Kernel Data Recovery Blog

Exchange Server data loss prevention techniques


Summary: Data Loss Prevention (DLP) is a built-in feature of the Exchange database that lets you create data protection policies for your email communications. It is crucial to assign DLP policies that scan your emails for threats and filter the messages accordingly. This article explains DLP policies and viable ways to create them for your Exchange database. If your Exchange database does get corrupted, it’s suggested to use Kernel for Exchange Server, which fixes severely corrupted EDB files.

Exchange Server is the most dependable professional email server that most businesses like to use. In addition to its enterprise-level email facilities, Exchange Server provides a feature called Data Loss Prevention (DLP) that lets you create mail protection policies, making it a safe and secure platform for confidential email communications. Organizations don’t want sensitive data to be leaked through emails.

The Data Loss Prevention feature also helps meet data compliance requirements set by regulatory agencies. DLP is a collection of multiple mail flow rules and policies that keep Exchange data from leaking. DLP policies are implemented with conditions, exceptions, and actions that check emails and their attachments based on their content.

Understanding DLP mail flow rule components

The DLP mail flow rules act on messages in transit in multiple ways. For example, one rule can check only the attachments of incoming messages, and another can check for a text pattern using regular expressions. You can also create rules that check for messages violating your business’s messaging policies. Any DLP rule that you want to create will have the following types of components:

Create a data loss prevention rule for Exchange database

Applying DLP policies needs a proper strategy to differentiate between sensitive mail and phishing mail. A wrongly configured DLP policy can produce negative results such as data loss or deletion of important data. The rule you create for data loss prevention should be tested before you turn it on completely. Testing protects you from creating a rule that handles messages wrongly and deletes data.

  1. Create the rule in test mode: When you create the rule in test mode, it skips the action part and only matches email messages against the conditions. You will get an email whenever a message is compared with the rule. Follow these steps:
    1. Log in to the Exchange Admin Center and choose Mail Flow>>Rules.
    2. Either create a new rule or edit an existing rule.
    3. Scroll down to ‘Choose a mode for this’ and select either ‘Test without Policy Tips’ or ‘Test with Policy Tips’.

      Note:
      I. Test without Policy Tips: This mode will provide the incident report action information applied to the message that matched the conditions.
      II. Test with Policy Tips: This mode works solely for the Data Loss Prevention feature. It will provide an email related to a matching email message but will not take action.

    4. Click ‘Add action’, and if the option is not there, click More Options>>Add action.
    5. Click ‘Generate incident report and send it to’ and select the user who will get the emails.
    6. Choose ‘Include message properties’ and select the properties that you want to use on the rule.
    7. Click Save, and a new rule is created.
  2. Test whether the new rule is working correctly: To test the rule, send many test messages from another email address and see whether the rule checks them and provides you with the intended information. Send several messages that match the rule and several that do not, from both inside and outside the organization.
  3. Activate the well-tested rule: When you have tested the rule, you can activate it and enforce it on email communication.
    1. Click Mail Flow>>Rules>>Edit.
    2. Click Enforce, and if you have created an incident report, remove it.
    3. Click Save.
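
The same test-then-enforce sequence can be run from the Exchange Management Shell. This is an added example, not part of the original article: the rule name, reviewer mailbox and text pattern are hypothetical, and it assumes an Exchange version whose New-TransportRule supports -IncidentReportContent.

```powershell
# Added example: Exchange Management Shell version of the steps above.
# Hypothetical values (not from the article): rule name, reviewer mailbox, pattern.
$ruleName = 'DLP test - project codes leaving the org'
$reviewer = 'dlp-review@contoso.example'
$pattern  = 'PRJ-\d\d\d\d\d\d'   # constructed text pattern for a project code

# Step 1: create the rule in test mode.
#   -Mode Audit          corresponds to 'Test without Policy Tips'
#   -Mode AuditAndNotify corresponds to 'Test with Policy Tips'
# The only action is the incident report sent to the reviewer mailbox.
New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $pattern `
    -Mode Audit `
    -GenerateIncidentReport $reviewer `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections

# Confirm what was saved before sending the step 2 test messages.
# Because of -SentToScope, internal-only test messages should NOT produce a report.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, GenerateIncidentReport, IncidentReportContent

# Step 3: switch to enforcement only after matching and non-matching
# test messages behaved as expected. The incident report stays as the
# rule's action here; replace it with the action you want enforced.
Set-TransportRule -Identity $ruleName -Mode Enforce
```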

Conclusion

In this blog, we have looked at the Exchange Data Loss Prevention feature, which helps secure email communication. After you assign new DLP policies, their success depends on the quality of the rules that the administrator creates to protect the data. There is a probability that a malicious email can bypass a rule, leaving you with a corrupt Exchange database to repair. When the Exchange database is damaged by corruption, Kernel for Exchange Server software will help you deal with the situation. The tool will scan the EDB file and recover all the mailboxes. The user can then save the recovered data in several formats or save it directly to a live Exchange.