Quickstart: Find what sensitive information you have in files stored on-premises

Applies to: Azure Information Protection

In this quickstart, you'll install and configure the Azure Information Protection scanner to find what sensitive information you have in files that are stored in an on-premises data store. For example, a local folder, network share, or SharePoint Server.

Note

You can use this quickstart with the current general availability version of the Azure Information Protection client (classic) or the current preview version of the Azure Information Protection unified labeling client.

Not sure of the difference between these clients? See this FAQ.

You can finish this configuration in less than 10 minutes.

Prerequisites

To complete this quickstart, you need:

  1. A subscription that includes Azure Information Protection Plan 1 or Plan 2.

    If you don't have one of these subscriptions, you can create a free account for your organization.

  2. One of the following Azure Information Protection clients is installed on your computer:

    • The classic client: To install this client, go to the Microsoft download center and download AzInfoProtection.exe from the Azure Information Protection page.

    • The unified labeling client: To install this client, go to the Microsoft download center and download AzInfoProtection_UL_Preview.exe from the Azure Information Protection page.

  3. SQL Server Express is also installed on your computer.

    If this SQL Server edition isn't already installed, you can download it from the Microsoft Download Center and select a Basic installation.

  4. Your domain account is synchronized to Azure AD.

For a full list of prerequisites to use Azure Information Protection, see Requirements for Azure Information Protection.

Prepare a test folder and file

For an initial test to confirm that the scanner is working:

  1. Create a local folder on your computer. For example, TestScanner on your local C drive.

  2. Create and save a Word document in that folder, which has the text Credit card: 4242-4242-4242-4242.

Configure a profile for the scanner

Before you install the scanner, create a profile for it in the Azure portal. This profile contains scanner settings and locations of the data repositories to scan.

  1. Open a new browser window and sign in to the Azure portal. Then navigate to the Azure Information Protection blade.

    For example, on the hub menu, click All services and start typing Information in the Filter box. Select Azure Information Protection.

  2. Locate the Scanner options from the left blade, and select Profiles.

  3. On the Azure Information Protection - Profiles blade, select Add:

    [Image: Add a profile for the Azure Information Protection scanner]

  4. On the Add a new profile blade, specify a name for the scanner that is used to identify its configuration settings and data repositories to scan. For example, for this quickstart, you might specify Quickstart. When you later install the scanner, you will need to specify the same profile name.

    Optionally, specify a description for administrative purposes, to help you identify the scanner's profile name.

  5. Locate the Policy enforcement section, where for this quickstart, select just one setting: For Enforce, select Off. Then select Save but do not close the blade.

    The settings configure the scanner to do a one-time discovery of all files in your specified data repositories. This scan looks for all known sensitive information types, and doesn't require you to first configure your Azure Information Protection labels or policy settings.

  6. Now that the profile is created and saved, you're ready to return to the Configure repositories option to specify your local folder as the data store to be scanned.

    Still on the Add a new profile blade, select Configure repositories to open the Repositories blade:

    [Image: Configure data repositories for the Azure Information Protection scanner]

  7. On the Repositories blade, select Add:

    [Image: Add a data repository for the Azure Information Protection scanner]

  8. On the Repository blade, specify your local folder that you created in the very first step. For example: C:\TestScanner

    For the remaining settings on this blade, do not change them but keep them as Profile default. This means that the data repository inherits the settings from the scanner profile.

    Select Save.

  9. Back on the Azure Information Protection - Profiles blade, you now see your profile listed, with the SCHEDULE column showing Manual and the ENFORCE column blank.

    The NODES column shows 0 because you haven't yet installed the scanner for this profile.

You're now ready to install the scanner with the scanner profile that you've just created.

Install the scanner

  1. Open a PowerShell session with the Run as an administrator option.

  2. Use the following command to install the scanner, specifying your own computer name, and the profile name that you saved in the Azure portal:

     Install-AIPScanner -SqlServerInstance <your computer name>\SQLEXPRESS -Profile <profile name>
    

    When you're prompted, provide your own credentials for the scanner by using the <domain\user name> format, and then your password.

Start the scan and confirm it finished

  1. Back in the Azure portal, refresh the Azure Information Protection - Profiles blade, and you should see the NODES column now display 1.

  2. Select your profile name, and then the Scan now option:

    [Image: Initiate scan for the Azure Information Protection scanner]

    If this option is not available after selecting your profile, the scanner is not connected to Azure Information Protection. Review your configuration and Internet connectivity.

  3. There's only one small file to inspect, so this initial test scan will be very quick:

    Wait until you see values displayed for the LAST SCAN RESULTS and LAST SCAN (END TIME) columns.

    Alternatively, check the local Windows Applications and Services event log, Azure Information Protection. Confirm the informational event ID 911 for the MSIP.Scanner process. The event log entry also has a summary of results from the scan.

See detailed results

Using File Explorer, locate the scanner reports in %localappdata%\Microsoft\MSIP\Scanner\Reports. Open the detailed report file that has a .csv file format.

In Excel, the first two columns display your data store repository and file name. As you look through the columns, you'll see one named Information Type Name, which is the column you're most interested in. For our initial test, it displays Credit Card Number, one of many sensitive information types that the scanner can find.
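
For larger scans, the same report can be summarized from PowerShell instead of Excel. The following is an added example, not part of the original quickstart or of the scanner itself: it reads the newest .csv report and groups files by the Information Type Name column. The function name, the sample file, and the sample header names other than Information Type Name are assumptions made for illustration.

```powershell
# Added example: summarize the scanner's newest detailed report by information type.
function Get-ScannerFindingSummary {
    param(
        # Reports folder named in this quickstart; override it to test elsewhere.
        [string]$ReportsPath = (Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP\Scanner\Reports')
    )

    # Use the most recently written .csv file in the folder.
    $report = Get-ChildItem -Path $ReportsPath -Filter '*.csv' -File |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if (-not $report) { throw "No .csv report found in $ReportsPath" }

    $rows = @(Import-Csv -Path $report.FullName)
    if ($rows.Count -eq 0) { return }

    # The first two columns hold the repository and the file name; read them by
    # position so their exact header text is not assumed.
    $cols = @($rows[0].PSObject.Properties.Name)
    $repoCol, $fileCol = $cols[0], $cols[1]
    $typeCol = 'Information Type Name'
    if ($cols -notcontains $typeCol) { throw "Column '$typeCol' not found in $($report.Name)" }

    # Drop rows with no match, then group the rest by information type.
    $rows |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.$typeCol) } |
        Group-Object -Property $typeCol |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                InformationType = $_.Name
                FileCount       = $_.Count
                Repositories    = @($_.Group | ForEach-Object { $_.$repoCol } | Sort-Object -Unique)
                Files           = @($_.Group | ForEach-Object { $_.$fileCol })
            }
        }
}

# Constructed sample report (header names other than 'Information Type Name'
# and all rows are made up) so the function can be tried offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'AipReportDemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
"Repository","File Name","Information Type Name"
"C:\TestScanner","C:\TestScanner\card.docx","Credit Card Number"
"C:\TestScanner","C:\TestScanner\notes.docx",""
'@ | Set-Content -Path (Join-Path $demo 'sample.csv')
Get-ScannerFindingSummary -ReportsPath $demo | Format-List
```

Run it without -ReportsPath to read the real reports folder. The report lists file paths alongside the type of sensitive data found in them, so treat the .csv files and any exported summary as sensitive themselves.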

Scan your own data

  1. Edit your scanner profile and add a new data repository, this time specifying your own on-premises data store that you want to scan for sensitive information.
    You can specify a local folder, a network share (UNC path), or a SharePoint Server URL for a SharePoint site or library.

    • Example for a local folder:

        D:\Data\Finance
      
    • Example for a network share:

        \\NAS\HR
      
    • Example for a SharePoint folder:

        http://sp2016/Shared Documents
      
  2. Restart the scanner again: From the Azure Information Protection - Profiles blade, make sure your profile is selected, and then select the Scan now option:

    [Image: Initiate scan for the Azure Information Protection scanner]

  3. View the new results when the scan is complete.

    How long this scan takes depends on how many files there are in your data store, how large those files are, and the type of file.

Clean up resources

In a production environment, you would run the scanner on a Windows Server, using a service account that silently authenticates to the Azure Information Protection service. You would also use an enterprise-grade version of SQL Server, and likely specify several data repositories.

To clean up resources, ready for that production deployment, in your PowerShell session, run the following command to uninstall the scanner:

Uninstall-AIPScanner

Then restart your computer.

This command doesn't remove the following items and you must manually remove them if you don't want them after this quickstart:

  • The SQL Server database that was created by running the Install-AIPScanner cmdlet when the Azure Information Protection scanner was installed:

    • For the classic client: AIPScanner_<profile>
    • For the unified labeling client: AIPScannerUL_<profile_name>
  • The scanner reports located in %localappdata%\Microsoft\MSIP\Scanner\Reports.

  • The Log on as a service user right assignment that your domain account was granted for your local computer.

Next steps

This quickstart includes the minimum configuration so that you can quickly see how the scanner can find sensitive information in on-premises data stores. If you're ready to install the scanner in a production environment, see Deploying the Azure Information Protection scanner to automatically classify and protect files.

If you want to classify and protect the files that contain sensitive information, you must configure labels for automatic classification and protection: