Exchange 2013 Data Loss Prevention (Part 1)

By Nuno Mota, published on 11 October 2012


Data Loss Prevention [DLP] is a system designed to detect a potential data breach or leakage incident in a timely manner and prevent it. In such an incident, sensitive data such as personal or company information, credit card details, social security numbers, etc., is disclosed to unauthorized users, either with malicious intent or by mistake. This has always been an important matter for most companies, as the loss of sensitive data can be very damaging for a business. For many years now, there have been both software and hardware solutions that monitor data while:

  • in-use: end-user actions such as copying data to USB or printing it for example;
  • in-motion: network communications like e-mail, web traffic, Instant Messaging, etc.;
  • at-rest: data stored in file shares or on users' drives.

Up until now, Exchange Administrators had to rely on third-party solutions to achieve this, but some of those solutions would cause more harm than good and user productivity would suffer. With Exchange 2013, Microsoft now makes it possible to enforce compliance requirements for such data and control how it is used in e-mail. DLP is the new feature that allows administrators to manage sensitive data in Exchange!

How DLP Works

DLP works through DLP Policies, packages that contain a set of conditions made up of rules, actions and exceptions. These packages are based on Transport Rules and can be created in the Exchange Administration Center [EAC] or through the Exchange Management Shell [EMS]. Once created and activated, they will start analyzing and filtering e-mails. A nice feature is that you can create a DLP Policy without activating it, allowing you to test its behavior without affecting mail flow.

DLP Policies are nothing more than special Transport Rules. Because the transport rules with Exchange 2010 didn't provide the means to properly analyze e-mail content, new types of transport rules were created in Exchange 2013 to make DLP possible. These allow information inside e-mails to be checked and classified as sensitive (or non-sensitive) based on keywords, dictionaries or even regular expressions, thus determining if an e-mail violates any organizational DLP Policies.

Another nice feature of DLP is called Policy Tips. These tips, similar to the MailTips introduced in Exchange 2010, inform senders that they might be violating a DLP Policy before they actually send the message! As we will see in the second part of this article, these Policy Tips only work on Outlook 2013 for now but it is just a matter of time until they appear in Outlook Web App as well.

Creating DLP Policies based on Templates

To get started with Data Loss Prevention, we have to create a DLP Policy. To do so, we can import one from a file (for example, one provided by a third-party company), use one of the Microsoft-provided templates, or build a policy from scratch.
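The following Exchange Management Shell session is an added example (not from this article) showing the template-based approach described above together with the "create it without affecting mail flow" behaviour from the How DLP Works section: it builds a policy from a built-in template in audit mode, lists the transport rules the policy generated, and adds one custom rule to it. It assumes an Exchange 2013 organization; the template name, policy name and rule name are assumptions, so confirm the template name against the output of Get-DlpPolicyTemplate first.

```powershell
# Added example, not the article's own code. Assumes an Exchange 2013 EMS session.
# Policy and rule names are arbitrary; the template name is assumed (verify in step 1).

# 1. List the Microsoft-provided templates and pick one by its Name.
Get-DlpPolicyTemplate | Format-Table Name

$templateName = "PCI Data Security Standard (PCI DSS)"   # assumed; confirm with the list above
$policyName   = "Contoso PCI"

# 2. Create the policy from the template. -Mode Audit records matches in the message
#    tracking/agent logs but neither blocks nor notifies, so mail flow is unaffected
#    while you evaluate the rules. Other modes: AuditAndNotify, Enforce.
#    -State Disabled would create the policy and its rules without activating them at all.
New-DlpPolicy -Name $policyName -Template $templateName -Mode Audit -State Enabled

# 3. A DLP policy is just a set of transport rules; inspect what the template produced.
Get-TransportRule -DlpPolicy $policyName |
    Format-List Name, Mode, State, MessageContainsDataClassifications, SenderNotificationType

# 4. Add a custom rule to the same policy: any message leaving the organization that
#    carries at least one credit card number shows the sender a Policy Tip (NotifyOnly)
#    but is still delivered. Kept in Audit mode until the results have been reviewed.
New-TransportRule -Name "$policyName - custom: card numbers to external recipients" `
    -DlpPolicy $policyName `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = "Credit Card Number"; MinCount = "1" } `
    -SenderNotificationType NotifyOnly `
    -Mode Audit

# 5. Once the audit results look right, switch the whole policy to enforcement:
#    Set-DlpPolicy -Identity $policyName -Mode Enforce
```

Step 5 is left commented out on purpose; run it only after the audit-mode results have been checked for false positives, since an enforced rule with RejectMessage semantics will start blocking mail immediately.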

To read the full article, please go to:
