Data loss prevention in Exchange 2016

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders. We welcome your feedback. Send us an e-mail at]

Applies to: Exchange Online, Exchange Server 2016

Learn about DLP policies in on-premises Exchange 2016, including what they contain and how to test them.

Data loss prevention (DLP) is important in Exchange Server 2016 because business critical email communication often includes sensitive data. DLP features make managing sensitive data in email messages easier than ever before by balancing compliance requirements without unnecessarily hindering the productivity of workers. For a conceptual overview of DLP, watch the following video.


DLP policies are simple packages: collections of mail flow rules (also known as transport rules) that contain specific conditions, actions, and exceptions that filter messages and attachments based on their content. You can create a DLP policy but choose not to activate it. This allows you to test your policies without affecting mail flow. For more information, see Test a mail flow rule.

DLP policies can use the full power of mail flow rules to detect and then act on messages in transit. For example, a mail flow rule can perform deep content analysis through keyword matches, dictionary matches, text pattern matches through regular expressions, and other content examination techniques to detect content that violates your organization's DLP policies. Document fingerprinting is also available to help you detect sensitive information in standard forms. For more information, see the following topics:

In addition to the customizable DLP policies themselves, you can also inform email senders when they're about to violate one of your policies, even before they send a message that contains sensitive information. You do this by configuring Policy Tips. Policy Tips present a brief note about the possible policy violations in Outlook 2013 or later, Outlook on the web (formerly known as Outlook Web App), and Outlook on the web for devices. For more information, see Policy Tips.


  • Data loss prevention is a premium feature that requires an Exchange Enterprise Client Access License (CAL). For more information about CALs and server licensing, see the Exchange Server licensing topic.

  • In hybrid environments where some mailboxes are in on-premises Exchange and some are in Exchange Online, DLP policies are only applied in Exchange Online. Messages that are sent between on-premises users don't have DLP policies applied, because the messages don't leave the on-premises environment.

Looking for management tasks related to Data Loss Prevention? See Data loss prevention (DLP) procedures.

The data loss prevention features can help you identify and monitor many categories of sensitive information that you have defined within the conditions of your policies, such as private identification numbers or credit card numbers. You have the option of defining your own custom policies and mail flow rules, or you can use the DLP policy templates that are included in Exchange to get started quickly. A policy template is a model that includes a range of conditions, rules, and actions that you can choose from to create and save an actual DLP policy that will help you inspect messages. For more information about the included policy templates, see DLP policy templates supplied in Exchange.

There are three different methods that you can use to implement DLP:

  1. Apply an out-of-the-box template supplied in Exchange: The quickest way to start using DLP policies is to create and implement a new policy by using a template. This saves you the effort of building a new set of rules from nothing. You need to know what type of data you want to check for or which compliance regulation you are attempting to address. You also need to know your organization's expectations for processing this data. For more information, see DLP policy templates supplied in Exchange and Create a DLP policy from a template.

  2. Import a pre-built policy file from outside your organization: You can import policies that were created by independent software vendors. In this way, you can extend the DLP solution to meet your business requirements. For more information, see Policy templates from Microsoft partners, Define your own DLP templates and information types, and Import a custom DLP policy template from a file.

  3. Create a custom policy without any pre-existing conditions: Your enterprise may have its own requirements for monitoring certain types of data that are known to exist within a messaging system. You can create a custom policy entirely on your own to find and act on your own unique message data. You need to know the requirements and constraints of the environment where the DLP policy will be enforced to create effective custom policies. For more information, see Create a custom data loss prevention (DLP) policy.

After you add a policy, you can review and change its rules, deactivate the policy, or remove it completely. For more information, see Manage data loss prevention (DLP) policies.

When you create or change DLP policies, you can include rules that look for sensitive information. The sensitive information types that are listed in the topic Sensitive information types in Exchange 2016 are available for you to use in your policies. You can customize the conditions within a policy, such as how many times something has to be found before an action is taken, or the action to take. For more information about creating DLP policies, see Create a custom data loss prevention (DLP) policy. For more information about mail flow rules, see Mail flow rules in Exchange 2016.
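
The workflow described above (start from a supplied template, keep the policy in test mode, then set how many matches trigger a rule) can be carried out in the Exchange Management Shell as follows. This is an added example, not part of the original topic: the policy and rule names are placeholders, and it assumes the 'U.S. Financial Data' template and the 'Credit Card Number' sensitive information type are present in your installation.

```powershell
# Added example (not from the original topic). Run in the Exchange Management Shell.
# Placeholder names: adjust to your organization.
$policyName = 'Contoso Financial Data (pilot)'

# 1. List the DLP policy templates that ship with Exchange.
Get-DlpPolicyTemplate | Format-Table Name, Description -AutoSize

# 2. Create a policy from a template in test mode.
#    -Mode Audit          : rules are evaluated and logged, mail flow is not affected.
#    -Mode AuditAndNotify : same, but Policy Tips are also shown to senders.
New-DlpPolicy -Name $policyName `
    -Template 'U.S. Financial Data' `
    -Mode Audit `
    -State Enabled

# 3. Add a custom rule to the policy: messages to external recipients that
#    contain at least two credit card numbers. minCount is the "how many times
#    something has to be found" threshold; raising it reduces false positives.
New-TransportRule -Name 'Contoso: 2+ card numbers to external recipients' `
    -DlpPolicy $policyName `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name = 'Credit Card Number'; minCount = '2'} `
    -SetAuditSeverity High `
    -NotifySender NotifyOnly `
    -Mode Audit

# 4. After reviewing the audit results, switch the policy to enforcement.
Set-DlpPolicy -Identity $policyName -Mode Enforce

# 5. Confirm the state and mode of every rule that belongs to the policy.
Get-TransportRule -DlpPolicy $policyName |
    Format-Table Name, State, Mode, Priority -AutoSize
```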

To make it easy for you to use rules that look for sensitive information, Exchange comes with policy templates that already include some of the sensitive information types. You can't add conditions for all of the sensitive information types, because the templates are designed to help you focus on the most common types of compliance-related data within your organization. For more information about the pre-built templates, see DLP policy templates supplied in Exchange.

You can create many DLP policies for your organization, and enable them all so that many different types of information are looked for. You can also create a DLP policy that isn't based on an existing template. To create such a policy, see Create a custom data loss prevention (DLP) policy. For more information about the available sensitive information types, see Sensitive information types in Exchange 2016.

Exchange lets you use document fingerprinting to easily create a sensitive information type that's based on a standard form. To learn how to protect form data, see Protect form data with document fingerprinting.

You can use Policy Tip notification messages to inform email senders about possible compliance issues while they are composing an email message. When you configure a Policy Tip in a DLP policy, the notification message will only show up if something in the sender's email message matches the conditions described in your policy. Policy Tips are similar to MailTips that were introduced in Exchange 2010. For more information, see Policy Tips.

A key factor in the strength of a DLP solution is the ability to correctly identify confidential or sensitive content that may be unique to your organization, regulatory needs, geography, or other business needs. The Exchange DLP architecture uses deep content analysis coupled with detection criteria that you establish through rules in your DLP policies. Helping to prevent data loss in Exchange requires you to configure the appropriate set of sensitive information rules that provide a high degree of protection while minimizing disruptions to mail flow that are caused by false positives and negatives. These types of rules (referred to throughout the DLP information as sensitive information detection) function within the framework of mail flow rules to enable DLP capabilities. To learn more about these features, see Integrating sensitive information rules with transport rules.

You can still apply traditional message classifications to messages, and you can combine these classifications with sensitive information detection. You can use these features together within a single DLP policy, or operate them independently (concurrently). To learn more about the traditional Exchange 2010 message classifications, see Understanding Message Classifications.

To see information about messages that contain DLP policy detections in your environment, see View DLP policy detection reports and Create incident reports for DLP policy detections. Data related to DLP detections is highly integrated in the delivery reports.