Policies - Document Services - Definition and Policy

Updated

This article outlines the Document Services and the additional features related to Data Leak Prevention by controlling attachments sent to or from your organization. They can be used to remove confidential metadata from documents or convert documents to a different format before they are delivered to a recipient. Document Services can also be used to strip revision information from documents, including:

  • Document properties.
  • Author credentials.
  • Tracked changes.
  • Comments.
  • Microsoft Visual Basic for Applications macros.

Most of these are never knowingly added and, more importantly, are never intended to be viewed outside an organization.

Considerations

Consider the following before configuring a definition or policy:

  • Documents can be automatically converted into PDF or ODF format. This reduces the potential risk of metadata access and secures documents against any accidental or intentional changes by the recipient.
  • To aid in communicating with external organizations that may have different versions of Microsoft Word, policies can be created to convert Word documents into older or newer versions.
  • You can configure a Document Services Bypass policy to override aspects of this policy. See the Document Services Bypass page for full details.

Configuring a Document Services Definition

To configure a Document Services definition:

  1. Log in to the Mimecast Administration Console.
  2. Click on the Policies | Gateway Policies menu item. The Gateway Policy Editor is displayed.
  3. Click on the Definitions button. A list of definition types is displayed.
  4. Click on the Document Services definition type from the list.
  5. Select a Folder in the navigator. A definition cannot be created in the Root folder.
  6. Either click on the:
      • Definition to be changed.
      • New Document Definition button to create a definition.
  1.   Complete the Office Document Processing section as follows:
Field / Option Description
Description Enter a description for the definition.
Metadata Profile

If using the definition to strip metadata, select a Metadata Profile to apply. If you are using the definition to only convert documents, leave the profile as None. The profile selected determines what is stripped by us when the document is processed. The default profiles available group certain aspects that can be stripped together. Alternatively, the Custom profile can be selected to allow you to choose the items to be stripped from a list.

  • Basic: Removes document properties, track changes, and Microsoft Visual Basic for Applications macros (VBA).
  • Common: Removes routing slips (email addresses added as recipients to a document).
  • All: This selects all items for stripping.
  • Unsafe: This includes only the removal of Microsoft Visual Basic for Applications macros (VBA).
  • Custom: You can select the stripping parameters specified in the following list:
    • Common Options
      • Template: Every document is based on a template, which is accessible to the recipient. The Template option removes the template from the document.
      • Comments: Removes all comments from a document.
      • Properties: Document properties can contain a vast array of information about your organization, including the authors of documents and other sensitive information. This option strips all document properties.
      • VBA: Visual Basic for Applications is the coding structure behind the application, and can contain sensitive information about the document, or be used to run malicious scripts. This option strips all VBA code from the document. If VBA is used for creating forms, etc., these will also be stripped if this option is selected.
      • Custom XML: Documents can contain embedded XML Data, which can be used to store custom XML in documents. Mimecast supports the removal of custom XML data parts.
    • Microsoft Word and RTF
      • Track Changes: Track changes contain review information you may not want to share with recipients. This option deletes all track changes and ensures they cannot be recovered.
      • Variables: Variables (document information that can be accessed using Visual Basic or a metadata viewer) may have been used in the creation of the document. These will be stripped with this option selected.
      • Endnotes and Footnotes: Endnotes and footnotes will be removed from the document by selecting this option.
      • Fields: Fields are commonly used in documents for entering text (e.g., date, file names) and update automatically each time the document is accessed. If selected, these are removed from the document.
      • Word Versions: Microsoft Word has versioning capabilities, whereby previous versions of a document can be recalled. This option strips all previous versions associated with the current document.
      • Ink Annotations: Ink Annotations are used when running Microsoft Word on a tablet PC, and allow markup of a document. For example, you can add notes in the margins, circle, or underline content. With this option selected, all ink annotations are removed.
      • Watermarks: A watermark allows you to enhance the appearance of the document by adding an image or text that identifies the document's contents as a Draft or Confidential. These can be removed before the document is sent out.
      • Hidden Text: Microsoft Word allows you to hide text in a document, which doesn’t appear unless you opt to display it. Selecting this option removes hidden text. We can strip this hidden text, but cannot detect text that was hidden by other methods (e.g., white text on a white background).
Add Watermark

This option adds a watermark on each page of a Word or RTF document before it is transformed to PDF. These are the only currently supported file types. Adding watermarks directly to documents that have been transformed to PDFs is currently not supported. The text entry is limited to a maximum of 212 characters.
Document Conversion

If using the definition to convert documents, select one of the options below. If the definition's purpose is to strip metadata only, leave this option as Do Not Convert.

  • PDF: Converts the document to the latest version of PDF/X or PDF/A, stripping the document of all metadata and allowing access only via a PDF reader.
  • ODF: ODF is an Open Document Format, allowing the document to be read by many readers.
  • Office Versions 97-2013: This option provides the ability to send documents in one of these Microsoft Word versions. This ensures recipients can access the document if they are using a different version of Microsoft Office, including both previous and later versions used in your environment.
Source Files

Specify what type of source document to apply the services to. If no source file types are specified, the definition won't be applied to any outgoing documents.
  1. Complete the Action on Failed Conversion section as follows:
Field / Option Description
Policy Action Specify the action to be taken should conversion / processing fail. The available actions are Allow and Hold for Review. All the following fields are only visible if the Hold for Review option is selected.
Hold Type

Restricts the view of held messages in the On Hold Message Queue. The options are:

  • User (default).
  • Moderator.
  • Administrator.

For Data Leak Prevention (DLP) reasons a user won't be able to release outbound items that were placed on hold due to a Content Examination policy.
Moderator Group Use the Lookup button to select a group of moderators who can review and action the message when placed on hold. This option is only available for User and Moderator Hold types.
Notify Group Use the Lookup button to select a group of users to be notified when the policy is triggered.
Notify (Internal) Sender Notifies an internal sender that the policy has been triggered.
Notify (External) Sender Notifies an external sender that the policy has been triggered.
Notify (Internal) Recipient Notifies an internal recipient that the policy has been triggered.
Notify (External) Recipient Notifies an external recipient that the policy has been triggered.
Notify Overseers Notifies the Oversight Group should a Content Overseer policy be configured for the communication pair of the message that triggered the Document Services definition.
  1. Click on the Save and Exit button.

Configuring a Document Services Policy

To configure a Document Services policy:

  1. Log in to the Mimecast Administration Console.
  2. Select the Policies | Gateway Policies menu item.
  3. Click on Document Services.
  4. Either click on the:
      • Policy to be changed.
      • New Policy button to create a policy.
  1.   Complete the Options section as required:
Field / Option Description
Policy Narrative Policy Narrative
Select Document Services Policy Click on the Lookup button to select the required Document Services definition for the policy.
  1. Complete the Emails From and Emails To sections as required:
Field / Option Description
Addresses Based On

Specify the email address characteristics on which the policy is based. This option is only available in the Emails From section. The options are:

  • The Return Address (Mail Envelope From): This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e., the address used during SMTP transmission).
  • The Message From Address (Message Header From): Applies the policy based on the masked address used in the message's header.
  • Both: Applies the policy based on the Mail Envelope From or the Message Header From whichever matches. If both match the specified value, the Message Header From is used.
Applies From / To

Specify the Sender characteristics on which the policy is based. For multiple policies, you should apply them from the most to the least specific. The options are:

  • Everyone: Includes all email users (i.e. internal and external). This option is only available in the Emails From section.
  • Internal Address: Includes only internal organization addresses.
  • External Address: Includes only external organization addresses. This option is only available in the Emails From section.
  • Email Domain: Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
  • Address Groups: Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.
  • Address Attributes: Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop-down list. Once the Attribute is specified, a value must be entered in the Is Equal To field. This can only be used if attributes are configured for user accounts.
  • Individual Email Address: Enables you to specify an SMTP address. The email address is entered in the Specifically field.
  1. Complete the Validity section as required:
Field / Option Description
Enable / Disable Use this to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or backdate it. Should the policy's configured date range be reached, it is automatically disabled.
Set Policy as Perpetual Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires.
Date Range Specify a start and end date for the policy. This automatically deselects the "Eternal" option.
Policy Override Select this to override the default order in which policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override.
Bi-Directional If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.
Source IP Ranges (n.n.n.n/x) Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls within or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  1. Click on the Save and Exit button.

See Also...

Related to

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.