Exchange Server 2010 : Components of a Secure Messaging Environment (part 2)

3/25/2011 6:38:33 PM

Establishing a Corporate Email Policy

Not all misuse of organizational email systems comes from external sources. Employees improperly utilizing a messaging system can put a company at risk as well, either by overloading the system, passing confidential data to nonauthorized personnel, or passing material that is offensive in nature, potentially exposing the organization to lawsuits from other personnel.

Established and documented corporate email policies are used to govern and enforce the appropriate use of the messaging environment. However, like most security policies, they cannot be effective if they are not created, approved, implemented, and communicated to the user community.

Note

Corporate email policies not only define how the system can and should be used; they also limit an organization’s liability in the event of misuse.


The following are possible considerations and guidelines to include in the corporate email policy:

  • Personal usage— The policy should state whether emails of a personal nature are accepted and, if so, to what extent. Some companies place a limit on the number of personal emails that can be sent each day. Others require personal emails to be stored in a separate folder within the email system. Most companies allow the sending and receiving of personal emails because this is often less time consuming than requiring employees to access external mail sources for personal communications.

  • Expectation of privacy— A corporate email policy should plainly state that the messages contained within the system are the property of the organization, and that no expectation of privacy is implied. Email records can be subpoenaed, mailboxes can be reviewed for appropriate use, or data can be retrieved in the event of the termination of someone’s employment. By setting the expectation up front, you can make it clear to your users that the email system is a tool for their use, but the messages contained do not belong to them. Note that this type of policy might not be applicable or legal in certain European countries, as privacy laws vary from location to location.

  • Email monitoring— If the organization monitors the content of its employees’ emails, this should be stated in the email policy. Most countries and states allow the monitoring of corporate email by authorized individuals, as long as the employee has been made aware of the policy.

  • Prohibited content— The policy should state that the email system is not to be used for the distribution of offensive or disruptive messages. This includes messages containing inappropriate content such as comments about race, religion, gender, or sexual orientation. The policy should also clearly state that pornographic pictures or emails with sexual content will not be tolerated, as these items are commonly the cause of offense between employees. The policy should mandate that employees receiving any such materials should report them to their supervisor or another appropriate entity for review immediately.

  • Confidential data— Employees should not use the messaging system to discuss sensitive matter, such as potential acquisitions or mergers. Corporate secrets or other proprietary data should not be sent either, as an inadvertent forward could allow the sensitive data to pass to inappropriate personnel.

  • Email retention policies— Many organizations, especially government, health-care, and financial institutions, are required by law to meet or exceed certain email retention policies. These policies should be clearly stated and meticulously enforced. Allowances should be made for employees to save messages of a critical nature—often companies allow them to be saved in separate folders to avoid automatic deletion.

  • Point of contact— The email policy should clearly state where employees can go to have any questions about the corporate email policy answered.

Bear in mind, a corporate email policy that is unknown to the user community is not an effective one. The policy should be distributed to the users in a variety of ways, such as posting on an intranet site, in employee handbooks, on break room bulletin boards, or in company newsletters.

Securing Exchange Server 2010 through Administrative Policies

Whereas a corporate email policy specifically governs the use of the messaging system for users, administrative policies govern the operation and usage of the messaging system in general. Many best practices have been worked out over the years, some of which are as follows:

  • Administrative and operator accounts should not have mailboxes— Many viruses and email worms rely on the permissions of the authenticated user to perform. If the user opening the message has administrative access to the computer, there is a much greater potential for danger.

  • Grant permissions to groups rather than users— By granting permissions to groups, rather than users, you can quickly grant or deny access to a wide range of resources with one change. For example, if your Human Resources department has hundreds of files, in dozens of directories throughout your network, you would have to add (or remove) an individual from the permissions from each of these folders when they join or depart the team. However, by granting the permissions instead to an HR group, and then giving the group permissions, you can now modify access simply by adding the user to, or removing them from, the group.

  • Require complex (strong) passwords for all users— If left to their own devices, many users select passwords that are easy for them to remember. However, this behavior results in passwords that are also very easy for malicious users to crack. By requiring complex passwords, consisting of upper- and lowercase letters, numbers, and special characters, the likelihood of a breach of security is greatly reduced.

  • Require Secure Sockets Layer (SSL) for HTTP, POP3, IMAP4, and Outlook Anywhere clients— SSL encryption protects confidential or personal information while it is in transit between a client and a server. The SSL protocol uses a combination of public-key and symmetric-key encryption: symmetric-key encryption is much faster than public-key encryption, whereas public-key encryption provides better authentication techniques. The certificates can be issued by an internal Certificate Authority or purchased from a third-party CA.

  • Set policies globally when possible— Rather than setting policies for individual users or groups, companywide policies should be set, whenever possible, at a global level to ensure compliance.

Securing Groups

An important step in securing your messaging environment is to secure distribution and mail-enabled security groups. For instance, CompanyABC is a medium-sized company with 1,000 users. To facilitate companywide notifications, the HR department created a distribution group called “All Employees,” which contains all 1,000 employees. By default, there are no message restrictions for new groups, meaning that anyone can send to this list. If CompanyABC has an Internet Mail SMTP Connector, this group will also have an SMTP address.

Consider what would happen if a new user sent an email to “All Employees” advertising a car for sale. Let’s take it one step further and imagine that the user sent it with a read receipt and delivery notification requested. Thousands of messages can now be generated from this one mistake and could negatively impact server performance.

Often, intentions are not as innocent as a new user simply making a mistake. Sending repeated email messages to mail-enabled groups with large memberships is sometimes used in an attempted denial of service (DoS) attack. The attacker sends an SMTP message to the “All Employees” group with a delivery notification receipt requested and spoofs the “Return to” address with the same SMTP address used for the distribution group. So, 1,000 messages are sent, and 1,000 delivery notifications are returned, each of which is then sent to all 1,000 users in the group. From this one spoofed message, the net effect is (1 + 1,000) + (1,000 × 1,000) = 1,001,001 messages. By spoofing the distribution list and including a delivery notification receipt, this single email results in more than 1 million messages processed by the system.

Fortunately, for this easy problem, there is an even easier solution. Exchange Server 2010 allows you to configure message restrictions on your distribution groups.

To secure a distribution group so that only authenticated users can use it, do the following:

1. Open the Exchange Management Console.

2. In the console tree, under Recipient Configuration, click Distribution Group.

3. In the results pane, select the distribution group you want to modify, and then click Properties.

4. On the Mail Flow Settings tab, highlight Message Delivery Restrictions, and click Properties.

5. Ensure there is a check in the Require That All Senders Are Authenticated check box, as shown in Figure 2.

Figure 2. Restricting the ability to deliver to a distribution group.

6. Click OK when finished, and then click OK again to exit the configuration screen.

In addition, an administrator can further restrict the usage of this distribution group by allowing only a specific individual or security group to use it.

To restrict access to the distribution group to a specific user or group, do the following:

1. Open the Exchange Management Console.

2. In the console tree, under Recipient Configuration, click Distribution Group.

3. In the results pane, select the distribution group you want to modify, and then click Properties.

4. On the Mail Flow Settings tab, highlight Message Delivery Restrictions, and click Properties.

5. Under Accept Messages From, select the Only Senders in the Following List option button.

6. Click Add, and select the users or groups that are to have permission to send to the distribution group.

7. Click OK when finished, and then click OK again to exit the configuration screen.

An additional option allows you to configure the distribution list to reject messages from an individual or from members of a group. This setting is also configured using the Message Delivery Restrictions page.
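The same three restrictions (require authenticated senders, accept only from a list, reject from a list) can be applied from the Exchange Management Shell, which is useful when many groups need the same treatment. The following is an added example and is not code from the book; it uses the “All Employees” group from the scenario above, while the “HR Announcers” and “Contractors” security groups are assumed placeholders. The closing query is a defender's check that lists every distribution group still accepting unauthenticated senders.

```powershell
# Added example (not from the book): harden a distribution group from the
# Exchange Management Shell instead of the console. "All Employees" is the
# group from the scenario; the other group names are constructed placeholders.

$GroupName = "All Employees"

# 1. Require that all senders are authenticated. This is the shell equivalent
#    of the "Require That All Senders Are Authenticated" check box and stops
#    anonymous SMTP submissions to the list.
Set-DistributionGroup -Identity $GroupName -RequireSenderAuthenticationEnabled $true

# 2. Optionally allow only a specific user or group to send to the list.
#    "HR Announcers" is an assumed mail-enabled security group.
Set-DistributionGroup -Identity $GroupName `
    -AcceptMessagesOnlyFromSendersOrMembers "HR Announcers"

# 3. Optionally reject messages from a specific user or group as well.
#    "Contractors" is an assumed mail-enabled security group.
Set-DistributionGroup -Identity $GroupName `
    -RejectMessagesFromSendersOrMembers "Contractors"

# Verify the restrictions that now apply to the group.
Get-DistributionGroup -Identity $GroupName |
    Format-List Name, RequireSenderAuthenticationEnabled,
                AcceptMessagesOnlyFromSendersOrMembers,
                RejectMessagesFromSendersOrMembers

# Audit: list every distribution group in the organization that still accepts
# unauthenticated senders, so large lists reachable from the Internet can be
# found and restricted.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled |
    Sort-Object Name
```

Note that passing a plain value to -AcceptMessagesOnlyFromSendersOrMembers or -RejectMessagesFromSendersOrMembers replaces the existing list; to add an entry without removing the others, use the @{Add="Name"} syntax instead.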
