Integrated, Internet Standards - Based Security

Windows Security

Exchange Server integrates with Windows security in two ways. First, users have to be authenticated using a Windows account before gaining access to any Exchange Server resource that requires authenticated access. Administrators can set up a Windows security infrastructure, and Exchange Server uses that infrastructure for its own security and access permissions. This enables users to log on only once to access both the network and Exchange Server services.

Second, Exchange Server uses the built-in auditing capabilities of Windows. This integration allows an administrator to detect security breaches by tracking events across Windows and Exchange Server that occur within a system. All the events can be viewed in one window using the Windows event log.

Secure Messaging

Many corporations today use the Internet as a backbone for their corporate communications system. While this setup is cheaper than leasing lines between servers, it opens a world of security concerns. Exchange Server alleviates these concerns by implementing features that allow corporations to use the Internet securely. For securely sending messages between servers, Exchange Server supports Secure Sockets Layer (SSL) in combination with Simple Mail Transfer Protocol (SMTP). SMTP is the primary protocol that different mail systems use to communicate over the Internet and Exchange uses to talk with other Exchange servers. SSL allows systems to encrypt data sent from one system to another. By implementing SSL with SMTP, an organization can encrypt the data sent from one Exchange Server to another when it sends the data over the Internet.

Secure Applications

SSL is also used with other Internet protocols that Exchange Server supports. By using SSL, OWA can encrypt any traffic between a user's Web browser and Web server. This secures any HTML documents that OWA is sending to the user . You can also take advantage of SSL when you use custom Web forms with Exchange Server.

S/MIME Support

Exchange Server supports encryption and digital signatures by using Secure Multipurpose Internet Mail Extensions (S/MIME). An Internet standard, S/MIME is a method of digitally signing and encrypting messages sent between users on the same vendor's system or between users on different vendors ' systems.

S/MIME is built on X.509 version 3 certificates. These certificates are generated by a certificate authority such as VeriSign or Certificate Server (which is included with Windows 2000 Server). Because Exchange Server supports X.509 version 3 certificates, it can accept the certificates from other certificate authorities. Similarly, clients can trust certificates from other authorities through the use of Certificate Trust Lists.

Exchange Server also supports the revocation of security certificates. Revoking certificates is useful when a user thinks that her security has been compromised and someone else is signing messages on her behalf . After revoking a certificate, the administrator can issue a new certificate to the user. Also, when a user leaves an organization, you might want to revoke his certificate to be sure that all messages sent by him are marked as invalid. When an administrator revokes the certificates for a user, any encrypted messages previously sent by the revoked user will appear as invalid messages.

As a developer, you can take advantage of the advanced security features of Exchange Server. By basing your applications on the standard Outlook e-mail message, you automatically inherit the advanced security functionality in Outlook. This allows you to digitally sign and encrypt your custom forms before the user sends or posts forms.