Create a DLP policy to protect documents with FCI or other properties

Microsoft 365 data loss prevention (DLP) policies can use classification properties or item properties to identify sensitive items. For example, you can use:

  • Windows Server File Classification Infrastructure (FCI) properties
  • SharePoint document properties
  • third-party system document properties

[Diagram: classification systems inside and outside Office 365]

For example, your organization might use Windows Server FCI to identify items with personal data such as social security numbers, and then classify the document by setting the Personally Identifiable Information property to High, Moderate, Low, Public, or Not PII based on the type and number of occurrences of personal data found in the document.

In Microsoft 365, you can create a DLP policy that identifies documents that have that property set to specific values, such as High and Moderate, and then takes an action such as blocking access to those files. The same policy can have another rule that takes a different action if the property is set to Low, such as sending an email notification. In this way, DLP integrates with Windows Server FCI and can help protect Office documents uploaded or shared to Microsoft 365 from Windows Server-based file servers.

A DLP policy simply looks for a specific property name/value pair. Any document property can be used, as long as the property has a corresponding managed property for SharePoint search. For example, a SharePoint site collection might use a content type named Trip Report with a required field named Customer. Whenever a person creates a trip report, they must enter the customer name. This property name/value pair can also be used in a DLP policy: for example, if you want a rule that blocks access to the document for guests when the Customer field contains Contoso.

If you want to apply your DLP policy to content with specific Microsoft 365 labels, don't follow the steps here. Instead, see Using a retention label as a condition in a DLP policy.

Before you create the DLP policy

Before you can use a Windows Server FCI property or other property in a DLP policy, you need to create a managed property in the SharePoint admin center. Here's why.

In SharePoint Online and OneDrive for Business, the search index is built up by crawling the content on your sites. The crawler picks up content and metadata from the documents in the form of crawled properties. The search schema helps the crawler decide what content and metadata to pick up. Examples of metadata are the author and the title of a document. However, to get the content and metadata from the documents into the search index, the crawled properties must be mapped to managed properties. Only managed properties are kept in the index. For example, a crawled property related to author is mapped to a managed property related to author.

Note

Be sure to use a managed property name, not a crawled property name, when creating DLP rules that use the ContentPropertyContainsWords condition.

This is important because DLP uses the search crawler to identify and classify sensitive information on your sites, and then stores that sensitive information in a secure portion of the search index. When you upload a document to Office 365, SharePoint automatically creates crawled properties based on the document properties. But to use an FCI or other property in a DLP policy, that crawled property needs to be mapped to a managed property so that content with that property is kept in the index.

For more information on search and managed properties, see Manage the search schema in SharePoint Online.

Step 1: Upload a document with the needed property to Office 365

You first need to upload a document with the property that you want to reference in your DLP policy. Microsoft 365 detects the property and automatically creates a crawled property from it. In the next step, you'll create a managed property, and then map the managed property to this crawled property.

Step 2: Create a managed property

  1. Sign in to the Microsoft 365 admin center.

  2. In the left navigation, choose Admin centers > SharePoint. You're now in the SharePoint admin center.

  3. In the left navigation, choose search, and then on the search administration page choose Manage Search Schema.

    [Screenshot: search administration page in the SharePoint admin center]

  4. On the Managed Properties page, choose New Managed Property.

    [Screenshot: Managed Properties page with the New Managed Property button highlighted]

  5. Enter a name and description for the property. This name is what will appear in your DLP policies.

  6. For Type, choose Text.

  7. Under Main characteristics, select Queryable and Retrievable.

  8. Under Mappings to crawled properties, choose Add a mapping.

  9. In the crawled property selection dialog box, find and select the crawled property that corresponds to the Windows Server FCI property or other property that you will use in your DLP policy, and then choose OK.

    [Screenshot: Select a crawled property dialog box]

  10. At the bottom of the page, choose OK.

Create a DLP policy that uses an FCI property or other property

In this example, an organization is using FCI on its Windows Server-based file servers; specifically, they're using the FCI classification property named Personally Identifiable Information with possible values of High, Moderate, Low, Public, and Not PII. Now they want to use their existing FCI classification in their DLP policies in Office 365.

First, they follow the steps above to create a managed property in SharePoint Online, which maps to the crawled property created automatically from the FCI property.

Next, they create a DLP policy with two rules that both use the condition Document properties contain any of these values:

  • FCI PII content - High, Moderate: The first rule restricts access to the document if the FCI classification property Personally Identifiable Information equals High or Moderate and the document is shared with people outside the organization.

  • FCI PII content - Low: The second rule sends a notification to the document owner if the FCI classification property Personally Identifiable Information equals Low and the document is shared with people outside the organization.

Create the DLP policy by using PowerShell

The condition Document properties contain any of these values is temporarily not available in the UI of the Security & Compliance Center, but you can still use it through PowerShell. Use the New-DlpCompliancePolicy, Set-DlpCompliancePolicy, and Get-DlpCompliancePolicy cmdlets to work with a DLP policy, and the New-DlpComplianceRule, Set-DlpComplianceRule, and Get-DlpComplianceRule cmdlets with the ContentPropertyContainsWords parameter to add the condition Document properties contain any of these values.

For more information on these cmdlets, see Security & Compliance Center cmdlets.

  1. Connect to the Security & Compliance Center using remote PowerShell.

  2. Create the policy by using New-DlpCompliancePolicy.

This PowerShell creates a DLP policy that applies to all locations.

New-DlpCompliancePolicy -Name FCI_PII_policy -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Mode Enable
  3. Create the two rules described above by using New-DlpComplianceRule, where one rule is for the Low value, and another rule is for the High and Moderate values.

    Here is a PowerShell example that creates these two rules. The property name/value pairs are enclosed in quotation marks, and a property name may specify multiple values separated by commas with no spaces, like "<Property1>:<Value1>,<Value2>","<Property2>:<Value3>,<Value4>". Because the first rule's name also contains a comma, it must be quoted too; otherwise PowerShell parses it as two separate values.

    New-DlpComplianceRule -Name "FCI_PII_content-High,Moderate" -Policy FCI_PII_policy -AccessScope NotInOrganization -BlockAccess $true -ContentPropertyContainsWords "Personally Identifiable Information:High,Moderate" -Disabled $false
    New-DlpComplianceRule -Name FCI_PII_content-Low -Policy FCI_PII_policy -AccessScope NotInOrganization -BlockAccess $false -ContentPropertyContainsWords "Personally Identifiable Information:Low" -Disabled $false -NotifyUser Owner

    Windows Server FCI includes many built-in properties, including Personally Identifiable Information used in this example. The possible values for each property can be different for every organization. The High, Moderate, and Low values used here are only an example. For your organization, you can view the Windows Server FCI classification properties with their possible values in File Server Resource Manager on the Windows Server-based file server. For more information, see Create a classification property.

When you finish, your policy should have two new rules that both use the Document properties contain any of these values condition. This condition won't appear in the UI, though the other conditions, actions, and settings will appear.

One rule blocks access to content where the Personally Identifiable Information property equals High or Moderate. A second rule sends a notification about content where the Personally Identifiable Information property equals Low.

[Screenshot: New DLP policy dialog box showing the two rules just created]
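The following script is an added example, not code from the Microsoft documentation above, that carries the whole PowerShell procedure through end to end: it connects, creates the FCI_PII_policy policy only if it does not already exist, creates both rules with splatted parameter tables (so the comma in the first rule's name and in the value list cannot be mis-parsed), and then reads the rules back. The read-back matters because the Document properties contain any of these values condition is not shown in the UI, so Get-DlpComplianceRule is the only place you can confirm the managed-property name and values were stored correctly. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) is installed, that you hold a compliance admin role, and that the managed property is named Personally Identifiable Information as in the example above. Starting the policy in TestWithoutNotifications mode and switching to Enable after reviewing matches is this example's choice, not the page's; the page creates the policy directly in Enable mode.

```powershell
# Added example (not from the original page). Assumes the ExchangeOnlineManagement
# module is installed and the managed property name/values match the example above.

# Connect to the Security & Compliance Center (interactive sign-in)
Connect-IPPSSession

$policyName   = 'FCI_PII_policy'
$propertyName = 'Personally Identifiable Information'   # managed property name, not the crawled one

# Create the policy only if it does not already exist (idempotent re-runs)
if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    $policy = @{
        Name               = $policyName
        ExchangeLocation   = 'All'
        SharePointLocation = 'All'
        OneDriveLocation   = 'All'
        # Assumption: start in test mode, switch to Enable once matches look right
        Mode               = 'TestWithoutNotifications'
    }
    New-DlpCompliancePolicy @policy
}

# Rule 1: block access from outside the organization when PII = High or Moderate.
# ${propertyName} is braced so the following colon is not read as a scope qualifier.
$highRule = @{
    Name                         = 'FCI_PII_content-High,Moderate'
    Policy                       = $policyName
    AccessScope                  = 'NotInOrganization'
    BlockAccess                  = $true
    ContentPropertyContainsWords = "${propertyName}:High,Moderate"
    Disabled                     = $false
}
New-DlpComplianceRule @highRule

# Rule 2: do not block, but notify the document owner when PII = Low
$lowRule = @{
    Name                         = 'FCI_PII_content-Low'
    Policy                       = $policyName
    AccessScope                  = 'NotInOrganization'
    BlockAccess                  = $false
    NotifyUser                   = 'Owner'
    ContentPropertyContainsWords = "${propertyName}:Low"
    Disabled                     = $false
}
New-DlpComplianceRule @lowRule

# Verify: the condition is not visible in the UI, so confirm it from PowerShell
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, ContentPropertyContainsWords, BlockAccess, NotifyUser, Disabled |
    Format-Table -AutoSize

# When satisfied, turn enforcement on (the page's own example uses -Mode Enable directly)
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The final table should list both rules with their ContentPropertyContainsWords value spelled exactly as the managed property name followed by a colon and the comma-separated values; a value that appears with extra spaces or under a crawled-property name means the rule will never match, because DLP only evaluates managed properties kept in the search index.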

After you create the DLP policy

Doing the steps in the previous sections creates a DLP policy that quickly detects content with that property, but only if that content is newly uploaded (so that the content is indexed) or if that content is old but was just edited (so that the content is re-indexed).

To detect content with that property everywhere, you may want to manually request that your library, site, or site collection be re-indexed, so that the DLP policy is aware of all the content with that property. In SharePoint Online, content is automatically crawled based on a defined crawl schedule. The crawler picks up content that has changed since the last crawl and updates the index. If you need your DLP policy to protect content before the next scheduled crawl, you can take these steps.

Warning

Re-indexing a site can cause a massive load on the search system. Don't re-index your site unless your scenario absolutely requires it.

For more information, see Manually request crawling and re-indexing of a site, a library or a list.

Reindex a site (optional)

  1. On the site, choose Settings (gear icon in the upper right) > Site Settings.

  2. Under Search, choose Search and offline availability > Reindex site.

More information