Document Services provides additional features related to data leak prevention. It also controls the document attachments sent from or received by your organization. Mimecast can be configured to remove confidential metadata from files, or to convert documents to PDF/ODF or a different version of the document, before they are delivered to the recipient.
Document Services can be used to strip revision information from documents, including: Document Properties, Author Credentials, Tracked Changes, Comments and Microsoft Visual Basic for Applications macros. Most of these are never knowingly added and, more importantly, are never intended to be viewed outside the organization.
Documents can also be automatically converted into PDF or ODF format, which reduces the potential risk of metadata access and also helps to secure documents against any accidental or intentional changes by the recipient.
Content Definitions can also be configured to implement Document Services functionality. For example, messages containing the phrase "for internal use only" may be converted into a PDF document before leaving your organization.
Users may also be able to apply Document Services Policies manually using the latest versions of Mimecast End User applications.
To create or change a definition you must:
- Be logged on to the Mimecast Administration Console.
- Have access to the relevant Gateway menu item for the definition being created or changed.
Creating / Changing a Document Services Definition
- Open the Gateway Policy Editor.
- Select the Definitions drop down. A list of the definition types is displayed.
- Select the Document Services definition type from the list. The list of definitions is displayed.
- Select a folder in the Navigator. A Document Services definition cannot be created in the Root folder.
- Either select the:
  - Policy to be changed.
  - New Document Definition button to create a definition.
- Complete the Office Document Processing section as follows:
| Field | Description |
| --- | --- |
| Description | Enter a description for the definition. |
| Metadata Profile | If using the definition to strip metadata, select a Metadata Profile to apply. If you are using the definition to only convert documents, leave the profile as None. The profile selected will determine what is stripped by Mimecast when the document is processed. The default profiles provided group certain aspects that can be stripped together, or alternatively the Custom profile can be selected. This allows the Administrator to choose the items to be stripped from a list. |
| Profile | Description |
| --- | --- |
| Basic | Removes Document Properties, Track Changes, and Microsoft Visual Basic for Applications macros (VBA). |
| Common | Removes Routing Slips (email addresses added as recipients to a document). |
| All | This selects all items for stripping. |
| Unsafe | This includes only the removal of Microsoft Visual Basic for Applications macros (VBA). |
| Custom | The Administrator selects the stripping parameters specified in the following list: |
- Common Options
  - Template: Every document is based on a template which is accessible to the recipient. The Template option removes the template from the document.
  - Comments: Removes all comments from within a document.
  - Properties: Document Properties can contain a vast array of information about your organization, including the author of the document and other sensitive information. Checking Properties will strip all Document Properties.
  - VBA: Visual Basic for Applications is the coding structure behind the application, and can contain sensitive information about the document, or be used to run malicious scripts. This option strips all VBA code from the document. If VBA is used for creating forms, etc., these will also be stripped if this option is selected.
  - Custom XML: Documents can contain embedded XML Data, which can be used to store custom XML in documents. Mimecast supports the removal of custom XML data parts.
- Microsoft Word and RTF
  - Track Changes: Track Changes usually contain review information that you may not want to share with the intended recipient of the document. This option deletes all Track Changes and ensures they cannot be recovered.
  - Variables: Variables (information about the document that can be accessed using Visual Basic or viewed using a metadata viewer) may have been used in the creation of the document. These will be stripped when the Variables box is checked.
  - End Notes and Foot Notes: End Notes/Foot Notes will be removed from the document by selecting this option.
  - Fields: Fields are commonly used in documents for text such as Date, Filenames, etc., and these update automatically each time the document is accessed. If selected, Mimecast removes the details from these fields.
  - Word Versions: Word has versioning capabilities, whereby previous versions of a document can be recalled. This option strips all previous versions associated with the current document.
  - Ink Annotations: Ink Annotations are used when running Word on a Tablet PC, and allow mark up of a document similar to how you would do so on paper. For example, you can add notes in the margins or circle or underline content. By selecting Ink Annotations, these modifications are removed.
  - Watermarks: A watermark allows you to enhance the appearance of the document by adding an image or adding text that identifies the document contents as a “Draft” or “Confidential”. These can be removed before the document is sent out by checking Watermarks.
  - Hidden Text: Word allows you to hide text in your document, which doesn’t appear unless you opt to display it. Checking this option will remove Hidden Text. Mimecast can strip this hidden text, but cannot detect text that was hidden by other methods (e.g. white text on a white background).
This function will insert a watermark on each page of a Word or RTF document before it is transformed to PDF. These are the only currently supported file types. Directly adding watermarks to documents that have been transformed to PDFs is currently not supported. The text entry is limited to a maximum of 212 characters.
If using the definition to convert documents, select a Document Conversion option. Alternatively, if the purpose of the definition is to strip metadata only, leave this option as Do Not Convert.
- PDF: Converts the document to the latest version of PDF/X or PDF/A, stripping the document of all metadata and allowing access only via a PDF reader.
- ODF: ODF is an Open Document Format, allowing the document to be read by many readers.
- Office Versions 97-2013: This option provides the ability to send documents in one of these versions, ensuring that recipients can access the document if they are using a different version of Office. This includes both previous and later versions of Office that are currently used in your environment.
Source Files: Specify what type of source document to apply the services to. If no source file types are specified, the definition will not be applied to any outgoing documents.
- Common Options
- Complete the Action on Failed Conversion section as follows:
| Field | Description |
| --- | --- |
| Policy Action | This option specifies the action to be taken should conversion / processing fail. The available actions are "Allow" and "Hold for Review". All the following fields are only visible if the "Hold for Review" option is selected. |
| Hold Type | Restricts the view of held messages in the On Hold Message Queue. The options are: User (default) |
| Moderator Group | Used to select a group of moderators who can review and action the message when placed On Hold. This option is only available for User and Moderator Hold types. Use the Lookup button to select a group. |
| Notify Group | Use this option to notify a group of users when the policy is triggered. Use the Lookup button to select a group. |
| Notify (Internal) Sender | Use this option to notify an internal sender that the policy has been triggered. |
| Notify (External) Sender | Use this option to notify an external sender that the policy has been triggered. |
| Notify (Internal) Recipient | Use this option to notify an internal recipient that the policy has been triggered. |
| Notify (External) Recipient | Use this option to notify an external recipient that the policy has been triggered. |
| Notify Overseers | Use this option to notify the Oversight Group should a Content Overseer policy have been configured for the communication pair of the message that triggered the Document Services definition. |
- Select the Save and Exit button.
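
An independent spot check for the Metadata Profile options described above, as an added example (not Mimecast code, and not a description of how Mimecast processes documents): it inspects a .docx package for the categories the page lists, plus a heuristic for white-coloured text, which the Hidden Text option is stated not to detect. The function names, category labels and the two sample packages are assumptions constructed for this example; the samples are minimal zip packages, not documents that Word would open.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_URI = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_URI + "}"
DOC, CORE = "word/document.xml", "docProps/core.xml"
PARTS = {"VBA": "vbaproject.bin", "Comments": "word/comments.xml", "Custom XML": "customxml/"}

def audit_docx(data: bytes) -> set:
    """Return the categories (named after the page's options) still present."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # For untrusted files, use a hardened XML parser in place of ElementTree.
        body = ET.fromstring(zf.read(DOC)) if DOC in names else ET.Element("none")
        core = ET.fromstring(zf.read(CORE)) if CORE in names else ET.Element("none")
    # Categories that show up as whole package parts (lower-cased name match).
    found = {cat for cat, hint in PARTS.items() if any(hint in n.lower() for n in names)}
    if any((el.text or "").strip() for el in core.iter()):
        found.add("Properties")
    revisions = {W + t for t in ("ins", "del", "moveFrom", "moveTo")}
    if any(el.tag in revisions for el in body.iter()):
        found.add("Track Changes")
    if any(v.get(W + "val", "1") not in ("0", "false") for v in body.iter(W + "vanish")):
        found.add("Hidden Text")
    # Heuristic for text hidden "by other methods": runs coloured white.
    if any(c.get(W + "val", "").upper() == "FFFFFF" for c in body.iter(W + "color")):
        found.add("White text (heuristic)")
    return found

def build_docx(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in parts.items():
            zf.writestr(name, text)
    return buf.getvalue()

NS = f'xmlns:w="{W_URI}"'
P = f"<w:document {NS}><w:body><w:p>%s</w:p></w:body></w:document>"
DIRTY = build_docx({  # constructed sample, not a real document
    DOC: P % ('<w:ins w:id="1" w:author="A. Reviewer"><w:r><w:t>old price</w:t></w:r></w:ins>'
              '<w:r><w:rPr><w:vanish/></w:rPr><w:t>internal note</w:t></w:r>'
              '<w:r><w:rPr><w:color w:val="ffffff"/></w:rPr><w:t>white text</w:t></w:r>'),
    CORE: '<cp:coreProperties xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cp='
          '"http://schemas.openxmlformats.org/package/2006/metadata/core-properties">'
          '<dc:creator>A. Author</dc:creator></cp:coreProperties>',
    "word/comments.xml": f"<w:comments {NS}/>",
    "word/vbaProject.bin": "placeholder, not real VBA", "customXml/item1.xml": "<root/>",
})
CLEAN = build_docx({DOC: P % "<w:r><w:t>Quote attached.</w:t></w:r>"})
```

Running `audit_docx` over a copy of a processed attachment and expecting an empty set is a quick way to confirm that a definition strips what its profile is meant to strip.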