Configuring Document Services Definitions and Policies

Document created by user.oxriBaJeN4 Employee on Sep 11, 2015. Last modified by user.Yo2IBgvWqr on Oct 9, 2017.
Version 10

Document Services provide additional features related to Data Leak Prevention, by controlling attachments sent to or from your organization. They can be used to remove confidential metadata from documents, or convert documents to a different format before they are delivered to a recipient. Document Services can also be used to strip revision information from documents, including:

  • Document properties
  • Author credentials
  • Tracked changes
  • Comments
  • Microsoft Visual Basic for Applications macros

Most of these are never knowingly added and, more importantly, are never intended to be viewed outside an organization.




Consider the following before configuring a definition or policy:

  • Documents can be automatically converted into PDF or ODF format. This reduces the potential risk of metadata access, and secures documents against any accidental or intentional changes by the recipient.
  • To aid in communicating with external organizations that may have different versions of Microsoft Word, policies can be created to convert Word documents into older or newer versions.
  • You can configure a Document Services Bypass policy to override aspects of this policy.


Configuring a Document Services Definition


To configure a Document Services definition:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item. The Gateway Policy Editor is displayed.
  4. Click on the Definitions button. A list of definition types is displayed.
  5. Click on the Document Services definition type from the list.
  6. Select a Folder in the navigator. A definition cannot be created in the Root folder.
  7. Either click on the:
    • Definition to be changed.
    • New Document Definition button to create a definition.
  8. Complete the Office Document Processing section as follows:
    Field / Option: Description
    Description: Enter a description for the definition.
    Metadata Profile: If using the definition to strip metadata, select a Metadata Profile to apply. If you are using the definition only to convert documents, leave the profile as "None". The profile selected determines what is stripped by us when the document is processed. The default profiles provided group certain aspects that can be stripped together. Alternatively, the "Custom" profile can be selected to allow you to choose the items to be stripped from a list.
      • Basic: Removes document properties, track changes, and Microsoft Visual Basic for Applications macros (VBA).
      • Common: Removes routing slips (email addresses added as recipients to a document).
      • All: This selects all items for stripping.
      • Unsafe: This includes only the removal of Microsoft Visual Basic for Applications macros (VBA).
      • Custom: You can select the stripping parameters specified in the following list:
        • Common Options
          • Template: Every document is based on a template which is accessible to the recipient. The Template option removes the template from the document.
          • Comments: Removes all comments from a document.
          • Properties: Document properties can contain a vast array of information about your organization, including the authors of documents and other sensitive information. This option strips all document properties.
          • VBA: Visual Basic for Applications is the coding structure behind the application, and can contain sensitive information about the document, or be used to run malicious scripts. This option strips all VBA code from the document. If VBA is used for creating forms, etc., these will also be stripped if this option is selected.
          • Custom XML: Documents can contain embedded XML data, which can be used to store custom XML in documents. Mimecast supports the removal of custom XML data parts.
        • Microsoft Word and RTF
          • Track Changes: Track changes contain review information you may not want to share with recipients. This option deletes all track changes, and ensures they cannot be recovered.
          • Variables: Variables (document information that can be accessed using Visual Basic or a metadata viewer) may have been used in the creation of the document. These will be stripped with this option selected.
          • End Notes and Foot Notes: End notes and foot notes will be removed from the document by selecting this option.
          • Fields: Fields are commonly used in documents for entering text (e.g. date, file names) and update automatically each time the document is accessed. If selected, these are removed from the document.
          • Word Versions: Microsoft Word has versioning capabilities, whereby previous versions of a document can be recalled. This option strips all previous versions associated with the current document.
          • Ink Annotations: Ink Annotations are used when running Microsoft Word on a tablet PC, and allow markup of a document. For example, you can add notes in the margins or circle or underline content. With this option selected, all ink annotations are removed.
          • Watermarks: A watermark allows you to enhance the appearance of the document by adding an image or adding text that identifies the document contents as a “Draft” or “Confidential”. These can be removed before the document is sent out.
          • Hidden Text: Microsoft Word allows you to hide text in a document, which doesn’t appear unless you opt to display it. Selecting this option removes hidden text. We can strip this hidden text, but cannot detect text that was hidden by other methods (e.g. white text on a white background).
    Add Watermark: This option adds a watermark on each page of a Word or RTF document before it is transformed to PDF. These are the only currently supported file types. Directly adding watermarks to documents that have been transformed to PDFs is currently not supported. The text entry is limited to a maximum of 212 characters.
    Document Conversion: If using the definition to convert documents, select one of the options below. If the definition's purpose is to strip metadata only, leave this option as "Do Not Convert".
      • PDF: Converts the document to the latest version of PDF/X or PDF/A, stripping the document of all metadata and allowing access only via a PDF reader.
      • ODF: ODF is an Open Document Format, allowing the document to be read by many readers.
      • Office Versions 97-2013: This option provides the ability to send documents in one of these Microsoft Word versions. This ensures recipients can access the document if they are using a different version of Microsoft Office, including both previous and later versions used in your environment.
    Source Files: Specify what type of source document to apply the services to. If no source file types are specified, the definition won't be applied to any outgoing documents.
  9. Complete the Action on Failed Conversion section as follows:
    Field / Option: Description
    Policy Action: Specify the action to be taken should conversion / processing fail. The available actions are "Allow" and "Hold for Review". All the following fields are only visible if the "Hold for Review" option is selected.
    Hold Type: Restricts the view of held messages in the On Hold Message Queue. The options are:
      • User (default)
      • Moderator
      • Administrator
      For Data Leak Prevention (DLP) reasons, a user won't be able to release outbound items that were placed on hold due to a Content Examination policy.
    Moderator Group: Use the Lookup button to select a group of moderators who can review and action the message when placed on hold. This option is only available for User and Moderator Hold types.
    Notify Group: Use the Lookup button to select a group of users to be notified when the policy is triggered.
    Notify (Internal) Sender: Notifies an internal sender that the policy has been triggered.
    Notify (External) Sender: Notifies an external sender that the policy has been triggered.
    Notify (Internal) Recipient: Notifies an internal recipient that the policy has been triggered.
    Notify (External) Recipient: Notifies an external recipient that the policy has been triggered.
    Notify Overseers: Notifies the Oversight Group should a Content Overseer policy be configured for the communication pair of the message that triggered the Document Services definition.
  10. Click on the Save and Exit button.
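
To spot-check that a processed .docx no longer carries the items the Custom profile options in step 8 strip, the following added example (not Mimecast's code, and independent of how the service itself works) scans the Office Open XML package for them. The two sample packages are constructed inline and contain only the parts the checks look at.

```python
import io
import re
import zipfile

# (stripping option, package part name pattern, content pattern or None).
# Part and element names come from the Office Open XML (.docx) format.
CHECKS = [
    ("Properties", r"^docProps/core\.xml$", rb"<(dc:creator|cp:lastModifiedBy)>[^<]+<"),
    ("Comments", r"^word/comments\.xml$", rb"<w:comment\b"),
    ("VBA", r"(^|/)vbaProject\.bin$", None),
    ("Custom XML", r"^customXml/item\d+\.xml$", None),
    ("Track Changes", r"^word/document\.xml$", rb"<w:(ins|del|moveFrom|moveTo)\b"),
    ("Hidden Text", r"^word/document\.xml$", rb'<w:vanish(?![^>]*w:val="(false|0)")'),
    ("Fields", r"^word/document\.xml$", rb"<w:(fldSimple|instrText)\b"),
]

def audit_docx(data: bytes) -> list[str]:
    """Return the sorted option names whose target is still present in the package."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            for option, part_re, body_re in CHECKS:
                if not re.search(part_re, name):
                    continue
                # A None content pattern means the part's presence alone is the finding.
                if body_re is None or re.search(body_re, pkg.read(name)):
                    found.add(option)
    return sorted(found)

def build_sample(parts: dict[str, bytes]) -> bytes:
    """Zip constructed parts into a package (enough for the checks, not openable in Word)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, body in parts.items():
            pkg.writestr(name, body)
    return buf.getvalue()

DIRTY = build_sample({  # constructed: document as it left the author's desk
    "docProps/core.xml": b"<cp:coreProperties><dc:creator>J. Smith</dc:creator></cp:coreProperties>",
    "word/document.xml": b'<w:document><w:ins w:author="J. Smith"><w:r><w:t>new</w:t></w:r></w:ins>'
                         b"<w:r><w:rPr><w:vanish/></w:rPr><w:t>internal note</w:t></w:r></w:document>",
    "word/comments.xml": b'<w:comments><w:comment w:id="0"><w:p/></w:comment></w:comments>',
    "word/vbaProject.bin": b"\x00",
})
CLEAN = build_sample({  # constructed: same document after stripping
    "docProps/core.xml": b"<cp:coreProperties><dc:creator></dc:creator></cp:coreProperties>",
    "word/document.xml": b"<w:document><w:r><w:t>final text</w:t></w:r></w:document>",
})

if __name__ == "__main__":
    print("dirty:", audit_docx(DIRTY), "| clean:", audit_docx(CLEAN))
```

As with the Hidden Text option described in step 8, this only sees text that is marked hidden in the markup, not text disguised by formatting such as white text on a white background.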


Configuring a Document Services Policy


To configure a Document Services policy:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item. The Gateway Policy Editor is displayed.
  4. Click on Document Services. A list of policies is displayed.
  5. Either click on the:
    • Policy to be changed.
    • New Policy button to create a policy.
  6. Complete the Options section as required:
    Field / Option: Description
    Policy Narrative: Provide a description for the policy to allow you to easily identify it in the future.
    Select Document Services Policy: Click on the Lookup button to select the required Document Services definition for the policy.
  7. Complete the Emails From and Emails To sections as required:
    Field / Option: Description
    Addresses Based On: Specify the email address characteristics the policy is based on. This option is only available in the "Emails From" section. The options are:
      • The Return Address (Mail Envelope From): This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission).
      • The Message From Address (Message Header From): Applies the policy based on the masked address used in the message's header.
      • Both: Applies the policy based on the Mail Envelope From or the Message Header From, whichever matches. If both match the specified value, the Message Header From is used.
    Applies From / To: Specify the Sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are:
      • Everyone: Includes all email users (i.e. internal and external). This option is only available in the "Emails From" section.
      • Internal Address: Includes only internal organization addresses.
      • External Address: Includes only external organization addresses. This option is only available in the "Emails From" section.
      • Email Domain: Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
      • Address Groups: Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.
      • Address Attributes: Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop down list. Once the Attribute is specified, a value must be entered in the Is Equal To field. This can only be used if attributes are configured for user accounts.
      • Individual Email Address: Enables you to specify an SMTP address. The email address is entered in the Specifically field.
  8. Complete the Validity section as required:
    Field / Option: Description
    Enable / Disable: Use this to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or back date it. Should the policy's configured date range be reached, it is automatically disabled.
    Set Policy as Perpetual: Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires.
    Date Range: Specify a start and end date for the policy. This automatically deselects the "Eternal" option.
    Policy Override: Select this to override the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override.
    Bi-Directional: If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.
    Source IP Ranges (n.n.n.n/x): Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  9. Click on the Save and Exit button.
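
The three Addresses Based On options and the Source IP Ranges field can be modelled as below. This is an added illustration of the rules as documented in steps 7 and 8, not the product's implementation; the function names, the domain-suffix comparison and the sample message are assumptions constructed for the example.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

def match_sender(mode, envelope_from, raw_message, domain):
    """Return the sender address a domain rule matched on, or None.

    mode is 'envelope' (Mail Envelope From), 'header' (Message Header From) or 'both'.
    """
    header_from = parseaddr(message_from_string(raw_message).get("From", ""))[1]

    def in_domain(address):
        return address.lower().endswith("@" + domain.lower())

    env_ok, hdr_ok = in_domain(envelope_from), in_domain(header_from)
    if mode == "envelope":
        return envelope_from if env_ok else None
    if mode == "header":
        return header_from if hdr_ok else None
    # 'both': either address may match; the header address is used when both do.
    if hdr_ok:
        return header_from
    return envelope_from if env_ok else None

def source_ip_in_ranges(source_ip, cidr_ranges):
    """True if the connecting IP falls inside any configured n.n.n.n/x range."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in cidr_ranges)

# Constructed sample: a message relayed by a bulk mailer, so the envelope
# sender and the header From carry different domains.
ENVELOPE_FROM = "bounces@mailer.example.net"
RAW_MESSAGE = (
    "From: Alice <alice@example.com>\r\n"
    "To: bob@example.org\r\n"
    "Subject: Q3 draft\r\n"
    "\r\n"
    "See attachment.\r\n"
)

if __name__ == "__main__":
    for mode in ("envelope", "header", "both"):
        print(mode, "->", match_sender(mode, ENVELOPE_FROM, RAW_MESSAGE, "example.com"))
    print(source_ip_in_ranges("203.0.113.25", ["203.0.113.0/24"]))
```

With the default envelope-based setting, a policy scoped to example.com does not apply to this message even though the recipient sees an example.com sender, which is worth checking when a Document Services policy appears not to trigger.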

