Protect SharePoint Online files with Office 365 labels and Data Loss Prevention

Introduction

Use the steps in this article to design and deploy Office 365 labels and Data Loss Prevention (DLP) policies for baseline, sensitive, and highly confidential SharePoint Online team sites. For more information about these three tiers of protection, see Secure SharePoint Online sites and files.

Office 365 labels for your SharePoint Online sites

You must complete the following three phases when creating and assigning Office 365 labels to SharePoint Online team sites.

Phase 1: Determine the Office 365 label names

In this phase, you determine the names of your Office 365 labels for the four levels of information protection applied to SharePoint Online team sites. The following table lists the recommended names for each level.

| SharePoint Online team site protection level | Label name |
|---|---|
| Baseline-Public | Internal public |
| Baseline-Private | Private |
| Sensitive | Sensitive |
| Highly Confidential | Highly Confidential |

Phase 2: Create the Office 365 labels

In this phase, you create and then publish your determined labels for the different levels of information protection.

To create the labels, you can use the Office 365 Admin center or Microsoft PowerShell.

Create Office 365 labels with the Office 365 Admin center

  1. Sign in to the Office 365 portal with an account that has the Security Administrator or Company Administrator role. For help, see Where to sign in to Office 365.
  2. From the Microsoft Office Home tab, click the Admin tile.
  3. From the new Office Admin center tab of your browser, click Admin centers > Security & Compliance.
  4. From the new Home – Security & Compliance tab of your browser, click Classifications > Labels.
  5. From the Home > Labels pane, click Create a label.
  6. On the Name your label pane, type the name of the label, and click Next.
  7. On the Label settings pane, click Next.
  8. On the Review your settings pane, click Create this label, and click Close.
  9. Repeat steps 5-8 for your additional labels.

Create Office 365 labels with PowerShell

  1. Connect to the Office 365 Security & Compliance Center using remote PowerShell and specify the credentials of an account that has the Security Administrator or Company Administrator role.
  2. Fill out the list of label names, and then run these commands at the PowerShell command prompt:
$labelNames=@([list of label names, each enclosed in quotes and separated by commas])
ForEach ($element in $labelNames){ New-ComplianceTag -Name $element }
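
A re-runnable variant of the commands above, as an added example that is not part of the original article: it skips labels that already exist and confirms all four are present before you publish. It assumes the remote PowerShell session from step 1 is already connected and uses the recommended label names from the Phase 1 table.

```powershell
# Added example. Requires a connected Security & Compliance Center
# remote PowerShell session (step 1 above).
# Label names are the recommended names from the Phase 1 table.
$labelNames = @("Internal public", "Private", "Sensitive", "Highly Confidential")

# Collect the names of labels that already exist so a second run
# does not fail on duplicates.
$existing = @(Get-ComplianceTag | Select-Object -ExpandProperty Name)

foreach ($name in $labelNames) {
    if ($existing -contains $name) {
        Write-Host "Label already exists, skipping: $name"
        continue
    }
    try {
        # -ErrorAction Stop turns a failed creation into a catchable error.
        New-ComplianceTag -Name $name -ErrorAction Stop | Out-Null
        Write-Host "Created label: $name"
    }
    catch {
        Write-Warning "Could not create label '$name': $($_.Exception.Message)"
    }
}

# Verify: every planned label must be present before moving on to publishing.
$present = @(Get-ComplianceTag | Select-Object -ExpandProperty Name)
$missing = @($labelNames | Where-Object { $present -notcontains $_ })

if ($missing.Count -gt 0) {
    throw "Missing labels: $($missing -join ', ')"
}
Write-Host "All $($labelNames.Count) labels are present and ready to publish."
```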

Next, use these steps to publish the new Office 365 labels.

  1. From the Home > Labels pane in the Security & Compliance Center, click Publish labels.
  2. On the Choose labels to publish pane, click Choose labels to publish.
  3. On the Choose labels pane, click Add and select all four labels.
  4. Click Done.
  5. On the Choose labels to publish pane, click Next.
  6. On the Choose locations pane, click Next.
  7. On the Name your policy pane, type a name for your set of labels in Name, and click Next.
  8. On the Review your settings pane, click Publish labels, and click Close.

Phase 3: Apply the Office 365 labels to your SharePoint Online sites

Use these steps to apply the Office 365 labels to the documents folders of your SharePoint Online team sites.

  1. From the Microsoft Office Home tab of your browser, click the SharePoint tile.
  2. On the new SharePoint tab in your browser, click a site that needs an Office 365 label assigned.
  3. In the new SharePoint site tab of your browser, click Documents.
  4. Click the settings icon, and then click Library settings.
  5. Under Permissions and Management, click Apply label to items in this library.
  6. In Settings-Apply Label, select the appropriate label, and click Save.
  7. Close the tab for the SharePoint Online site.
  8. Repeat steps 3-8 to assign Office 365 labels to your additional SharePoint Online sites.

Here is your resulting configuration.

Baseline protection

DLP policies for your SharePoint Online sites

Use these steps to configure a DLP policy that notifies users when they share a document on a SharePoint Online sensitive team site outside the organization.

  1. From the Microsoft Office Home tab in your browser, click the Security & Compliance tile.
  2. On the new Security & Compliance tab in your browser, click Data loss prevention > Policy.
  3. In the Data loss prevention pane, click + Create a policy.
  4. In the Start with a template or create a custom policy pane, click Custom, and then Next.
  5. In the Name your policy pane, type the name for the sensitive level DLP policy in Name, and click Next.
  6. In the Choose locations pane, click Let me choose specific locations, and then click Next.
  7. In the list of locations, disable the Exchange email and OneDrive accounts locations, and click Next.
  8. In the Customize the types of sensitive info you want to protect pane, click Edit.
  9. In the Choose the types of content to protect pane, click Add in the drop-down box, and click Labels.
  10. In the Labels pane, click + Add, select the Sensitive label, click Add, and click Done.
  11. In the Choose the types of content to protect pane, click Save.
  12. In the Customize the types of sensitive info you want to protect pane, click Next.
  13. In the What do you want to do if we detect sensitive info? pane, click Customize the tip and email.
  14. In the Customize policy tips and email notifications pane, click Customize the policy tip text.
  15. In the text box, type or paste in the following:
    • To share with a user outside the organization, download the file and then open it. Click File, then Protect Document, and then Encrypt with Password, and then specify a strong password. Send the password in a separate email or other means of communication.
    • Or type or paste in your own policy tip that instructs users on how to share a file outside your organization.
  16. Click OK. In the What do you want to do if we detect sensitive info? pane, clear the Block people from sharing and restrict access to shared content check box, and click Next.
  17. In the Do you want to turn on the policy or test things out first? pane, click Yes, turn it on right away, and click Next.
  18. In the Review your settings pane, click Create, and click Close.

Here is your resulting configuration for sensitive SharePoint Online team sites.

Sensitive protection

Next, use these steps to configure a DLP policy that blocks users when they share a document on a SharePoint Online highly confidential team site outside the organization.

  1. From the Microsoft Office Home tab in your browser, click the Security & Compliance tile.
  2. On the new Security & Compliance tab in your browser, click Data loss prevention > Policy.
  3. In the Data loss prevention pane, click + Create a policy.
  4. In the Start with a template or create a custom policy pane, click Custom, and click Next.
  5. In the Name your policy pane, type the name for the highly sensitive level DLP policy in Name, and click Next.
  6. In the Choose locations pane, click Let me choose specific locations, and click Next.
  7. In the list of locations, disable the Exchange email and OneDrive accounts locations, and click Next.
  8. In the Customize the types of sensitive info you want to protect pane, click Edit.
  9. In the Choose the types of content to protect pane, click Add in the drop-down box, and click Labels.
  10. In the Labels pane, click + Add, select the Highly Confidential label, click Add, and click Done.
  11. In the Choose the types of content to protect pane, click Save.
  12. In the Customize the types of sensitive info you want to protect pane, click Next.
  13. In the What do you want to do if we detect sensitive info? pane, click Customize the tip and email.
  14. In the Customize policy tips and email notifications pane, click Customize the policy tip text.
  15. In the text box, type or paste in the following:
    • To share with a user outside the organization, download the file and then open it. Click File, then Protect Document, and Encrypt with Password, and then specify a strong password. Send the password in a separate email or other means of communication.
    • Or type or paste in your own policy tip that instructs users on how to share a file outside your organization.
  16. Click OK.
  17. In the What do you want to do if we detect sensitive info? pane, select Require a business justification to override, and click Next.
  18. In the Do you want to turn on the policy or test things out first? pane, click Yes, turn it on right away, and click Next.
  19. In the Review your settings pane, click Create, and click Close.

Here is your resulting configuration for high confidentiality SharePoint Online team sites.

Highly confidential protection

Next steps

Protect SharePoint Online files with Azure Information Protection