BIO 10.02.01

Teams: Enable Watermarking For Sensitive Meetings

πŸ“… 2025-10-30
β€’
⏱️ 4 minuten lezen
β€’
🟒 Should-Have

πŸ’Ό Management Samenvatting

Teams watermarking = user email/IP overlayed on shared content - prevents screen capture leaks (data loss attribution).

Aanbeveling
IMPLEMENT (highly confidential meetings)
Risico zonder
Medium
Risk Score
6/10
Implementatie
10u (tech: 5u)
Van toepassing op:
βœ“ Microsoft Teams
βœ“ Teams Premium

Watermarking = data leak deterrence: Confidential meetings: M&A discussions, legal strategy, unreleased financials, financial results previews, HR investigations, Data leak vector: Screen capture (screenshot, phone camera), screen recording (OBS, Camtasia), External monitor mirroring. Watermarking: Overlay: User's email address + timestamp overlayed on shared screen/video, Semi-transparent: Visible maar not obtrusive, Deterrence: Leaker knows: screenshot has their email β†’ traceable β†’ accountability, Attribution: Leaked screenshot β†’ watermark identifies source β†’ investigation. Limitation: NOT prevention (user CAN screenshot), maar DETERRENCE + attribution.

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MicrosoftTeams
Required Modules: MicrosoftTeams

Implementatie

Teams watermarking (Premium): Requires: Microsoft Teams Premium license (add-on), Watermark content: Email address, timestamp, IP address (optional), Overlay: Shared content (PowerPoint, screen share), videos, Settings: Per sensitivity label (confidential meetings only), Use case: Board meetings, M&A, legal, HR.

Vereisten

  1. Microsoft Teams Premium license
  2. Sensitivity labels configured (Microsoft Purview)
  3. Highly confidential meetings (M&A, legal, financial)
  4. User awareness: Watermarking purpose

Implementatie

Teams Admin Center β†’ Meetings β†’ Meeting policies β†’ Watermark β†’ Enable watermarks: On (for shared content and video). Assign to: Sensitivity label 'Highly Confidential' meetings. Purview: Create label β†’ Teams watermarking enabled.

Compliance

AVG Art. 32 (Data protection - leak prevention), BIO 10.02 (Information leakage).

Monitoring

Gebruik PowerShell-script watermarking-enabled.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script watermarking-enabled.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Watermarking Enabled for Sensitive Meetings .DESCRIPTION Enables watermarking for Teams meetings to prevent unauthorized content sharing .NOTES NL Baseline v2.0 Requires: Microsoft 365 E5 or Advanced Communications add-on #> #Requires -Version 5.1 #Requires -Modules MicrosoftTeams [CmdletBinding()] param([switch]$Monitoring) $ErrorActionPreference = 'Stop' Write-Host "`n========================================" -ForegroundColor Cyan Write-Host "Watermarking Enabled" -ForegroundColor Cyan Write-Host "========================================`n" -ForegroundColor Cyan function Invoke-Monitoring { try { Connect-MicrosoftTeams -ErrorAction Stop $policy = Get-CsTeamsMeetingPolicy -Identity Global $result = @{ isCompliant = $policy.AllowWatermarkForCameraVideo videoWatermark = $policy.AllowWatermarkForCameraVideo screenWatermark = $policy.AllowWatermarkForScreenSharing } Write-Host " Video Watermark: $(if($policy.AllowWatermarkForCameraVideo){'ENABLED'}else{'DISABLED'})" -ForegroundColor $( if ($policy.AllowWatermarkForCameraVideo) { 'Green' }else { 'Yellow' } ) Write-Host " Screen Share Watermark: $(if($policy.AllowWatermarkForScreenSharing){'ENABLED'}else{'DISABLED'})" -ForegroundColor $( if ($policy.AllowWatermarkForScreenSharing) { 'Green' }else { 'Yellow' } ) Write-Host "`n Security Benefits:" -ForegroundColor Cyan Write-Host " β€’ Prevents unauthorized content sharing" -ForegroundColor Gray Write-Host " β€’ Deters screen recording" -ForegroundColor Gray Write-Host " β€’ Maintains content confidentiality" -ForegroundColor Gray Write-Host " β€’ Reduces data exposure risk" -ForegroundColor Gray Write-Host "`n Note: Watermarking helps prevent unauthorized content sharing" -ForegroundColor Gray Write-Host " Requires Microsoft 365 E5 or Advanced Communications add-on" -ForegroundColor Gray if ($result.isCompliant) { Write-Host "`n[OK] COMPLIANT - Watermarking enabled" -ForegroundColor Green exit 0 } else { Write-Host "`n[FAIL] NON-COMPLIANT - Watermarking disabled!" -ForegroundColor Red exit 1 } } catch { Write-Host "ERROR: $_" -ForegroundColor Red exit 2 } } try { if ($Monitoring) { Invoke-Monitoring } else { Write-Host "Use: -Monitoring" -ForegroundColor Yellow } } catch { throw } finally { Write-Host "`n========================================`n" -ForegroundColor Cyan } function Invoke-Remediation { <# .SYNOPSIS Herstelt de configuratie naar de gewenste staat .DESCRIPTION Dit is een monitoring-only control, remediation delegeert naar monitoring #> [CmdletBinding()] param() Write-Host "[INFO] Dit is een monitoring-only control" -ForegroundColor Yellow Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan Invoke-Monitoring }

Risico zonder implementatie

Risico zonder implementatie
Medium: Medium: No watermarking = leaked screenshots untraceable.

Management Samenvatting

Teams watermarking (Premium). User email overlayed on shared content. Data leak deterrence + attribution. Requires: Teams Premium license. Highly confidential meetings (M&A, legal). Implementatie: 5-10 uur.