5. Improvements in Exchange Server 2013 Relative to Security
One of the improvement goals Microsoft has had with all of its products over the past few years has been to constantly improve the security of those products. More recently, with the many regulatory compliance laws and policies being implemented, Microsoft has focused many of its security enhancements on privacy, information archiving, and compliance support. The releases of Exchange Server 2007, 2010, and 2013 have been no different: Microsoft added several new enhancements in the areas of security and compliance support.
One of the additions in Exchange Server 2007 was the creation of an Edge Transport server role that supplements the traditional Exchange database server as a system in the Exchange organization environment. Whereas the Exchange database server holds user data, the Edge Transport server is dedicated to providing the first line of defense for virus and spam blocking. Organizations with Exchange have typically had servers in their demilitarized zone (DMZ) acting as SMTP relay servers that collect messages, perform antivirus and antispam filtering, and route the messages into the organization. However, most of these DMZ message relay servers have had no tie back to Exchange, so when messages arrived for email addresses of individuals who did not even exist in the organization, the DMZ mail relays had no way to know; they blindly ran their antispam and antivirus checks and then forwarded the messages on to the Exchange server. The Exchange server would then discover that the recipients did not exist and would bounce or delete the message. This meant that the Exchange server still had to process hundreds, thousands, or even tens of thousands of invalid messages.
Another major enhancement in Exchange Server 2007 was the addition of the Hub Transport server. For many, the Hub Transport server merely replaced the Bridgehead server that handled routing in earlier versions of Exchange. However, the Hub Transport server of Exchange Server 2007 and 2010 has now been replaced by a Hub Transport service in Exchange Server 2013. The service runs on the Exchange Mailbox server and acts as the focal point for policy compliance. Policies can be configured in Exchange Server 2013 so that after a message is filtered for spam and viruses, the message goes to the policy server to be assessed against any regulated message policy, and appropriate actions are taken. The same is true for outbound messages: they go to the policy server, the content of the message is analyzed, and if the message is determined to meet specific policy criteria, it can be routed unchanged, held, or modified based on the policy. As an example, an organization might want any communication referencing a specific product code name, or any message whose content looks like private health information, such as a Social Security number, date of birth, or health records of an individual, to be held so that encryption can be enforced on the message before it continues on its route. Exchange Server 2013 also adds built-in capabilities to support policies specific to personally identifiable information, which is key to many privacy regulations, as well as policies for payment card industry data security for organizations that process credit cards as part of their transactions.
Policies in Exchange Server 2013 are more than just internal policies that identify messages in transit or at rest in the Exchange environment; they are also policies that protect against the leakage of protected content outside of the organization. Data leakage protection, or DLP, is addressed by the built-in policy components of Exchange Server 2013 and is further enhanced by Microsoft's Rights Management Services (RMS), which actively encrypts and protects content.
For organizations leveraging Outlook 2013 as the endpoint client for users, Microsoft has expanded the MailTips feature that was introduced in Outlook 2010 with PolicyTips in Outlook 2013. PolicyTips analyzes email messages and provides recommendations and guidance on how the message relates to organizational policies.
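The policy flow described in the preceding paragraphs (content inspection after hygiene filtering, a hold or modification action, RMS protection, and a PolicyTip for the sender) expressed as Exchange Management Shell commands. This is an added example, not code from the book; the policy name, rule name, and incident mailbox are assumed, and the template and classification names are the built-in ones that the first two commands list.

```powershell
# Added example (not from the book): an Exchange Server 2013 DLP policy and
# transport rule that implement the flow the text describes: inspect content
# after spam/virus filtering, then rights-protect the message before it
# continues its route. Assumed names: "Contoso PII", "Hold SSN until protected",
# and the incident mailbox dlp-incidents@contoso.example.

# 1. Confirm the built-in policy templates and sensitive-data classifications
#    shipped with Exchange 2013 before referencing them by name.
Get-DlpPolicyTemplate | Format-Table Name
Get-DataClassification | Format-Table Name

# 2. Start from the built-in PII template in audit mode. Nothing is blocked yet;
#    matches are logged so the rules can be tuned against real traffic first.
New-DlpPolicy -Name "Contoso PII" `
    -Template "U.S. Personally Identifiable Information (PII) Data" `
    -Mode Audit

# 3. A custom rule for the scenario in the text: a message leaving the
#    organization that looks like it carries a Social Security number is
#    protected with the RMS "Do Not Forward" template (requires AD RMS),
#    the sender sees a PolicyTip in Outlook 2013, and an incident report
#    is sent to a review mailbox.
New-TransportRule -Name "Hold SSN until protected" `
    -DlpPolicy "Contoso PII" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name="U.S. Social Security Number (SSN)"; MinCount="1"} `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -NotifySender NotifyOnly `
    -GenerateIncidentReport "dlp-incidents@contoso.example" `
    -IncidentReportContent Sender,Recipients,Subject,DataClassifications,RuleDetections `
    -Mode Audit

# 4. After reviewing the incident reports, switch to enforcement.
Set-DlpPolicy -Identity "Contoso PII" -Mode Enforce
Set-TransportRule -Identity "Hold SSN until protected" -Mode Enforce

# 5. Check what was actually created.
Get-TransportRule "Hold SSN until protected" | Format-List Name,DlpPolicy,Mode,ApplyRightsProtectionTemplate
```

Running in Audit mode first matters because classification rules produce false positives on real mail; the incident reports show what would have been held before any user is affected.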
Not new to Exchange Server 2013, but key in an organization's effort to maintain the security and privacy of information, is the ability to encrypt email messages and content at the client level. Exchange Server 2013 encrypts content between the Exchange Server 2013 server and an Outlook 2013 client by default, and provides full support for certificate-based Public Key Infrastructure (PKI) encryption of mail messages.
6. Improvements in Exchange Server 2013 Relative to eDiscovery and Retention
Beyond compliance policies, message encryption, and data leakage protection are simpler processes such as message retention and eDiscovery search of content within Exchange. Exchange Server 2013 includes extensive enhancements in discovery and retention. Exchange Server 2013 continues to support the email archiving that was introduced in Exchange Server 2010. Content can be archived and retained based on retention tags, shown in Figure 4; whether the retention is set for one year, seven years, or indefinitely, Exchange Server 2013 provides the ability to retain message content.
Figure 4. Retention tags in Exchange Server 2013.
In addition, Exchange Server 2013 introduces the ability for an organization to search for information across both the mailbox and the user's archive at the same time; with Exchange Server 2010, a query had to be run once against the user's mailbox and then separately against the user's archive. Unified search in Exchange Server 2013 can then be set to preserve the results of the query for immediate export or for immediate content hold.
Content hold in Exchange Server 2013 can be set using policies or can be applied automatically as time-based holds, where content is prevented from deletion for a set period. Exchange Server 2013 also continues to support litigation hold, which locks a mailbox so that content cannot be permanently deleted from it, preserving it for future search and reporting.
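The retention tags, the unified mailbox-plus-archive search with a time-based hold, and the litigation hold described in the preceding paragraphs, as Exchange Management Shell commands. This is an added example, not code from the book; the tag, policy and search names, the user jdoe, and the durations are assumed.

```powershell
# Added example (not from the book): retention and hold in Exchange Server
# 2013, covering the three mechanisms the text describes. Assumed names:
# the tags and policy below, the search name, and the mailbox jdoe; the
# retention periods are illustrative.

# 1. Retention tags (Figure 4): a seven-year delete tag applied to the whole
#    mailbox by default, plus a one-year move-to-archive tag that users can
#    apply to folders or items themselves.
New-RetentionPolicyTag -Name "Delete after 7 years" -Type All `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery
New-RetentionPolicyTag -Name "Archive after 1 year" -Type Personal `
    -AgeLimitForRetention 365 -RetentionAction MoveToArchive
New-RetentionPolicy -Name "Contoso Standard" `
    -RetentionPolicyTagLinks "Delete after 7 years","Archive after 1 year"
Set-Mailbox -Identity jdoe -RetentionPolicy "Contoso Standard"
# Apply the policy now instead of waiting for the next scheduled pass.
Start-ManagedFolderAssistant -Identity jdoe

# 2. Unified search across the primary mailbox and its archive, with a
#    time-based In-Place Hold on the matching items: they are kept for
#    2555 days from receipt even if the user deletes them or the retention
#    tag above would otherwise purge them. Results can later be copied to a
#    discovery mailbox for export.
New-MailboxSearch -Name "ProjectX discovery" `
    -SourceMailboxes jdoe `
    -SearchQuery 'ProjectX AND (kind:email OR kind:docs)' `
    -InPlaceHoldEnabled $true -ItemHoldPeriod 2555 `
    -IncludeUnsearchableItems

# 3. Litigation hold: the entire mailbox is preserved, with no expiry, until
#    the hold is removed.
Set-Mailbox -Identity jdoe -LitigationHoldEnabled $true

# Verify the hold state before relying on it for a legal matter.
Get-Mailbox jdoe | Format-List RetentionPolicy,InPlaceHolds,LitigationHoldEnabled
```

The hold state is worth checking explicitly: a retention tag deletes on schedule, and only the In-Place or litigation hold stops that deletion from being permanent.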
Lastly, Microsoft has included FAST Search as the default search engine for Exchange Server 2013; FAST Search is the common search tool for Exchange Server 2013, SharePoint 2013, and Lync 2013, and provides administrators the ability to search for content from a single tool.