Protect form data with document fingerprinting

If your organization uses forms to collect sensitive information, users might try emailing those forms to outside contacts, which creates a security risk. Data loss prevention (DLP) in Exchange helps you protect that information by detecting it with Document Fingerprinting. To use document fingerprinting, simply upload a blank form, such as an intellectual property document, government form, or other standard form used in your organization. Then, add the resulting document fingerprint to a DLP policy or transport rule. Here's how.

Use the EAC to create a document fingerprint

(Screenshot: the path to document fingerprints in the EAC is highlighted.)

  1. In the Exchange Administration Center (EAC), go to compliance management > data loss prevention.

  2. Click Manage document fingerprints.

  3. On the document fingerprints page, click New (the Add icon) to create a new document fingerprint.

  4. Give the document fingerprint a Name and Description. (The name you choose will appear in the sensitive information types list.)

  5. To upload a form, click Add (the Add icon).

  6. Choose a form, and click Open. (Make sure that the file you upload contains text, isn't password protected, and is in one of the file types that are supported in transport rules. For a list of supported file types, see Use mail flow rules to inspect message attachments in Office 365. Otherwise, you'll get an error when you try creating the fingerprint.) Repeat for any additional files you want to add to the document list for this document fingerprint. You can also add or remove files from this document fingerprint later if you want.

  7. Click Save.

The document fingerprint is now part of your sensitive information types, and you can add it to a DLP policy or add it to a transport rule via the "The message contains sensitive information…" condition.

(Screenshot: the 'Apply this rule if' condition is highlighted.)

For more information about adding rules to a DLP policy, see the "Change a DLP policy" section of Manage DLP Policies, and for more information about modifying transport rules, see Integrating sensitive information rules with transport rules. If you want to create a new policy, see Create a DLP policy from a template.

Use the Shell to create a classification rule package based on document fingerprinting

Tip

Even though you can create and modify classification rule packages in the Shell, you might find that creating document fingerprints is a little simpler in the EAC. We recommend you try it there before trying this procedure in the Shell.

DLP uses classification rule packages to detect sensitive content in messages. To create a classification rule package based on a document fingerprint, use the New-Fingerprint and New-DataClassification cmdlets. Because the results of New-Fingerprint aren't stored outside the data classification rule, you always run New-Fingerprint and New-DataClassification or Set-DataClassification in the same PowerShell session. The following example creates a new document fingerprint based on the file C:\My Documents\Contoso Employee Template.docx. You store the new fingerprint as a variable so you can use it with the New-DataClassification cmdlet in the same PowerShell session.

$Employee_Template = Get-Content "C:\My Documents\Contoso Employee Template.docx" -Encoding byte
$Employee_Fingerprint = New-Fingerprint -FileData $Employee_Template -Description "Contoso Employee Template"

Now, let's create a new data classification rule named "Contoso Employee Confidential" that uses the document fingerprint of the file C:\My Documents\Contoso Customer Information Form.docx.

$Customer_Form = Get-Content "C:\My Documents\Contoso Customer Information Form.docx" -Encoding byte
$Customer_Fingerprint = New-Fingerprint -FileData $Customer_Form -Description "Contoso Customer Information Form"
New-DataClassification -Name "Contoso Customer Confidential" -Fingerprints $Customer_Fingerprint -Description "Message contains Contoso customer information." 

You can now use the Get-DataClassification cmdlet to find all DLP data classification rule packages, and in this example, "Contoso Customer Confidential" is part of the data classification rule packages list.

Finally, add the "Contoso Customer Confidential" data classification rule package to a DLP policy.

New-TransportRule -Name "Notify :External Recipient Contoso confidential" -NotifySender NotifyOnly -Mode Enforce -SentToScope NotInOrganization -MessageContainsDataClassification @{Name="Contoso Customer Confidential"}

The DLP agent now detects documents that match the Contoso Customer Form.docx document fingerprint.
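
The procedure above, generalized as an added example (not part of the original page or Microsoft's own code): it fingerprints every blank form in a folder within one PowerShell session, skips files that cannot be fingerprinted, and either creates the data classification or appends to an existing one. The function name Publish-FormFingerprints and the folder C:\My Documents\Forms are hypothetical.

```powershell
# Added example: builds one data classification from every blank form in a folder.
# Run in the Exchange Management Shell; the function name and folder are hypothetical.
function Publish-FormFingerprints {
    param(
        [Parameter(Mandatory)] [string] $FormFolder,
        [Parameter(Mandatory)] [string] $ClassificationName,
        [string] $Description = "Message contains a fingerprinted form."
    )

    $fingerprints = @()
    foreach ($file in Get-ChildItem -Path $FormFolder -File) {
        # An empty file has no text to fingerprint, so skip it with a warning.
        if ($file.Length -eq 0) {
            Write-Warning "Skipping empty file: $($file.Name)"
            continue
        }
        try {
            # ReadAllBytes returns the raw bytes that -FileData expects.
            $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
            $fingerprints += New-Fingerprint -FileData $bytes -Description $file.BaseName -ErrorAction Stop
        }
        catch {
            # Password-protected or unsupported files fail here; report and continue.
            Write-Warning "No fingerprint for $($file.Name): $($_.Exception.Message)"
        }
    }
    if ($fingerprints.Count -eq 0) { throw "No usable forms found in $FormFolder" }

    # Fingerprints exist only in this session, so create or update the rule now.
    $existing = Get-DataClassification | Where-Object { $_.Name -eq $ClassificationName }
    if ($existing) {
        # Keep the fingerprints already stored in the rule and append the new ones.
        $all = @($existing.Fingerprints) + $fingerprints
        Set-DataClassification -Identity $existing.Identity -Fingerprints $all
    }
    else {
        New-DataClassification -Name $ClassificationName -Description $Description -Fingerprints $fingerprints
    }
    # Return the stored rule so the caller can confirm it is listed.
    Get-DataClassification | Where-Object { $_.Name -eq $ClassificationName }
}

Publish-FormFingerprints -FormFolder "C:\My Documents\Forms" -ClassificationName "Contoso Customer Confidential"
```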

For syntax and parameter information, see New-Fingerprint, New-DataClassification, Set-DataClassification, and Get-DataClassification.

For more information

Document Fingerprinting

Manage DLP Policies

Integrating sensitive information rules with transport rules