Thursday, 7 May 2015

Setting up Data Loss Prevention policies / transport rules to protect sensitive data

Preventing sensitive information from leaving your organization can be accomplished with the use of Data Loss Prevention (DLP) policies. In this example we will be ensuring that credit card data does not get sent anywhere inside or outside the organization.

We should firstly create a new data loss prevention policy:

New-DlpPolicy -Name "PCI-CreditCard" -Mode Enforce

We then need to decide which data classification (sensitive information type) we wish to use. We can either use one of the built-in classifications (from the "Microsoft Rule Pack"):


Or we can create and import our own:

and to import the custom rule:

Import-DlpPolicyCollection -FileData ([Byte[]]$(Get-Content -Path "C:\My Documents\DLP Backup.xml" -Encoding Byte -ReadCount 0))

We will now create the transport rule that performs the DLP check. In this example it is scoped to recipients outside the organization (-SentToScope NotInOrganization) and rejects the message with a notification back to the sender:

New-TransportRule -Name "Notify in Outlook:External Recipient Credit Cards" -NotifySender RejectMessage -RuleSubType DLP -DlpPolicy "PCI-CreditCard" -Mode Enforce -SentToScope NotInOrganization -MessageContainsDataClassification @{Name="Credit Card Number"}
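As an added example (not code from the original post), the same policy and rule can be staged in Audit mode first, checked against a constructed sample string with Test-DataClassification, and only then switched to Enforce. The report mailbox address is a constructed placeholder, and an open Exchange Management Shell / remote Exchange session is assumed.

```powershell
# Added example, not from the original post: stage the PCI DLP policy and its
# transport rule in Audit mode, confirm the classifier fires, then enforce.
# Assumes an Exchange Management Shell or remote Exchange PowerShell session.
$PolicyName = "PCI-CreditCard"
$RuleName   = "Notify in Outlook:External Recipient Credit Cards"

# 1. Create the policy in Audit mode so no mail is blocked while the rule is tuned.
New-DlpPolicy -Name $PolicyName -Mode Audit

# 2. The transport rule that performs the check. SentToScope NotInOrganization
#    limits it to external recipients; NotifySender RejectMessage becomes a hard
#    reject once the rule is in Enforce mode. The incident report gives the
#    security team a record of every match while the rule is still auditing.
$ruleParams = @{
    Name                             = $RuleName
    RuleSubType                      = "DLP"
    DlpPolicy                        = $PolicyName
    Mode                             = "Audit"
    SentToScope                      = "NotInOrganization"
    MessageContainsDataClassification = @{ Name = "Credit Card Number" }
    NotifySender                     = "RejectMessage"
    GenerateIncidentReport           = "dlp-reports@example.com"   # constructed placeholder mailbox
    IncidentReportContent            = @("Sender", "Recipients", "DataClassifications")
}
New-TransportRule @ruleParams

# 3. Confirm the built-in "Credit Card Number" classification matches before
#    enforcing. The number below is the well-known Luhn-valid test number, not a
#    real account; the keyword and expiry date near it are what the classifier
#    expects to see alongside the number.
$sample = "Visa card number 4111 1111 1111 1111, expires 12/2026"
Test-DataClassification -TextToClassify $sample -ClassificationNames "Credit Card Number"

# 4. Review what was created, then switch both objects to Enforce.
Get-DlpPolicy $PolicyName   | Format-List Name, Mode, State
Get-TransportRule $RuleName | Format-List Name, Mode, State, DlpPolicy

Set-DlpPolicy $PolicyName -Mode Enforce
Set-TransportRule $RuleName -Mode Enforce
```

Leaving the rule in Audit mode for a period and reviewing the incident reports shows how often legitimate mail would have been rejected before the switch to Enforce.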

And if we wish to remove the DLP policy and the transport rule, we can use the following cmdlets:

Remove-DlpPolicy "PCI-CreditCard"
Remove-TransportRule "Notify in Outlook:External Recipient Credit Cards"
