Exchange 2013 SP1: Testing DLP Part1

Exchange 2013 introduced, among other features, the feature known as DLP – Data Loss Prevention (http://technet.microsoft.com/en-us/library/jj150527%28v=exchg.150%29.aspx). I did some tests of this feature and would like to share with you the results I’ve got.

Document Fingerprinting (http://technet.microsoft.com/library/dn635176%28v=exchg.150%29.aspx) added the ability to create user-based templates which could help define sensitive types of documents used in an organization – that was what I was keen to test in my test lab. Here’s my first scenario: suppose there’s a highly sensitive document (or documents that are created based on it) that an organization would never permit to be sent as an attachment (.docx file). So my goal is to ensure a user cannot send that sensitive docx file (and any docx files derived from it as well) while still having the ability to send other docx files (the ones not containing sensitive information).

First of all, please take a look at my sensitive document, SensitiveDOC.docx:

[Screenshot: SensitiveDOC.docx]

…and at the docx file that is similar to SensitiveDOC.docx but with completely different wording (NonSensitive.docx):

[Screenshot: Non-Secret-DOC (NonSensitive.docx)]

Now we must “fingerprint” the SensitiveDOC.docx and create a DLP policy that prevents users from sending such information. Here I’d like to draw your attention to the following:

1) As this page (http://technet.microsoft.com/en-us/library/dn635176%28v=exchg.150%29.aspx) says: “The patent template contains the blank fields “Patent title,” “Inventors,” and “Description” and descriptions for each of those fields—that’s the word pattern. When you upload the original patent template, it’s in one of the supported file types and in plain text. The DLP agent uses an algorithm to convert this word pattern into a document fingerprint, …”

– the words being used in a template DO MATTER!!! According to this explanation I’m expecting sending of SensitiveDOC.docx to be prohibited while sending of NonSensitive.docx is allowed.

2) As this page (http://technet.microsoft.com/en-us/library/jj150512%28v=exchg.150%29.aspx) says: “The transport rule agent that enforces DLP policies does not differentiate between email message attachments, body text, or subject lines while evaluating messages and the conditions within your policies.” – that’s why sensitive information contained in an attachment must be examined by the transport rule agent: it does not matter whether it is contained in an email body or in an attachment.

Let’s start Exchange ECP and go to the “data loss prevention” page:

[Screenshots: ECP “data loss prevention” page]

…and add the Policy Tip (although in this configuration it won’t show up):

[Screenshots: Policy Tip configuration]

Now let’s create a custom DLP policy:

[Screenshots: creating a custom DLP policy]

…create the rule:

[Screenshots: creating the rule]

We must choose “The message contains sensitive information” in the “Apply this rule if…” field:

[Screenshots: “Apply this rule if…” set to “The message contains sensitive information”]

Here’s the dialog that allows us to load our template:

[Screenshots: uploading SensitiveDOC.docx as a document fingerprint and selecting it as the sensitive information type]
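The same configuration built from the Exchange Management Shell instead of ECP, as an added example that is not part of the original post. The template path, the policy, rule and classification names, the NDR text and the mode are assumptions; the cmdlets themselves (New-Fingerprint, New-DataClassification, New-DlpPolicy, New-TransportRule) are the ones Exchange 2013 SP1 ships for document fingerprinting and DLP rules.

```powershell
# Added example, not from the original post. Path, names and reject text are assumptions.
$templatePath = 'C:\DLP\SensitiveDOC.docx'   # assumed location of the template to fingerprint

# 1) Fingerprint the template. New-Fingerprint takes the raw bytes of the file; the fingerprint
#    is derived from the text Exchange extracts from the document, not from the file bytes as such.
$templateBytes = [System.IO.File]::ReadAllBytes($templatePath)
$fingerprint   = New-Fingerprint -FileData $templateBytes -Description 'SensitiveDOC.docx template'

# 2) Expose the fingerprint as a sensitive information type (what ECP lists under
#    "sensitive information types" when you build the rule condition).
$classification = New-DataClassification -Name 'Sensitive DOC Template' `
    -Fingerprints $fingerprint `
    -Description 'Documents derived from SensitiveDOC.docx'

# 3) The custom DLP policy. Enforce mirrors the post; Audit or AuditAndNotify would log
#    matches without blocking anything.
New-DlpPolicy -Name 'Block Sensitive DOC' -Mode Enforce

# 4) The rule inside that policy: "The message contains sensitive information" -> reject with NDR.
#    The transport rule agent evaluates subject, body and attachments alike, so no
#    attachment-specific condition is needed for the docx case.
New-TransportRule -Name 'Reject Sensitive DOC' `
    -DlpPolicy 'Block Sensitive DOC' `
    -MessageContainsDataClassifications @{ Name = $classification.Name } `
    -NotifySender RejectMessage `
    -RejectMessageReasonText 'This message contains a restricted document and was not delivered.'

# 5) Verify what was created before testing from Outlook.
Get-DlpPolicy 'Block Sensitive DOC' | Format-List Name, State, Mode
Get-TransportRule -DlpPolicy 'Block Sensitive DOC' |
    Format-List Name, State, Mode, MessageContainsDataClassifications, NotifySender
```

Run this in the Exchange Management Shell as a member of Organization Management. Because the fingerprint is computed from extracted text and structure rather than from the literal bytes, the classification name is the only thing that ties the rule to the template, which is why the rule condition references it by name.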

We’ve completed adding the DLP policy and can proceed to testing this policy in Outlook 2013:

I compose a message to Administrator with the template itself as an attachment:

[Screenshot: message to Administrator with SensitiveDOC.docx attached]

The result: delivery has failed as expected:

[Screenshot: NDR for the message carrying SensitiveDOC.docx]

This time I’m sending a non-sensitive file – NonSensitive.docx:

[Screenshot: message with NonSensitive.docx attached]

The result: DLP policy has prevented this message from being sent too!

 

[Screenshot: NDR for the message carrying NonSensitive.docx]

Despite the fact that the NonSensitive.docx file has completely different wording, it was still matched and blocked by our DLP policy!!!

Now I’ll try to send a file (Test.docx) that has different formatting, not just different wording:

[Screenshots: Test.docx and the message with it attached]

The result:

[Screenshot: Test.docx delivered]

– the file Test.docx has been successfully sent!

 

Conclusion: Document fingerprinting in Exchange 2013 SP1 may not be as accurate as it should be and, as we can see, it may not take into consideration the words contained in the template, although the Exchange documentation states it should.
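Given that result, a practitioner would want to see false positives like NonSensitive.docx before users start receiving NDRs. The following is an added example, not part of the original post: the policy is switched to audit mode with incident reports, the three test documents are sent, and the outcome is read from the server side instead of from Outlook. Policy and rule names, the report mailbox, the test sender and the time window are assumptions; the incident-report content values are the ones Set-TransportRule accepts, and the tracking-log filter assumes transport rule agent decisions are recorded with Source AGENT (as FAIL when a message is rejected).

```powershell
# Added example, not from the original post. Names, mailbox and sender address are assumptions.
$policy  = 'Block Sensitive DOC'
$rule    = 'Reject Sensitive DOC'
$reports = 'dlp-reports@contoso.local'   # assumed mailbox that collects incident reports
$tester  = 'user1@contoso.local'         # assumed test sender

# 1) Audit mode: every rule in the policy records a match but the message is still delivered.
Set-DlpPolicy -Identity $policy -Mode Audit

# 2) Have the rule send an incident report with the rule/classification that fired and a copy
#    of the original mail, so a hit on NonSensitive.docx is visible without anyone losing mail.
Set-TransportRule -Identity $rule `
    -GenerateIncidentReport $reports `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections, DataClassifications, AttachOriginalMail

# (send SensitiveDOC.docx, NonSensitive.docx and Test.docx from $tester at this point)

# 3) Server-side view of what the agent decided for the test sender's messages.
#    FAIL entries with Source AGENT are rejections (Enforce mode); in Audit mode the messages are
#    delivered, so the incident reports in $reports are the record of which attachments matched.
$since = (Get-Date).AddHours(-1)
Get-MessageTrackingLog -Start $since -End (Get-Date) -Sender $tester -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'AGENT' } |
    Select-Object Timestamp, EventId, MessageSubject, Recipients, RecipientStatus |
    Sort-Object Timestamp

# 4) Only after the audit run shows just the intended documents matching, turn enforcement back on.
# Set-DlpPolicy -Identity $policy -Mode Enforce
```

The incident report is the useful artifact here: it names the rule and data classification that matched and attaches the original message, so the attachment that triggered the fingerprint match can be compared against the template directly rather than inferred from an NDR.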

 
