Document Services provide additional features related to Data Leak Prevention, by controlling attachments sent to or from your organization. They can be used to remove confidential metadata from documents, or convert documents to a different format before they are delivered to a recipient. Document Services can also be used to strip revision information from documents, including:
- Document properties
- Author credentials
- Tracked changes
- Comments
- Microsoft Visual Basic for Applications macros
Most of these are never knowingly added and, more importantly, are never intended to be viewed outside an organization.
Considerations
Consider the following before configuring a definition or policy:
- Documents can be automatically converted into PDF or ODF format. This reduces the potential risk of metadata access, and secures documents against any accidental or intentional changes by the recipient.
- To aid in communicating with external organizations that may have different versions of Microsoft Word, policies can be created to convert Word documents into older or newer versions.
- You can configure a Document Services Bypass policy to override aspects of this policy.
Configuring a Document Services Definition
To configure a Document Services definition:
- Log on to the Administration Console.
- Click on the Administration menu item. A menu drop down is displayed.
- Click on the Gateway | Policies menu item. The Gateway Policy Editor is displayed.
- Click on the Definitions button. A list of definition types is displayed.
- Click on the Document Services definition type from the list.
- Select a Folder in the navigator. A definition cannot be created in the Root folder.
- Either click on the:
  - Definition to be changed.
  - New Document Definition button to create a definition.
- Complete the Office Document Processing section as follows:

| Field / Option | Description |
| --- | --- |
| Description | Enter a description for the definition. |
| Metadata Profile | If using the definition to strip metadata, select a Metadata Profile to apply. If you are using the definition to only convert documents, leave the profile as "None". The profile selected determines what is stripped by us when the document is processed. The default profiles provided group certain aspects that can be stripped together. Alternatively the "Custom" profile can be selected, to allow you to choose the items to be stripped from a list. |

| Profile | Description |
| --- | --- |
| Basic | Removes document properties, track changes, and Microsoft Visual Basic for Applications macros (VBA). |
| Common | Removes routing slips (email addresses added as recipients to a document). |
| All | This selects all items for stripping. |
| Unsafe | This includes only the removal of Microsoft Visual Basic for Applications macros (VBA). |
| Custom | You can select the stripping parameters specified in the following list: |

- Common Options
  - Template: Every document is based on a template which is accessible to the recipient. The Template option removes the template from the document.
  - Comments: Removes all comments from a document.
  - Properties: Document properties can contain a vast array of information about your organization, including the authors of documents and other sensitive information. This option strips all document properties.
  - VBA: Visual Basic for Applications is the coding structure behind the application, and can contain sensitive information about the document, or be used to run malicious scripts. This option strips all VBA code from the document. If VBA is used for creating forms, etc., these will also be stripped if this option is selected.
  - Custom XML: Documents can contain embedded XML Data, which can be used to store custom XML in documents. Mimecast supports the removal of custom XML data parts.
- Microsoft Word and RTF
  - Track Changes: Track changes contain review information you may not want to share with recipients. This option deletes all track changes, and ensures they cannot be recovered.
  - Variables: Variables (document information that can be accessed using Visual Basic or a metadata viewer) may have been used in the creation of the document. These will be stripped with this option selected.
  - End Notes and Foot Notes: End notes and foot notes will be removed from the document by selecting this option.
  - Fields: Fields are commonly used in documents for entering text (e.g. date, file names) and update automatically each time the document is accessed. If selected, these are removed from the document.
  - Word Versions: Microsoft Word has versioning capabilities, whereby previous versions of a document can be recalled. This option strips all previous versions associated with the current document.
  - Ink Annotations: Ink Annotations are used when running Microsoft Word on a tablet PC, and allow markup of a document. For example, you can add notes in the margins or circle or underline content. With this option selected, all ink annotations are removed.
  - Watermarks: A watermark allows you to enhance the appearance of the document by adding an image or adding text that identifies the document contents as a “Draft” or “Confidential”. These can be removed before the document is sent out.
  - Hidden Text: Microsoft Word allows you to hide text in a document, which doesn’t appear unless you opt to display it. Selecting this option removes hidden text. We can strip this hidden text, but cannot detect text that was hidden by other methods (e.g. white text on a white background).

| Field / Option | Description |
| --- | --- |
| Add Watermark | This option adds a watermark on each page of a Word or RTF document before it is transformed to PDF. These are the only currently supported file types. Directly adding watermarks to documents that have been transformed to PDFs is currently not supported. The text entry is limited to a maximum of 212 characters. |
| Document Conversion | If using the definition to convert documents, select one of the options below. If the definition's purpose is to strip metadata only, leave this option as "Do Not Convert". |

- PDF: Converts the document to the latest version of PDF/X or PDF/A, stripping the document of all metadata and allowing access only via a PDF reader.
- ODF: ODF is an Open Document Format, allowing the document to be read by many readers.
- Office Versions 97-2013: This option provides the ability to send documents in one of these Microsoft Word versions. This ensures recipients can access the document if they are using a different version of Microsoft Office, including both previous and later versions used in your environment.

| Field / Option | Description |
| --- | --- |
| Source Files | Specify what type of source document to apply the services to. If no source file types are specified, the definition won't be applied to any outgoing documents. |

- Common Options
- Complete the Action on Failed Conversion section as follows:

| Field / Option | Description |
| --- | --- |
| Policy Action | Specify the action to be taken should conversion / processing fail. The available actions are "Allow" and "Hold for Review". All the following fields are only visible if the "Hold for Review" option is selected. |
| Hold Type | Restricts the view of held messages in the On Hold Message Queue. The options are: |

- User (default)
- Moderator
- Administrator.

| Field / Option | Description |
| --- | --- |
| Moderator Group | Use the Lookup button to select a group of moderators who can review and action the message when placed on hold. This option is only available for User and Moderator Hold types. |
| Notify Group | Use the Lookup button to select a group of users to be notified when the policy is triggered. |
| Notify (Internal) Sender | Notifies an internal sender that the policy has been triggered. |
| Notify (External) Sender | Notifies an external sender that the policy has been triggered. |
| Notify (Internal) Recipient | Notifies an internal recipient that the policy has been triggered. |
| Notify (External) Recipient | Notifies an external recipient that the policy has been triggered. |
| Notify Overseers | Notifies the Oversight Group should a Content Overseer policy be configured for the communication pair of the message that triggered the Document Services definition. |

- Click on the Save and Exit button.
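
One way to spot-check a processed Word document for several of the items listed under the Custom profile above, as an added example (not Mimecast code): it opens the .docx package and looks for the OOXML parts and markup that carry each item. The function names and the sample package are constructed for illustration.

```python
import io
import re
import zipfile

# (option name on this page, package part, markup proving presence; None = part exists)
CHECKS = [
    ("Properties", r"docProps/core\.xml", rb"<(dc:creator|cp:lastModifiedBy)>[^<]+<"),
    ("Comments", r"word/comments\.xml", rb"<w:comment\b"),
    ("VBA", r"word/vbaProject\.bin", None),
    ("Custom XML", r"customXml/item\d+\.xml", None),
    ("Track Changes", r"word/document\.xml", rb"<w:(ins|del)\b"),
    ("Hidden Text", r"word/document\.xml", rb'<w:vanish(?![^>]*w:val="(false|0|off)")'),
    ("Template", r"word/settings\.xml", rb"<w:attachedTemplate\b"),
    ("Variables", r"word/settings\.xml", rb"<w:docVar\b"),
]

def audit_docx(data: bytes) -> list[str]:
    """Return the option names whose metadata is still present in a .docx."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for label, part_re, markup_re in CHECKS:
            parts = [n for n in pkg.namelist() if re.fullmatch(part_re, n)]
            hit = bool(parts) if markup_re is None else any(
                re.search(markup_re, pkg.read(n)) for n in parts)
            if hit:
                found.append(label)
    return found

def build_sample(stripped: bool) -> bytes:
    """Constructed stand-in for a .docx package before or after processing."""
    body = "<w:p><w:r><w:t>Quarterly plan</w:t></w:r></w:p>"
    author = ""
    if not stripped:
        author = "A. Author"
        body += ('<w:p><w:ins w:id="1" w:author="A. Author"><w:r><w:t>draft</w:t></w:r>'
                 "</w:ins><w:r><w:rPr><w:vanish/></w:rPr><w:t>internal</w:t></w:r></w:p>")
    parts = {"word/document.xml": f"<w:document><w:body>{body}</w:body></w:document>",
             "docProps/core.xml": f"<cp:coreProperties><dc:creator>{author}</dc:creator></cp:coreProperties>"}
    if not stripped:
        parts["word/vbaProject.bin"] = "placeholder bytes, not a real VBA project"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in parts.items():
            z.writestr(name, text)
    return buf.getvalue()

if __name__ == "__main__":
    print("before:", audit_docx(build_sample(False)))
    print("after: ", audit_docx(build_sample(True)))
```

Like the Hidden Text option itself, this check only sees text marked hidden in the markup, not text disguised by formatting such as white on white.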
Configuring a Document Services Policy
To configure a Document Services policy:
- Log on to the Administration Console.
- Click on the Administration menu item. A menu drop down is displayed.
- Click on the Gateway | Policies menu item. The Gateway Policy Editor is displayed.
- Click on Document Services. A list of policies is displayed.
- Either click on the:
  - Policy to be changed.
  - New Policy button to create a policy.
- Complete the Options section as required:

| Field / Option | Description |
| --- | --- |
| Policy Narrative | Provide a description for the policy to allow you to easily identify it in the future. |
| Select Document Services Policy | Click on the Lookup button to select the required Document Services definition for the policy. |

- Complete the Emails From and Emails To sections as required:

| Field / Option | Description |
| --- | --- |
| Addresses Based On | Specify the email address characteristics the policy is based on. This option is only available in the "Emails From" section. The options are listed in the first table below. |
| Applies From / To | Specify the Sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are listed in the second table below. |

Addresses Based On options:

| Option | Description |
| --- | --- |
| The Return Address (Mail Envelope From) | This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission). |
| The Message From Address (Message Header From) | Applies the policy based on the masked address used in the message's header. |
| Both | Applies the policy based on the Mail Envelope From or the Message Header From, whichever matches. If both match the specified value, the Message Header From is used. |

Applies From / To options:

| Option | Description |
| --- | --- |
| Everyone | Includes all email users (i.e. internal and external). This option is only available in the "Emails From" section. |
| Internal Address | Includes only internal organization addresses. |
| External Address | Includes only external organization addresses. This option is only available in the "Emails From" section. |
| Email Domain | Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field. |
| Address Groups | Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path. |
| Address Attributes | Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop down list. Once the Attribute is specified, a value must be entered in the Is Equal To field. This can only be used if attributes are configured for user accounts. |
| Individual Email Address | Enables you to specify an SMTP address. The email address is entered in the Specifically field. |

- Complete the Validity section as required:

| Field / Option | Description |
| --- | --- |
| Enable / Disable | Use this to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or back date it. Should the policy's configured date range be reached, it is automatically disabled. |
| Set Policy as Perpetual | Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires. |
| Date Range | Specify a start and end date for the policy. This automatically deselects the "Eternal" option. |
| Policy Override | Select this to override the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override. |
| Bi-Directional | If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient. |
| Source IP Ranges (n.n.n.n/x) | Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation. |

- Click on the Save and Exit button.