Emails are a reliable medium for business communication used by all kinds of organizations, irrespective of their size. However, they often contain sensitive or confidential data or information you don't want to leak outside the organization. Thus, it's important to define mail flow policies to ensure fair usage of the organization's messaging system and protect sensitive information that can severely affect business and reputation.
Data Loss Prevention (DLP) policies in Exchange Server are collections of mail flow rules that help Exchange or IT administrators filter email messages and protect sensitive information. DLP policies contain specific conditions, exceptions, and actions to detect and filter email messages, attachments, or other mail items based on the content. This helps avoid data leakage outside the organization or corporate network and protects the Exchange database from malicious emails or attachments that can cause Exchange database corruption or result in a ransomware attack.
DLP is an inbuilt premium feature in on-premises Exchange Server 2013 and later versions, available only with Exchange Enterprise Client Access License (CAL). Before Exchange 2013, there were transport rules to detect and filter incoming and outgoing messages. However, they were meant for simple searches and weren't reliable.
DLP continuously checks and scans the content of incoming and outgoing email against keywords, regular expressions, or dictionaries to identify whether a message contains sensitive information, and it can also flag early signs of ransomware.
You may also use the document fingerprinting feature to define or create DLP policies for detecting sensitive information or malicious emails/ransomware in emails or attachments with unique patterns or file extensions.
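The document fingerprinting feature mentioned above can be set up from the Exchange Management Shell. The following is an added example, not code from the original article: it fingerprints a blank internal form, wraps the fingerprint in a data classification, and then references that classification in a DLP rule. The file path, the classification name, the policy name and the rule name are all assumptions.

```powershell
# Added example (not from the original article). Paths and names are assumptions.

# 1. Read the blank template (for instance an internal patent application form) as bytes.
$formBytes = [Byte[]](Get-Content -Path "C:\DLP\PatentTemplate.docx" -Encoding Byte -ReadCount 0)

# 2. Create the fingerprint. Exchange keeps a hash of the document's word pattern,
#    not the document itself, so filled-in copies of the form still match.
$fp = New-Fingerprint -FileData $formBytes -Description "Patent application form"

# 3. Wrap the fingerprint in a data classification so rules can reference it by name.
New-DataClassification -Name "Contoso Patent Form" `
                       -Fingerprints $fp `
                       -Description "Internal patent application template"

# 4. Use it exactly like a built-in sensitive information type.
#    The policy is created in Audit mode so nothing is blocked until the hits are reviewed.
New-DlpPolicy -Name "Contoso IP Policy" -Mode Audit -State Enabled
New-TransportRule -Name "Block patent forms leaving the org" `
    -DlpPolicy "Contoso IP Policy" `
    -MessageContainsDataClassifications @(@{Name = "Contoso Patent Form"}) `
    -SentToScope NotInOrganization `
    -NotifySender RejectMessage `
    -Mode Audit

# 5. Verify the classification exists and which rules reference it.
Get-DataClassification "Contoso Patent Form" | Format-List Name, Fingerprints
Get-TransportRule -DlpPolicy "Contoso IP Policy" | Format-Table Name, Mode, State
```

Because the fingerprint is derived from the template's structure rather than its text, a form that has been filled in, renamed or saved in another Office format still matches; a check against a few real filled-in copies in Audit mode is the quickest way to confirm the match rate before switching the rule to Enforce.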
One of the best features of DLP is that, once a policy is defined, it detects a potential violation while the user is still composing the message and displays a 'Policy Tip' warning them before the email containing sensitive information is sent. By enforcing DLP policies, you also help ensure that your organization meets the required local, national, or international data security and regulatory compliance requirements.
Steps to Configure or Establish DLP Policies in Exchange Server
There are three ways to define or create Exchange DLP policies using the Exchange Admin Center (EAC). You can also use the Exchange Management Shell (EMS) to enable or disable the DLP policies.
- Use Policy Templates
Microsoft provides default policy templates in Exchange Server that you can choose and enforce. You may also edit these policies as per your organization's requirements before deploying. There are 40 different policy templates you can choose from. This is the fastest way to enable DLP in your organization.
- Create Custom Policies
You may create new DLP policies if none of the predefined Policy Templates meets your organization's requirements.
- Use Policies from a Vendor
These are ready-made DLP policies that you can obtain from third-party vendors or Microsoft partners and import into Exchange Server.
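The three ways of creating a policy, and the enable/disable toggle mentioned above, can also be done from the Exchange Management Shell. The following is an added example, not code from the original article: policy names, the vendor template file path and the template name are assumptions; run Get-DlpPolicyTemplate to see the template names actually available on your server.

```powershell
# Added example (not from the original article). Names and paths are assumptions.

# 1. Policy from a built-in Microsoft template.
#    List the templates shipped with Exchange and pick one by name.
Get-DlpPolicyTemplate | Format-Table Name, PublisherName

# Create the policy in Audit mode first: matches are logged, nothing is blocked and
# no Policy Tips are shown, so a badly tuned rule cannot disrupt mail flow.
New-DlpPolicy -Name "Contoso Financial Data" `
              -Template "U.S. Financial Data" `
              -Mode Audit `
              -State Enabled

# 2. Policy from a vendor/partner template.
#    The template XML is imported as a byte array (path is an assumption).
$vendorXml = [Byte[]](Get-Content -Path "C:\DLP\VendorTemplate.xml" -Encoding Byte -ReadCount 0)
Import-DlpPolicyTemplate -FileData $vendorXml
# After the import it is used like any other template; the template name comes from the XML:
# New-DlpPolicy -Name "Vendor Policy" -Template "<name from the imported XML>" -Mode Audit

# 3. Custom policy without a template: an empty container for your own transport rules.
New-DlpPolicy -Name "Contoso Custom Policy" -Description "Home-grown rules" -Mode Audit -State Enabled

# Rules that belong to a DLP policy are ordinary transport rules tagged with the policy name.
Get-TransportRule -DlpPolicy "Contoso Financial Data" | Format-Table Name, State, Mode, Priority

# Disabling and re-enabling a policy (the EMS equivalent of the EAC toggle).
Set-DlpPolicy -Identity "Contoso Financial Data" -State Disabled
Set-DlpPolicy -Identity "Contoso Financial Data" -State Enabled

# Test modes, then enforcement once the audit results look right:
#   Audit          - log matches only (test without Policy Tips)
#   AuditAndNotify - log matches and show Policy Tips (test with Policy Tips)
#   Enforce        - apply the rule actions
Set-DlpPolicy -Identity "Contoso Financial Data" -Mode AuditAndNotify
Set-DlpPolicy -Identity "Contoso Financial Data" -Mode Enforce
```

Keeping the policy in Audit or AuditAndNotify mode for a while before enforcing is the safest order: the incident reports generated in those modes show how many legitimate messages would be blocked, which is the input you need to write the exceptions.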
Below are the steps you can follow to choose, import, and edit or create Data Loss Prevention policies using the Exchange Admin Center (EAC).
Steps to Choose and Edit Policy Template
- Open Exchange Admin Center and log in as an administrator.
- Navigate to compliance management > data loss prevention, click the + icon, and choose New DLP policy from template. A new popup browser window will open.
- Browse the Choose a template list and select a policy template. Once you find one that meets your requirements, enter the policy name and description.
- Click More options… and choose whether to enforce the policy immediately or to test it, with or without Policy Tips. Before enforcing the DLP policy, we recommend you test it both with and without Policy Tips.
- Click Save.
- After saving the policy, select it and click the edit (pencil) icon.
- Go to rules. Here, you can edit the policy rules, such as conditions, actions, and exceptions.
- You may also copy, delete, or disable particular rules based on the requirements.
Steps to Import Custom DLP Policy
- Open Exchange Admin Center (EAC) and navigate to compliance management > data loss prevention.
- Click + and choose New DLP Policy from Custom Template.
- Click More options… to decide whether to enforce the policy immediately or test it.
- Click Save.
- After saving, select the policy and click the edit icon to edit or modify the policy rules, conditions, actions, and exceptions as per your organization's requirements.
Steps to Create a New Custom DLP Policy
- In EAC, go to compliance > data loss prevention. Then, click + and choose New Custom DLP Policy.
- Enter the policy name and description and click Save.
- Select the custom DLP policy from the list and click the edit (pencil) icon.
- Click rules.
- Click + Select sensitive information types to choose the kinds of information that must be filtered, i.e., that users should be prevented from sending or sharing outside the organization.
- Add as many conditions as you need, then add an action to notify the user or to perform any other action.
- Add exceptions to prevent false positives.
- Save the policy.
Exchange DLP Policy Tips
You may also add the Policy Tips for all DLP policies.
You can choose one of the four options in the Policy Tip:
- Notify the sender
A notification is displayed to the user in the compose window when a DLP policy matches sensitive information in the email being composed. This helps users fix the message by removing the sensitive information before sending it.
- Allow the sender to override
The Policy Tip warns the user that the email will be blocked, but offers an option to override the policy and send the message anyway.
- Block the message
The message is blocked and not sent. There is no override or any other option available to the user.
- Link to the compliance URL
If you choose this Policy Tip, you only have to add a link to your compliance policy for the user to read, understand, and then compose the email.
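The "create a new custom DLP policy" steps and the four Policy Tip options map directly onto transport rule parameters in the Exchange Management Shell. The following is an added example, not code from the original article: it creates a custom policy with two rules (sensitive information types as conditions, an outside-the-organization scope, an exception for one mailbox, and an incident report as an action) and shows where each Policy Tip option is set. The policy name, rule names, mailbox addresses and the compliance URL are assumptions; run Get-DataClassification to confirm the sensitive information type names on your server.

```powershell
# Added example (not from the original article). Names, addresses and the URL are assumptions.

# Container policy, started in Audit mode so the rules are logged but not enforced.
New-DlpPolicy -Name "Contoso Custom Policy" -Mode Audit -State Enabled

# Rule 1: a payment card number or SSN in a message leaving the organisation.
#   Conditions : sensitive information types + recipient outside the organisation
#   Exception  : mail from the payments mailbox, which legitimately handles card data
#   Actions    : "Notify the sender" Policy Tip + incident report to the compliance mailbox
New-TransportRule -Name "Contoso PII - notify" `
    -DlpPolicy "Contoso Custom Policy" `
    -MessageContainsDataClassifications @(
        @{Name = "Credit Card Number"; minCount = "1"},
        @{Name = "U.S. Social Security Number (SSN)"; minCount = "1"}
    ) `
    -SentToScope NotInOrganization `
    -ExceptIfFrom "payments@contoso.example" `
    -NotifySender NotifyOnly `
    -GenerateIncidentReport "compliance@contoso.example" `
    -IncidentReportContent Sender, Recipients, Subject, DataClassifications, RuleDetections `
    -Mode Audit

# -NotifySender is where three of the four Policy Tip options live:
#   NotifyOnly                        -> "Notify the sender"
#   RejectUnlessExplicitOverride      -> "Allow the sender to override" (sender must give a justification)
#   RejectUnlessFalsePositiveOverride -> override allowed only by reporting a false positive
#   RejectMessage                     -> "Block the message", no override offered
# Rule 2: ten or more card numbers in one message is bulk data; block it outright.
New-TransportRule -Name "Contoso PII - block bulk" `
    -DlpPolicy "Contoso Custom Policy" `
    -MessageContainsDataClassifications @(@{Name = "Credit Card Number"; minCount = "10"}) `
    -SentToScope NotInOrganization `
    -NotifySender RejectMessage `
    -RejectMessageReasonText "Bulk payment card data cannot be sent outside the organization." `
    -Mode Audit

# "Link to the compliance URL" is not a per-rule setting but an organisation-wide Policy Tip
# entry (name "Url"); the per-language entries customise the tip text for each action.
# Use Set-PolicyTipConfig instead of New-PolicyTipConfig if the entry already exists.
New-PolicyTipConfig -Name "Url" -Value "https://intranet.contoso.example/compliance-policy"
New-PolicyTipConfig -Name "en\NotifyOnly" -Value "This message appears to contain payment card data."

# Review the rules, check the incident reports for false positives, then enforce.
Get-TransportRule -DlpPolicy "Contoso Custom Policy" | Format-List Name, Mode, NotifySender, ExceptIfFrom
Set-DlpPolicy -Identity "Contoso Custom Policy" -Mode Enforce
```

Note that while a rule is in Audit mode the -NotifySender value is recorded but no Policy Tip is shown; AuditAndNotify is the mode to use when you want users to see the tips without the block taking effect.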
Once the Exchange DLP policies are defined or created, you can test them and enforce them when satisfied. Otherwise, you can edit and make necessary changes to the policy, test it again, and enforce it.
Data Loss Prevention (DLP) policies are an important part of Exchange Server deployment to prevent data leakage and ensure your messaging environment is not being misused by users or employees. It can also help detect unusual activities. Using the document fingerprinting feature, you can further enhance the DLP policy to detect sensitive or hidden information based on patterns.
However, if a malicious or infected email or attachment bypasses the mail flow policies, you may end up with a broken server. In such cases, you should immediately remove the server from the network and use an Exchange recovery tool, such as Stellar Repair for Exchange, to recover mailboxes from the database and restore them to a newly set up Exchange Server. This can help restore the email services quickly with no missing mailboxes or items.