How to create Exchange 2013 data loss prevention policies

While data loss prevention policies are a cool new feature in Exchange 2013, you must understand how to build them before you can use them.

A major challenge for Exchange administrators is making sure that sensitive data doesn't escape their organizations. Exchange Server MailTips help, but most administrators still have to rely on third-party software to prevent data leakage. That's where Exchange Server 2013 data loss prevention policies come in.

The data loss prevention (DLP) feature exists as an extension of the transport rules feature. It lets administrators create policies that prevent sensitive data from being accidentally sent through email. While Exchange Server 2013 contains a number of templates you can use to build DLP policies, you also have the option to create DLP policies from scratch.

Before learning how to create a new DLP policy, you should know about the three available operation modes:

  • Enforce Policy. This means that the policy is enabled and enforced.
  • Test Policy with Notifications. This special testing mode enables the policy, but makes sure that the policy does not execute. Policy tips (which are similar to MailTips) are displayed to end users, and notifications are logged.
  • Test Policy without Notifications. This is another special testing mode where the policy is enabled, but does not execute. Policy actions are logged, but policy tips are not displayed to end users.

To create a DLP policy based on one of the built-in templates, open the Exchange Administration Center and click Compliance Management, then Data Loss Prevention. When the Data Loss Prevention screen appears, click the plus sign icon (+) to create a new DLP policy. You'll be given three options:

  • New DLP Policy from Template
  • Import Policy
  • New Custom Policy

Figure 1. Enter a name and description for the data loss prevention policy, then choose a template.

Choose the "New DLP Policy from Template" option. You'll see a screen that asks you to provide a name and optional description for the policy you're creating. The screen also provides a list of the available templates. As you can see in Figure 1, there are descriptions of each template's intended use.

Figure 2. Choose how your data loss prevention policy will be enforced.

Scroll to the bottom of the window and supply the name of an incident management mailbox. At the bottom of the window, there is a More Options link. When you click it, you can control how the policy will be enforced (Figure 2).

Figure 3. The Data Loss Prevention screen lists which policies have been created.

Click Save to create your new policy. The newly created policy is now listed on the main Data Loss Prevention screen (Figure 3).

Figure 4. The Edit DLP Policy dialog box displays the policy rules.

You've now created a policy, but what does it do? Select the policy, then click the Edit icon (shown in Figure 3) to open the Edit DLP Policy dialog box. Click the Rules link and you'll see a screen that displays all the rules that make up the policy (Figure 4).

As you can see in Figure 4, creating a new policy based on a template automatically creates a series of rules. That said, it's also possible to create your own custom policy that uses the rules of your choosing. Creating a custom policy is similar to creating a policy based on a template.

To begin, click the plus sign icon (+), then click the New Custom Policy icon. You'll be taken to the New Custom DLP Policy dialog box. You must now enter a name, description and state for the policy. Click Save to create the policy.

Figure 5. You can choose from a number of DLP rule types.

When you create a custom Data Loss Prevention policy this way, the policy is created without any corresponding rules. To create a rule, you must go to the "Edit DLP Policy" dialog box and click the plus sign icon to create a new rule. As you can see in Figure 5, there are a number of different types of rules that you can create.

Figure 6. Setting up a DLP rule is similar to setting up a transport rule.

After making your selection, you'll be taken to a screen that lets you populate the rule (Figure 6). The process of populating a rule is similar to how you'd set up any other transport rule.
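The same workflow can be scripted from the Exchange Management Shell, which is handy for repeatable deployments and for staging a policy in a test mode before enforcing it. The following is an added example, not code from the article; the policy names, the template name, the incident mailbox and the classification name are assumptions chosen for illustration.

```powershell
# Added example (not from the article): Exchange Management Shell equivalent
# of the EAC steps above. Policy names, template name, incident mailbox and
# classification name below are assumptions for illustration.

# 1. List the built-in templates (the same list shown when choosing
#    "New DLP Policy from Template") so you can pick one by name.
Get-DlpPolicyTemplate | Format-Table Name, Description -AutoSize

# 2. Create a template-based policy in a testing mode first. -Mode maps to
#    the three operation modes discussed earlier:
#      Enforce        = Enforce Policy
#      AuditAndNotify = Test Policy with Notifications
#      Audit          = Test Policy without Notifications
New-DlpPolicy -Name "Contoso PII (test)" `
    -Template "U.S. Personally Identifiable Information (PII) Data" `
    -Mode Audit `
    -Description "Assumed name and template, for illustration only"

# 3. The template generated a set of transport rules; inspect them.
#    This is what the Rules link in the Edit DLP Policy dialog displays.
Get-TransportRule -DlpPolicy "Contoso PII (test)" |
    Format-List Name, State, Mode, MessageContainsDataClassifications

# 4. A custom policy is created empty; add a rule to it yourself.
#    Keep the rule in the same test mode as the policy while evaluating it.
New-DlpPolicy -Name "Contoso Custom" -Mode AuditAndNotify -State Enabled

New-TransportRule -Name "Contoso Custom: card numbers leaving the org" `
    -DlpPolicy "Contoso Custom" `
    -Mode AuditAndNotify `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name="Credit Card Number"; MinCount="1"} `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "Outbound mail containing card numbers is blocked by DLP." `
    -GenerateIncidentReport "dlp-incidents@contoso.com" `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections

# 5. Review the incident reports while in test mode, then switch the
#    policy (and all of its rules) to Enforce once false positives are understood.
Set-DlpPolicy -Identity "Contoso PII (test)" -Mode Enforce
```

Run Get-DlpPolicy afterwards to confirm each policy's Mode and State match what you intended before relying on them.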

Exchange 2013 data loss prevention policies and rules go a long way toward preventing sensitive data from leaving your organization. The fact that Microsoft has built custom templates based on common sets of regulations that organizations have to comply with is a nice addition.

About the author:
Brien Posey is a ten-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a chief information officer at a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the nation's largest insurance companies and for the Department of Defense at Fort Knox.
