Integrated, Internet Standards-Based Security

With so many corporations connecting their systems to the Internet and exposing their networks to millions of Internet users, security has become a large concern. While most users on the Internet are not lurking and waiting to break into corporate networks, some "bad apples" on the Internet are. Exchange Server prevents these users from accessing privileged information by implementing Internet standards-based security in an integrated way.

Windows NT Security

Exchange Server integrates with Windows NT security in two ways. First, users have to be authenticated using a Windows NT account before gaining access to any Exchange Server resource that requires authenticated access. Administrators can set up a Windows NT security infrastructure, and Exchange Server will use that infrastructure for its own security and access permissions. This enables users to log on only once to access both the network and Exchange Server services.

Second, Exchange Server uses the built-in auditing capabilities of Microsoft Windows NT. This integration allows an administrator to detect security breaches by tracking events, across Windows NT and Exchange Server, which occur within a system. All the events can be viewed in one window using the Windows NT event log.

Secure Messaging

Many corporations today use the Internet as a backbone for their corporate communications system. While this is cheaper than leasing lines between servers, it opens a world of security concerns. Exchange Server alleviates these concerns by implementing some key features that allow corporations to securely use the Internet as a communications network backbone. For securely sending messages between servers, Exchange Server supports Secure Socket Layers (SSL) in combination with the Simple Mail Transfer Protocol (SMTP). SMTP is the primary way that different mail systems talk over the Internet. SSL allows systems to encrypt data sent from one system to the other. By implementing SSL with SMTP, an organization can encrypt its data from one Exchange Server to another when sending the data over the Internet.

Secure Applications

SSL is not only supported with use of SMTP, but it is also used with other Internet protocols that Exchange Server supports. By using SSL, Outlook Web Access can encrypt any traffic between a user's web browser and web server. This secures any HTML documents that Outlook Web Access is sending to the user. You can take advantage of SSL when using custom forms in the web forms library of Outlook Web Access.

S/MIME Support

Exchange Server supports encryption and digital signatures by using Secure Multipurpose Internet Mail Extensions, or S/MIME for short. An Internet standard, S/MIME is a method of digitally signing and encrypting messages between users on the same vendor's system or users on different vendors' systems.

S/MIME is built on X.509 version 3 certificates. These certificates are generated by a certificate authority such as VeriSign or Certificate Server included with the Microsoft Windows NT version 4 Option Pack. Since Exchange Server supports X.509 version 3 certificates, it can accept the certificates from other certificate authorities. Similarly, clients can trust certificates from other authorities through the use of Certificate Trust Lists.

Exchange Server also supports the revocation of security certificates. Revoking certificates is useful when a user feels that her security has been compromised and someone else is signing messages on her behalf. Likewise, when a user leaves an organization, you might want to revoke the user's certificate to make sure that all messages sent by this user are marked invalid. When an administrator revokes the certificates for a user, any encrypted messages previously sent by that user will notify other users, upon opening of the messages, that the certificate is invalid. After revoking a certificate, the administrator can issue a new certificate to the user.

As a developer, you can take advantage of the advanced security features of Exchange Server. By building your applications based on the standard Outlook e-mail message, you automatically inherit the advanced security functionality in Outlook. This allows you to digitally sign and encrypt your custom forms before the user sends or posts forms.