Learn Exchange the Guru way !!!


Document finger printing with DLP in Exchange 2013 SP1

Exchange 2013 SP1 has brought many new features. One of them is document fingerprinting for Data Loss Prevention.

DLP (Data Loss Prevention) is a feature that helps an administrator define rules to protect & secure sensitive data in documents being sent. It uses a pre-defined template set up for this purpose by the administrator (e.g. the company’s legal documents, credit card info etc.). When DLP is enabled & a user tries to share sensitive information through email, he will get a warning & the mail will not be sent. DLP is available to administrators through the EAC or through PowerShell commands. With Exchange 2013 SP1, document fingerprinting has been made visible in the EAC, making it easy to configure & use. Let’s see how to enable DLP.

Enabling DLP:

Step 1: Create the document that will serve as the fingerprint template, such as an intellectual property document, government form, or other standard form used in the organization.

Step 2: In the EAC, navigate to compliance management => data loss prevention.

Step 3: Select Manage document fingerprints.

Step 4: Select Add and give the new document fingerprint a name and description (Name: Test, Description: DLP testing). Then select Add to upload the document template we created initially & save.

Step 5: You can now see the document listed under the name specified, “Test”.

Step 6: Next we have to create a matching policy & transport rule to block the message. Click Compliance Management => Data loss prevention => Click + to create a new policy => Select “New custom DLP Policy”.

Step 7: Give the new policy the name “Test DLP Policy” & save it. After saving, open the policy => Click rules (on the left pane).

Step 8: Click the + & select “Notify sender when sensitive information is sent outside the organization”.

Step 9: On the Rule page, select “Select types” & add the document fingerprint created earlier. (We have the option to add more sensitive information templates here.)

Step 10: Now you will be in the “new rule” screen, where we have to create rules to block the sensitive messages. There are predefined rules through which one can configure the rules as they wish. Here we can select “Generate an incident report and send it to someone in my organisation” => Add a user & click Ok. Next select the option “Include message property” => Select “Sender, recipient, subject, matching rules, original mail” & save.

Step 11: For testing we can send the same document we used as template in an email & you will get this response:

This email was automatically generated by the General Incident Report action.

Message Id: <>

Sender: User1,

Subject: Pease read this private document *test*


Rule Hit: Sent to Scope outside the Organization, DLP Policy: Document finger printing test, XXXXXXXXXXXXXXXXXXXXX; Action: SenderNofity, GenerateIncidentReport.
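The same configuration can be scripted in the Exchange Management Shell instead of the EAC. The block below is an added example, not part of the original post; the file path, the report mailbox and the rule name are placeholders, and creating the policy with `New-DlpPolicy` without a template is assumed to match the EAC's “New custom DLP Policy” option.

```powershell
# Added example. Placeholders (not from the original post):
$templatePath  = 'C:\DLP\Template.docx'      # the document created in Step 1
$reportMailbox = 'dlp-reports@contoso.com'   # recipient of the incident report

# Steps 1-5: fingerprint the template and register it as a
# sensitive information type named "Test".
$bytes       = Get-Content -Path $templatePath -Encoding Byte -ReadCount 0
$fingerprint = New-Fingerprint -FileData $bytes -Description 'DLP testing'
New-DataClassification -Name 'Test' -Description 'DLP testing' `
    -Fingerprints $fingerprint

# Steps 6-7: create the custom DLP policy (assumed equivalent of
# "New custom DLP Policy" in the EAC).
New-DlpPolicy -Name 'Test DLP Policy' -Mode Enforce

# Steps 8-10: rule that matches the fingerprint on mail leaving the
# organization, notifies the sender and generates an incident report.
$rule = @{
    Name                               = 'Test fingerprint rule'  # placeholder
    DlpPolicy                          = 'Test DLP Policy'
    SentToScope                        = 'NotInOrganization'
    MessageContainsDataClassifications = @{ Name = 'Test' }
    NotifySender                       = 'NotifyOnly'
    GenerateIncidentReport             = $reportMailbox
    # Sender, recipient, subject, matching rules, original mail
    IncidentReportContent              = 'Sender', 'Recipients', 'Subject',
                                         'RuleDetections', 'AttachOriginalMail'
}
New-TransportRule @rule

# Confirm the objects exist before sending the test mail from Step 11.
Get-DataClassification -Identity 'Test'
Get-TransportRule -DlpPolicy 'Test DLP Policy' | Format-List Name, State, Mode
```

`NotifyOnly` mirrors the “Notify sender” rule chosen in Step 8; `-NotifySender` also accepts `RejectMessage` when the message has to be blocked outright.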

Ratish Nair

Microsoft MVP | Exchange Server

Team @MSExchangeGuru
