EXCHANGE DATA LOSS

PREVENTION
Abstract

This guide will help IT Professionals deploy Exchange Data Loss Prevention
available in Exchange server 2013 and Exchange Online for evaluation
purpose.

Step by step guide

Table of Contents
1.

About this Guide.............................................................................................. 1

2.

Prerequisites.................................................................................................... 1

3.

Deployment scenarios..................................................................................... 2

4.

Creating DLP Policies....................................................................................... 2

4.1

Apply an Out of the Box DLP Template......................................................2

4.2

Creating a Custom Policy..........................................................................6

4.3

Importing a Policy from a File....................................................................9

5.

Document Fingerprinting............................................................................... 10

6.

Policy Tips...................................................................................................... 17

7.

Reporting....................................................................................................... 20
7.1

Incident Reports...................................................................................... 20

7.2

Web Based Summary Reports.................................................................21

7.3

Excel Based Reports................................................................................ 23

8.

Testing DLP Policies....................................................................................... 25

9.

Summary....................................................................................................... 27

10.

Appendix.................................................................................................... 27

10.1 List of Acronyms and Abbreviations........................................................27

10.2 References.............................................................................................. 27

1. About this Guide

The data loss prevention (DLP) feature will help you identify, monitor, and protect
sensitive information in your organization through deep content analysis. DLP is
a premium feature that is increasingly important for enterprise message systems
because business-critical email includes sensitive data that needs to be
protected. The DLP feature in Exchange enables you to protect sensitive data
without affecting worker productivity.
This document discusses the Exchange DLP prerequisites and deployment
scenarios. Various configurations options such as creating DLP policies from
template, creating custom DLP policies, document fingerprinting, policy tips and
reporting features are covered in detail in this document. The intended audience
for this guide are IT Professionals responsible for evaluating and deploying
Exchange DLP.

2. Prerequisites
Following are the prerequisites required for successfully completing the
instructions given in this guide.
1) License. DLP is a premium feature requiring any one of the following
licenses.
a. Exchange Online Plan 2 subscription.

b. Exchange Enterprise CAL.

c. Exchange Enterprise CAL with services.
2) Availability of Exchange DLP as part of Exchange Server 2013 SP1 or
Online service.
3) Outlook 2013 (optional)
4) Access to Office 365 admin center and Exchange admin center.
Permissions required are,
a. If using Office 365:
i. Office 365 global admin, which automatically includes
Exchange Organization Management
ii. Office 365 service admin, plus the Organization Management
admin role group in Exchange
iii. Office 365 password admin
b. If using Exchange Server 2013 or Exchange Online only:
i. Compliance Management

3. Deployment scenarios
There are four possible deployment scenarios for Exchange DLP.
1. As part of Exchange Server 2013 SP1.
2. As part of Exchange Online.
3. Exchange Hybrid deployment.
4. Exchange DLP service with prior version of Exchange. (Policy Tips does
not work in this scenario.)

4. Creating DLP Policies

There are three primary ways of creating Exchange DLP policies
1. Apply an out of the box template.
2. Create a custom policy from scratch.
3. Import a policy file created outside of Exchange.

Caution!
In your production environment, you should enable your DLP policies in
test mode before enforcing them. During such tests, we recommend that
you configure sample user mailboxes and send test messages that invoke
your test policies in order to confirm the results.

4.1

Apply an Out of the Box DLP Template

Templates are the quickest way to get started with Exchange DLP. These
templates contain pre-built sets of rules that can help you manage message data
that is associated with several common legal and regulatory requirements. You
can customize any of these DLP templates or use them as-is. The following
instructions provide an example of DLP policy creation by applying an out of the
box template.
1. Sign in to EAC. Permissions required to manage Exchange DLP are
mentioned in the Prerequisites section.
2. Select New DLP policy from template as shown in the figure below.

Figure 1 DLP Page in EAC

3. A new web page appears as shown below. Fill in details such as Name and
Description, and choose a template.

4. Click More options... to choose the state and mode of the policy you
are creating. We recommend that you test the policy prior to setting the

mode to Enforce.

5. The policy that you created should appear immediately in EAC. Open the
policy to see the various rules built into it. You have the option to edit

those rules or add new ones.

4.2

Creating a Custom Policy

A custom data loss prevention (DLP) policy allows you to establish conditions,
rules, and actions that can help meet the specific needs of your organization,
which may not be covered in one of the pre-existing DLP templates.
Perform the following tasks to create a custom policy using EAC.

1. Select the + icon and select New custom DLP policy as shown in the
figure below.

2. The new custom DLP policy page appears. Provide a Name and
Description for your policy. You can leave the other settings at default

value. Save the policy.

3. The policy that you created appears in EAC. Open the policy and select the
rules page. Click the + icon and select Create a new rule as shown
below. This will help you create a new rule with no conditions or actions
pre-configured.

4. The new rule page appears. Here you can see that DLP uses the
Exchange transport rules (ETR) engine. In addition to ETRs you can add
conditions and actions to your new rule as shown below.

5. The following additional options are available in the new rule page. In this
exercise, we will leave all of them at default value. Click Save twice to
close the new rule page and the DLP policy page.
a. Auditing based on severity level.
b. Mode for this rule.
c. Activation and deactivation time.
d. Stop processing more rules.
e. Defer the message if rule processing doesn't complete
f. Where to match sender address in message

4.3

Importing a Policy from a File

You can create a DLP policy by importing an XML file containing policy
information and settings. These XML files must meet specific format
requirements in order to work correctly. The process and details of authoring and
tuning DLP XML files for use within Exchange DLP solution is beyond the scope of
this document. You can find those details in this link
http://technet.microsoft.com/en-us/library/jj674310(v=exchg.150).aspx .

5. Document Fingerprinting
Document Fingerprinting makes it easier to protect sensitive information written
in standard forms used throughout your organization. DLP converts a standard
form into a sensitive information type, which you can use to define transport
rules and DLP policies. Follow the steps mentioned below to convert a standard
form into a sensitive information type in Exchange DLP.
1. Identify a blank form that you want to fingerprint. Here is an example of
a blank employee performance review form.

2. Select the Manage document fingerprints link in EAC as shown below.

3. The new document fingerprint page opens. Provide a Name and

Description.

4. Click on the + icon under Document list and select the form you have
identified in step 1 above.

5. Select save and then select close to complete the configuration. You can
add more than one document form to the list.
6. Now lets create a DLP policy that rejects emails containing files created
using the above form. Create a new custom DLP policy with the
following configuration. Notice the sections marked in red rectangles in the

following image.

7. Open the policy you just created, Employee Performance Files, from EAC.
Select the rules page. Add the rule, Block messages with sensitive

information, as shown in the picture below.

8. The new rule page appears. Review all the configuration and Select
sensitive information types as shown below.

9. The sensitive information types page appears. Select Employee

performance review form and add ->. See the picture below.

10.Configure all the required options

a. Send incident report to select a mailbox

b. Include message properties select all

Click ok twice and then save.

6. Policy Tips
Policy Tips are informative notices that are displayed to email senders while they
are composing a message. The purpose of the Policy Tip is to educate users that
they might be violating the business practices or policies that you are enforcing
with the data loss prevention (DLP) policies that you have established. The
following procedures will help you begin using Policy Tips.
1. Open the policy - Employee Performance Files - that you created in the
previous section.
2. Choose the Test DLP policy with Policy Tips mode for this DLP policy as
highlighted below. Click save. When violations of this policy happen, the

default policy tip will be shown in supported clients.

3. There are some customizations possible with Policy Tips. To do this select
Manage policy tips or Customize Policy Tips as shown below.

4. The Policy Tips page appears. Click the + icon. A new Policy Tips page
appears and you can select the following.
a. Type of Policy Tip
b. Locale.
c. Text or Compliance URL based on the type of Policy Tip you have
selected

5. Here is an example of customized Policy Tips.

6. Policy Tips are available for users with Outlook 2013. They are available
in OWA and OWA for devices as well if the server is Exchange server 2013
SP1 or Exchange Online.

7. Reporting
There are three main methods to view DLP reports.

Incident Reports on Email: You can establish an action to create an

incident report within a DLP policy rule set. Additionally, you can indicate
to whom the report should be sent and what to do with the original
message.
Summary Reports on the Web.
Detailed Reports using Excel.

7.1

Incident Reports

To generate an incident report you need to add an action, Generate incident

report and send it to, to the rules that you create inside DLP policies.
Open the rule Sent to scope Outside the organization inside the DLP policy,
Employee Performance Files, that you created earlier. It is already configured

to generate incident reports.

You can include various message properties including the original mail itself in
the report.

7.2

Web Based Summary Reports

Following are the location from where you can find web-based DLP reports.

Office 365 admin center. See below.

In Exchange admin center at policy level, as shown below.

To view reports at rules level, open the policy from EAC and select the rule
as shown below.

7.3

Excel Based Reports

There is an Excel 2013 reporting workbook available that lets you view both
summary and detailed DLP reports. This workbook allows deeper analysis on the
summary data through the use of filters and slicers.
The Excel 2013 plug-in required for this reporting is available here:
http://www.microsoft.com/en-us/download/details.aspx?id=30716 . The table
below helps you identify the right version for your PC.
File Name
Applicable To
MailProtectionReport_v2_en32.msi Excel 2013 32 bit edition
MailProtectionReport_v2_en64.msi Excel 2013 64 bit edition
Installing the Excel plugin is a straightforward wizard driven process. A shortcut
will be placed on the Desktop to launch the workbook.

When you launch the workbook for the first time it will be empty. To get the data
for your organization, click the Query button and provide your Exchange Online

or EOP admin credentials.

When your query is complete you will be presented with a screen like the one
below.

Here is the summary report. Click on various DLP links to view DLP-specific
reports.

8. Testing DLP Policies

Perform the following tasks to carry out client side testing of the configurations
you have done earlier in this lab.
1. Sign in to Outlook Web App
2. Create a new email with the following details
a. To: external recipient.
b. Attachment Employee1 performance review.docx (any
document created with the blank form used for fingerprinting.)

3. Policy tips will appear as shown below.

4. Click SEND to send the email. The account configured to receive incident
reports should receive one mail as shown below.

9. Summary
This document should have helped you get a basic hands-on experience on
Exchange DLP capabilities. The experienced you have gained will be useful in
deploying Exchange DLP in a production environment. Please note that additional
planning and preparation will be required for a successful deployment of
Exchange DLP in a production environment.

10.

Appendix

10.1

List of Acronyms and Abbreviations

Acronym/Abbreviation
DLP
EAC
EOP
OWA

10.2

Explanation
Data Loss Prevention
Exchange admin center
Exchange Online Protection
Outlook Web App

References

Exchange Data Loss Prevention technical documentation.