Watermarking works by introducing custom XML files that contain the watermarking data. Only documents in these Office Open XML formats can be watermarked:
Important - Older formats supported in Office 2007 and above for backward compatibility (such as DOC, PPT, and XLS) cannot be watermarked. Changing the file extension from doc to docx will not make the document eligible for watermarking.
If the Data Type scanned for by the DLP gateway occurs in the body of the email and not in the document, the document will not be watermarked. For example, if you are scanning for credit card numbers and a credit card number appears in the body of an email with a document attached, the document will not be watermarked. The Data Type has to occur in the document.
To watermark documents:
SmartDashboard opens and shows the DLP tab.
DLP has 3 built-in profiles:
Note - You can also modify a built-in profile.
To create a new watermark profile:
SmartDashboard opens and shows the DLP tab.
The Watermark Profiles window opens.
The Advanced Settings window opens.
Note - A watermark in Excel cannot exceed 255 characters. The 255 character limit includes the visible watermark text and formatting data. If you exceed the 255 character limit, the watermark feature makes a best effort to show as much text as possible.
The 255 limit is per document.
The actual placement of watermarks depends on:
Watermark option | Section Break | In Word 2007 | In Word 2010 |
---|---|---|---|
All pages | Yes | All pages get watermark | All pages get watermark |
All pages | No | All pages get watermark | All pages get watermark |
First page only | Yes | All pages get watermark | First page only gets watermark |
First page only | No | All pages get watermark | First page only gets watermark |
Even pages only | Yes | All pages get watermark | All pages get watermark |
Even pages only | No | Only even pages get watermark | Only even pages get watermark |
Odd pages only | Yes | All pages get watermark | All pages get watermark |
Odd pages only | No | Only odd pages get watermark | Only odd pages get watermark |
To configure settings on the General Page:
The Select text location on page window opens.
To create a new watermark, click Add watermark text to another location.
The text formatting tools are shown.
Note - Watermark rotation is only available for:
To add a shadow behind Watermark text in Word and PowerPoint:
cpstop
$DLPDIR/config/dlp.conf.
watermark_add_shadow_text(0)
Change the watermark_text_opacity_percentage property from 30 (70% transparency) to the new value.
cpstart
Note - Before the changes to dlp.conf take effect, you must run cpstop and cpstart.
To configure settings on the Hidden Text page:
If Microsoft Office 2007 (or higher) is installed on the same computer as SmartConsole, a preview of the watermark shows on a sample file in the preview pane.
Note - The preview pane is not available if you create or edit a watermark from the DLP policy rule base. To see a preview, create a watermark from Additional Settings > Advanced > Watermarks > New.
Note - Hidden encrypted text is not removed, only added to by each DLP gateway. Hidden text can later be used for forensic tracking.
To complete the watermark profile:
In SmartConsole > Data Loss Prevention tab > Additional Settings > Watermarks, watermarks are previewed in the right-hand pane on sample documents.
Preview works by downloading sample Office files from the Security Management Server and applying the watermark to them. The sample preview files are named:
To open a document or preview it, you must install Microsoft Office 2007 (or higher) on the computer that has SmartConsole installed.
Watermarks can also be previewed on User-Added Files.
To view watermarks on user-added files:
The Select File window opens.
The Select File window is now divided into User Added Files and Sample Files.
Note - When you preview a user-added file, the file is uploaded to the Security Management Server. The file will stay on the server until you remove it by selecting the file in the Select File window and clicking the red X in the top right-hand corner.
For Office documents that have been watermarked by a DLP gateway, view the watermarks in this way:
Office document | Go to: |
---|---|
Word | View > Print Layout or Full Screen Reading |
Excel | View > Page layout > Print Layout |
PowerPoint | PowerPoint has a number of built-in layers. The DLP watermark sits above the slide layout layer but below the slide content layer. This means that the watermark always shows below the content of a slide. |
When scanned by the DLP gateway, an email with a document attached might match one or more DLP rules. If the rules have different and conflicting watermark profiles, then the conflict must be resolved for visible watermarks and resolved for hidden text.
Resolving Hidden Text Conflicts
If different watermark profiles specify invisible text, the text is taken from the profile attached to the DLP rule that has the highest precedence. Rule precedence is derived from the ACTION and SEVERITY priorities in the DLP Rule Base.
Action | Priority |
---|---|
Ask User | 1 |
Inform User | 2 |
Detect | 3 |
Hidden text is taken from the watermark profile belonging to the rule that has the highest ACTION priority. If two rules have the same ACTION priority (for example, both have the Ask User setting), then SEVERITY is considered:
Severity | Priority |
---|---|
Critical | 1 |
High | 2 |
Medium | 3 |
Low | 4 |
For example, if an email with a document attached matches these two rules:
Data | Action | Severity | Watermark Profile |
---|---|---|---|
Rule 1 | Ask User | Low | W1 |
Rule 2 | Detect | Critical | W2 |
The ACTION setting for Rule 1 has a greater priority than the ACTION setting defined for Rule 2. Rule 1 takes precedence. The hidden text configured for the W1 profile applies even though Rule 2 has a greater SEVERITY. If the rules are changed to:
Data | Action | Severity | Watermark Profile |
---|---|---|---|
Rule 1 | Inform User | Low | W1 |
Rule 2 | Inform User | Medium | W2 |
The rules have the same ACTION priority, so SEVERITY is considered. In this case Medium has a higher priority than Low. Hidden text from the W2 profile is added to the document. Rule 2 has precedence.
If the rules have the same priority for ACTION and SEVERITY, for example:
Data | Action | Severity | Watermark Profile |
---|---|---|---|
Rule 1 | Inform User | Low | W1 |
Rule 2 | Inform User | Low | W2 |
Rule precedence is decided according to an internal calculation based on the name of the rule in the data column.
Resolving Visible Watermark Conflicts
An outgoing document may match one or more rules in the DLP policy. If the rules specify different watermark profiles, a conflict arises. For example, if different profiles specify dissimilar text in the center, the conflict must be resolved by merging the different watermark profiles according to rule precedence. Rule precedence is decided based on ACTION and SEVERITY priorities.
After rule precedence is decided, a merged watermark profile is built according to these criteria:
The procedure repeats until all watermarks are added to the merged profile. For example, if you have three DLP rules, each with a custom Watermark Profile, and an email matches all three of these rules:
DLP Data Rule | Precedence | Watermark Profile Name | In graphic |
---|---|---|---|
Rule_A | 1 | W1 | 1 |
Rule_B | 2 | W2 | 2 |
Rule_C | 3 | W3 | 3 |
The merged profile (4) is built by taking elements from all the profiles.
(The watermark in the top right corner will not overwrite the watermark placed there by W1, which has higher precedence.)
(The watermark for the top center location is already taken by W1, which has greater precedence.)
Naming the Merged Profile
If the merged profile takes elements from existing profiles (hidden text or visible watermarks), then the names of those profiles are integrated into the name of the merged profile. In the above example, the name of the merged profile is W1;W2;W3, with semicolons separating the individual profile names. This is the name that shows in the DLP Watermark Profile column in the Logs & Monitor view.
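The hidden-text precedence rules and the visible-watermark merge described above can be modeled in a few lines. This is an added example, not Check Point code: the location names, watermark texts, the actions and severities given to Rule_A, Rule_B and Rule_C, and the name-based tie-break are assumptions made for illustration.

```python
# Added illustration, not Check Point code. Priorities come from the tables above.
ACTION_PRIORITY = {"Ask User": 1, "Inform User": 2, "Detect": 3}
SEVERITY_PRIORITY = {"Critical": 1, "High": 2, "Medium": 3, "Low": 4}

def order_by_precedence(rules):
    """Sort matched rules, highest precedence first: ACTION, then SEVERITY.
    Full ties are broken by rule name here; that is a placeholder assumption,
    not the internal name-based calculation the gateway uses."""
    return sorted(rules, key=lambda r: (ACTION_PRIORITY[r["action"]],
                                        SEVERITY_PRIORITY[r["severity"]],
                                        r["name"]))

def resolve(rules, profiles):
    """Return (merged profile name, hidden text, visible watermarks by location)."""
    hidden, visible, used = None, {}, []
    for rule in order_by_precedence(rules):
        profile = profiles[rule["profile"]]
        contributed = False
        # Hidden text: taken from the highest-precedence profile that defines it.
        if hidden is None and profile.get("hidden"):
            hidden, contributed = profile["hidden"], True
        # Visible text: a location filled by a higher-precedence profile is kept.
        for location, text in profile.get("visible", {}).items():
            if location not in visible:
                visible[location] = text
                contributed = True
        if contributed and rule["profile"] not in used:
            used.append(rule["profile"])
    return ";".join(used), hidden, visible

# Constructed sample: three matched rules, as in the Rule_A/Rule_B/Rule_C example.
# Actions, severities, location names and texts are invented for illustration.
SAMPLE_RULES = [
    {"name": "Rule_C", "action": "Detect", "severity": "Critical", "profile": "W3"},
    {"name": "Rule_B", "action": "Inform User", "severity": "Medium", "profile": "W2"},
    {"name": "Rule_A", "action": "Ask User", "severity": "Low", "profile": "W1"},
]
SAMPLE_PROFILES = {
    "W1": {"hidden": "sender and recipient",
           "visible": {"top-right": "Restricted", "top-center": "Confidential"}},
    "W2": {"visible": {"top-right": "Internal", "center": "Do not forward"}},
    "W3": {"hidden": "date sent",
           "visible": {"top-center": "Draft", "bottom-left": "Finance"}},
}

if __name__ == "__main__":
    print(resolve(SAMPLE_RULES, SAMPLE_PROFILES))
```

A profile whose every element is displaced by higher-precedence profiles contributes nothing and is left out of the merged name.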
Watermarking can be turned off in a number of ways:
enable_watermarking_feature property
In the DLP rule base, the warning Watermarks are not applied on the DLP policy shows at the bottom of the policy table.
Clicking Apply opens the Advanced Settings Window where you can once more add watermarks in the DLP rules.
For forensic tracking, hidden text can be decrypted and read using the DLP watermark viewing tool.
To view hidden text on a watermarked document:
dlp_watermark_viewer
Enter the name of one file or the path to a directory that contains a number of files.
Note - Only the hidden text is shown by the tool, not the document's content.
Keys used for decrypting hidden text are stored on the Security Management Server and downloaded to the Security Gateway. DLP gateways managed by the same Security Management Server share the same keys and a common (random) ID. The random ID identifies the Security Management Server that installed the DLP policy on the gateway. The viewing tool will only show text added by gateways managed by the same Security Management Server. For example, for a document that has passed through three DLP gateways, each managed by a different Security Management Server, you must copy the file to each gateway and run the tool on each. The tool will only show the hidden text added by that gateway, and not the text added by gateways managed by other Security Management Servers.
Important - If you reinstall a Security Gateway, the keys and random ID are downloaded again from the server. The new gateway can be used to decrypt hidden text added by the old one. But if you reinstall the Security Management Server the random ID is lost. The random ID added to the document by the gateway will not match the ID of the new Security Management Server. The DLP viewer will not show the document's hidden text.