Assessing Your Risks

A key consideration for security is risk and the costs associated with securing information. This is not just about determining the monetary value of the information; equally important is assessing the different types of risks and the value of the information. Ask yourself how much it would cost the organization if the information was destroyed, altered, or stolen.

This is not an easy task; in fact, it is often a daunting one. While monetary values can easily be associated with some types of information, other information may be nearly impossible to assess. The important thing to remember is that it is essential to secure your resources, and a balance must be struck between the cost of securing the information and the information's value.

Once the assessment process is initiated, it is important to begin analyzing possible security vulnerabilities for the service or functionality that the organization is offering. The following are some of the security risks to investigate and protect against for Exchange Server 2003:

  • Denial of Service A denial of service, or DoS, occurs when a user either maliciously or surreptitiously performs some action that causes a service interruption. The interruption may affect targeted users or the entire server. An example might be the "ping of death" or a specially crafted email header that consumes the entire Exchange server processing time.

  • Viruses or Trojan Horse Messages Viruses, email worms, and Trojan Horse messages are the bane of the messaging world. They can cause many hours of lost productivity, and keeping on top of this issue can be a full-time job. Thankfully, Exchange Server 2003 has numerous features that help administrators and antivirus vendors combat this problem.

  • Spam Unfortunately, unsolicited email (spam) is destined to be a part of the messaging community's life for a very long time, if not forever. It forces unwanted and frequently objectionable material into users' inboxes, costing Internet users billions of dollars annually. The reason is simple: Spam is a cheap way for mass-marketers to get their message out to a wide segment of people.

  • Intentional Attacks These attacks are usually targeted at a specific entity or messaging system. Attacks may occur to disrupt normal business operations or compromise a known vulnerability in the company's messaging system. The administrator should bear in mind that some intentional attacks are used to focus attention away from the "real" attack.

  • Message Spoofing Message spoofing is a tactic used by many email worms, such as KLEZ and BugBear, as well as some intentional attacks by malicious users. Message spoofing alters SMTP headers so that mail appears as though it came from a different address or messaging server. These messages are sometimes difficult and time-consuming to troubleshoot.


Designing a Secure Messaging Environment

The messaging environment is composed of much more than just the Exchange servers and client machines. Firewalls, network perimeters, accessibility options for users, security policies, and more are integral components that must be thoroughly designed as well.

Establishing a Corporate Email Policy

Corporate or organizational email policies are used to govern and enforce appropriate business use of the messaging environment. They are also used to provide grounds for investigations of inappropriate use of corporate email. It is recommended to establish these policies and get the business to approve them as soon as possible.

NOTE

Corporate email policies not only define how the system can and should be used; they also limit liability.


The following are possible considerations and guidelines to include in the corporate email policy:

  • The policy should expressly state that the email system is not to be used for the creation or distribution of any offensive or disruptive messages, including messages containing offensive comments about race, gender, age, sexual orientation, pornography, religious or political beliefs, national origin, or disability. State that employees who receive any emails with this content should report the matter to their supervisor immediately.

  • Employees should not use email to discuss competitors, potential acquisitions, or mergers, or to give their opinion about another firm. Unlawful messages, such as copyright-infringing emails, should also be prohibited. Include examples and be clear about measures taken when these rules are breached.

  • Include a list of "email risks" to make users aware of the potential harmful effects of their actions. Advise users that sending an email is like sending a postcard or letter; if they do not want it posted on the bulletin board, they should not send it.

  • If the organization monitors the content of its employees' emails, it must mention this in the email policy. It is important to note that in most states and countries, employers are allowed to monitor employees' emails if the employees are aware that the messages are being monitored. Organizations should warn users that there is no expectation of privacy in anything they create, store, send, or receive on the company's computer system. In addition, organizations should warn employees that messages may be viewed without prior notice.

  • Establish clear email retention policies.

  • Include a point of contact for questions arising from the email policy.

The corporate email policy should be made available in a variety of different places and on a variety of different media. For instance, include the corporate email policy on the intranet, in employee handbooks, and periodically in the company newsletter. The policy can also be displayed to users as they log into the messaging system using forms-based authentication.

Securing Exchange Server 2003 Through Administrative Policies

Similar to the corporate email policy for users, it is recommended to establish administrative policies that govern the operation and usage of the Exchange Server 2003 messaging system. Considerations for the organization's administrative policies include the following:

  • Administrative and operator accounts should not have mailboxes.

  • Grant permissions to groups rather than users.

  • SMTP addresses should not match the User Principal Name (UPN).

  • Require complex (strong) passwords for all users.

  • Require users to close the browser when finishing an Outlook Web Access (OWA) session.

  • Require Secure Sockets Layer (SSL) for HTTP, POP3, IMAP4, NNTP, and LDAP clients.

  • Set policies globally and customize other user policies.

  • Set storage limits and reply-to policies.

Using Email Disclaimers

Email disclaimers inform recipients of corporate legal information and policies. For all practical purposes, email disclaimers are used to reduce liability and caution recipients about misusing the information contained within the message. Email disclaimers can be tacked onto the bottom of all outgoing messages automatically when sent through a particular server.

The following is a sample email disclaimer:

The information contained in this message is intended solely for the individual to whom it is specifically and originally addressed. This message and its contents may contain confidential or privileged information. If you are not the intended recipient, you are hereby notified that any disclosure or distribution, or taking any action in reliance on the contents of this information, is strictly prohibited.

TIP

The organization's legal department or representative should approve the contents of the email disclaimer. If there were ever a situation where the information could potentially be used in a court of law, the email disclaimer will hold more relevance under scrutiny.


Exchange Server 2003 SMTP event sinks are used to add email disclaimers to all outgoing mail or outgoing mail from a specific server. Third-party products are available as well but also come with a cost. To create an email disclaimer, follow these high-level steps:

  1. Install the Exchange Software Development Kit (SDK).

  2. Create an event sink using Visual Basic Script and save it as EventSinkScript.vbs.

  3. Open the Command Prompt by typing cmd at the Start, Run menu dialog box and browse to the ...\Exchange SDK\SDK\Support\CDO\Scripts directory.

  4. Register the event sink using the smtpreg.vbs script provided in the Exchange SDK. For example, at the command prompt, type

    cscript smtpreg.vbs /add 1 onarrival SMTPScriptingHost CDO.SS_SMTPOnArrivalSink "mail from=*@your-domain-here.com"

    Press Enter when done.

  5. Type

    cscript smtpreg.vbs /setprop 1 onarrival SMTPScriptingHost Sink ScriptName "C:\EventSinkScript.vbs"

  6. Test the SMTP event sink and email disclaimer.
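As an added example (not the book's code and not the script from the Knowledge Base article), the following is what the EventSinkScript.vbs from step 2 can look like: a CDO SMTP scripting-host sink that appends the sample disclaimer from this section to both the plain-text and HTML bodies of each message matched by the rule registered in step 4. The disclaimer wording, the `<hr>` formatting, and the fallback when an HTML body has no closing `</body>` tag are assumptions.

```vbscript
<SCRIPT LANGUAGE="VBSCRIPT">
' Added example of EventSinkScript.vbs (not the book's or KB 317680's code).
' Saved as C:\EventSinkScript.vbs and bound with the smtpreg.vbs rule from step 4,
' the SMTP scripting host calls this routine once for every arriving message
' whose envelope sender matches the rule.
Const cdoRunNextSink = 0   ' let any other registered OnArrival sinks run afterwards

Sub ISMTPOnArrival_OnArrival(ByVal Msg, EventStatus)
    Dim strDisclaimer, strHtmlDisclaimer
    ' Disclaimer text: the sample from this section, shortened here (assumption)
    strDisclaimer = "The information contained in this message is intended solely " & _
                    "for the individual to whom it is specifically and originally addressed."
    strHtmlDisclaimer = "<hr><p>" & strDisclaimer & "</p>"

    ' Plain-text part: append after a blank line
    If Msg.TextBody <> "" Then
        Msg.TextBody = Msg.TextBody & vbCrLf & vbCrLf & strDisclaimer
    End If

    ' HTML part: insert before the closing body tag (case-insensitive match).
    ' If the HTML has no </body> tag, append at the end so the disclaimer is
    ' never silently dropped from the HTML view of the message.
    If Msg.HTMLBody <> "" Then
        If InStr(1, Msg.HTMLBody, "</body>", vbTextCompare) > 0 Then
            Msg.HTMLBody = Replace(Msg.HTMLBody, "</body>", strHtmlDisclaimer & "</body>", _
                                   1, -1, vbTextCompare)
        Else
            Msg.HTMLBody = Msg.HTMLBody & strHtmlDisclaimer
        End If
    End If

    ' Commit the modified bodies back to the transport; without Save the edit is lost
    Msg.DataSource.Save

    EventStatus = cdoRunNextSink
End Sub
</SCRIPT>
```

The "mail from=*@your-domain-here.com" rule in step 4 is what limits the sink to messages from your own domain; registered without such a rule, the same script would also stamp inbound mail, so verify in step 6 that an inbound test message arrives unmodified.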

For more information on creating an SMTP event sink for an email disclaimer, refer to Knowledge Base article 317680.
