What is the Azure Information Protection unified labeling scanner?

*Applies to: Azure Information Protection, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2*

*Relevant for: AIP unified labeling client only. For the classic client, see What is the Azure Information Protection classic scanner?*

Note

To scan and label files on cloud repositories, use Cloud App Security instead of the scanner.

Use the information in this section to learn about the Azure Information Protection unified labeling scanner, and how to install, configure, run, and if necessary troubleshoot it.

The AIP scanner runs as a service on Windows Server and lets you discover, classify, and protect files on the following data stores:

  • UNC paths for network shares that use the SMB or NFS (Preview) protocols.

  • SharePoint document libraries and folders for SharePoint Server 2019 through SharePoint Server 2013. SharePoint 2010 is also supported for customers who have extended support for this version of SharePoint.

To classify and protect your files, the scanner uses sensitivity labels configured in one of the Microsoft 365 labeling admin centers, including the Microsoft 365 Security Center, the Microsoft 365 Compliance Center, and the Microsoft 365 Security and Compliance Center.

Azure Information Protection unified labeling scanner overview

The AIP scanner can inspect any files that Windows can index. If you've configured sensitivity labels to apply automatic classification, the scanner can label discovered files to apply that classification, and optionally apply or remove protection.

The following image shows the AIP scanner architecture, where the scanner discovers files across your on-premises and SharePoint servers.

[Image: Azure Information Protection unified labeling scanner architecture]

To inspect your files, the scanner uses IFilters installed on the computer. To determine whether files need labeling, the scanner uses the Microsoft 365 built-in data loss prevention (DLP) sensitive information types and pattern detection, or Microsoft 365 regex patterns.

The scanner uses the Azure Information Protection client, and can classify and protect the same types of files as the client. For more information, see File types supported by the Azure Information Protection unified labeling client.

Do any of the following to configure your scans as needed:

  • Run the scanner in discovery mode only, to create reports that show what would happen when your files are labeled.
  • Run the scanner to discover files with sensitive information, without configuring labels that apply automatic classification.
  • Run the scanner automatically to apply labels as configured.
  • Define a file types list to specify which files to scan or to exclude.

Note

The scanner does not discover and label in real time. It systematically crawls through the files on the data stores that you specify. Configure this cycle to run once, or repeatedly.

Tip

The unified labeling scanner supports scanner clusters with multiple nodes, enabling your organization to scale out for faster scan times and broader scope.

Deploy multiple nodes right from the start, or start with a single-node cluster and add nodes later as you grow. Deploy multiple nodes by using the same cluster name and database for the Install-AIPScanner cmdlet.

AIP scanning process

When scanning files, the AIP scanner runs through the following steps:

1. Determine whether files are included or excluded for scanning

2. Inspect and label files

3. Label files that can't be inspected

For more information, see Files not labeled by the scanner.

1. Determine whether files are included or excluded for scanning

The scanner automatically skips files that are excluded from classification and protection, such as executable files and system files. For more information, see File types that are excluded from classification and protection.

The scanner also considers any file lists explicitly defined to scan, or to exclude from scanning. File lists apply to all data repositories by default, and can also be defined for specific repositories only.

To define file lists for scanning or exclusion, use the File types to scan setting in the content scan job. For example:

[Image: Configuring the file types to scan for the Azure Information Protection scanner]

For more information, see Deploying the Azure Information Protection scanner to automatically classify and protect files.

2. Inspect and label files

After identifying excluded files, the scanner filters again to identify files supported for inspection.

These additional filters are the same ones used by the operating system for Windows Search and indexing, and require no additional configuration. Windows IFilters are also used to scan the file types used by Word, Excel, and PowerPoint, as well as PDF documents and text files.

For a full list of file types supported for inspection, and additional instructions for configuring filters to include .zip and .tiff files, see File types supported for inspection.

After inspection, supported file types are labeled using the conditions specified for your labels. If you're using discovery mode, these files can either be reported as containing the conditions specified for your labels, or reported as containing any known sensitive information types.

Stopped scanner processes

If the scanner stops without completing a scan of a large number of files in your repository, you may need to increase the number of dynamic ports on the operating system hosting the files.

For example, server hardening for SharePoint is one reason why the scanner would exceed the number of allowed network connections and therefore stop.

To check whether this is the cause of the scanner stopping, look for the following error message in the scanner logs at %localappdata%\Microsoft\MSIP\Logs\MSIPScanner.iplog (multiple logs are compressed into a zip file):

Unable to connect to the remote server ---> System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted IP:port

For more information about how to view the current port range and increase it if needed, see Settings that can be modified to improve network performance.
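As an added example (not part of the article), the following PowerShell snippet searches the scanner log folder named above for the socket-address error quoted above and then shows the host's current TCP dynamic port range. The log folder path comes from the article; the rotated-archive handling and the `netsh` commands are assumptions, and the range check belongs on the server that is running out of ports (the one hosting the files), not necessarily the scanner node.

```powershell
# Added example: detect socket exhaustion in AIP scanner logs, then show the dynamic port range.
$logDir    = Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP\Logs'
$signature = 'Only one usage of each socket address (protocol/network address/port) is normally permitted'

# The scanner compresses older logs into zip files; expand them so they can be searched too (assumed layout).
Get-ChildItem -Path $logDir -Filter '*.zip' -ErrorAction SilentlyContinue | ForEach-Object {
    Expand-Archive -Path $_.FullName -DestinationPath (Join-Path $logDir $_.BaseName) -Force
}

# Search every .iplog file, including the ones just expanded, for the literal error text.
$hits = Get-ChildItem -Path $logDir -Recurse -Filter '*.iplog' -ErrorAction SilentlyContinue |
    Select-String -Pattern ([regex]::Escape($signature))

if (-not $hits) {
    Write-Output 'No socket-address errors found; port exhaustion is unlikely to be why the scanner stopped.'
    return
}

Write-Output ('Found {0} socket-address error(s); first occurrence: {1}:{2}' -f @($hits).Count, $hits[0].Path, $hits[0].LineNumber)

# Show the current TCP dynamic (ephemeral) port range on this host.
netsh int ipv4 show dynamicport tcp

# To widen the range on the host that exhausts ports (run from an elevated prompt), for example:
#   netsh int ipv4 set dynamicport tcp start=10000 num=55535
```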

Tip

For large SharePoint farms, you may need to increase the list view threshold, which has a default of 5,000.

For more information, see Manage large lists and libraries in SharePoint.

3. Label files that can't be inspected

For any file types that can't be inspected, the AIP scanner applies the default label from the Azure Information Protection policy, or the default label configured for the scanner.

Files not labeled by the scanner

The AIP scanner cannot label files under the following circumstances:

  • When the label applies classification, but not protection, and the file type does not support classification-only by the client. For more information, see Unified labeling client file types.

  • When the label applies classification and protection, but the scanner does not support the file type.

    By default, the scanner protects only Office file types, and PDF files when they are protected by using the ISO standard for PDF encryption.

    Other types of files can be added for protection when you change the types of files to protect.

Example: After inspecting .txt files, the scanner can't apply a label that's configured for classification only, because the .txt file type doesn't support classification only.

However, if the label is configured for both classification and protection, and the .txt file type is included in the types the scanner protects, the scanner can label the file.
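To make the rules in this section and the .txt example above concrete, here is an added PowerShell function (not part of the article or the AIP client) that predicts, per file, whether the scanner would label it under a given label mode and protect list. The extension lists in the function are assumptions for illustration; the authoritative lists are the linked file-type articles and your own scanner settings.

```powershell
# Added example: pre-flight check of which files the scanner will leave unlabeled.
function Test-ScannerLabelEligibility {
    param(
        [Parameter(Mandatory)] [string[]] $FilePath,
        [Parameter(Mandatory)] [ValidateSet('ClassifyOnly', 'ClassifyAndProtect')] [string] $LabelMode,
        # Extensions the scanner is configured to protect (article default: Office types and PDF).
        [string[]] $ProtectTypes = @('.docx', '.xlsx', '.pptx', '.pdf')
    )
    # Assumed: types the client can label with classification only (label metadata, no encryption).
    $classifyOnlyTypes = @('.docx', '.xlsx', '.pptx')
    # Article: executable and system files are always excluded from classification and protection.
    $alwaysSkipped = @('.exe', '.dll', '.sys')

    foreach ($path in $FilePath) {
        $ext = [System.IO.Path]::GetExtension($path).ToLowerInvariant()
        $reason = $null
        if ($ext -in $alwaysSkipped) {
            $reason = 'file type is excluded from classification and protection'
        }
        elseif ($LabelMode -eq 'ClassifyOnly' -and $ext -notin $classifyOnlyTypes) {
            $reason = 'file type does not support classification-only'
        }
        elseif ($LabelMode -eq 'ClassifyAndProtect' -and $ext -notin $ProtectTypes) {
            $reason = 'file type is not in the scanner protect list'
        }
        [pscustomobject]@{ Path = $path; Labeled = (-not $reason); Reason = $reason }
    }
}

# Constructed sample paths that reproduce the article's .txt example.
$sample = @('\\fs01\share\plan.txt', '\\fs01\share\budget.xlsx', '\\fs01\share\tool.exe')

# Classification-only label: plan.txt is reported as not labeled.
Test-ScannerLabelEligibility -FilePath $sample -LabelMode ClassifyOnly

# Classification plus protection, with .txt added to the protect list: plan.txt is now labeled.
Test-ScannerLabelEligibility -FilePath $sample -LabelMode ClassifyAndProtect `
    -ProtectTypes @('.docx', '.xlsx', '.pptx', '.pdf', '.txt')
```

Run it against a listing of a real share (for example the output of `Get-ChildItem -Recurse -File | Select-Object -ExpandProperty FullName`) to see which files would need a protect-list change before a content scan job is created.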

Next steps

For more information about deploying the scanner, see the following articles:

More information: