How to Prevent Data Leakage through Windows Information Protection


Now is the time to protect information whose exposure can have a huge impact on individuals and organizations. If such information falls into the hands of malicious users or criminals, the consequences can be serious. Edward Snowden, the NSA, John Podesta, the Democratic National Party, and other recent media headlines have shown the devastating consequences of information leakage.

Organizations that run Windows on most of their user devices have a ready answer: Windows Information Protection (WIP), a data leakage prevention technology. WIP identifies classified information that could affect the business, and keywords associated with sensitive information, that might flow out of the corporate security fence, and it applies a plan to prevent or mitigate that leakage.

WIP is useful when:

You need to protect business-related information stored on a company-owned or employee-owned device, such as a smartphone or tablet, that can connect to company resources through a BYOD program.

You are using business applications that have no data leak prevention of their own and you need an extra layer or two of protection.

You need a protection scheme that integrates with System Center Configuration Manager or with Microsoft Intune, the cloud-based management platform.

How does WIP work and how do you use it?

Let’s look at what WIP is and how it can be deployed and used.

First, keep in mind that WIP is Windows 10 technology. In order to implement WIP across the enterprise, migration to Windows 10 from Windows 7 and Windows 8.1 must be completed.

When a user creates a new document, spreadsheet, or other file on a protected device, WIP runs and asks whether to save the file as a ‘Work Document’ with full WIP protection. Such a business document, whether stored locally on the protected device or on removable media such as an SD card or USB flash drive, is treated as corporate data. All business files stored on the device or on removable media are encrypted at rest.

WIP does not protect only new content. When an employee on a protected device visits a network share, or downloads content from a SharePoint document library or a corporate intranet, WIP encrypts the data and applies the policy.

WIP also puts barriers around data accessed through applications on protected devices. Administrators can define which apps may use ‘business data’ and restrict copying and pasting of that data to those apps only. Conversely, you can block specific apps, preventing data from moving from WIP-enabled devices into blocked apps (Gmail, Secrets, etc.).

By default, apps are governed by a white list: everything is blocked, and apps are added to the white list manually to approve their access to business data. Some applications, notably Microsoft Office, recognize WIP and protect data themselves. These applications keep data protected even when an employee pastes content from a protected file into a new document and saves it, because WIP recognizes the new file and automatically encrypts it.

An app that recognizes WIP is called an ‘enlightened app’. Windows 10 developers can optionally create WIP-aware apps that inherit these features automatically without additional code.

WIP supports multiple levels of protection. Occasionally employees may need the authority to override WIP protection policies. Or the organization may need an audit-only mode that records what is happening, so that it can understand the current state of data movement.

In the event of a problem, protected enterprise data can be remotely deleted from all devices, including employee-owned devices, without touching personal data.

All of this is driven by the WIP policy, the ‘cornerstone’ of the WIP protection engine. A WIP policy for devices uses the EFS (Encrypting File System) built into the latest Windows client operating system and contains instructions to encrypt business data, or data originating from the enterprise. It also contains the app white list of applications allowed to use protected data, which is based on the AppLocker feature. The WIP policy is then set to one of the following four modes.

Block:  WIP watches the actions users perform on protected corporate content. If a user does something that could lead to a leak, WIP blocks that action. This includes blocking protected data from being copied and pasted into unprotected applications, and blocking protected data from being sent outside the corporate network.

Override:  In this mode WIP still monitors employee work and behavior. However, instead of blocking an action, it warns the user that the action could lead to a leak and lets the user decide whether to continue. If the user ignores (overrides) the WIP warning, the event is logged so that the administrator can audit and evaluate it later.

Silent:  In this mode the system is monitored, but when WIP recognizes an action that might lead to a leak, it logs the action instead of warning the user. Certain violations are still blocked, for example a user with no access attempting to open a protected file. Most operators use this mode as a baseline for understanding the network’s data movement before moving to a more restrictive mode.

Off:  This mode disables WIP. If WIP was active, Windows decrypts the device’s encrypted files. If you later reactivate WIP, the WIP protection policy must be reapplied to those files, because the existing policy information is not retained.

How to apply a WIP policy: There are two ways to apply WIP to Windows 10 client devices. The first is Microsoft Intune, Microsoft’s own cloud-based, subscription-based management service; the second is an on-premises deployment of System Center Configuration Manager (SCCM).

Using Microsoft Intune: To use Intune, open your browser and navigate to the Intune console. Expand the Policy node, then click Add Policy in the Tasks area that appears.

On the ‘Select a template for the new policy’ screen, select ‘Windows Information Protection’ from the list of Windows templates (Windows 10 Desktop and Mobile and later).

Then click the Create and Deploy a Custom Policy radio button and the Create Policy button next to it. Then enter the name and description of the policy.

Now it’s time to add rules for either a modern app (a Windows Store app, also called a Windows 10 app) or a typical Win32 desktop app. This walkthrough uses a popular desktop app, Microsoft Excel.

Click the Add button in the center of the screen, and in the Add App Rule box enter the name you want to use for the app. Select the WIP mode you want to use (here, Allow). Then select ‘Desktop App’ from the ‘Rule Templates’ list, check the box next to ‘Binary name’, and enter EXCEL.EXE.

A handy tip: if you want to filter on other attributes such as publisher, product name, or file version, you can use the Get-AppLockerFileInformation cmdlet:
Get-AppLockerFileInformation -Path “c:
The output gives you the information you need, which you can copy and paste into the Intune screen.
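As an added example (not part of the original article), the following PowerShell script shows what the tip above produces for Excel: it reads the publisher, product name, binary name, and version that the desktop app rule editor asks for, and then turns the same file information into an AppLocker publisher rule in XML form, which WIP app rules are built on. The Excel path is an assumption for a 64-bit Click-to-Run Office install; adjust it for your build.

```powershell
# Added example, not from the original article.
# ASSUMPTION: Excel lives at this path (Click-to-Run Office); change it for your install.
$excelPath = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'

# Get-AppLockerFileInformation reads the Authenticode signature and the version
# resource of the binary and returns a FileInformation object.
$info = Get-AppLockerFileInformation -Path $excelPath

# The Publisher property carries the four fields the WIP desktop app rule can filter on.
$pub = $info.Publisher
[PSCustomObject]@{
    Publisher     = $pub.PublisherName    # X.500 subject of the signing certificate
    ProductName   = $pub.ProductName
    BinaryName    = $pub.BinaryName       # e.g. EXCEL.EXE, matching the rule's 'Binary name'
    BinaryVersion = $pub.BinaryVersion
} | Format-List

# Build an AppLocker publisher rule from the same information. Pinning the rule to
# the publisher rather than only the file name prevents an unsigned EXCEL.EXE from
# being treated as the trusted Office binary.
$xml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -Xml

# Save the XML so it can be imported into the Intune or SCCM app rule instead of
# typing each field by hand.
$outFile = Join-Path $env:TEMP 'excel-wip-rule.xml'
$xml | Out-File -FilePath $outFile -Encoding UTF8
Write-Host "Publisher rule XML written to $outFile"
```

The script must run as an account that can read the Excel binary; if the file is unsigned, the Publisher property is empty and New-AppLockerPolicy falls back to a hash or path rule unless -RuleType is restricted, so check the output before importing it.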

After you add the app to which the policy applies, select one of the ‘paste / drop / share restriction modes’: Block, Override, Silent, or Off.

Next, define the enterprise ID, a list of domains where corporate content is located. WIP uses it as the basis for identifying work-related items, so the list should include every domain at which the business receives email. Multiple domains can be entered in the Corporate Identity field separated by the ‘|’ character, for example ’82ventures.com | jonathanhassell.com’.

Now set up the list of network locations where apps that process protected data are allowed to work with it; in effect, the network locations to which protected data can be written and from which it can be retrieved. The company’s IP range is a good starting point, and the list can be adjusted later. You can also upload the DRA (Data Recovery Agent) certificate that is created when the Windows EFS feature is enabled. This helps ensure that encrypted data can be recovered through Intune if keys are lost.
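As an added example (not from the original article), this PowerShell script creates the EFS Data Recovery Agent certificate mentioned above with the built-in cipher.exe tool, inspects it before upload, and then checks whether a given file on a protected device actually carries the EFS Encrypted attribute. The output folder and the sample document path are placeholders.

```powershell
# Added example, not from the original article.
# ASSUMPTION: C:\WIP is a scratch folder and the sample document path is a placeholder.

# cipher /r:<base> writes <base>.cer (public key, the file to upload as the DRA) and
# <base>.pfx (private key, protected by a password it prompts for). Keep the .pfx
# offline: it can decrypt every file protected under this policy.
$draBase = 'C:\WIP\EFSDRA'
New-Item -ItemType Directory -Path (Split-Path $draBase) -Force | Out-Null
cipher.exe /r:$draBase

# Inspect the public certificate before uploading it to Intune or SCCM.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$draBase.cer"
$cert | Select-Object Subject, Thumbprint, NotAfter

# Returns $true when the file has the EFS Encrypted attribute, which is how a
# WIP-protected work file shows up on disk.
function Test-WipEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    return (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
}

$sample = 'C:\Users\Public\Documents\work-report.docx'
if (Test-Path -LiteralPath $sample) {
    if (Test-WipEncrypted -Path $sample) {
        Write-Host "Encrypted: $sample"
        # cipher /c lists the users and recovery agents able to decrypt the file,
        # so you can confirm the DRA is actually attached to protected data.
        cipher.exe /c $sample
    } else {
        Write-Host "Not encrypted: $sample"
    }
}
```

Run it in an elevated PowerShell session; cipher /r prompts interactively for the PFX password, so it is not suitable for unattended scripts.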

Keep the remaining default settings and click ‘Save’. The policy is now defined. Using Intune’s Policy node, add this policy to the list of deployment groups, and the policy is deployed.

Using System Center Configuration Manager (SCCM)

To deploy WIP using SCCM, you must create the policy with version 1606 or later. If a WIP policy was created with an older SCCM version, it must be deleted and re-created.

Under “Assets and Compliance” in the SCCM console, look for “Overview” / “Compliance Settings” / “Configuration Items”.

Click the “Create Configuration Item” button. When the wizard starts, enter the desired name and description, and then specify Windows 10 as the supported platform for that item.

On the ‘Select the device setting group’ screen, select ‘Windows Information Protection’. You can then add app rules in the same way you add an app in Intune.

After selecting the ‘paste / drop / share restriction mode’, define the identity domains, select the corporate network locations where protected data is located, and choose any optional settings. You can also upload a DRA certificate here.

After reviewing the settings, click ‘Continue’. Depending on how SCCM deployment is set up, the policy can be applied to SCCM-managed devices through compliance settings or configuration baselines.

Protecting information at a low cost

There are many information rights management programs and data leakage prevention systems. Until now, however, there has been no information protection technology built into an operating system the way WIP is built into Windows 10. As of the ninth anniversary of Windows 7, Windows 10 has matured into a stable operating system for many organizations, and WIP is a technology worth investigating. Used together with Microsoft Intune, it can also protect your information at a lower cost.