Managing the risks around data has become increasingly complex for organizations, and at the moment more and more employees are working from home. With the latest Microsoft feature, Data Loss Prevention (DLP), it is possible to prevent data loss across Microsoft 365 and on the endpoint itself. This new series of blogs covers Endpoint Data Loss Prevention with multiple scenarios.
Why Endpoint DLP
More and more users work outside the traditional corporate walls. With the growing number of cloud applications, a good firewall and network protection feature is no longer enough. Microsoft Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft 365 data loss prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services.
Microsoft Endpoint DLP allows you to monitor Windows 10 devices and detect when sensitive items are used and shared.
Viewing Endpoint DLP data
Endpoint DLP monitors activity based on MIME type, so activities are captured even if the file extension is changed. In public preview it watches all of the following file types:
- Word files
- PowerPoint files
- Excel files
- PDF files
- .csv files
- .tsv files
- .txt files
- .rtf files
- .c files
- .class files
- .cpp files
- .cs files
- .h files
- .java files
Microsoft Endpoint DLP enables you to audit and manage the following types of activities users take on sensitive items on devices running Windows 10:
| activity on item | auditable/restrictable |
|---|---|
| created | auditable |
| renamed | auditable |
| copied to or created on removable media | auditable and restrictable |
| copied to network share, e.g. \\my-server\fileshare | auditable and restrictable |
| printed | auditable and restrictable |
| copied to cloud via Chromium Edge | auditable and restrictable |
| accessed by unallowed apps and browsers | auditable and restrictable |
Before the start – Licensing
Before you start with Endpoint DLP, confirm the licenses and add-ons. Endpoint DLP is a premium E5/A5 feature, so you need one of these subscriptions or add-ons:
- Microsoft 365 E5
- Microsoft 365 A5 (EDU)
- Microsoft 365 E5 compliance
- Microsoft 365 A5 compliance
- Microsoft 365 E5 information protection and governance
- Microsoft 365 A5 information protection and governance
Prepare the endpoints
For the Endpoint DLP feature, Windows 10 devices must meet some requirements. At a minimum you need the following:
- Windows 10 x64 build 1809 or later.
- Antimalware Client Version is 4.18.2009.7 or newer.
- Windows updates (not needed for onboarding; these updates fix known patching issues):
  - For Windows 10 1809 – KB4559003, KB4577069, KB4580390
  - For Windows 10 1903 or 1909 – KB4559004, KB4577062, KB4580386
  - For Windows 10 2004 – KB4568831, KB4577063
  - For devices running Office 2016 (and not any other Office version) – KB4577063
- Azure AD Joined or Hybrid Azure AD Joined
- Microsoft Edge Chromium, for monitoring cloud activity
Enable Device monitoring
The first step is to enable device monitoring and onboard your endpoints. For the Device Monitoring configuration use the following steps:
- Open the Microsoft Compliance Portal
- Go to: Settings -> Device onboarding
- Now click on: Turn on device onboarding
Devices in your organization must be configured so that the Microsoft 365 Endpoint data loss prevention service can get sensor data from them. There are various methods and deployment tools you can use to configure the devices in your organization. The onboarding process is the same as the Defender for Endpoint onboarding: when a device is already configured with Defender for Endpoint, a single click on Turn on device monitoring is enough. When you are not already using Microsoft Defender ATP, devices can be onboarded using the same process as for onboarding devices to Microsoft Defender ATP.
After some time the devices will be listed.
Create the policy
Once the generic Endpoint DLP settings are configured, the next step is to configure an Endpoint DLP policy that protects against cloud uploads from unallowed browsers.
- Open the Microsoft Compliance Portal
- Go to Policies (1) – Data Loss Prevention (2)
- Click now on Create Policy
- Select Custom with the template Custom Policy. It is also possible to select pre-configured templates based on GDPR data, for example EU Debit Card Number, EU Driver’s License Number and EU Passport Number.
- Now give the policy a name and optional description
- The Device DLP configuration is listed in the new Devices tab. Make sure Devices is selected. Of course you can scope it to a limited security group, or exclude users or groups.
- Now it is time for creating the rule. Click on Create Rule:
The rule is based on conditions, exceptions and actions. As a condition it is possible to use, for example, Content contains – Sensitive info type – EU Passport Number; with this rule the policy applies to content that matches the EU Passport Number sensitive info type. Another example is Content shared from Microsoft 365 with people outside my organization. The rule needs at least one condition to match.
Under actions click on Add an action, select Audit or restrict activities on Windows devices, and then select the option Upload to cloud services or access by unallowed browsers and print. As the action it is possible to audit only or to block directly. Block with override is a default block with the option for the user to override the result.
It is possible to create user notifications and incident reports. With the incident report configuration it is possible to set the severity level used in the admin alerts and reports. If a high-severity policy matches, it is also possible to send an alert to admins or to SIEM solutions like Sentinel (more next time about incident handling with Sentinel and Security Center).
Now enable the policy, or test it first. Keep in mind that after you turn it on, it takes up to an hour for the policy to take effect.
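The same policy and rule as the portal steps above can be created with Security & Compliance PowerShell. This is an added example and not code from the original post; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds a compliance admin role, and the policy and rule names shown are placeholders. The rule uses the EU Passport Number sensitive info type from the text, sets Block with override (the `Warn` value) for cloud uploads/unallowed browsers and for printing, and starts in test mode before being enabled.

```powershell
# Added example (not the post's own code): Endpoint DLP policy and rule via
# Security & Compliance PowerShell. Assumes ExchangeOnlineManagement is installed.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.onmicrosoft.com"   # placeholder UPN

$policyName = "Endpoint DLP - EU Passport Number"   # assumed policy name

# Policy scoped to the Devices location (all onboarded Windows 10 devices).
# Start in test mode so matches are only audited while the rule is validated.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Restrict cloud upload, unallowed browsers and print for EU passport numbers" `
    -EndpointDlpLocation "All" `
    -Mode TestWithoutNotifications

# Rule: condition = content contains at least one EU Passport Number.
# Actions = Block with override (Warn) for "Upload to cloud services or access
# by unallowed browsers" (CloudEgress) and for "Print".
New-DlpComplianceRule -Name "EU Passport Number - endpoint restrictions" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "EU Passport Number"; minCount = "1" }) `
    -EndpointDlpRestrictions @(
        @{ Setting = "CloudEgress"; Value = "Warn" },
        @{ Setting = "Print";       Value = "Warn" }
    ) `
    -NotifyUser "Owner" `
    -GenerateIncidentReport "SiteAdmin" `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# Review what was created before switching the policy on.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ContentContainsSensitiveInformation, EndpointDlpRestrictions

# Once testing is done, enable the policy; it takes up to an hour to apply on devices.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Use `Value = "Audit"` instead of `Warn` to only log the activity, or `Value = "Block"` for a hard block without the override option; the three values map to the Audit only, Block with override and Block choices in the portal.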
Configure unallowed and allowed browsers
To block uploads from unallowed browsers, go to:
- Microsoft 365 Compliance
- Click on Policies (1)
- Open Data Loss Prevention (2)
- Now click on Endpoint DLP Settings(3)
For the configuration of the browser and domain restrictions, click on Browser and domain restrictions to sensitive data.
When a policy’s Upload to cloud services or access by unallowed browsers setting is turned on and users attempt to access a protected file on a Windows device from one of these browsers, the activity is allowed, blocked, or blocked with the option for the user to override the restriction, depending on the rule’s action. All activity is audited and available for review in the activity explorer.
Now select the unallowed browsers:
Configure service domains
To protect against file copies to sensitive domains such as box.com, it is possible to use the service domains setting to block file uploads to specific service domains from Microsoft Edge. Make sure the Block rule is enabled and the service domains are added.
It is also possible to allow service domains which are trusted instead.
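The tenant-wide unallowed browser and service domain settings from the two sections above can also be set with `Set-PolicyConfig`. This is an added example, not code from the original post. The cmdlet and its `-EndpointDlpGlobalSettings` parameter exist; the exact hashtable keys (`Setting`, `Value`, `Executable`) and the setting names `UnallowedBrowser`, `CloudAppMode` and `CloudAppRestrictionList` are assumptions based on the documented form and should be checked against `Get-Help Set-PolicyConfig -Full` in your tenant before use. Opera and box.com are the browser and domain used in the post.

```powershell
# Added example (not the post's own code): tenant-wide Endpoint DLP settings.
# Assumption: setting names and hashtable keys follow the documented
# Setting/Value/Executable form; verify with Get-Help Set-PolicyConfig -Full.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.onmicrosoft.com"   # placeholder UPN

$settings = @(
    # Unallowed browser: file access from Opera is handled by the rule's
    # "Upload to cloud services or access by unallowed browsers" action.
    @{ Setting = "UnallowedBrowser"; Value = "Opera"; Executable = "opera" },

    # Service domains in Block mode: uploads from Microsoft Edge to box.com are
    # blocked for files that match the Endpoint DLP rule.
    @{ Setting = "CloudAppMode";            Value = "Block" },
    @{ Setting = "CloudAppRestrictionList"; Value = "box.com" }
)

Set-PolicyConfig -EndpointDlpGlobalSettings $settings

# Confirm the tenant now carries the settings.
(Get-PolicyConfig).EndpointDlpGlobalSettings
```

Switching `CloudAppMode` to `Allow` turns the same list into the trusted service domains described above, so uploads to listed domains are permitted and everything else is blocked; keep only one mode active, since the list is interpreted according to the current mode.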
End-user experience
Now it is time for the result. For example, I created a document named doc1.docx that contains an example BSN number. When I now want to upload the document to Box.com, I receive a notification. When I use the Opera browser and open the docx or pdf, the action is blocked. Exactly the purpose of the configuration. Now some short videos with the result:
Sensitive PDF file upload to box:
Sensitive DOCX file upload to box:
Print sensitive file:
Reporting
It is possible to view the related incidents in the activity explorer.
- Go to: Compliance.microsoft.com
- Click on Activity explorer
Here you can find the activity related to the created DLP rules. With the filters it is possible to filter activity by, for example, Label applied, File copied to cloud, File created, DLP rule matched, File printed, File renamed, File modified and File accessed by unallowed app.
For the printing activity, you can find all the details related to the File printed activity, for example Activity, Client IP, Application, Target printer name, Detected sensitive info type and more.
Sources:
For more information about Microsoft Endpoint DLP:
Microsoft; Microsoft 365 Endpoint data loss prevention
Microsoft; Endpoint data loss prevention
Microsoft’s DLP Endpoint isn’t properly recognizing a specific printer despite setting the friendly name and IP address, but it does work when you set the printer type as “Corporate Printer”. Since DLP Endpoint is recognizing the printer when it is set as a “Corporate Printer”, it suggests that the printer is indeed reachable and identifiable by the system. However, isolating a specific printer seems to be the challenge here. Any ideas?