Using Endpoint data loss prevention

This article walks you through three scenarios where you create and modify a DLP policy that uses devices as a location.

DLP settings

Before you get started, you should set up your DLP settings, which are applied to all DLP policies for devices. You must configure these if you intend to create policies that enforce:

  • cloud egress restrictions
  • unallowed apps restrictions

Or

  • If you want to exclude noisy file paths from monitoring


File path exclusions

You may want to exclude certain paths from DLP monitoring, DLP alerting, and DLP policy enforcement on your devices because they are too noisy or don't contain files you are interested in. Files in those locations will not be audited, and any files that are created or modified in those locations will not be subject to DLP policy enforcement. You can configure path exclusions in DLP settings.

You can use this logic to construct your exclusion paths:

  • Valid file path that ends with '\', which means only files directly under the folder.
    For example: C:\Temp\

  • Valid file path that ends with '\*', which means files under sub-folders as well as the files directly under the folder.
    For example: C:\Temp\*

  • Valid file path that ends without '\' or '*', which means all files directly under the folder and all sub-folders.
    For example: C:\Temp

  • A path with a wildcard between '\' on each side.
    For example: C:\Users\*\Desktop\

  • A path with a wildcard between '\' on each side and with '(number)' to give the exact number of subfolders.
    For example: C:\Users\*(1)\Downloads\

  • A path with SYSTEM environment variables.
    For example: %SystemDrive%\Test\*

  • A mix of all the above.
    For example: %SystemDrive%\Users\*\Documents\*(2)\Sub\
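As an added example (not code from this page or from Microsoft), the following Python matcher turns the exclusion-path forms above into regular expressions so you can check which files a given exclusion list would exempt from monitoring before deploying it. It assumes that '*' between backslashes matches one or more folder levels, that the trailing '\*' and bare-folder forms both cover the folder and all its subfolders, and that environment variables are expanded from a constructed map; those readings are mine, not the page's.

```python
import re

# Constructed environment map so the example runs on any OS; a real device
# expands its own SYSTEM environment variables (assumption: same names).
ENV = {"SystemDrive": "C:"}

# Constructed exclusion list using the path forms listed on this page.
EXCLUSIONS = [
    "C:\\Temp\\",                                   # direct children only
    "C:\\Users\\*\\Desktop\\",                      # wildcard folder level(s)
    "C:\\Users\\*(1)\\Downloads\\",                 # exactly one folder level
    "%SystemDrive%\\Users\\*\\Documents\\*(2)\\Sub\\",  # mix of all forms
]

def _segment_regex(seg: str) -> str:
    """Regex for one folder segment: literal text, '*' (assumed to match one
    or more folder levels) or '*(n)' (exactly n folder levels)."""
    m = re.fullmatch(r"\*\((\d+)\)", seg)
    if m:
        n = int(m.group(1))
        return r"[^\\]+" + (r"(?:\\[^\\]+){%d}" % (n - 1) if n > 1 else "")
    if seg == "*":
        return r"[^\\]+(?:\\[^\\]+)*"
    return re.escape(seg)

def exclusion_to_regex(pattern: str) -> re.Pattern:
    """Translate one exclusion pattern into a regex that full-matches every
    file path the pattern exempts from DLP monitoring."""
    pat = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1), m.group(0)), pattern)
    if pat.endswith("\\*"):          # folder plus all subfolders
        folder, tail = pat[:-2], r"\\(?:[^\\]+\\)*[^\\]+"
    elif pat.endswith("\\"):         # files directly under the folder only
        folder, tail = pat[:-1], r"\\[^\\]+"
    else:                            # bare folder: folder plus all subfolders
        folder, tail = pat, r"\\(?:[^\\]+\\)*[^\\]+"
    body = r"\\".join(_segment_regex(s) for s in folder.split("\\"))
    return re.compile(body + tail, re.IGNORECASE)   # Windows paths ignore case

def is_excluded(file_path: str, patterns=EXCLUSIONS) -> bool:
    """True if any exclusion pattern covers file_path (so DLP would not audit it)."""
    return any(exclusion_to_regex(p).fullmatch(file_path) for p in patterns)

if __name__ == "__main__":
    for p in ["C:\\Temp\\a.txt", "C:\\Temp\\sub\\a.txt",
              "C:\\Users\\alice\\Desktop\\x.docx", "C:\\Users\\a\\b\\Downloads\\x.zip"]:
        print(f"{p}: {'excluded' if is_excluded(p) else 'monitored'}")
```

Run it against your real exclusion list to confirm that an exclusion written for one noisy folder does not silently widen to the whole drive.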

Unallowed apps

When a policy's Access by unallowed apps and browsers setting is turned on and users attempt to use these apps to access a protected file, the activity will be allowed, blocked, or blocked but users can override the restriction. All activity is audited and available to review in activity explorer.

Important

Do not include the path to the executable, but only the executable name (such as browser.exe).

Browser and domain restrictions

Restrict sensitive files that match your policies from being shared with unrestricted cloud service domains.

Service domains

You can control whether sensitive files protected by your policies can be uploaded to specific service domains from Microsoft Edge.

If the list mode is set to Block, then users will not be able to upload sensitive items to those domains. When an upload action is blocked because an item matches a DLP policy, DLP will either generate a warning or block the upload of the sensitive item.

If the list mode is set to Allow, then users will be able to upload sensitive items only to those domains, and upload access to all other domains is not allowed.

Important

When the service restriction mode is set to "Allow", you must have at least one service domain configured before restrictions are enforced.

Unallowed browsers

You add browsers, identified by their executable names, that will be blocked from accessing files that match the conditions of an enforced DLP policy where the upload to cloud services restriction is set to block or block with override. When these browsers are blocked from accessing a file, the end users will see a toast notification asking them to open the file through Edge Chromium.

Business justification in policy tips

You can control how users interact with the business justification option in DLP policy tip notifications. This option appears when users perform an activity that's protected by the Block with override setting in a DLP policy. You can choose from one of the following options:

  • By default, users can select either a built-in justification or enter their own text.
  • Users can only select a built-in justification.
  • Users can only enter their own justification.

Tying DLP settings together

With Endpoint DLP and the Edge Chromium web browser, you can restrict unintentional sharing of sensitive items to unallowed cloud apps and services. Edge Chromium understands when an item is restricted by an Endpoint DLP policy and enforces access restrictions.

When you use Endpoint DLP as a location in a properly configured DLP policy together with the Edge Chromium browser, the unallowed browsers that you've defined in these settings will be prevented from accessing the sensitive items that match your DLP policy controls. Instead, users will be redirected to use Edge Chromium, which understands DLP-imposed restrictions and can block or restrict activities when the conditions in the DLP policy are met.

To use this restriction, you'll need to configure three important pieces:

  1. Specify the places (services, domains, IP addresses) that you want to prevent sensitive items from being shared to.

  2. Add the browsers that aren't allowed to access certain sensitive items when a DLP policy match occurs.

  3. Configure DLP policies to define the kinds of sensitive items for which upload should be restricted to these places by turning on Upload to cloud services and Access from unallowed browser.

You can continue to add new services, apps, and policies to extend and augment your restrictions to meet your business needs and protect sensitive data.

This configuration will help ensure your data remains safe while also avoiding unnecessary restrictions that prevent or restrict users from accessing and sharing non-sensitive items.

Endpoint DLP policy scenarios

To help familiarize you with Endpoint DLP features and how they surface in DLP policies, we've put together some scenarios for you to follow.

Important

These Endpoint DLP scenarios are not the official procedures for creating and tuning DLP policies. Refer to the topics below when you need to work with DLP policies in general situations:

Scenario 1: Create a policy from a template, audit only

These scenarios require that you already have devices onboarded and reporting into Activity explorer. If you haven't onboarded devices yet, see Get started with Endpoint data loss prevention.

  1. Open the Data loss prevention page.

  2. Choose Create policy.

  3. For this scenario, choose Privacy, then U.S. Personally Identifiable Information (PII) Data, and choose Next.

  4. Toggle the Status field to off for all locations except Devices. Choose Next.

  5. Accept the default Review and customize settings from the template selection and choose Next.

  6. Accept the default Protection actions values and choose Next.

  7. Select Audit or restrict activities on Windows devices and leave the actions set to Audit only. Choose Next.

  8. Accept the default I'd like to test it out first value and choose Show policy tips while in test mode. Choose Next.

  9. Review your settings and choose Submit.

  10. The new DLP policy will appear in the policy list.

  11. Check Activity explorer for data from the monitored endpoints. Set the location filter for devices and add the policy, then filter by policy name to see the impact of this policy. See Get started with activity explorer (preview) if needed.

  12. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

  13. Check Activity explorer for the event.

Scenario 2: Modify the existing policy, set an alert

  1. Open the Data loss prevention page.

  2. Choose the U.S. Personally Identifiable Information (PII) Data policy that you created in scenario 1.

  3. Choose Edit policy.

  4. Go to the Advanced DLP rules page and edit the Low volume of content detected U.S. Personally Identifiable Inf.

  5. Scroll down to the Incident reports section and set Send an alert to admins when a rule match occurs to On. Email alerts will be automatically sent to the administrator and anyone else you add to the list of recipients.

  6. For the purposes of this scenario, choose Send alert every time an activity matches the rule.

  7. Choose Save.

  8. Retain all your previous settings by choosing Next and then Submit the policy changes.

  9. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

  10. Check Activity explorer for the event.

Scenario 3: Modify the existing policy, block the action with allow override

  1. Open the Data loss prevention page.

  2. Choose the U.S. Personally Identifiable Information (PII) Data policy that you created in scenario 1.

  3. Choose Edit policy.

  4. Go to the Advanced DLP rules page and edit the Low volume of content detected U.S. Personally Identifiable Inf.

  5. Scroll down to the Audit or restrict activities on Windows devices section and, for each activity, set the corresponding action to Block with override.

  6. Choose Save.

  7. Repeat steps 4-7 for the High volume of content detected U.S. Personally Identifiable Inf.

  8. Retain all your previous settings by choosing Next and then Submit the policy changes.

  9. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

    You'll see a popup like this on the client device:

    [Screenshot: Endpoint DLP client blocked-with-override notification]

  10. Check Activity explorer for the event.

See also