December 22, 2006 12:00 AM

Develop an Exchange Compliance Strategy

Exchange's journaling, backup, and messaging security are the building blocks of a compliance plan
Windows IT Pro
InstantDoc ID #94390

Message and Transport Security
Message security encompasses two main areas: message encryption (using cryptography to protect the message itself, end to end, from inspection or alteration by unauthorized parties, regardless of which servers it passes through) and transport encryption (using cryptography to protect the discrete connections between components of the messaging system, one hop at a time, which leaves the message in the clear on each server along the way).

Message encryption. Message security has clear implications for your DCAR solution. In particular, you need to consider the following questions:

  • If you use Secure/Multipurpose Internet Mail Extensions (S/MIME), which Exchange supports, does your archiving solution support it?
  • Can you still decrypt archived messages after the keys that protected them have expired or been replaced? A certificate holds only the public key; decrypting an old message requires the recipient's old private key, so either your PKI must archive (escrow) users' encryption keys or your archive must store messages in decrypted form.
  • How do you protect, back up, and restore whatever public key infrastructure (PKI) you use with S/MIME? (Although Pretty Good Privacy, or PGP, isn't optimal for DCAR, if you use it, ask yourself how you'll protect, back up, and restore your users' PGP keyrings.)
  • Can your policy-compliance software handle encrypted email messages? Content inspection of an S/MIME-encrypted message is impossible without the private key, so an archive that can't decrypt is also an archive that can't search.
  • Are you required to protect message integrity through every hop of your network?
  • Can attackers (whether internal or external) eavesdrop on unencrypted transport links?

Exchange 2003 and Exchange 2000 come with strong support for S/MIME, and the Exchange 2003 version of OWA extends this support to OWA users through a browser-side S/MIME control. However, the practical considerations of deploying and managing the requisite PKI, dealing with the content-inspection challenges, and escrowing and archiving users' encryption keys tend to make S/MIME unattractive for most organizations unless they're required to use it (e.g., government Exchange deployments).
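As an added example (not from the article and not part of Exchange), here is a small Python triage routine a DCAR pipeline could run on each message to tell S/MIME- and PGP-protected mail from clear mail before archiving or inspecting it. It looks only at MIME headers, using the content types defined by RFC 3851 (S/MIME) and RFC 3156 (PGP/MIME); the sample messages and their placeholder bodies are constructed for illustration and contain no real CMS or PGP data.

```python
"""Triage messages by S/MIME or PGP protection before archiving or
content inspection.  Added example; not part of Exchange or the article.
Sample messages below are constructed; their bodies are placeholders."""
import email
from email import policy

# Content types from RFC 3851 (S/MIME) and RFC 3156 (PGP/MIME); the x-
# forms are legacy names that older clients still emit.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIGNATURE = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def classify(raw: bytes) -> str:
    """Return the protection kind of a raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    proto = str(msg.get_param("protocol") or "").lower()
    if ctype in PKCS7_MIME:
        # smime-type tells enveloped (encrypted) data from opaque-signed data.
        stype = str(msg.get_param("smime-type") or "").lower()
        if stype == "enveloped-data":
            return "smime-encrypted"
        if stype == "signed-data":
            return "smime-signed-opaque"
        # certs-only, compressed-data, or a missing parameter: treat as opaque.
        return "smime-other"
    if ctype == "multipart/signed":
        if proto in PKCS7_SIGNATURE:
            return "smime-signed-detached"
        if proto == "application/pgp-signature":
            return "pgp-signed"
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "pgp-encrypted"
    return "clear"


def triage(raw: bytes) -> dict:
    """Classify a message and state what the archive can do with it.

    needs_private_key: the body cannot be read, indexed, or policy-checked
        without the recipient's private key (so the PKI must escrow it).
    plaintext_visible: the body is present in the clear and can be inspected
        without any key material (a detached signature leaves it readable).
    """
    kind = classify(raw)
    return {
        "kind": kind,
        "needs_private_key": kind in ("smime-encrypted", "pgp-encrypted"),
        "plaintext_visible": kind in ("clear", "smime-signed-detached", "pgp-signed"),
    }


def _sample(content_type: str, body: str) -> bytes:
    """Build a minimal constructed message with the given Content-Type."""
    return (
        "From: alice@example.com\r\nTo: bob@example.com\r\nSubject: test\r\n"
        f"MIME-Version: 1.0\r\nContent-Type: {content_type}\r\n\r\n{body}"
    ).encode("ascii")


# Constructed samples (placeholder bodies, not real CMS or PGP blobs).
ENVELOPED = _sample('application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"', "AAAA\r\n")
OPAQUE_SIGNED = _sample('application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"', "AAAA\r\n")
DETACHED_SIGNED = _sample(
    'multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b"',
    "--b\r\nContent-Type: text/plain\r\n\r\nhello\r\n--b\r\n"
    "Content-Type: application/pkcs7-signature\r\n\r\nAAAA\r\n--b--\r\n",
)
PGP_ENCRYPTED = _sample(
    'multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"',
    "--b\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n--b\r\n"
    "Content-Type: application/octet-stream\r\n\r\nAAAA\r\n--b--\r\n",
)
CLEAR = _sample("text/plain; charset=us-ascii", "hello\r\n")

if __name__ == "__main__":
    for name, raw in [("enveloped", ENVELOPED), ("opaque-signed", OPAQUE_SIGNED),
                      ("detached-signed", DETACHED_SIGNED), ("pgp", PGP_ENCRYPTED),
                      ("clear", CLEAR)]:
        print(f"{name:16} {triage(raw)}")
```

The conservative default matters: anything under application/pkcs7-mime whose smime-type is missing or unexpected is reported as opaque rather than clear, so a policy engine fails closed and routes the message to the key-escrow path instead of silently skipping inspection.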

Transport encryption. Transport encryption, on the other hand, is easy with Exchange and Windows and tends to mesh well with any third-party components of your DCAR solution. Exchange 2000 and later natively support Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for a variety of protocols (SMTP via STARTTLS, as well as POP3, IMAP4, and HTTP), and Windows 2000 and later provide built-in IPsec functionality. Keep in mind that STARTTLS is opportunistic by default: a sending server that is willing to fall back to clear text, or that doesn't verify the receiving server's certificate, gains no protection against an active attacker, so for partner domains whose mail must be protected, require TLS on the SMTP connector that serves them rather than merely allowing it. Don't rely on MAPI encryption to protect connections between Outlook and Exchange; either deploy IPsec policies or upgrade to Microsoft Office Outlook 2003 and Exchange 2003 so that you can use RPC over HTTPS, which tunnels the MAPI RPC traffic inside an HTTPS session that TLS protects.
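The eavesdropping question above is easiest to answer empirically. The following Python script is an added example (not from the article) that connects to an SMTP peer, checks whether it advertises STARTTLS, and then upgrades the session under a context that requires a verifiable certificate and TLS 1.2 or later; a peer that passes only the first check is still exposed to an active attacker. The host name in the usage call is an assumption; the parsing and policy functions can be exercised offline.

```python
"""Probe an SMTP peer for STARTTLS and verifiable TLS.  Added example,
not from the article.  The host name used at the bottom is an assumption."""
import smtplib
import ssl


def advertised_extensions(ehlo_reply) -> set:
    """Parse an EHLO reply into the set of advertised ESMTP keywords.

    Accepts either the raw multi-line reply ('250-host', '250 SIZE ...') or
    the text smtplib.SMTP.ehlo() returns, where the codes are already gone.
    The first line is the server's own name and is not a keyword.
    """
    text = ehlo_reply.decode("ascii", "replace") if isinstance(ehlo_reply, bytes) else ehlo_reply
    keywords = set()
    for index, line in enumerate(text.splitlines()):
        if line[:3] == "250" and line[3:4] in ("-", " "):
            line = line[4:]
        line = line.strip()
        if index == 0 or not line:
            continue
        keywords.add(line.split()[0].upper())
    return keywords


def strict_tls_context() -> ssl.SSLContext:
    """A context that rejects unverifiable peers and pre-1.2 protocol versions."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED plus host-name check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context verifies the peer and refuses old protocol versions."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def verdict(extensions: set, tls_verified: bool) -> str:
    """Summarise what the transport link offers an eavesdropper."""
    if "STARTTLS" not in extensions:
        return "cleartext-only"          # passive eavesdropping is trivial
    # Unverified TLS stops passive sniffing but not an active man-in-the-middle.
    return "tls-verified" if tls_verified else "tls-unverified"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, read EHLO, and attempt STARTTLS under the strict context."""
    result = {"host": host, "extensions": set(), "tls_verified": False, "peer_subject": None}
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        code, reply = smtp.ehlo()
        if code == 250:
            result["extensions"] = advertised_extensions(reply)
        if "STARTTLS" in result["extensions"]:
            try:
                smtp.starttls(context=strict_tls_context())
                smtp.ehlo()                  # capabilities must be re-read after the upgrade
                result["tls_verified"] = True
                result["peer_subject"] = smtp.sock.getpeercert().get("subject")
            except (ssl.SSLError, smtplib.SMTPException) as exc:
                result["error"] = str(exc)   # e.g. self-signed or mismatched certificate
    finally:
        smtp.close()
    result["verdict"] = verdict(result["extensions"], result["tls_verified"])
    return result


if __name__ == "__main__":
    # Assumed partner MX; replace with the host you are auditing.
    print(probe("mail.partner.example"))
```

A "tls-unverified" result usually means a self-signed or internally issued certificate on the peer; that is fine for opportunistic encryption between strangers but not for a connector on which you have required TLS, because a connector that accepts any certificate can be redirected to an attacker's server just as easily as a clear-text one.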

In my experience, Microsoft Internet Security and Acceleration (ISA) Server 2004 is one of the best investments you can make to help provide a higher level of message security between the Internet and your Exchange organization. Placing an ISA server in your demilitarized zone (DMZ) means never having to expose your Exchange servers directly to incoming Internet traffic and greatly simplifies your firewall configuration. ISA also permits SSL bridging for the Web services you publish (OWA, RPC over HTTPS, Exchange ActiveSync): the ISA server terminates the client's HTTPS session, inspects and filters the HTTP traffic, and opens a fresh SSL session to the front-end server, so every connection still has transport encryption. Inbound SMTP is published separately through ISA's SMTP application filter, which inspects commands in the clear; it can't see inside a session that has already negotiated STARTTLS, so for any given hop you must choose between inspection at the edge and TLS that runs all the way from the sending server.

Related Technologies
A variety of other Exchange technologies and features aren't directly related to DCAR but still provide useful hooks into your Exchange organization or make deployment and troubleshooting easier:

  • Event sinks—Exchange event sinks provide a powerful mechanism for extending Exchange functionality. Many DCAR components use this feature to plug into your Exchange servers and intercept email messages before they're passed to internal Exchange components. Common uses include alternative journaling implementations, content inspection, and disclaimer injection. Because a sink runs inside the transport or store process and sees every message, treat sink code as trusted code: control who can register sinks and review what third-party products install.
  • Protocol logs—Although protocol logs are disabled by default, you can easily turn on Exchange's protocol-level logging on a per–virtual-server basis from the virtual server's properties in Exchange System Manager. These logs record every command and response that passes through that virtual server, letting you track down problems or perform spot audits, for example to confirm that a partner's servers actually negotiate TLS before transferring mail. The logs contain sender and recipient addresses, so treat them as sensitive data and retain them under your records policy.
  • Message tracking—Exchange's message-tracking feature is disabled by default. When enabled on all your Exchange servers, message tracking lets you quickly trace the passage of email messages through your organization. Enabling message tracking adds a small amount of overhead, but the ability to find out where an email message went astray more than makes up for it, especially if you need to troubleshoot your DCAR implementation.
  • Message hygiene—Exchange 2003, in particular, includes impressive antispam features (connection, sender, and recipient filtering, plus the Intelligent Message Filter) that can help you reduce the level of junk that makes it into your organization. The reduction in spam in turn reduces the load on your retention, archiving, and compliance components. Exchange also provides the Virus Scanning API (VSAPI), which lets antivirus products scan messages in the store and in transport to stop worms, viruses, and Trojan horses.
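The spot audit mentioned under protocol logs can be automated. Here is an added Python example (not from the article) that reads an SMTP virtual-server protocol log in W3C extended format, reconstructs sessions per client IP from the EHLO/HELO and QUIT commands, and reports clients that issued MAIL without first completing STARTTLS. The log excerpt is constructed for illustration and the particular set of logged fields is an assumption; because the parser takes its column layout from the log's own #Fields directive, it works with whatever fields the virtual server is configured to write, as long as c-ip, cs-method, and sc-status are among them.

```python
"""Audit an SMTP protocol log (W3C extended format) for mail transferred
without STARTTLS.  Added example, not from the article; the log below is
constructed and its field selection is an assumption."""

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-12-20 10:15:00
#Fields: date time c-ip cs-username s-computername cs-method cs-uri-query sc-status
2006-12-20 10:15:02 192.0.2.10 partner.example.net EXCH01 EHLO +partner.example.net 250
2006-12-20 10:15:02 192.0.2.10 partner.example.net EXCH01 STARTTLS - 220
2006-12-20 10:15:03 192.0.2.10 partner.example.net EXCH01 EHLO +partner.example.net 250
2006-12-20 10:15:03 192.0.2.10 partner.example.net EXCH01 MAIL +FROM:<a@partner.example.net> 250
2006-12-20 10:15:03 192.0.2.10 partner.example.net EXCH01 RCPT +TO:<u@contoso.example> 250
2006-12-20 10:15:04 192.0.2.10 partner.example.net EXCH01 DATA +<id1@partner.example.net> 250
2006-12-20 10:15:04 192.0.2.10 partner.example.net EXCH01 QUIT partner.example.net 221
2006-12-20 10:16:10 198.51.100.7 mx.other.example EXCH01 EHLO +mx.other.example 250
2006-12-20 10:16:10 198.51.100.7 mx.other.example EXCH01 MAIL +FROM:<b@other.example> 250
2006-12-20 10:16:11 198.51.100.7 mx.other.example EXCH01 RCPT +TO:<u@contoso.example> 250
2006-12-20 10:16:11 198.51.100.7 mx.other.example EXCH01 DATA +<id2@other.example> 250
2006-12-20 10:16:12 198.51.100.7 mx.other.example EXCH01 QUIT mx.other.example 221
2006-12-20 10:17:00 203.0.113.9 scanner.example EXCH01 EHLO +scanner.example 250
2006-12-20 10:17:00 203.0.113.9 scanner.example EXCH01 STARTTLS - 454
2006-12-20 10:17:01 203.0.113.9 scanner.example EXCH01 MAIL +FROM:<c@scanner.example> 250
"""


def parse_w3c(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()   # layout may change mid-file
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def audit_sessions(entries) -> list:
    """Group commands into sessions per client IP and record whether a
    successful STARTTLS (220) preceded each accepted MAIL command."""
    open_sessions = {}
    finished = []
    for entry in entries:
        ip = entry["c-ip"]
        verb = entry["cs-method"].upper()
        status = entry["sc-status"]
        if verb in ("EHLO", "HELO"):
            # A second EHLO inside a session is the mandatory re-greeting after STARTTLS.
            open_sessions.setdefault(ip, {
                "client": ip, "start": f"{entry['date']} {entry['time']}",
                "tls": False, "mail": 0, "clear_mail": 0})
            continue
        session = open_sessions.get(ip)
        if session is None:
            continue                        # response-only or stray line
        if verb == "STARTTLS" and status == "220":
            session["tls"] = True
        elif verb == "MAIL" and status == "250":
            session["mail"] += 1
            if not session["tls"]:
                session["clear_mail"] += 1
        elif verb == "QUIT":
            finished.append(open_sessions.pop(ip))
    finished.extend(open_sessions.values())    # sessions that never sent QUIT
    return finished


def cleartext_senders(log_text: str) -> list:
    """Client IPs that handed over at least one message without TLS."""
    sessions = audit_sessions(parse_w3c(log_text))
    return sorted({s["client"] for s in sessions if s["clear_mail"]})


if __name__ == "__main__":
    for s in audit_sessions(parse_w3c(SAMPLE_LOG)):
        print(s)
    print("clear-text senders:", cleartext_senders(SAMPLE_LOG))
```

The third constructed session shows the failure mode worth catching: the client asked for STARTTLS, received 454, and then sent mail in the clear anyway. Grouping by client IP is a simplification of the W3C format, which carries no session identifier; a busy partner that opens several concurrent connections from one address will have them merged, so treat a reported clear-text sender as a lead to confirm against the connector's TLS requirement rather than as proof on its own.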

Completing the Solution
As you've seen, you can use Exchange's built-in journaling, along with Exchange 2003's support for VSS and message and transport encryption plus related features such as message tracking, as the foundation of your Exchange recovery and compliance solution. However, Exchange doesn't provide certain other essential DCAR functions, such as archiving and PST management. To complete your Exchange DCAR solution, you'll want to look into third-party products that can provide these capabilities.

EXCHANGE COMPLIANCE RESOURCES

E-discovery and compliance:
“Build an Email-Discovery Plan,” InstantDoc ID 49896
“Regulatory Compliance,” InstantDoc ID 46946
“Email Compliance Requirements: Getting Started” and “Preventing the IT Search Party: Be Prepared for E-Discovery,” on-demand Web seminars, http://www.windowsitpro.com/events

Exchange backup and recovery:
“6 Common Backup and Restore Mistakes,” InstantDoc ID 49828
“Best Practices for Recovery Storage Groups and Exchange Server 2003,” InstantDoc ID 48878
“How can I back up my Microsoft Exchange Server storage groups and databases?” InstantDoc ID 41820
“Exchange Server 2003 data backup and Volume Shadow Copy Service,” http://support.microsoft.com/?kbid=822896
Microsoft's in-house Exchange 2003 backup strategy: “Backup Process Used with Clustered Exchange Server 2003 Servers at Microsoft,” http://www.microsoft.com/technet/itsolutions/msit/operations/exchbkup.mspx

Exchange journaling:
“An Exchange 2003 Journaling Primer,” InstantDoc ID 45348
“Exchange 2003 Advanced Journaling,” InstantDoc ID 45644
“What message journaling options does Microsoft Exchange Server 2003 support?” InstantDoc ID 93060
“Troubleshooting message journaling in Exchange Server 2003 and Exchange 2000 Server,” http://support.microsoft.com/?kbid=843105

Exchange's built-in antispam features:
“Get the Most from Exchange Antispam,” InstantDoc ID 93520

Exchange security:
“Messaging Security,” InstantDoc ID 93965
“Secure Email with S/MIME,” InstantDoc ID 49878

This article is adapted from Email Discovery and Compliance, Chapter 5: Implementation, Part 2—Hardware and Software (Windows IT Pro eBooks, 2006).
