Email isn't just a way to send messages; it has emerged as a critical business tool for day-to-day operations. We rely on email to exchange contracts, resolve problems, and make decisions among all levels of an organization. A good deal of email that travels into and out of an enterprise contains confidential information that must be protected against loss, theft or accidental disclosure. Given the many legal and strategic business issues involved in message security, organizations rely on the security features of Exchange Server 2010.
The reality of email message security
Email messages require protection because they may be the only tangible record of agreements, decisions, comments, instructions and other forms of business communication. This puts an important focus on internal business security. In addition, email is legitimate evidence in the event of legal action and subject to discovery; failing to protect it can be more costly than losing a lawsuit, so there's also a strong push to meet compliance requirements for message retention.
"Firms should focus equally on compliance security as well as physical or logical [internal] security," said Andy Grogan, Exchange Server MVP and head of IT for U.K.-based Hounslow Homes.
There are three key aspects to email security: confidentiality, integrity and availability, which is often referred to as the "CIA triad." Confidentiality ensures that messages are available only to intended recipients; integrity means that the messages are not altered; availability guarantees that messages remain accessible over the appropriate retention period.
Exchange 2010 security tactics
Exchange Server 2010 includes a number of features designed to help organizations secure email message traffic. Perhaps the most notable change is that, by default, Microsoft disabled end-to-end encryption between internal users (within the organization itself).
"If you wish to employ wider email encryption [between two different organizations], you will need to use a third-party product such as Message Labs or Iron Port," Grogan said, noting additional support for transport layer security (TLS) on SMTP channels as well as Secure MIME.
Comprehensive control plays a huge role in message security, which is why Exchange Server 2010 includes role-based access control administrative capabilities. RBAC helps to streamline Exchange management and minimizes mistakes that could otherwise expose the Exchange platform to vulnerabilities.
Close integration with Active Directory rights management enhances control over marked messages within the Exchange system. Exchange 2010 also incorporates personal archiving and retention controls, allowing administrators to archive mail based on business rules (such as legal hold) or search across multiple mailboxes for discovery and retrieval.
Other noteworthy features include Information Rights Management (IRM) and transport rules that impose a level of control over the information that's exchanged. For example, messages can be checked and approved before they are sent in order to ensure that there is no inappropriate or confidential information.
These new features, however, can present challenges for administrators. "A lot of people don't really understand [new features] yet, and there are also some shortcomings," said Mike Crowley, enterprise infrastructure architect for Planet Technologies, Inc., headquartered in Germantown, Md. "They're not as amazing as they might seem on the surface."
Managing Exchange Server 2010 security
Generally speaking, the basic security features of Exchange Server 2010 can be managed using Exchange Management Console GUI; however, more complex configuration options (such as IRM) may need to be managed through the Exchange Management Shell. Crowley notes that it's possible to generate security certificates through the Management Console; this capability didn’t exist in previous versions of Exchange.
Many security options are enabled by default, so less setup is needed for Exchange 2010. But it's still extremely important to apply best practices to secure email, as weak or careless configurations can expose the system and leave a company vulnerable. Configuration mistakes can include improperly setting up mailbox rights (at the administrative and user level), skipping or omitting recommended security patches, allowing poor password policies (at the Active Directory and local levels), insufficient administrative and end-user training and shoddy physical security -- unlocked consoles and unauthorized access to the physical Exchange servers.
Administrators that rush to enable Exchange may opt to disable important security features like encryption because it’s the fastest way to get the server up and running, but it's also a certain path to security problems down the road.
"Try and understand encryption before you turn it off," Crowley said. Exchange Server 2010 can encrypt messages that travel within the organization, but you’ll likely have to adopt a third-party encryption product like [Symantec’s] PGP (Pretty Good Privacy) to encrypt messages that travel outside the organization.
Manage Exchange servers and people
Don’t underestimate the importance of training administrators on Exchange security. Properly configuring an Exchange server is only the beginning. Administrators need to focus on regular activity monitoring and event logs as well as recognizing the broader relationship between AD and Exchange.
"I remember being called into one environment that I was told was bulletproof, Grogan said. "It took me 10 seconds to access all the mail on the server via the IFS drive, which had been re-enabled and had full admin rights assigned to the content at store level."
Fortunately, a great deal of expertise can be cultivated without formal classroom instruction, though it usually involves mentoring less-experienced administrators. You'll also want to spend some quality time in the organization's test facilities, replicating the current setup and evaluating behaviors that result from various configurations.