Data loss prevention in Exchange 2016

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders. If you have feedback, we'd love to hear from you. Send us an email at:]  

Applies to: Exchange Server 2016

Summary: Learn about DLP policies in on-premises Exchange 2016, including what they contain and how to test them.

Data loss prevention (DLP) is important in Exchange Server 2016 because business-critical email communication often includes sensitive data. DLP features make managing sensitive data in email messages easier than ever before, helping you meet compliance requirements without unnecessarily hindering the productivity of workers. For a conceptual overview of DLP, watch the following video.


DLP policies are simple packages: collections of mail flow rules (also known as transport rules) that contain specific conditions, actions, and exceptions that filter messages and attachments based on their content. You can create a DLP policy, yet choose to not activate it. This allows you to test your policies without affecting mail flow. For more information, see Test a mail flow rule.

DLP policies can use the full power of mail flow rules to detect and then act on messages in transit. For example, a mail flow rule can perform deep content analysis through keyword matches, dictionary matches, text pattern matches through regular expressions, and other content examination techniques to detect content that violates your organization's DLP policies. Document fingerprinting is also available to help you detect sensitive information in standard forms. For more information, see the following topics:

In addition to the customizable DLP policies themselves, you can also inform email senders when they're about to violate one of your policies, even before they send a message that contains sensitive information. You do this by configuring Policy Tips. Policy Tips present a brief note about the possible policy violations in Outlook 2013 or later, Outlook on the web (formerly known as Outlook Web App), and Outlook on the web for devices. For more information, see Policy Tips.

  • DLP is a premium feature that requires an Exchange Enterprise Client Access License (CAL). For more information about CALs and server licensing, see Exchange Server Licensing.

  • In hybrid environments where some mailboxes are in on-premises Exchange and some are in Exchange Online, DLP policies are only applied in Exchange Online. Messages that are sent between on-premises users don't have DLP policies applied, because the messages don't leave the on-premises environment.

Looking for management tasks related to Data Loss Prevention? See DLP procedures.

The data loss prevention features can help you identify and monitor many categories of sensitive information that you have defined within the conditions of your policies, such as private identification numbers or credit card numbers. You have the option of defining your own custom policies and mail flow rules, or you can use the DLP policy templates that are included in Exchange to get started quickly. A policy template is a model that includes a range of conditions, rules, and actions that you can choose from to create and save an actual DLP policy that will help you inspect messages. For more information about the included policy templates, see DLP policy templates supplied in Exchange.

There are three different methods that you can use to implement DLP:

After you add a policy, you can review and change its rules, deactivate the policy, or remove it completely. For more information, see Manage DLP policies.

When you create or change DLP policies, you can include rules that look for sensitive information. The sensitive information types that are listed in the topic Sensitive information types in Exchange Server 2016 are available for you to use in your policies. You can customize the conditions within a policy, such as how many times something has to be found before an action is taken, or the action to take. For more information about creating DLP policies, see Create a custom DLP policy. For more information about mail flow rules, see Mail flow rules in Exchange 2016.

To make it easy for you to use rules that look for sensitive information, Exchange comes with policy templates that already include some of the sensitive information types. You can't add conditions for all of the sensitive information types, because the templates are designed to help you focus on the most common types of compliance-related data within your organization. For more information about the pre-built templates, see DLP policy templates supplied in Exchange.

You can create many DLP policies for your organization, and enable them all so that many different types of information are looked for. You can also create a DLP policy that isn't based on an existing template. To create such a policy, see Create a custom DLP policy. For more information about the available sensitive information types, see Sensitive information types in Exchange Server 2016.

Exchange lets you use Document Fingerprinting to easily create a sensitive information type that's based on a standard form. To learn how to protect form data, see Protect form data with document fingerprinting.

You can use Policy Tip notification messages to inform email senders about possible compliance issues while they are composing an email message. When you configure a Policy Tip in a DLP policy, the notification message will only show up if something in the sender's email message matches the conditions described in your policy. Policy Tips are similar to MailTips that were introduced in Exchange 2010. For more information, see Policy Tips.

A key factor in the strength of a DLP solution is the ability to correctly identify confidential or sensitive content that may be unique to your organization, regulatory needs, geography, or other business needs. The Exchange DLP architecture uses deep content analysis coupled with detection criteria that you establish through rules in your DLP policies. Helping to prevent data loss in Exchange requires you to configure the appropriate set of sensitive information rules that provide a high degree of protection while minimizing disruptions to mail flow that are caused by false positives and negatives. These types of rules (referred to throughout the DLP information as sensitive information detection) function within the framework of mail flow rules to enable DLP capabilities. To learn more about these features, see Integrating sensitive information rules with transport rules.
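The following sketch is an added example, not Exchange's detection engine or code from this documentation. It illustrates the two ideas above: a rule that acts only after a minimum number of matches, and detection criteria (pattern, checksum, nearby keyword) that cut false positives. The keyword list, context window, function names and the "audit"/"enforce" mode labels are assumptions made for the illustration.

```python
import re

# Candidate pattern: 13-16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# Corroborating evidence: assumed keyword list and context window for this sketch.
KEYWORDS = re.compile(r"\b(visa|mastercard|amex|card number|expir\w*|cvv)\b", re.I)
WINDOW = 100  # characters searched on each side of a candidate


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_cards(text):
    """Distinct candidates that pass the checksum and have a keyword nearby."""
    hits = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        context = text[max(0, m.start() - WINDOW):m.end() + WINDOW]
        if luhn_ok(digits) and KEYWORDS.search(context):
            hits.add(digits)
    return hits


def evaluate(text, min_count=1, mode="audit"):
    """Act only when at least min_count distinct matches are found."""
    if len(find_cards(text)) < min_count:
        return "deliver"
    # A policy under test records the detection but does not stop the message.
    return "block" if mode == "enforce" else "deliver+audit"


# Constructed sample messages; the card numbers are public test numbers.
SAMPLES = {
    "invoice": "Order 4111 1111 1111 1112 shipped, tracking 1234567890123456.",
    "ticket": "Ticket reference 4111111111111111 was closed.",
    "single": "Please charge my Visa, card number 4111-1111-1111-1111, expiry 12/30.",
    "bulk": "Visa 4111111111111111\nMastercard 5555555555554444\nAmex 378282246310005",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, evaluate(body, min_count=2, mode="enforce"))
```

The "ticket" sample shows the trade-off: requiring a nearby keyword suppresses a false positive on a 16-digit reference, but the same requirement would miss a genuine card number sent without context.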

You can still apply traditional message classifications to messages, and you can combine these classifications with sensitive information detection. You can use these features together within a single DLP policy, or operate them independently (concurrently). To learn more about the traditional Exchange 2010 message classifications, see Understanding Message Classifications.

To see information about messages that contain DLP policy detections in your environment, see View DLP policy detection reports and Create incident reports for DLP policy detections. Data related to DLP detections is highly integrated in the delivery reports.