

2) Availability of Exchange DLP as part of Exchange Server 2013 SP1 or Online service.

3) Outlook 2013 (optional) 4) Access to Office 365 admin center and Exchange admin center.

Permissions required are,a. If using Office 365:

i. Office 365 global admin , which automatically includes Exchange Organization Management

ii. Office 365 service admin , plus the Organization Management admin role group in Exchange

iii. Office 365 password admin b. If using Exchange Server 2013 or Exchange Online only:

i. Compliance Management

3. Deployment scenariosThere are four possible deployment scenarios for Exchange DLP.

1. As part of Exchange Server 2013 SP1.2. As part of Exchange Online.3. Exchange Hybrid deployment.4. Exchange DLP service with prior version of Exchange. (Policy Tips does

not work in this scenario.)

4. Creating DLP PoliciesThere are three primary ways of creating Exchange DLP policies

1. Apply an out of the box template.2. Create a custom policy from scratch.3. Import a policy file created outside of Exchange.

Caution!In your production environment, you should enable your DLP policies in test mode before enforcing them. During such tests, we recommend that you configure sample user mailboxes and send test messages that invoke your test policies in order to confirm the results.

4.1 Apply an Out of the Box DLP TemplateTemplates are the quickest way to get started with Exchange DLP. These templates contain pre-built sets of rules that can help you manage message data that is associated with several common legal and regulatory requirements. You can customize any of these DLP templates or use them as-is. The following instructions provide an example of DLP policy creation by applying an out of the box template.

1. Sign in to EAC. Permissions required to manage Exchange DLP are mentioned in the Prerequisites section.

2. Select New DLP policy from template as shown in the figure below.

Figure 1 DLP Page in EAC

3. A new web page appears as shown below. Fill in details such as Name and Description, and choose a template.

4. Click More options... to choose the state and mode of the policy you are creating. We recommend that you test the policy prior to setting the

mode to Enforce.

5. The policy that you created should appear immediately in EAC. Open the policy to see the various rules built into it. You have the option to edit

those rules or add new ones.

4.2 Creating a Custom PolicyA custom data loss prevention (DLP) policy allows you to establish conditions, rules, and actions that can help meet the specific needs of your organization, which may not be covered in one of the pre-existing DLP templates.Perform the following tasks to create a custom policy using EAC.

1. Select the + icon and select New custom DLP policy as shown in the figure below.

2. The new custom DLP policy page appears. Provide a Name and Description for your policy. You can leave the other settings at default

value. Save the policy.

3. The policy that you created appears in EAC. Open the policy and select the rules page. Click the + icon and select Create a new rule as shown below. This will help you create a new rule with no conditions or actions pre-configured.

4. The new rule page appears. Here you can see that DLP uses the Exchange transport rules (ETR) engine. In addition to ETRs you can add conditions and actions to your new rule as shown below.

5. The following additional options are available in the new rule page. In this exercise, we will leave all of them at default value. Click Save twice to close the new rule page and the DLP policy page.

a. Auditing based on severity level.b. Mode for this rule.c. Activation and deactivation time.d. Stop processing more rules.e. Defer the message if rule processing doesn't completef. Where to match sender address in message

4.3 Importing a Policy from a FileYou can create a DLP policy by importing an XML file containing policy information and settings. These XML files must meet specific format requirements in order to work correctly. The process and details of authoring and tuning DLP XML files for use within Exchange DLP solution is beyond the scope of this document. You can find those details in this link http://technet.microsoft.com/en-us/library/jj674310(v=exchg.150).aspx .

5. Document FingerprintingDocument Fingerprinting makes it easier to protect sensitive information written in standard forms used throughout your organization. DLP converts a standard form into a sensitive information type, which you can use to define transport rules and DLP policies. Follow the steps mentioned below to convert a standard form into a sensitive information type in Exchange DLP.

1. Identify a blank form that you want to ‘fingerprint’. Here is an example of a blank employee performance review form.

2. Select the Manage document fingerprints link in EAC as shown below.

3. The new document fingerprint page opens. Provide a Name and Description.

4. Click on the + icon under Document list and select the form you have identified in step 1 above.

5. Select save and then select close to complete the configuration. You can

add more than one document form to the list.6. Now let’s create a DLP policy that rejects emails containing files created

using the above form. Create a new custom DLP policy with the following configuration. Notice the sections marked in red rectangles in

the following image.

7. Open the policy you just created, Employee Performance Files, from EAC. Select the rules page. Add the rule, Block messages with sensitive

information, as shown in the picture below.

8. The new rule page appears. Review all the configuration and Select sensitive information types… as shown below.

9. The sensitive information types page appears. Select Employee performance review form and add ->. See the picture below.

10.Configure all the required optionsa. Send incident report to select a mailbox

b. Include message properties select all

Click ok twice and then save.

6. Policy TipsPolicy Tips are informative notices that are displayed to email senders while they are composing a message. The purpose of the Policy Tip is to educate users that they might be violating the business practices or policies that you are enforcing with the data loss prevention (DLP) policies that you have established. The following procedures will help you begin using Policy Tips.

1. Open the policy - Employee Performance Files - that you created in the previous section.

2. Choose the Test DLP policy with Policy Tips mode for this DLP policy as highlighted below. Click save. When violations of this policy happen,

the default policy tip will be shown in supported clients.

3. There are some customizations possible with Policy Tips. To do this select Manage policy tips or Customize Policy Tips as shown below.

4. The Policy Tips page appears. Click the + icon. A new Policy Tips page appears and you can select the following.

a. Type of Policy Tipb. Locale.c. Text or Compliance URL based on the type of Policy Tip you have

selected

5. Here is an example of customized Policy Tips.

6. Policy Tips are available for users with Outlook 2013. They are available in OWA and OWA for devices as well if the server is Exchange server 2013 SP1 or Exchange Online.

7. ReportingThere are three main methods to view DLP reports.

Incident Reports on Email: You can establish an action to create an incident report within a DLP policy rule set. Additionally, you can indicate to whom the report should be sent and what to do with the original message.

Summary Reports on the Web. Detailed Reports using Excel.

7.1 Incident ReportsTo generate an incident report you need to add an action, Generate incident report and send it to…, to the rules that you create inside DLP policies.Open the rule Sent to scope Outside the organization inside the DLP policy, Employee Performance Files, that you created earlier. It is already configured

to generate incident reports.

You can include various message properties including the original mail itself in the report.

7.2 Web Based Summary ReportsFollowing are the location from where you can find web-based DLP reports.

Office 365 admin center. See below.

In Exchange admin center at policy level, as shown below.

To view reports at rules level, open the policy from EAC and select the rule as shown below.

7.3 Excel Based ReportsThere is an Excel 2013 reporting workbook available that lets you view both summary and detailed DLP reports. This workbook allows deeper analysis on the summary data through the use of filters and slicers.The Excel 2013 plug-in required for this reporting is available here: http://www.microsoft.com/en-us/download/details.aspx?id=30716 . The table below helps you identify the right version for your PC.File Name Applicable ToMailProtectionReport_v2_en32.msi Excel 2013 32 bit editionMailProtectionReport_v2_en64.msi Excel 2013 64 bit edition

Installing the Excel plugin is a straightforward wizard driven process. A shortcut will be placed on the Desktop to launch the workbook.

When you launch the workbook for the first time it will be empty. To get the data for your organization, click the Query button and provide your Exchange Online or EOP admin credentials.

When your query is complete you will be presented with a screen like the one below.

Here is the summary report. Click on various DLP links to view DLP-specific reports.

8. Testing DLP PoliciesPerform the following tasks to carry out client side testing of the configurations you have done earlier in this lab.

1. Sign in to Outlook Web App2. Create a new email with the following details

a. To: external recipient.b. Attachment Employee1 performance review.docx (any

document created with the blank form used for fingerprinting.)

3. Policy tips will appear as shown below.

4. Click SEND to send the email. The account configured to receive incident reports should receive one mail as shown below.

9. SummaryThis document should have helped you get a basic hands-on experience on Exchange DLP capabilities. The experienced you have gained will be useful in deploying Exchange DLP in a production environment. Please note that additional planning and preparation will be required for a successful deployment of Exchange DLP in a production environment.

10. Appendix10.1 List of Acronyms and Abbreviations

Acronym/Abbreviation ExplanationDLP Data Loss PreventionEAC Exchange admin centerEOP Exchange Online ProtectionOWA Outlook Web App

10.2 References Exchange Data Loss Prevention – technical documentation.