Establishing a Corporate Email Policy
Not all misuse of
organizational email systems comes from external sources. Employees
improperly utilizing a messaging system can put a company at risk as
well, either by overloading the system, passing confidential data to
nonauthorized personnel, or passing material that is offensive in
nature, potentially exposing the organization to lawsuits from other
personnel.
Established and
documented corporate email policies are used to govern and enforce the
appropriate use of the messaging environment. However, like most
security policies, they cannot be effective if they are not created,
approved, implemented, and communicated to the user community.
Note
Corporate email
policies not only define how the system can and should be used; they
also limit an organization’s liability in the event of misuse.
The following are possible considerations and guidelines to include in the corporate email policy:
Personal usage—
The policy should state whether emails of a personal nature are
accepted and, if so, to what extent. Some companies place a limit on the
number of personal emails that can be sent each day. Others require
personal emails to be stored in a separate folder within the email
system. Most companies allow the sending and receiving of personal
emails because this is often less time consuming than requiring
employees to access external mail sources for personal communications.
Expectation of privacy—
A corporate email policy should plainly state that the messages
contained within the system are the property of the organization, and
that no expectation of privacy is implied. Email records can be
subpoenaed, mailboxes can be reviewed for appropriate use, or data can
be retrieved in the event of the termination of someone’s employment. By
setting the expectation up front, you can make it clear to your users
that the email system is a tool for their use, but the messages
contained do not belong to them. Note that this type of policy might not
be applicable or legal in certain European countries, as privacy laws
vary from location to location.
Email monitoring—
If the organization monitors the content of its employees’ emails, this
should be stated in the email policy. Many jurisdictions allow
the monitoring of corporate email by authorized individuals, as long as
the employee has been made aware of the policy, but the rules differ from
country to country and state to state, so confirm the local requirements
before monitoring begins.
Prohibited content— The
policy should state that the email system is not to be used for the
distribution of offensive or disruptive messages. This includes messages
containing inappropriate content such as comments about race, religion,
gender, or sexual orientation. The policy should also clearly state
that pornographic pictures or emails with sexual content will not be
tolerated, as these items are commonly the cause of offense between
employees. The policy should mandate that employees receiving any such
materials should report them to their supervisor or another appropriate
entity for review immediately.
Confidential data—
Employees should not use the messaging system to discuss sensitive
matters, such as potential acquisitions or mergers. Corporate secrets or
other proprietary data should not be sent either, as an inadvertent
forward could allow the sensitive data to pass to inappropriate
personnel.
Email retention policies—
Many organizations, especially government, health-care, and financial
institutions, are required by law to meet or exceed certain email
retention policies. These policies should be clearly stated and
meticulously enforced. Allowances should be made for employees to save
messages of a critical nature—often companies allow them to be saved in
separate folders to avoid automatic deletion.
Point of contact— The email policy should clearly state where employees can go to have any questions about the corporate email policy answered.
Bear in mind, a
corporate email policy that is unknown to the user community is not an
effective one. The policy should be distributed to the users in a
variety of ways, such as posting on an intranet site, in employee
handbooks, on break room bulletin boards, or in company newsletters.
Securing Exchange Server 2010 through Administrative Policies
Whereas a corporate email
policy specifically governs the use of the messaging system for users,
administrative policies govern the operation and usage of the messaging
system in general. Many best practices have been worked out over the
years, some of which are as follows:
Administrative and operator accounts should not have mailboxes—
Many viruses and email worms run with the permissions of the
authenticated user who opens the message. If that user has
administrative access to the computer (or to the Exchange organization),
the malicious code inherits those rights and the potential for damage is
much greater. Give administrators a separate, unprivileged account for
day-to-day email.
Grant permissions to groups rather than users—
By granting permissions to groups, rather than users, you can quickly
grant or deny access to a wide range of resources with one change. For
example, if your Human Resources department has hundreds of files, in
dozens of directories throughout your network, you would have to add (or
remove) an individual in the permissions of each of these folders when
they join or depart the team. If instead you grant the permissions to an
HR group, you can modify access simply by adding the user to, or
removing them from, the group.
Require complex (strong) passwords for all users— If
left to their own devices, many users select passwords that are easy
for them to remember. However, this behavior results in passwords that
are also very easy for malicious users to crack. By requiring complex
passwords, consisting of upper- and lowercase letters, numbers, and
special characters, the likelihood of a breach of security is greatly
reduced.
Require Secure Sockets Layer (SSL) for HTTP, POP3, IMAP4, and Outlook Anywhere clients—
SSL (in practice its successor, TLS) encrypts the confidential or
personal information sent between a client and a server. The protocol
combines public-key and symmetric-key cryptography: the public-key
operations authenticate the server through its certificate and establish
the session key, and the much faster symmetric cipher protects the bulk
of the traffic. An internal Certificate Authority can issue these
certificates if every client trusts its root; otherwise, purchase them
from a third-party CA.
Set policies globally when possible—
Rather than setting policies for individual users or groups,
companywide policies should be set, whenever possible, at a global level
to ensure compliance.
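The following added example (not code from the original text) turns the preceding list of administrative best practices into checks that can be run from the Exchange Management Shell on an Exchange Server 2010 server. The server name is an assumption for illustration; "Organization Management" is the built-in Exchange 2010 administrator role group, and the password-length threshold is an assumed local standard, not a value from the text.

```powershell
# Added example: audit the administrative-policy items above.
# Run from the Exchange Management Shell on Exchange 2010.
# $server and the 12-character minimum are assumptions for illustration.
$server = "EX2010-CAS01"

# 1. Administrative accounts should not have mailboxes.
#    Every member of the Organization Management role group that also owns
#    a mailbox is flagged.
Get-RoleGroupMember "Organization Management" | ForEach-Object {
    $mbx = Get-Mailbox -Identity $_.DistinguishedName -ErrorAction SilentlyContinue
    if ($mbx) {
        Write-Warning "Admin '$($_.Name)' has a mailbox: $($mbx.PrimarySmtpAddress)"
    }
}

# 2. Grant permissions to groups rather than users.
#    Flag Full Access entries on mailboxes that were granted directly to
#    individual user accounts instead of to a group.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object {
        -not $_.IsInherited -and
        (($_.AccessRights -join ",") -match "FullAccess") -and
        ($_.User.ToString() -notlike "NT AUTHORITY\SELF")
    } |
    ForEach-Object {
        $r = Get-Recipient $_.User.ToString() -ErrorAction SilentlyContinue
        if ($r -and $r.RecipientType -notmatch "Group") {
            Write-Warning "$($_.Identity): FullAccess granted directly to user $($_.User)"
        }
    }

# 3. Require complex passwords. Password policy is enforced by Active
#    Directory, so read the default domain policy (ActiveDirectory module,
#    Windows Server 2008 R2 or later).
Import-Module ActiveDirectory
$pol = Get-ADDefaultDomainPasswordPolicy
if (-not $pol.ComplexityEnabled -or $pol.MinPasswordLength -lt 12) {
    Write-Warning ("Domain password policy is weak: ComplexityEnabled={0}, MinPasswordLength={1}" -f
        $pol.ComplexityEnabled, $pol.MinPasswordLength)
}

# 4. Require SSL/TLS for POP3 and IMAP4. LoginType SecureLogin rejects
#    logons that are not protected by SSL/TLS.
foreach ($svc in (Get-PopSettings -Server $server), (Get-ImapSettings -Server $server)) {
    if ($svc.LoginType -ne "SecureLogin") {
        Write-Warning "$($svc.Identity): LoginType is $($svc.LoginType); set it to SecureLogin"
    }
}
# Remediation (uncomment to apply, then restart the POP3/IMAP4 services):
# Set-PopSettings  -Server $server -LoginType SecureLogin
# Set-ImapSettings -Server $server -LoginType SecureLogin

# 5. Certificates bound to IIS (OWA, Outlook Anywhere), POP and IMAP:
#    flag self-signed certificates (clients will not trust them) and
#    certificates that expire within 30 days.
Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match "IIS|POP|IMAP" } |
    ForEach-Object {
        if ($_.Issuer -eq $_.Subject) {
            Write-Warning "Self-signed certificate $($_.Thumbprint) is bound to $($_.Services)"
        }
        if ($_.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "Certificate $($_.Thumbprint) expires on $($_.NotAfter)"
        }
    }
```

The checks only report; the commented Set-PopSettings and Set-ImapSettings lines show the corresponding remediation. Step 2 can take a while in a large organization because it enumerates permissions on every mailbox.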
Securing Groups
An important step in
securing your messaging environment is to secure distribution and
mail-enabled security groups. For instance, CompanyABC is a medium-sized
company with 1,000 users. To facilitate companywide notifications, the
HR department created a distribution group called “All Employees,” which
contains all 1,000 employees. Without message delivery restrictions on
the group, anyone can send to this list. If CompanyABC has an Internet
Mail SMTP Connector, the group also has an SMTP address, so "anyone"
includes anonymous senders on the Internet.
Consider what would
happen if a new user sent an email to “All Employees” advertising a car
for sale. Let’s take it one step further and imagine that the user sent
it with a read receipt and delivery notification requested. Thousands of
messages can now be generated from this one mistake and could
negatively impact server performance.
Often, intentions are
not as innocent as the new user simply making a mistake. Sending
repeated email messages to mail-enabled groups with large memberships is
sometimes used in an attempted denial of service (DoS) attack. The
attacker sends an SMTP message to the “All Employees” group with a
delivery notification receipt requested and spoofs the return
(Return-Path) address with the same SMTP address used for the
distribution group. So, 1,000 messages are sent, and 1,000 delivery
notifications are returned to the group address—each of which is then
expanded to all 1,000 users in the group! From this one spoofed message,
the net effect is (1 + 1000) + (1000 * 1000) = 1,001,001 messages. By
spoofing the sender as the distribution list and requesting a delivery
notification, this single email results in more than 1 million messages
processed by the system.
Fortunately, for this easy
problem, there is an even easier solution. Exchange Server 2010 allows
you to configure message restrictions on your distribution groups.
To secure a distribution group so that only authenticated users can use it, do the following:
1. Open the Exchange Management Console.
2. In the console tree, under Recipient Configuration, click Distribution Group.
3. In the results pane, select the distribution group you want to modify, and then click Properties.
4. On the Mail Flow Settings tab, highlight Message Delivery Restrictions, and click Properties.
5. Ensure there is a check in the Require That All Senders Are Authenticated check box, as shown in Figure 2.
6. Click OK when finished, and then click OK again to exit the configuration screen.
In addition, an
administrator can further restrict the usage of this distribution group
by allowing only a specific individual or security group to use it.
To restrict access to the distribution group to a specific user or group, do the following:
1. Open the Exchange Management Console.
2. In the console tree, under Recipient Configuration, click Distribution Group.
3. In the results pane, select the distribution group you want to modify, and then click Properties.
4. On the Mail Flow Settings tab, highlight Message Delivery Restrictions, and click Properties.
5. Under Accept Messages From, select the Only Senders in the Following List option button.
6. Click Add, and select the users or groups that are to have permission to send to the distribution group.
7. Click OK when finished, and then click OK again to exit the configuration screen.
An additional option allows
you to configure the distribution list to reject messages from an
individual or from members of a group. This setting is also configured
using the Message Delivery Restrictions page.
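The same three restrictions (authenticated senders only, an explicit allow list, and a reject list) expressed as Exchange Management Shell commands, followed by an audit that finds every large group still open to anonymous senders. This is an added example, not part of the original text; the group name comes from the CompanyABC scenario, while the sender, moderator and security-group names and the 100-member threshold are assumptions for illustration. The cmdlets and parameters are those of Exchange Server 2010.

```powershell
# Added example: harden the "All Employees" distribution group and audit
# all groups. Names other than "All Employees" are assumptions.
$group = "All Employees"

# First procedure: accept mail only from authenticated (internal) senders.
# A spoofed anonymous message from the Internet is now rejected, so the
# delivery-notification loop described above never starts.
Set-DistributionGroup -Identity $group -RequireSenderAuthenticationEnabled $true

# Second procedure: accept mail only from the listed senders. Members of the
# "HR Communications" security group plus one named user (both assumed).
Set-DistributionGroup -Identity $group `
    -AcceptMessagesOnlyFromSendersOrMembers "HR Communications", "jane.doe@companyabc.com"

# Reject option: block a specific sender or the members of a group, even
# if they would otherwise be allowed ("Contractors" is assumed).
Set-DistributionGroup -Identity $group -RejectMessagesFromSendersOrMembers "Contractors"

# Optional extra layer: hold messages for a moderator instead of
# delivering them to all 1,000 recipients immediately.
Set-DistributionGroup -Identity $group -ModerationEnabled $true `
    -ModeratedBy "hr.manager@companyabc.com"

# Verify the result.
Get-DistributionGroup -Identity $group |
    Format-List Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled,
                AcceptMessagesOnlyFromSendersOrMembers, RejectMessagesFromSendersOrMembers,
                ModerationEnabled, ModeratedBy

# Audit: list groups with at least $threshold direct members that still
# accept mail from anyone (no authentication requirement, no allow list,
# no moderation). Get-DistributionGroupMember does not expand nested
# groups, so the count is a lower bound.
$threshold = 100
Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
    $count = (Get-DistributionGroupMember -Identity $_.Identity -ResultSize Unlimited |
              Measure-Object).Count
    $open  = (-not $_.RequireSenderAuthenticationEnabled) -and
             ($_.AcceptMessagesOnlyFromSendersOrMembers.Count -eq 0) -and
             (-not $_.ModerationEnabled)
    if ($count -ge $threshold -and $open) {
        "{0,-40} {1,6} members  OPEN TO ANONYMOUS SENDERS ({2})" -f `
            $_.Name, $count, $_.PrimarySmtpAddress
    }
}
```

Requiring sender authentication is the single most effective of these settings against the spoofed-notification attack, because the attacker's message is refused before it is ever expanded to the membership. The allow and reject lists then control which internal users can reach the whole company. Run the audit after any bulk group creation, since groups created or mail-enabled outside the Exchange tools may not carry the restriction you expect.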