Indexing content is only half the battle; you also need a client tool that can use the index. Outlook 2000 automatically uses the full-text index (if it's available) for a target store. The difference in responsiveness between an unindexed folder and an Exchange 2000 indexed folder is impressive: Searches that take many minutes without an index take only a few seconds after Exchange 2000 has created the index. Figure 6, page 150, shows Outlook 2000's Advanced Find option, which you can use to search a public folder's contents, including attachments such as Microsoft PowerPoint presentations and Excel worksheets.
Granular access to email content. The moment a user sends a message, it leaves the user's control. Regardless of the original sender's intentions, recipients can forward, post, alter, print, or copy the message. Users can attempt to recall messages, but recall works only if a recipient is in your Exchange Server organization and hasn't already read the message.
Deploying Advanced Security to enable message encryption and electronic signatures is a good way to ensure that only the intended recipients can see message content. However, you must expend substantial effort to set up a Certificate Authority (CA), issue certificates to users, and manage certificate revocation lists (CRLs) and certificate expiry lists. Encryption between email systems requires additional effort. (Exchange 2000's Advanced Security subsystem integrates with the Windows 2000 Certificate Server and offers better interoperability with other CAs that issue X.509 version 3 certificates.) You must also train users to encrypt and decrypt messages, apply digital signatures, and handle certificates they receive from other users—especially external correspondents. (For more information about certificates and encryption, see Jan De Clerq, "Advanced Security in Exchange 2000, Part 1,".)
Virus scanning. If you don't realize the need for good virus protection, you're a fool. The Melissa, Worm.ExploreZip, and VBS.LoveLetter viruses underscore the importance of running good virus-scanning software at multiple levels within your messaging infrastructure. Products are available to protect desktops, the backbone (including the entry point for messages from the Internet), the stores, or servers. Don't rely on
protection at only one of these levels. Desktop scanners can stop viruses on 3.5" disks but might not stop a .vbs file such as the one the VBS.LoveLetter worm uses. Scanners running on your backbone should stop most viruses, but the virus-pattern file might be slightly out-of-date and might fail to recognize new viruses. Store or server scanners examine each message as it arrives into Exchange Server, but these scanners suffer from the same shortcoming as backbone scanners. Protecting all these levels gives you a better chance of resisting a virus attack.
Creating a Document-Management Policy
I've observed that most systems administrators and designers don't realize that document retention and management policies cover so much ground. After all, systems administrators aim to provide highly available messaging services—a big job that doesn't leave much time to think about better control, until you run into a problem.
Exchange 2000 adds features (e.g., mailbox retention, integrated full-text indexing, less reason to depend on PSTs, easier-to-manage Advanced Security options, a finer degree of control over large messages) that can help you implement a good document-management policy using only out-of-the-box software. However, you need to invest in additional software to achieve a finer degree of control than these tools can provide. You can divide these important add-on products into four categories: archiving, content checking, virus scanning, and granular access to message content.
Archiving. Archival software, such as kVault Software's (KVS's) Enterprise Vault, places messages in a permanent archive, often under the control of an HSM system. You can apply policies to state exceptions (e.g., don't remove items stored in any folder labeled Important) and to determine when to remove messages (e.g., never process the CEO's mailbox). Often, the software replaces an archived message with a small text file that informs the user that the message is now offline and under the control of the archival system and that gives instructions for retrieving the message. Microsoft Consulting Services' Enterprise Archive Agent utility for Exchange Server might be enough for your purpose, although it doesn't offer as many features as a true archival or HSM package.
Content checking. Software packages such as Content Technologies' MIMESweeper scan messages for appropriate content as the messages pass across the messaging backbone. This technology isn't specific to Exchange Server and often uses an examination of SMTP/MIME content.
Virus checking. As I noted earlier, you need to operate virus-checking software at multiple levels to attain maximum protection. For Exchange Server, two families of virus scanners are available: Messaging API (MAPI)-based and Extensible Storage Engine (ESE)-based. The former is an older implementation; the latter has been available only since 1999. Trend Micro's ScanMail and Sybari's Antigen are the best examples of these two scanner types.
Granular access. Granular access to message content lets users control sent messages after receipt. For example, users can specify that a recipient can't forward or print a message or can't copy message text into another file. Users can set messages to be unavailable offline so that recipients can download messages into a PST or offline store (OST) and view messages only when the recipients are connected to the server. Users can time-out messages so that recipients can view content only if they open messages within a preset time. Authentica's MailVault offers this type of Exchange Server support through an Outlook plugin. Some companies use this technology to exchange highly sensitive commercial information between predetermined users. These products are still fairly new but mark a trend that reflects a desire for greater control over sent messages.
Keep Looking
The products I mentioned are only a few of the available alternatives; I recommend that you search the Web or attend product demonstrations at events such as Microsoft TechEd or the Microsoft Exchange Conference. And ask vendors about their plans to upgrade and support Exchange 2000; you want to be able to deploy the product with Exchange 2000 when you migrate.
To define a practical and acceptable corporate document-management policy, you need to work with many people, including senior management and possibly legal advisors. To participate in developing a suitable plan, familiarize yourself with the different ways you can control information in Exchange Server. Follow through by setting mailbox quotas and implementing appropriate tools, such as journaling or content scanners. Invest in add-on products to fine-tune control, and investigate Exchange 2000 features that you might use now or in the future.