Configuring the DLP Watermark

Watermarking works by introducing custom XML files that contain the watermarking data. Only documents in these Office Open XML formats can be watermarked:

To watermark documents:

  1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Policy.
  3. For the Data Type, right-click the Action cell, and select a restrictive Action such as Ask, Inform User or Detect.
  4. Right-click the Action cell and select the Watermark profile.

    DLP has 3 built-in profiles:

    • Classified. Places the word Classified in the center of the page.
    • Invisible only. Contains only hidden text.
    • Restricted. Places the word Restricted at the bottom of the page, and these inserted fields: sender, recipient, and send date.
  5. If there are no existing watermark profiles, click New and create one.

    Note - You can also modify a built-in profile.

  6. Click Save and then close SmartDashboard.
  7. In SmartConsole, Install Policy.

To create a new watermark profile:

  1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Additional Settings > Watermarks.
  3. Click New.

    The Watermark Profiles window opens.

  4. In the General page, enter the Name for the watermark profile.
  5. Click Advanced.

    The Advanced Settings window opens.

  6. Clear the Use the same configuration for all supported file types option to create different watermarks for Word, Excel, or PowerPoint files.

    Note - A watermark in Excel cannot exceed 255 characters. The 255 character limit includes the visible watermark text and formatting data. If you exceed the 255 character limit, the watermark feature makes a best effort to show as much text as possible.

    The 255 limit is per document.

  7. Set whether watermarks are added to:
    • All pages
    • First page only
    • Even pages only
    • Odd pages only

    The actual placement of watermarks depends on:

    • If the document contains Section Breaks on the page.
    • The version of MS Word used to create the document.
  8. Click OK.

    | Watermark option | Section Break | In Word 2007 | In Word 2010 |
    |---|---|---|---|
    | All pages | Yes | All pages get watermark | All pages get watermark |
    | All pages | No | All pages get watermark | All pages get watermark |
    | First page only | Yes | All pages get watermark | First page only gets watermark |
    | First page only | No | All pages get watermark | First page only gets watermark |
    | Even pages only | Yes | All pages get watermark | All pages get watermark |
    | Even pages only | No | Only even pages get watermark | Only even pages get watermark |
    | Odd pages only | Yes | All pages get watermark | All pages get watermark |
    | Odd pages only | No | Only odd pages get watermark | Only odd pages get watermark |

To configure settings on the General Page:

  1. To configure the location of the watermark:
    1. Click the watermark graphic.

      The Select text location on page window opens.

    2. Click the location for the watermark.
  2. To configure the watermark text:
    1. Click the field with the watermark text.

      To create a new watermark, click Add watermark text to another location.

      The text formatting tools are shown.

    2. Click Insert Field, to add a dynamic field to the watermark.
    3. Click the Diagonal button, to show the text on a 45 degree diagonal.

    Note - Watermark rotation is only available for:

    • PowerPoint presentations in MS Office 2007 and 2010
    • Word documents in MS Office 2010
    4. To change the text to seventy-percent transparency, click the Transparency button.
  3. Click OK.

To add a shadow behind Watermark text in Word and PowerPoint:

  1. On the gateway, run: cpstop
  2. On the gateway, open for editing: $DLPDIR/config/dlp.conf.
  3. Search for the attribute: watermark_add_shadow_text(0).
  4. Change the value of the attribute from 0 to 1.
  5. Set percentages for watermark transparency and size, for DOCX and PPTX files.

    Change the watermark_text_opacity_percentage property from 30 (70% transparency) to the new value.

  6. Save and close the file.
  7. Run: cpstart

    Note - Before the changes to dlp.conf take effect, you must run cpstop and cpstart.

To configure settings on the Hidden Text page:

  1. Select Add the following hidden text to the document.
  2. Click Add, and select which fields should be inserted as encrypted hidden text into the document.
  3. For the purpose of forensic tracking, hidden text can be viewed using the DLP watermark viewing tool.
  4. Click OK.

    If Microsoft Office 2007 (or higher) is installed on the same computer as SmartConsole, a preview of the watermark shows on a sample file in the preview pane.

    Note - The preview pane is not available if you create or edit a watermark from the DLP policy rule base. To see a preview, create a watermark from Additional Settings > Advanced > Watermarks > New.

  5. In Additional Settings > Advanced > Watermarks section:
    1. Make sure Apply watermarks on Data Loss Prevention rules is selected.
    2. Set how existing watermarks are handled on documents that pass repeatedly through DLP gateways. Existing watermarks can be kept, or replaced.

    Note - Hidden encrypted text is not removed, only added to by each DLP gateway. Hidden text can later be used for forensic tracking.

To complete the watermark profile:

  1. Click Save and then close SmartDashboard.
  2. In SmartConsole, Install Policy.

Previewing Watermarks

In SmartConsole > Data Loss Prevention tab > Additional Settings > Watermarks, watermarks are previewed in the right-hand pane on sample documents.

Preview works by downloading sample Office files from the Security Management Server and applying the watermark to them. The sample preview files are named:

To open a document or preview it, you must install Microsoft Office 2007 (or higher) on the computer that has SmartConsole installed.

Watermarks can also be previewed on User-Added Files.

To view watermarks on user-added files:

  1. Open the drop-down box in the preview pane.

    The Select File window opens.

  2. Click Add and browse to your Word, Excel, or PowerPoint file.

    The Select File window is now divided into User Added Files and Sample Files.

  3. Select your user added file to see it previewed with the watermark.

    Note - When you preview a user-added file, the file is uploaded to the Security Management Server. The file will stay on the server until you remove it by selecting the file in the Select File window and clicking the red X in the top right-hand corner.

Viewing Watermarks in MS Office Documents

For Office documents that have been watermarked by a DLP gateway, view the watermarks in this way:

| Office document | Go to: |
|---|---|
| Word | View > Print Layout or Full Screen Reading |
| Excel | View > Page layout > Print Layout |
| PowerPoint | PowerPoint has a number of built-in layers. The DLP watermark sits above the slide layout layer but below the slide content layer. This means that the watermark always shows below the content of a slide. |

Resolving Watermark Conflicts

When scanned by the DLP gateway, an email with a document attached might match one or more DLP rules. If the rules have different and conflicting watermark profiles, then the conflict must be resolved for visible watermarks and resolved for hidden text.

Resolving Hidden Text Conflicts

If different watermark profiles specify invisible text, the text is taken from the profile attached to the DLP rule that has the highest precedence. Rule precedence is derived from the ACTION and SEVERITY priorities in the DLP Rule Base.

| Action | Priority |
|---|---|
| Ask User | 1 |
| Inform User | 2 |
| Detect | 3 |

Hidden text is taken from the watermark profile belonging to the rule that has the highest ACTION priority. If two rules have the same ACTION priority (for example, both are set to Ask User), then SEVERITY is considered:

| Severity | Priority |
|---|---|
| Critical | 1 |
| High | 2 |
| Medium | 3 |
| Low | 4 |

For example, if an email with a document attached matches these two rules:

| Data | Action | Severity | Watermark Profile |
|---|---|---|---|
| Rule 1 | Ask User | Low | W1 |
| Rule 2 | Detect | Critical | W2 |

The ACTION setting for Rule 1 has a greater priority than the ACTION setting defined for Rule 2, so Rule 1 takes precedence. The hidden text configured for the W1 profile applies even though Rule 2 has a greater SEVERITY. If the rules are changed to:

| Data | Action | Severity | Watermark Profile |
|---|---|---|---|
| Rule 1 | Inform User | Low | W1 |
| Rule 2 | Inform User | Medium | W2 |

The rules have the same ACTION priority, so SEVERITY is considered. In this case Medium has a higher priority than Low. Hidden text from the W2 profile is added to the document. Rule 2 has precedence.

If the rules have the same priority for ACTION and SEVERITY, for example:

| Data | Action | Severity | Watermark Profile |
|---|---|---|---|
| Rule 1 | Inform User | Low | W1 |
| Rule 2 | Inform User | Low | W2 |

Rule precedence is decided according to an internal calculation based on the name of the rule in the data column.
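
The precedence logic described above, written out as an added example (not Check Point code) that can be run over the rules a document matches to see which profile supplies the hidden text, or to flag ties before they reach the gateway. The `Rule` record and function names are hypothetical; the priority values come from the tables on this page, and the gateway's internal name-based tie-break is not reproduced.

```python
from dataclasses import dataclass

# Priorities copied from the Action and Severity tables above (1 = highest).
ACTION_PRIORITY = {"Ask User": 1, "Inform User": 2, "Detect": 3}
SEVERITY_PRIORITY = {"Critical": 1, "High": 2, "Medium": 3, "Low": 4}


@dataclass(frozen=True)
class Rule:  # hypothetical record for one matched DLP rule
    name: str
    action: str
    severity: str
    profile: str


def precedence_key(rule):
    """Sort key: ACTION first, SEVERITY second; a lower tuple wins."""
    try:
        return (ACTION_PRIORITY[rule.action], SEVERITY_PRIORITY[rule.severity])
    except KeyError as exc:
        # Only the values listed on this page are ranked; refuse to guess others.
        raise ValueError(f"{rule.name}: no listed priority for {exc}") from None


def hidden_text_profile(matched):
    """Return (profile, top_rule_names) for the rules one document matched.

    profile is None when several top-ranked rules carry different profiles:
    the gateway then decides by an internal calculation on the rule name,
    which this sketch does not reproduce.
    """
    if not matched:
        raise ValueError("no matched rules")
    best = min(precedence_key(r) for r in matched)
    top = [r for r in matched if precedence_key(r) == best]
    profiles = {r.profile for r in top}
    profile = profiles.pop() if len(profiles) == 1 else None
    return profile, [r.name for r in top]


if __name__ == "__main__":
    # Constructed input: the three rule pairs from the examples above.
    cases = [
        [Rule("Rule 1", "Ask User", "Low", "W1"), Rule("Rule 2", "Detect", "Critical", "W2")],
        [Rule("Rule 1", "Inform User", "Low", "W1"), Rule("Rule 2", "Inform User", "Medium", "W2")],
        [Rule("Rule 1", "Inform User", "Low", "W1"), Rule("Rule 2", "Inform User", "Low", "W2")],
    ]
    for matched in cases:
        print(hidden_text_profile(matched))
```

A `None` profile in the result marks a rule pair whose outcome depends on the rule names; changing the ACTION or SEVERITY of one rule makes the result explicit.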

Resolving Visible Watermark Conflicts

An outgoing document may match one or more rules in the DLP policy. If each rule specifies different watermarking profiles, then a conflict will arise. For example if different profiles specify dissimilar text in the center, the conflict must be resolved by merging the different watermark profiles according to rule precedence. Rule precedence is decided based on ACTION and SEVERITY priorities.

After rule precedence is decided, a merged watermark profile is built according to these criteria:

The merged profile (4) is built by taking elements from all the profiles.

Naming the Merged Profile

If the merged profile takes elements from existing profiles (hidden text or visible watermarks), then the names of those profiles are integrated into the name of the merged profile. In the above example, the name of the merged profile is W1;W2;W3, with a semicolon separating the individual profile names. This is the name that shows in the DLP Watermark Profile column in the Logs & Monitor view.

Turning Watermarking On and Off

Watermarking can be turned off in a number of ways:

Using the DLP Watermark Viewing Tool

For forensic tracking, hidden text can be decrypted and read using the DLP watermark viewing tool.

To view hidden text on a watermarked document:

  1. Copy the document, or a folder of documents, to the DLP gateway.
  2. On the gateway, run: dlp_watermark_viewer

    Enter the name of one file or the path to a directory that contains a number of files.

  3. The output shows the hidden fields included in the profile.

    Note - Only the hidden text is shown by the tool, not the document's content.

Keys used for decrypting hidden text are stored on the Security Management Server and downloaded to the Security Gateway. DLP gateways managed by the same Security Management Server share the same keys and a common (random) ID. The random ID identifies the Security Management Server that installed the DLP policy on the gateway. The viewing tool will only show text added by gateways managed by the same Security Management Server. For example, for a document that has passed through three DLP gateways, each managed by a different Security Management Server, you must copy the file to each gateway and run the tool on each. The tool will only show the hidden text added by that gateway, and not the text added by gateways managed by other Security Management Servers.

Important - If you reinstall a Security Gateway, the keys and random ID are downloaded again from the server. The new gateway can be used to decrypt hidden text added by the old one. But if you reinstall the Security Management Server the random ID is lost. The random ID added to the document by the gateway will not match the ID of the new Security Management Server. The DLP viewer will not show the document's hidden text.