Learn about Microsoft 365 Endpoint data loss prevention

You can use Microsoft 365 data loss prevention (DLP) to monitor the actions that are being taken on items you've determined to be sensitive and to help prevent the unintentional sharing of those items. For more information on DLP, see Learn about data loss prevention.

Endpoint data loss prevention (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft 365 compliance solutions, the information about what users are doing with sensitive items is made visible in activity explorer, and you can enforce protective actions on those items via DLP policies.

Endpoint activities you can monitor and take action on

Microsoft Endpoint DLP enables you to audit and manage the following types of activities users take on sensitive items on devices running Windows 10.

| Activity | Description | Auditable/restrictable |
|---|---|---|
| upload to cloud service, or access by unallowed browsers | Detects when a user attempts to upload an item to a restricted service domain or access an item through a browser. If they are using a browser that is listed in DLP as an unallowed browser, the upload activity will be blocked and the user is redirected to use Edge Chromium. Edge Chromium will then either allow or block the upload or access based on the DLP policy configuration. | auditable and restrictable |
| copy to other app | Detects when a user attempts to copy information from a protected item and then paste it into another app, process or item. Copying and pasting information within the same app, process, or item is not detected by this activity. | auditable and restrictable |
| copy to USB removable media | Detects when a user attempts to copy an item or information to removable media or a USB device. | auditable and restrictable |
| copy to a network share | Detects when a user attempts to copy an item to a network share or mapped network drive. | auditable and restrictable |
| print a document | Detects when a user attempts to print a protected item to a local or network printer. | auditable and restrictable |
| copy to a remote session | Detects when a user attempts to copy an item to a remote desktop session. | auditable and restrictable |
| copy to a Bluetooth device | Detects when a user attempts to copy an item to an unallowed Bluetooth app (as defined in the list of unallowed Bluetooth apps in Endpoint DLP settings). | auditable and restrictable |
| create an item | Detects when a user creates an item. | auditable |
| rename an item | Detects when a user renames an item. | auditable |

Monitored files

Endpoint DLP supports monitoring of these file types:

  • Word files
  • PowerPoint files
  • Excel files
  • PDF files
  • .csv files
  • .tsv files
  • .txt files
  • .rtf files
  • .c files
  • .class files
  • .cpp files
  • .cs files
  • .h files
  • .java files

By default, Endpoint DLP audits the activities for these file types, even if there isn't a policy match. If you only want monitoring data from policy matches, you can turn off the Always audit file activity for devices setting in the Endpoint DLP global settings. If this setting is on, activities on any Word, PowerPoint, Excel, PDF, and .csv file are always audited even if the device is not targeted by any policy.

Endpoint DLP monitors activity based on MIME type, so activities will be captured even if the file extension is changed.

What's different in Endpoint DLP

There are a few extra concepts that you need to be aware of before you dig into Endpoint DLP.

Enabling Device management

Device management is the functionality that enables the collection of telemetry from devices and brings it into Microsoft 365 compliance solutions like Endpoint DLP and Insider Risk Management. You'll need to onboard all devices you want to use as locations in DLP policies.

[Screenshot: enable device management]

Onboarding and offboarding are handled via scripts you download from the Device management center. The center has custom scripts for each of these deployment methods:

  • local script (up to 10 machines)
  • Group policy
  • System Center Configuration Manager (version 1610 or later)
  • Mobile Device Management/Microsoft Intune
  • VDI onboarding scripts for non-persistent machines

[Screenshot: device onboarding page]

Use the procedures in Getting started with Microsoft 365 Endpoint DLP to onboard devices.

If you have onboarded devices through Microsoft Defender for Endpoint, those devices will automatically show up in the list of devices.

[Screenshot: managed devices list]

Viewing Endpoint DLP data

You can view alerts related to DLP policies enforced on endpoint devices by going to the DLP Alerts Management Dashboard.

[Screenshot: alert info]

You can also view details of the associated event with rich metadata in the same dashboard.

[Screenshot: event info]

Once a device is onboarded, information about audited activities flows into Activity explorer even before you configure and deploy any DLP policies that have devices as a location.

[Screenshot: Endpoint DLP events in activity explorer]

Endpoint DLP collects extensive information on audited activity.

For example, if a file is copied to removable USB media, you'd see these attributes in the activity details:

  • activity type
  • client IP
  • target file path
  • happened timestamp
  • file name
  • user
  • file extension
  • file size
  • sensitive information type (if applicable)
  • sha1 value
  • sha256 value
  • previous file name
  • location
  • parent
  • filepath
  • source location type
  • platform
  • device name
  • destination location type
  • application that performed the copy
  • Microsoft Defender for Endpoint device ID (if applicable)
  • removable media device manufacturer
  • removable media device model
  • removable media device serial number

[Screenshot: copy to USB activity attributes]
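As an added example (not Microsoft's code and not an Endpoint DLP export), the following Python triages a batch of activity records shaped like the attribute list above: it keeps only restrictable activity types from the table that touched an item with a sensitive information type, and it flags cases where the item's extension was changed by an audited rename before the egress activity, which is the situation MIME-based monitoring still catches. The records, user names, device names and hashes are constructed sample data; the attribute keys are the ones the page lists.

```python
from collections import defaultdict

# Activity types from the table above; "create an item" and "rename an item" are audit-only.
RESTRICTABLE = {
    "upload to cloud service", "copy to other app", "copy to USB removable media",
    "copy to a network share", "print a document", "copy to a remote session",
    "copy to a Bluetooth device",
}

# Constructed sample records using the attribute names listed above (all values are made up).
SAMPLE_EVENTS = [
    {"activity type": "rename an item", "user": "alice@contoso.example", "device name": "WS-01",
     "happened timestamp": "2021-03-01T09:00:00Z", "file name": "q1-payroll.txt",
     "previous file name": "q1-payroll.xlsx", "sha256": "aa11",
     "sensitive information type": "Credit Card Number", "destination location type": "Local"},
    {"activity type": "copy to USB removable media", "user": "alice@contoso.example",
     "device name": "WS-01", "happened timestamp": "2021-03-01T09:05:00Z",
     "file name": "q1-payroll.txt", "sha256": "aa11",
     "sensitive information type": "Credit Card Number",
     "destination location type": "Removable media",
     "removable media device serial number": "SN-0001"},
    {"activity type": "create an item", "user": "bob@contoso.example", "device name": "WS-02",
     "happened timestamp": "2021-03-01T10:00:00Z", "file name": "notes.txt", "sha256": "bb22",
     "destination location type": "Local"},
]


def ext(name):
    """Return the lower-cased extension of a file name ('' if it has none)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(events):
    """Return findings for restrictable activities on sensitive items, in timestamp order."""
    findings = []
    renamed = defaultdict(list)  # sha256 -> timestamps of renames that changed the extension
    for e in sorted(events, key=lambda r: r["happened timestamp"]):
        kind, sha, ts = e["activity type"], e["sha256"], e["happened timestamp"]
        if kind == "rename an item" and ext(e["file name"]) != ext(e.get("previous file name", "")):
            renamed[sha].append(ts)
            continue
        if kind in RESTRICTABLE and e.get("sensitive information type"):
            finding = {"rule": "sensitive_item_egress", "user": e["user"],
                       "device": e["device name"], "activity": kind, "sha256": sha,
                       "sit": e["sensitive information type"]}
            # Monitoring is keyed on MIME type, so the egress is recorded regardless of the
            # rename; surface the earlier extension change so the analyst sees the sequence.
            if any(t < ts for t in renamed[sha]):
                finding["extension_changed_before_egress"] = True
            findings.append(finding)
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields one finding for the copy to USB removable media, marked as preceded by an extension change; the create event on the non-sensitive item produces nothing.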

Next steps

Now that you've learned about Endpoint DLP, your next steps are:

  1. Getting started with Microsoft Endpoint data loss prevention
  2. Using Microsoft Endpoint data loss prevention

See also