In Part 3 of this series we’ll review the Compliance Management tab on the Exchange Admin Console. Seems Microsoft bunched quite a few features under this one heading:
- In-Place Discovery & Hold
- Data Loss Prevention
- Retention Policies
- Retention Tags
Because of the size and complexity of all the tabs of this list, I will cover only In-Place Discovery & Hold, Auditing, and Data Loss Prevention in this article. The rest will be in Part 4 to be released this week.
Let’s start with In-Place Discovery & Hold. What exactly is this?
“In-Place eDiscovery uses the content indexes created by Exchange Search. The Exchange Administration Center (EAC) provides an easy-to-use search interface for non-technical personnel such as legal and compliance officers, records managers, and human resources (HR) professionals. Role Based Access Control (RBAC) provides the Discovery Management role group to delegate discovery tasks to non-technical personnel, without the need to provide elevated privileges that may allow a user to make any operational changes to Exchange configuration.”
“In Exchange 2013 Preview, you can use In-Place Hold to accomplish the following goals:
- Enable users to be placed on hold and keep mailbox items in an unaltered state
- Use query-based In-Place Hold to search and hold items matching specified criteria
- Place a user on multiple holds for different cases or investigations
- Preserve mailbox items that may have been deleted or edited by users
- Preserve mailbox items automatically deleted by MRM
- Preserve items indefinitely or for a specific duration
- Keep In-Place Hold transparent from the user by not having to suspend MRM
- Enable In-Place eDiscovery searches of items placed on hold”
With that out of the way, let’s look at how you can accomplish this in the EAC for Exchange Server 2013 Preview:
Make sure you have the Discovery Management role assigned to your account so you can manage these settings. If you do not, you will only see this menu in “In-Place Discovery &Hold”:
To add yourself, simply run ‘ Add-RoleGroupMember -Identity “Discovery Management” -Member ‘ in the Exchange Management shell. Once you do that, verify your membership with ‘Get-RoleGroupMember -Identity “Discovery Management”‘:
Once you’ve added this role to your account, log out of the EAC, log back in and now you will see more option in “In-Place Discovery &Hold”:
Let’s add a sample in place hold. First, click ‘+’ to start the wizard:
Add a mailbox and click ‘Next’:
Put in your criteria for your query. As you can see from the screenshot below, you can filter based on keyword, dates, who the email was to or from, as well as message type.
Decide if you want to put a hold on the mailbox as well:
Now we can perform multiple operations with this discovery:
For the search button, you can Estimate the results, Preview the results or Copy your search results.
In the results pane to the right results will be displayed from your searches:
Click on ‘Preview search results:
Quick and easy way to see the emails that match the criteria. You can also copy these results:
See these Exchange Team Blog posts for more in-depth information:
From here you can see that we have ways to report on non-owner mailbox access, litigation holds, administrator role group, export mailbox audit logs and export administrator audit logs.
** Note **
Notice that each of the items on this screen have a “Learn More” link that brings up a page describing the feature on TechNet.
For this search, change the date range to the time period you are interested in, select the mailbox you want to check on, select the access by:
The click search and the results will appear in the lower section of the window.
Run an administrator role group report
Export mailbox audit logs
Export administrator audit logs
For the admin audit log, simply pick a time period and where to send the log to:
As you can see the Auditing functionality has just gotten better in Exchange 2013. There isn’t as big a need to depend on PowerShell to get this information. See the following links for more information:
Data Loss Protection
Microsoft added Data Loss Prevention with Exchange Server 2013 Preview. This feature is another line of defense against the loss of valuable data outside of the Exchange mail system. With DLP you can theoretically stop any email with a credit card or social security number or any number of protected data types. Microsoft also allowed third parties to create their own templates to make the system more flexible.
Let’s start by creating a new DLP Policy:
What if we wanted to make some changes to the policy? Then we would need to click the Edit button and make those changes:
If you wanted to start fresh, you can also just delete the policy as well:
After you’ve created your policy, you can also set the Outlook configurations:
What are Outlook Configurations for? Well, let’s create a new configuration and see what we are able to do:
From the above screenshot it is apparent that we are creating a notification for Outlook users for use with DLP. These are called Policy Tips and are seen when a new message is created and a DLP policy matches criteria in a new message.
More on this – http://technet.microsoft.com/en-us/library/jj150512(EXCHG.150).aspx
A sample policy for the text rejecting a message from going out:
A sample notification message:
You can verify your settings hitting the edit button after highlighting the policy you want to examine:
You can read more about DLP and how to use it here:
That is the end of Part 3 of my series on the Exchange EAC. Look for another post soon for the second part of the Compliance Management.