Compliance, Archiving, eDiscovery, Auditing

Question 1

What is DLP?

Answer 1

Data Loss Prevention

• A Compliance Management feature.
• A premium feature that requires an Enterprise CAL.
• The goal is to prevent the intentional or accidental exposure of sensitive information.
• Uses content analysis to examine email messages and attachments in transit (as they move through the transport pipeline).
• It looks for multiple pieces of evidence to determine a confidence level, and takes action based on confidence.

Question 2

What is a DLP Policy?

Answer 2

It is a collection of Transport Rules that can be managed together as a single policy.

Question 3

What is a DLP Policy Rule?

Answer 3

It is simply a Transport Rule that has been added to a DLP Policy.

(Through the DLP interface, you can combine multiple Transport Rules to manage as a single policy, and add additional DLP-specific options.)

Question 4

What are examples of sensitive information that DLP can watch for?

Answer 4

• Credit card details
• SSNs
• Passport numbers
• Bank Account Numbers
• Custom information types, such as “document fingerprints.”

Question 5

What is a Policy Tip?

Answer 5

• Policy Tips are displayed to users when an email is being composed that will breach a DLP Policy.
• Available in Outlook and Outlook on the Web
• Not available for non-Outlook clients or mobile apps.

Question 6

What are possible Policy Tip Actions?

Answer 6

• Notify sender, but allow them to send regardless
• Notify sender, and block if sent.
• Notify sender, block if sent, but allow user to override and send by indicating it is a false positive
• Notify sender, block if sent, but allow user to override and send (no reason required)
• Notify sender, block if sent message, but allow user to override and send by providing a buisiness justifcation explanation.

Question 7

What “modes” can a DLP policy be set to?

Answer 7

• Enforce
• Audit (Tests DLP policy without Policy Tips)
• AuditAndNotify (Tests DLP policy with Policy Tips)

Question 8

How do you implement DLP?

Answer 8

• Create a DLP policy
– Can create using either a built-in template, custom policy, or import a third-party policy

• Create or modify rules as needed
• Set Mode to be “Enforced”

Question 9

What configurations can be made to a DLP policy rule?

Answer 9

• Enable or disable any individual rule of a policy
• Change the scope of the rule
• Modify thresholds for triggering (minimum and maximum counts)
• Modify thresholds for confidence levels (minimum and maximum)
• Send an incident report to an email recipient
• Can take essentially any additional action that normal Transport Rules can take

Question 10

What is Document Fingerprinting?

Answer 10

• A part of DLP, used to detect specific documents, forms, or templates.
• Documents are be uploaded to Exchange for analysis and “fingerprinting.”
• DLP will then detect documents based on that template, AS LONG AS ALL ORIGNAL TEXT is all retained. (for example, a form the requires the user to overwrite fields will NOT trigger detection).

Question 11

What is MRM?

Answer 11

• Message Records Management
• Part of Compliance Management
• The overarching term for features that manage mailbox data retention.
• Retention management includes both:

– keeping data as long as it is needed,

– and removing data when should no longer be kept.

Question 12

What is MRM used to accomplish?

Answer 12

• To meet business and regulatory requirements
• To help users manage mailbox data
• To manage storage utilization of email

Question 13

What are Retention Tags?

Answer 13

• Retention tags are used to apply retention settings to mailbox folders and items.

• Each Retention Tag is made up of two settings:
– a Retention Action
– a Retention Period

• Retention policies are made up of retention tags.

Question 14

What is this?

DPT

Answer 14

Default Policy Tag

A type of Retention Tag

Question 15

What is this?

RPT

Answer 15

Retention Policy Tag

A type of Retention Tag

Question 16

What types of Retention Tags are there?

Answer 16

• Default Policy Tags (DPT)
• Retention Policy Tags (RPT)
• Personal Tags

Question 17

Describe how this type of Retention Tag works:

DPT

Answer 17

• Are assigned to any folders or items that don’t have another tag.
• Sub-folders and items inherit the DPT of the parent folder
• Users can apply a Personal Tag to folders or items to override the DPT

Question 18

Describe how this type of Retention Tag works:

RPT

Answer 18

• Are assigned to default mailbox folders, such as Inbox or Deleted Items
• Sub-folders and items inherit the RPT of the parent folder
• Users cannot override an RPT on a folder; however, they CAN assign Personal Tags to items within that folder to override the inheritance.

Question 19

How can users override RPTs with their own retention settings?

Answer 19

Users can add Personal Tags on mail items and folders.

They cannot override an RPT on a folder; however, they CAN assign Personal Tags to items within that folder.

Question 20

What is a Retention Action?

Answer 20

• A setting of a Retention Tag

* It defines the action that should be taken on the folder or item that the tag is assigned to.

Question 21

What are possible Retention Actions for each Retention Tag type?

Answer 21

• All 3 types of retention tags have these actions:

– Delete and allow recovery

– Permanently delete

• Only DPTs and Personal Tags have this action:

– Move to user’s archive mailbox

Question 22

What is this Retention Action:

Move to archive

Answer 22

• Moves the folder or item to the user’s archive mailbox, if they have one.
• If they do not have one, the item will not be moved (no action will be taken).
• Only DPTs and Personal Tags can perform this action.

Question 23

What is this Retention Action:

Delete and allow recovery

Answer 23

• Moves the item to recoverable deleted items, where it will be subject to the Deleted Item Retention Period for the mailbox database (14 days by default).
• Exception: If the mailbox or the items in question are currently under Litigation Hold or In-Place Hold, then the deleted items will remain in the Recoverable Deleted Items until the Hold is removed, or the Hold period lapses.
• All 3 Retention Tag types can perform this action.

Question 24

What is this Retention Action:

Permanently delete

Answer 24

• Skips the Recoverable Items folder, and purges the item from the mailbox database
• Exception: If the mailbox or the items in question are currently under Litigation Hold or In-Place Hold, then the deleted items will remain in the Recoverable Deleted Items until the Hold period is removed, or the Hold lapses.
• All 3 Retention Tag types can perform this action.

Question 25

What is a Retention Period?

Answer 25

• A setting of a Retention Tag
• Defines the number of days after which the retention action should be applied.
• Examples:

– 30 days

– 365 days (1 year)

– Never

Question 26

What is the cmdlet to create a Retention Tag?

Answer 26

New-RetentionPolicyTag

This is confusing because “Retention Policy Tag” is one of the three types of Retention Tags, but this cmdlet is used to create all three types of tags, not just RPTs.

Question 27

Provide an example command for creating:

A new DPT to delete items after one year and allow recovery.

Answer 27

New-RetentionPolicyTag

-Name
whatever-you-want

-Type
All

-AgeLimitForRetention
365

-RetentionAction
DeleteAndAllowRecovery

Question 28

Provide an example command for creating:

A new RPT to permanently delete items in the Junk Email folder after 30 days.

Answer 28

New-RetentionPolicyTag

-Name
whatever-you-want

-Type
“Junk Email”

-AgeLimitForRetention
30

-RetentionAction
PermanentlyDelete

Question 29

In the context of Retention, what is unique about the “Voicemail” message class?

Answer 29

They are the only message class that can have their own unique tag created for them.

A DPT can be created for them independently of the DPTs that are configured for the mailbox.

Question 30

What is a Retention Policy?

Answer 30

• A collection of Retention Tags

* Assigned to mailboxes to manage archiving or deletion of data

Question 31

What effect does adding a Personal Tag to a Retention Policy have?

Answer 31

Mailbox users get access to the Personal Tags that are included in the Retention Policy that is assigned to their mailbox.

Users can manually add these Personal Tags to any folder or item, except for any folder that already has an RPT assigned to it (however, they can assign Personal Tags to items within that folder).

Question 32

What is MFA?

Answer 32

Managed Folder Assistant

• A background process that constantly runs on an Exchange server
• Processes mailboxes that have Retention Policies assigned to them, to:

– stamp folders and items with retention tags

– perform retention actions when retention period has passed

• The MFA process is throttled so it doesn’t compete for resources with more important processes, thus actions are not necessarily always processed immediately upon reaching their period.

Question 33

What happens when you remove a Retention Tag from a Retention Policy?

Answer 33

• MFA will not stamp that tag to any more mailbox items
• Folders and items that were receiving that tag through inheritence will inherit a new tag
• Folders and items that had already been directly assigned the tag will RETAIN the tag (because the tag still exists as a tag definition in AD, even though it’s no longer in the policy).

Question 34

What happens when you Delete a Retention Tag?

Answer 34

• The Tag definition no longer exists in AD
• Items that were previously tagged are reprocessed by MFA and a new tag is stamped on them (usually by inheriting the parent folder tag).

Question 35

How is Retention Age determined for different item types?

Answer 35

• For most items (including email messages), retention age is based on delivery date or creation date.
• For Recurring Calendar and Task items, retention age is based on their end date.
• (For items with no end to their recurrence, retention period never expires.)

Question 36

What is a Retention Hold?

Answer 36

• A Retention Hold will put a hold on any retention actions from being executed even after the retention period has passed.
• It is set on a per-mailbox basis.
• Once the End Date is reached, the MFA will start taking action on expired items.
• The hold can either be removed manually, or be configured with an automatic End Date.

Question 37

What are a couple example use-cases for configuring a Retention Hold?

Answer 37

It is useful for:

• Testing Retention Policies (to see how MFA will stamp items, without actually taking actions)
• Periods of prolonged absence such as maternity leave or sabbatical, so a user’s unread items won’t be archived while they are away.

Question 38

What is Exchange Online Archiving?

Answer 38

• Works the same as on-premises Archiving, except the Archive Mailboxes are hosted in Office 365

Question 39

What is a Remote Archive?

Answer 39

• A mailbox archive that is hosted in Office 365 instead of on-prem Exchange
• Essentially, a synonym for the feature of Exchange Online Archiving.

Question 40

What are the pre-requisites for Exchange Online Archiving to work?

Answer 40

• Directory synchronization
• A hybrid configuration
• Retention tags must be exported to Office 365 tenant, so the cloud MFA can continue to process tags on items in Archives

Question 41

What are the steps to configure a mailbox for Exchange Online Archiving?

Answer 41

1) Use directory synchronization to sync the user to Office 365
2) Assign an Exchange Online Archiving license to the user
3) Enable the user’s mailbox for remote archiving
4) Wait for synchronization of the changes (which can take several hours)

Question 42

What is eDiscovery?

Answer 42

• A Compliance Management feature.

Provides:

– Tools for searching mailbox contents during investigations and legal cases

– Options for “holding” the results (preserving the data so it can’t be deleted).

– A user-friendly web portal for searches, so they can be performed by non-technical people

Question 43

What is KQL?

Answer 43

Keyword Query Language

The query syntax used both in Outlook for searches, and for eDiscovery searches

Question 44

What actions can be taken on items found in eDiscovery searches?

Answer 44

• Preserve data in-place (In-Place Hold)
• Copy data to another location
• Export data (e.g. to PST)
• Remove data from mailboxes

Question 45

What do eDiscovery searches depend on?

Answer 45

Healthy and up-to-date Content Indexes.

Any new items that have not been indexed yet will not show up in search results.

Question 46

How are eDiscovery searches performed?

Answer 46

• User must be added to “Discovery Management” role group (which is empty by default) in order to perform eDiscovery searches
• Searches are performed in EAC
• Searches use KQL queries
• Can search one or multiple mailboxes

• Can search, for example, based on:
– Keywords
– Dates
– Senders
– Recipient types
– Message types

• Searches are queued once created. Once status changes to “Estimate Succeeded,” the search results are available.

Question 47

What is a Discovery Mailbox?

Answer 47

The results of an eDiscovery search can be exported to a maibox, called a discovery mailbox.

The discovery mailbox will store the search results in a folder with the same name as the Search name.

Question 48

What is a Discovery Search Mailbox?

Answer 48

Another term for a Discovery Mailbox.

Question 49

What is a Compliance Search?

Answer 49

A search of mailbox items that can REMOVE the content from mailboxes.

Question 50

When items are deleted by a Compliance Search, where do they go?

Answer 50

They are sent to the Recoverable Deleted Items folder, where end-users can recover them.

Question 51

What is the cmdlet to perform a Compliance Search?

Answer 51

New-ComplianceSearch

a new cmdlet for 2016. Earlier versions used the more limited Search-Mailbox

Question 52

What is an In-Place Hold?

Answer 52

• A premium feature that requires an Enterprise CAL.

* Part of eDiscovery, the results of a search query will be held so they cannot be permanently deleted.

Question 53

What is the goal of a Hold?

Answer 53

To preserve mailbox contents, either indefinitely or to a desired date, in a way that is invisible to end users

Question 54

What is the difference between an In-Place Hold and a Litigation Hold?

Answer 54

• In-Place Hold:

Based on an eDiscovery search query, and applied to all content that matches the query, no matter where it’s located.

• Litigation Hold:

Applied to an entire mailbox, on a per-mailbox basis.

Question 55

PowerShell command to apply a litigation hold for one year, or indefinitely?

Answer 55

• Indefinitely:

Set-Mailbox
user@company.com
-LitigationHoldEnabled
$true

• For one year:

Same as above, but add:

-LitigationHoldDuration
365

Question 56

What are MailTips?

Answer 56

Messages displayed in Outlook and OWA to users while they are composing an email message, to alert them to potential mistakes or problems before they send a message.

Question 57

What is this:

Group Metrics

Answer 57

• Part of the MailTips feature
• A background process on Exchange
• Calculates the size of a group’s membership, including nested group members
• Stamps the group object with a msExchGroupMemberCount attribute.
• Since it’s a background process, it may not always be up-to-date.

Question 58

What are examples of MailTips that may be displayed to a user?

Answer 58

• A Distribution Group contains X number of recipients (when it is over a threshold).
• A recipient’s mailbox is full
• A recipient has an Automatic reply set (and displays the reply)
• A custom MailTip configured on a Mailbox to display a message

Question 59

What are Message Classifications?

Answer 59

• Labels applied (either by Exchange or by users) to messages to describe the intended use or audience of the message.
• They are set by users by the “Set Permissions” menu.
• Only internal to the organization; stripped from headers when sent externally.
• Only visual suggestions; they are not enforced (though Transport Rules can be configured to take action based on them).

Question 60

How are Message Classifications utilized in Outlook?

Answer 60

Classification definitions must be configured in Exchange.

Outlook on the Web users will have them available automatically.

Outlook client users will need the definitions manually deployed.

Question 61

How do you deploy Message Classification definitions to Outlook clients?

Answer 61

• Export them to an XML file using the Microsoft-provided script:

Export-OutlookClassification.ps1

• Distribute the XML file (probably through Group Policy)
• Configure the path to the file in the Registry.

Question 62

What is Journaling?

Answer 62

Makes a copy of sent or received emails to another mailbox or external address.

You can have an internal journaling mailbox, or use an external, third-party journaling service.

Question 63

What is a Journal Report?

Answer 63

• Journaled messages are stored in a special message format, known as a journal report.
• It contains metadata about the message, and a copy of the original message is attached to it.

Question 64

What types of journaling are there?

Answer 64

• Standard Journaling

* Premium Journaling

Question 65

What is Standard Journaling?

Answer 65

• Set at the mailbox database level

* All messages sent or received by mailboxes hosted on that database will be journaled

Question 66

What is Premium Journaling?

Answer 66

• A Compliance Management feature.
• A premium feature that requires an Enterprise CAL.
• Configured as a series of rules, similar to Transport rules
• Can specify or target what types of messages/recipients/etc. will be journaled

Question 67

Mario is a member of the Distribution Group named “Sales.”

Luigi is NOT a member of that group.

A Journaling rule is in place that journals all messages “If the message is sent to or received from a specific user or group,” with the group “Sales” selected.

Mario sends an e-mail addressed to Luigi.

Luigi sends an e-mail addressed to Mario.

Of these two messages, which will be caught by this Journaling rule?

Answer 67

• Both.
• Journaling rules that target groups will capture all messages involving members of that group, even if the group address is not used. It doesn’t need to be the group itself that is receiving the message.

Question 68

If two employess are communicating via a mailbox they both have access to, by writing draft emails and never sending them, how could those messages be caught for review by an admin?

Answer 68

Litigation hold would catch them.

Journaling would not.

Question 69

What happens if a journal mailbox becomes unavailable?

Answer 69

• If no Alternate Journal Mailbox has been configured, Journal reports will start to queue on servers.
• If an Alternate journal mailbox has been configured:

– journal reports will be sent to it instead.

– But if the Alternate journal mailbox is also unavailable, journal reports will NOT be queued, they will be lost.

Question 70

What is Exchange Auditing?

Answer 70

• A Compliance Management feature.

* Provides capabilities to track what mailbox users and admins are doing in the Exchange organization.

Question 71

What types of Auditing are there?

Answer 71

• Mailbox Audit Logging

* Administrator Audit Logging

Question 72

What is Mailbox Audit Logging?

Answer 72

• A type of Exchange Auditing.
• Logs actions taken by mailbox owners and delegates on the contents of mailboxes.
• Disabled by default.

Question 73

What is Administrator Audit Logging?

Answer 73

• A type of Exchange Auditing.
• Tracks changes made by Administrators while they are managing the Exchange environment.
• Tracks Exchange management tool usage, such as eDiscovery, Compliance Searches, etc.
• Enabled by default, at a level of: None.

Question 74

What are Admin Audit Log Levels?

Answer 74

Set the amount of info that is logged.

There are two levels:

• None
• Verbose
• (Note: “None” is not the same as disabling Admin Audit Logging)

Question 75

Admin Audit Logging is set to: None

When a command is run, what is logged?

Answer 75

• The Cmdlet that was run
• The Parameters used
• Who ran the command
• What object was modified
• Note: Only cmdlets that make changes are logged (not cmdlets that only retrieve info)

Question 76

Where are Admin Audit Logs stored, and how long are they retained?

Answer 76

• Retained 90 days, by default.

* Stored in one of the Arbitration Mailboxes, which are system mailboxes.

Question 77

When a command is run, what is logged when Admin Audit Logging is set to: Verbose

Answer 77

• All info that “None” would also have logged, plus:
• The Old Values, before the command was run
• The New Values, after the command was run

Question 78

What will Mailbox Audit Logging record by default?

Answer 78

• It is disabled by default, so it will record nothing.
• When enabled, the default actions it will record are:

– AuditOwner: nothing.

– AuditDelegate: Update, SoftDelete, HardDelete, SendAs, Create

– AuditAdmins: Same as delegates, and also:
Move, MoveToDeletedItems, FolderBind, SendOnBehalf

Question 79

How long will Mailbox Audit logs be retained?

Answer 79

Controlled by the Audit Log Age Limit, which is set on a per-mailbox basis.

It is set to 90 days by default.

Question 80

What is an Audit Bypass?

Answer 80

A setting that will allow actions taken by a specified account to not be record by Audit Log settings.

Useful if a service account is in place that would generate a lot of unwanted logs.

Question 81

What are the steps required to create a DLP rule using Document Fingerprinting, based on a form template?

Answer 81

1) Import the document into a variable.
2) Create a new Document Fingerprint, using the variable from 1), and store it as a new variable.
3) Create a new data classification rule using the New-DataClassification command, using the variable from 2).
4) You will now see the new Data Classification Rule when building the transport rule for your DLP policy.