Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Data Protection

Step-by-Step Guide: How to track shared documents using Azure information Protection?

Last month or so I have done few blog posts which explained about Azure information Protection (AIP)’s capabilities. In there, I mainly talked about how to protect sensitive data in organization when we know the data type, audience and permissions

Step-by-Step Guide: Protect confidential data using Azure information protectionhttps://www.rebeladmin.com/2018/12/step-step-guide-protect-confidential-data-using-azure-information-protection/ 

Step-by-Step Guide: Automatic Data Classification via Azure Information Protectionhttps://www.rebeladmin.com/2018/12/step-step-guide-automatic-data-classification-via-azure-information-protection/

Step-by-Step Guide: On-premise Data Protection via Azure Information Protection Scanner https://www.rebeladmin.com/2018/12/step-step-guide-premise-data-protection-via-azure-information-protection-scanner/

Step-by-Step Guide: How to protect confidential emails using Azure information protection?https://www.rebeladmin.com/2019/01/step-step-guide-protect-confidential-emails-using-azure-information-protection/ 

When we work with information, sometime we have to share information with internal/external peoples, organizations. Usually It is hard to apply strict data protection polices if it’s not sensitive data. With document tracking, we can review who access shared document, when and from where. It also allows to setup notifications so we know when someone access it. if the document is starting to appear in places where it shouldn’t, we can revoke the permissions as well. In this blog post I am going to demonstrate how we can do this. 

Prerequisites 

1. We need supported subscription first. This feature is available under Enterprise Mobility + Security E3 & E5, Office 365 Enterprise plans. Or else it is available as standalone solution https://azure.microsoft.com/en-gb/pricing/details/information-protection/

2. We need Microsoft Azure Information Protection Viewer app https://www.microsoft.com/en-us/download/details.aspx?id=54536&WT.mc_id=rss_alldownloads_all or Azure Information Protection client https://www.microsoft.com/en-us/download/details.aspx?id=53018 installed in the pc. It will allow to view, protect office documents using office apps. 

In my demo pc, I have installed Azure Information Protection client.

Once agent & subscription is ready,

1. Open up document that you like to share using office app (Word, Excel etc.) and then click on Protect | Custom Permissions  

2. It will open up new window, click on protect with custom permission. Then under select permissions, choose the permissions level you like to apply. 

[Read more…] about Step-by-Step Guide: How to track shared documents using Azure information Protection?

Step-by-Step Guide: Prevent Sensitive Data Leaks using Office 365 Data loss prevention (DLP) Policies

In my previous blog post I explained how to protect sensitive email data using Azure information protection. Using data classifications and policies we can prevent users from sharing sensitive information via email. You can read more about it using https://www.rebeladmin.com/2019/01/step-step-guide-protect-confidential-emails-using-azure-information-protection/. Azure information protection can do many things to protect sensitive data in an organization. Email protection is just one feature of it. it even can protect data in hybrid environments. 

Data loss prevention (DLP) policies also capable of preventing sensitive data sharing via email. But it is only applying to office 365 services. Also, it doesn’t include classification, it only works with real-time data. let’s see some of the capabilities of DLP policies. 

Support pre-defined data patterns on custom data patterns – Organizations can use pre-defined data patterns comes with DLP policies such as U.S Financial Data, HIPPA or create custom patterns to identify different type of data across different locations such as Exchange Online, OneDrive etc.  

Educate Users – Using DLP policies we can send notifications to senders in a policy breach. These notifications will include, data types, reason for block etc. So next time users can prevent doing it. 

Reporting – DLP policy can send detailed email report to administrators in a policy breach. 

Support Office Apps – DLP policies supports Office 2016 and later desktop clients. 

In today demo I am going to setup a DLP policy to detect credit card details in emails. Also, if someone try to send it to external user via email, policy should block it. in policy breach it will send notification to sender and a detailed report to administrator. 

1. To start, log in to https://portal.office.com as Global Administrator & open Admin Center 

2. Then go to Admin Centers | Security and Compliances 

3. It will open up a new window, in there go to Data loss prevention | Policy

4. Then click on Create a policy

[Read more…] about Step-by-Step Guide: Prevent Sensitive Data Leaks using Office 365 Data loss prevention (DLP) Policies

Step-by-Step Guide: On-premise Data Protection via Azure Information Protection Scanner

In my previous blog posts, I explained what Azure information protection is and how we can use it to do data classification and protect sensitive data. In those, I was using data stored in corporate OneDrive accounts. But in most cases organizations use on-premises file servers. in this blog post I am going to explain how we can use Azure information protection with on-premises file shares.

To do this we are going to use component called Azure Information Protection Scanner. This comes with Azure Information Protection add-on that we normally install in user computers. 

Pre-requisites 

1) Windows Server 2012 R2 or newer

2) Minimum SQL Server 2012 (Express, Standard or Enterprise)

3) Service Account to run the service – Ideally this should be AD sync account and should have log on locally & log on as a service permission. If you have lockdown environment, you can use local account to run service and separate Azure AD account to do authentication. In my demo I am going to use this method. 

4) The Azure Information Protection client installed

5) Classification with automatic protection – More details can find under https://www.rebeladmin.com/2018/12/step-step-guide-automatic-data-classification-via-azure-information-protection/

Create Service Account

In my demo server I have created a local user called aipsa and assign local administrator rights. 

File Share

For demo purpose I have created a file share called DataShare and add different types of files to it. 

SQL Server 2017 Express

In my demo server I have SQL Server 2017 Express installed. This will use for AIP Scanner. 

AIP Client Install

We need full AIP client install before we start the scanner configuration. 

1) Log in to the server as Administrator

2) Download AIP client from https://www.microsoft.com/en-gb/download/details.aspx?id=53018

3) Run the AzInfoProtection.exe as Administrator

4) Accept terms & conditions in first screen

5) It will start the installation

[Read more…] about Step-by-Step Guide: On-premise Data Protection via Azure Information Protection Scanner