Microsoft Exchange Server 2003 Unleashed (2nd Edition)

The messaging environment is composed of much more than just the Exchange servers and client machines. Firewalls, network perimeters , accessibility options for users, security policies, and more are integral components that must be thoroughly designed as well.

Establishing a Corporate Email Policy

Corporate or organizational email policies are used to govern and enforce appropriate business use of the messaging environment. They are also used to provide grounds for investigations of inappropriate use of corporate email. It is recommended to establish these policies and get the business to approve them as soon as possible.

NOTE

Corporate email policies not only define how the system can and should be used; they also limit liability.

The following are possible considerations and guidelines to include in the corporate email policy:

• The policy should expressly state that the email system is not to be used for the creation or distribution of any offensive or disruptive messages, including messages containing offensive comments about race, gender, age, sexual orientation, pornography, religious or political beliefs, national origin, or disability. State that employees who receive any emails with this content should report the matter to their supervisor immediately.

• Employees should not use email to discuss competitors , potential acquisitions, or mergers, or to give their opinion about another firm. Unlawful messages, such as copyright infringing emails, should also be prohibited . Include examples and be clear about measures taken when these rules are breached.

• Include a list of "email risks" to make users aware of the potential harmful effects of their actions. Advise users that sending an email is like sending a postcard or letter; if they do not want it posted on the bulletin board, they should not send it.

• If the organization monitors the content of its employees' emails, it must mention this in the email policy. It is important to note that most states and countries are allowed to monitor employees' emails if the employees are cognizant that the messages are being monitored . Organizations should warn users that there is no expectation of privacy in anything they create, store, send, or receive on the company's computer system. In addition, organizations should warn employees that messages may be viewed without prior notice.

• Establish clear email retention policies.

• Include a point of contact for questions arising from the email policy.

The corporate email policy should be made available in a variety of different places on a variety of different mediums. For instance, include the corporate email policy on the intranet, in employee handbooks, and periodically in the company newsletter. The policy can also be included as users log into the messaging system using forms-based authentication.

Securing Exchange Server 2003 Through Administrative Policies

Similar to the corporate email policy for users, it is recommended to establish administrative policies that govern the operation and usage of the Exchange Server 2003 messaging system. Considerations for the organization's administrative policies include the following:

• Administrative and operator accounts should not have mailboxes.

• Grant permissions to groups rather than users.

• SMTP addresses should not match the User Principle Name (UPN).

• Require complex (strong) passwords for all users.

• Require users to close the browser when finishing an Outlook Web Access (OWA) session.

• Require Secure Sockets Layer (SSL) for HTTP, POP3, IMAP4, NNTP, and LDAP clients .

• Set policies globally and customize other user policies.

• Set storage limits and reply-to policies.

Using Email Disclaimers

Email disclaimers inform recipients of corporate legal information and policies. For all practical purposes, email disclaimers are used to reduce liability and caution recipients about misusing the information contained within the message. Email disclaimers can be tacked onto the bottom of all outgoing messages automatically when sent through a particular server.

The following is a sample email disclaimer:

The information contained in this message is intended solely for the individual to whom it is specifically and originally addressed. This message and its contents may contain confidential or privileged information. If you are not the intended recipient, you are hereby notified that any disclosure or distribution, or taking any action in reliance on the contents of this information, is strictly prohibited.

TIP

The organization's legal department or representative should approve the contents of the email disclaimer. If there were ever a situation where the information could potentially be used in a court of law, the email disclaimer will hold more relevance under scrutiny.

Exchange Server 2003 SMTP event sinks are used to add email disclaimers to all outgoing mail or outgoing mail from a specific server. Third-party products are available as well but also come with a cost. To create an email disclaimer, follow these high-level steps:

1. Install the Exchange Software Development Kit (SDK).

2. Create an event sink using Visual Basic Script and save it as EventSinkScript.vbs .

3. Open the Command Prompt by typing cmd at the Start, Run menu dialog box and browse to the ...\Exchange SDK\SDK\Support\CDO\Scripts directory.

4. Register the event sink using the smtpreg.vbs script provided in the Exchange SDK. For example, at the command prompt, type

   cscript smtpreg.vbs /add 1 onarrival SMTPScriptingHost CDO.SS_SMTPOnArrivalSink "mail from=*@your-domain-here.com"

   Press Enter when done.

5. Type

   cscript smtpreg.vbs /setprop 1 onarrival SMTPScriptingHost Sink ScriptName "C:\EventSinkScript.vbs".

6. Test the SMTP event sink and email disclaimer.

For more information on creating an SMTP event sink for an email disclaimer, refer to Knowledge Base article 317680.