Category: IFilter

Exchange DLP Rules in Exchange Management Shell

Posted on Brian ReidLeave a commentPosted in 2013, cloud, DLP, EOP, exchange, exchange online, Exchange Online Protection, IAmMEC, IFilter, mcm, mcsm, Office 365

This one took a while to work out, so noting it down here!

If you want to create a transport rule for a DLP policy that has one data classification (i.e. data type to look for such as ‘Credit Card Number’) then that is easy in PowerShell and an example would be as below.

New-TransportRule -name “Contoso Pharma Restricted DLP Rule (Blocked)” -DlpPolicy ContosoPharma” -SentToScope NotInOrganization -MessageContainsDataClassifications @{Name=”Contoso Pharmaceutical Restricted Content”} -SetAuditSeverity High -RejectMessageEnhancedStatusCode 5.7.1 -RejectMessageReasonText “This email contains restricted content and you are not allowed to send it outside the organization”

As you can see, and highlighted in red, the data classification is a hashtable and the single classification is mentioned.

To add more than one classification is much more involved:

$DataClassificationA = @{Name=”Contoso Pharmaceutical Private Content”}
$DataClassificationB = @{Name=”Contoso Pharmaceutical Restricted Content”}
$AllDataClassifications = @{}
$AllDataClassifications.Add(“DataClassificationA”,$DataClassificationA)
$AllDataClassifications.Add(“DataClassificationB”,$DataClassificationB)
New-TransportRule -name “Notify if email contains ContosoPharma documents 1” -DlpPolicy “ContosoPharma” -SentToScope NotInOrganization -MessageContainsDataClassifications $AllDataClassifications.Values -SetAuditSeverity High -GenerateIncidentReport administrator -IncidentReportContent “Sender”,”Recipients”,”Subject” -NotifySender NotifyOnly

And as you can see, shown in red above, you need to make a hashtable of hashtables and then use the value of the final hashtable in the New-TransportRule

Enabling Exchange 2013 to Filter OneNote and Publisher Files

Posted on Brian Reid1 CommentPosted in 2013, 64 bit, exchange, IFilter, owa, transport

Exchange Server 2013 includes the Search Foundation product to index and search most of the file types that needed IFilters installed for in previous versions including PDF files, so the Adobe IFilter is no longer needed. That said, it does not filter OneNote and Microsoft Publisher files.

To filter these files so that you can search them as part of your mailbox search, include them in discovery and compliance searches and to write transport rules that can act on the contents of these files you need to install the Microsoft Office Filter Pack 2010 and Service Pack 1 for Microsoft Office Filter Pack 2010 (KB 2460041) 64-bit Edition and then, once installed, set a few registry keys. The following script does the registry key steps for you, and needs running on all your Exchange 2013 Mailbox Servers. See http://marksmith.netrends.com/Lists/Posts/Post.aspx?ID=93 for steps to install the PDF filter on Exchange 2010 if you need to do that. This script is based on the work in that post and the original scripts from Microsoft to configure the IFilters in Exchange 2010 RTM.

Script for Install-IFilters.ps1

Download the Install-IFilters.ps1 here (which is a zip containing some test files as well – see below for testing steps. The PowerShell script is also shown below:

   1: # Script to enable indexing of OneNote and Microsoft Publisher filtering in Exchange 2013

   2: # Written by Brian Reid, C7 Solutions Ltd. www.c7solutions.com 14:27 21/11/2012

   3: # Based on a script by Mark Smith from Capex Global that installed PDF filtering for Exch2010

   4: # Note PDF filtering is included in Exchange 2013 and not needed as an extra install

   5:

   6: # The Microsoft Office 2010 Filter Pack needs installing before running this script: http://www.microsoft.com/en-us/download/details.aspx?id=17062

   7: # The Microsoft Office 2010 Filter Pack SP1 (x64) needs installing before running this script: http://www.microsoft.com/en-us/download/details.aspx?id=26604

   8: # This script has not been tested with the Microsoft Office Filter Pack 2013 release as it was not available at time of writing

   9:

  10: # This script will restart the Transport service and Microsoft Filtering Management Service. Mail-flow might be affected

  11: # by the first of these restarts. Existing items in the store will not be indexed

  12:

  13: $iFilterDirName = "C:\Program Files\Common Files\Microsoft Shared\Filters\"

  14:

  15: $KeyParent = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\HubTransportRole"

  16: $CLSIDKey = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\HubTransportRole\CLSID"

  17: $FiltersKey = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\HubTransportRole\filters"

  18:

  19: # Filter DLL Locations

  20: $ONEFilterLocation = $iFilterDirName + "\ONIFilter.dll"

  21: $PUBFilterLocation = $iFilterDirName + "\PUBFILT.dll"

  22:

  23: # Filter GUIDs

  24: $ONEGuid    ="{B8D12492-CE0F-40AD-83EA-099A03D493F1}"

  25: $PUBGuid    ="{A7FD8AC9-7ABF-46FC-B70B-6A5E5EC9859A}"

  26:

  27:

  28: # Create CLSID and filters root registry keys if they do not exist

  29: Write-Host -foregroundcolor Green "Creating parent registry keys"

  30:

  31: New-Item -Path $KeyParent -Name CLSID -ErrorAction SilentlyContinue | Out-Null

  32: New-Item -Path $KeyParent -Name filters -ErrorAction SilentlyContinue | Out-Null

  33:

  34:

  35: # Create CLSIDs

  36: Write-Host -foregroundcolor Green "Creating CLSIDs..."

  37:

  38: New-Item -Path $CLSIDKey -Name $ONEGuid -Value $ONEFilterLocation -Type String | Out-Null

  39: New-Item -Path $CLSIDKey -Name $PUBGuid -Value $PUBFilterLocation -Type String | Out-Null

  40:

  41: # Set Threading model

  42: Write-Host -foregroundcolor Green "Setting threading model..."

  43:

  44: New-ItemProperty -Path "$CLSIDKey\$ONEGuid" -Name "ThreadingModel" -Value "Both" -Type String | Out-Null

  45: New-ItemProperty -Path "$CLSIDKey\$PUBGuid" -Name "ThreadingModel" -Value "Both" -Type String | Out-Null

  46:

  47: # Set Flags

  48: Write-Host -foregroundcolor Green "Setting Flags..."

  49: New-ItemProperty -Path "$CLSIDKey\$ONEGuid" -Name "Flags" -Value "1" -Type Dword | Out-Null

  50: New-ItemProperty -Path "$CLSIDKey\$PUBGuid" -Name "Flags" -Value "1" -Type Dword | Out-Null

  51:

  52: # Create Filter Entries

  53: Write-Host -foregroundcolor Green "Creating Filter Entries..."

  54:

  55: New-Item -Path $FiltersKey -Name ".one" -Value $ONEGuid -Type String | Out-Null

  56: New-Item -Path $FiltersKey -Name ".pub" -Value $PUBGuid -Type String | Out-Null

  57:

  58: # Setting permissions

  59: Write-Host -foregroundcolor Green "Granting NETWORK SERVICE read access to $KeyParent and child keys "

  60: $acl = Get-Acl $KeyParent

  61: $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NETWORK SERVICE","ReadKey","Allow")

  62: $acl.SetAccessRule($rule)

  63: $acl | Set-Acl -Path $KeyParent

  64:

  65: # Restarting required services

  66: Write-Host -foregroundcolor Green "Stopping Microsoft Exchange Transport service (this takes a few minutes)"

  67: Stop-Service "Microsoft Exchange Transport" | Out-Null

  68: Write-Host -foregroundcolor Green "Stopping Microsoft Filtering Management Service"

  69: Stop-Service "Microsoft Filtering Management Service" | Out-Null

  70: Write-Host -foregroundcolor Green "Starting Microsoft Exchange Transport service (this takes a few minutes)"

  71: Start-Service "Microsoft Exchange Transport" | Out-Null

  72: Write-Host -foregroundcolor Green "Starting Microsoft Filtering Management Service"

  73: Start-Service "Microsoft Filtering Management Service" | Out-Null

Testing Attachment Filtering

The download above contains the script and some test files for different document types. To test just create a transport rule where:

    • The sender is your mailbox.
  • Any attachment’s content includes “Testing IFilters”. (the files in the download include these words)

 

  • Generate an incident report and send it to your mailbox. Incident Reports are advanced transport rule actions.

 

If you create this rule before you run the script then you will get incident reports for the TXT file, DOCX file and the PDF file (note, you did not need to install the Adobe IFilter to get this functionality). But sending the ONE file and the PUB file before running the above script, even though you have the Microsoft Filter Pack installed, will not generate an incident report.

Once you have run the script, email yourself the ONE and PUB files and both should generate an incident report. From now on trasnport rules will process OneNote and Microsoft Publisher documents correctly, including any that match any Data Loss Prevention rules that you have enabled.

Windows Search Across The Network

Posted on Brian Reid1 CommentPosted in IFilter, WIndows Search

Windows 7 has Windows Search built in, but it will only index locations on the local PC or folders that you have made available offline.

What about the rest of your network? An error you might see because of this is “This network location can’t be included because it is not indexed”. If the servers also get an install of Windows Search on them then Windows Search on the client can talk to the Windows Search instance on the server and produce one set of search results, covering all network locations and local folders.

How do you tell the client which servers to communicate with for search results? You need to add the folders that you are interested in querying the index for to your Libraries on Windows 7. Let’s walk through this process.

Install Windows Search on your servers

If you are running Windows 2008 then add the File Services/Windows Search Server role. You probably have some of the File Services role already installed, and in that case use Add Role Services to add the Windows Search Service role.

If you are running Windows 2003 Server then you can install Windows Search 4.0 as a download from Microsoft.

The installation in Windows 2008 will ask for the storage locations to index, and you need to include the drives that contain your shared folders.

Once installed the index for the search will begin to be created. This can take some time initially, and if you want to be able to index content other than the default content (see http://msdn.microsoft.com/en-us/library/bb233501.aspx for the default filters installed) then you should install these filters as soon as possible (to save the index needing to redo files it does not know first time around). Most importantly you need to install Adobe Reader iFilter if you want to filter .pdf documents and the Microsoft Office 2010 Filter Pack if you want to index the new file formats for Microsoft Office.

Adobe have a free filter (download the correct one based on the version of your server) and Foxit Software have a paid for one, which is more reliable than the Adobe one. Adobe are on version 9 at the time of writing and can be downloaded from http://www.adobe.com/support/downloads/detail.jsp?ftpID=4025 for the x64 version (which is the one needed if you are running SBS 2008).

The Microsoft Filter Pack can be downloaded from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5CD4DCD7-D3E6-4970-875E-ABA93459FBEE&displaylang=en

Other iFilters for other document types exist. If you are running a 32bit version of Windows then an installation of Adobe Reader will include the 32bit iFilter. A search of Google for “iFilter” will show you others.

Finally, via Control Panel > Indexing Options > Advanced you can set the location where the search index data is to be stored. This can total up to 40% of the size of the indexed content and so should be placed on a suitably sized disk. You need to restart Windows Search to move this index.

Configure Windows 7

Once the search is configured, you can add the shared folders to the Libraries feature in Windows 7. To do this open Explorer to Computer and under Desktop you will find Libraries. Create a new Library called “Network” (or a name of your choice)” and add the shared folders on the server that is now indexed to the library. Note you cannot add shared folders that are not included on a server running search to a Library.

Now you can go to Start and type keywords into the Search bar and find documents on the local machine or on remote servers!

Configure Legacy Clients

Windows XP and Vista can have Windows Search installed, but do not support Libraries. For a legacy client to search a network location they need to open the network location (either via mapped drive letter or directly with the \\server\share UNC path format. The client will query the search server remotely and return quick results. There is no way on the legacy clients to do a single search from the Start Menu or Taskbar search box of all your locations in one go, unlike Windows 7.

If you have many servers then consider Microsoft FAST Search Server 2010 for SharePoint instead.