Microsoft Exchange Server 2007 : Components of a Secure Messaging Environment (part 4) - Establishing a Corporate Email Policy, Securing Groups

12/16/2014 3:47:31 AM

Establishing a Corporate Email Policy

Not all misuse of organizational email systems comes from external sources. Employees who misuse a messaging system can put a company at risk as well, either by overloading the system, passing confidential data to unauthorized personnel, or passing material that is offensive in nature, potentially exposing the organization to lawsuits from other personnel.

Established and documented corporate email policies are used to govern and enforce the appropriate use of the messaging environment. However, like most security policies, they cannot be effective if they are not created, approved, implemented, and communicated to the user community.

Note

Corporate email policies not only define how the system can and should be used; they also limit an organization’s liability in the event of misuse.


The following are possible considerations and guidelines to include in the corporate email policy:

  • Personal usage— The policy should state whether emails of a personal nature are accepted and, if so, to what extent. Some companies place a limit on the number of personal emails that can be sent each day. Others require personal emails to be stored in a separate folder within the email system. Most companies allow the sending and receiving of personal emails because this is often less time consuming than requiring employees to access external mail sources for personal communications.

  • Expectation of privacy— A corporate email policy should plainly state that the messages contained within the system are the property of the organization, and that no expectation of privacy is implied. Email records can be subpoenaed, mailboxes can be reviewed for appropriate use, or data can be retrieved in the event of the termination of someone’s employment. By setting the expectation up front, you can make it clear to your users that the email system is a tool for their use, but the messages contained do not belong to them.

  • Email monitoring— If the organization monitors the content of its employees’ emails, this should be stated in the email policy. Most countries and states allow the monitoring of corporate email by authorized individuals, as long as the employee has been made aware of the policy.

  • Prohibited content— The policy should state that the email system is not to be used for the distribution of offensive or disruptive messages. This includes messages containing inappropriate content such as comments about race, religion, gender, or sexual orientation. The policy should also clearly state that pornographic pictures or emails with sexual content will not be tolerated, as these items are commonly the cause of offense between employees. The policy should mandate that employees receiving any such materials should report them to their supervisor or another appropriate entity for review immediately.

  • Confidential data— Employees should not use the messaging system to discuss sensitive matters, such as potential acquisitions or mergers. Corporate secrets or other proprietary data should not be sent either, as an inadvertent forward could allow the sensitive data to pass to inappropriate personnel.

  • Email retention policies— Many organizations, especially government, health-care, and financial institutions, are required by law to meet or exceed certain email retention policies. These policies should be clearly stated and meticulously enforced. Allowances should be made for employees to save messages of a critical nature—often companies allow them to be saved in separate folders to avoid automatic deletion.

  • Point of contact— The email policy should clearly state where employees can go to have any questions about the corporate email policy answered.

Bear in mind, a corporate email policy that is unknown to the user community is not an effective one. The policy should be distributed to the users in a variety of ways, such as posting on an intranet site, in employee handbooks, on break room bulletin boards, or in company newsletters.

Securing Exchange Server 2007 Through Administrative Policies

Whereas a corporate email policy specifically governs the use of the messaging system for users, administrative policies govern the operation and usage of the messaging system in general. Many best practices have been worked out over the years, some of which are as follows:

  • Administrative and operator accounts should not have mailboxes— Many viruses and email worms run with the permissions of the authenticated user who opened the message. If that user has administrative access to the computer, the potential for damage is much greater.

  • Grant permissions to groups rather than users— By granting permissions to groups rather than to individual users, you can grant or deny access to a wide range of resources with one change. For example, if your Human Resources department has hundreds of files in dozens of directories throughout your network, you would have to add (or remove) an individual in the permissions of each of these folders whenever someone joins or departs the team. If the permissions are instead granted to an HR group, you can modify a person's access simply by adding them to, or removing them from, the group.

  • Require complex (strong) passwords for all users— If left to their own devices, many users select passwords that are easy for them to remember. However, this behavior results in passwords that are also very easy for malicious users to crack. By requiring complex passwords, consisting of upper- and lowercase letters, numbers, and special characters, the likelihood of a breach of security is greatly reduced.

  • Require Secure Sockets Layer (SSL) for HTTP, POP3, IMAP4, NNTP, and LDAP clients— The SSL encryption protects confidential or personal information sent between a client and a server. The SSL protocol uses a combination of public-key and symmetric-key encryption. Symmetric-key encryption is much faster than public-key encryption; however, public-key encryption provides better authentication techniques.

  • Set policies globally when possible— Rather than setting policies for individual users or groups, companywide policies should be set, whenever possible, at a global level to ensure compliance.
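The "require SSL" practice above can be enforced for POP3 and IMAP4 clients from the Exchange Management Shell rather than per client. The following is an added example, not code from the original article; EX-CAS01 is a hypothetical Client Access server name, and the Set-PopSettings/Set-ImapSettings cmdlets with the LoginType parameter are the standard Exchange Server 2007 cmdlets for these services.

```powershell
# Added example (not from the original article): enforce SSL/TLS logon for
# POP3 and IMAP4 clients on a Client Access server. EX-CAS01 is hypothetical.

# Weak setting (clients may send credentials in clear text over an
# unencrypted connection):
#   Set-PopSettings  -Server EX-CAS01 -LoginType PlainTextLogin
#   Set-ImapSettings -Server EX-CAS01 -LoginType PlainTextLogin

# Corrected setting: logon is accepted only over an SSL/TLS-protected connection.
Set-PopSettings  -Server EX-CAS01 -LoginType SecureLogin
Set-ImapSettings -Server EX-CAS01 -LoginType SecureLogin

# Verify the effective setting and the bindings the services listen on.
Get-PopSettings  -Server EX-CAS01 |
    Format-List Server, LoginType, SSLBindings, UnencryptedOrTLSBindings
Get-ImapSettings -Server EX-CAS01 |
    Format-List Server, LoginType, SSLBindings, UnencryptedOrTLSBindings

# The POP3 and IMAP4 services must be restarted for the change to take effect.
Restart-Service MSExchangePOP3
Restart-Service MSExchangeIMAP4
```

SecureLogin still allows the plain-text (non-SSL) port to remain bound, but a client connecting there is refused logon until it negotiates TLS, so legacy clients that cannot do so fail visibly instead of silently sending passwords in the clear. Requiring SSL for Outlook Web Access and other HTTP clients is configured on the IIS virtual directories rather than with these cmdlets.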

Securing Groups

An important step in securing your messaging environment is to secure distribution and mail-enabled security groups. For instance, CompanyABC is a medium-sized company with 1,000 users. To facilitate companywide notifications, the HR department created a distribution group called “All Employees,” which contains all 1,000 employees. By default, there are no message restrictions for new groups, meaning that anyone can send to this list. If CompanyABC has an Internet Mail SMTP Connector, this group will also have an SMTP address.

Consider what would happen if a new user sent an email to “All Employees” advertising a car for sale. Let’s take it one step further and imagine that the user sent it with a read receipt and delivery notification requested. Thousands of messages can now be generated from this one mistake and could negatively impact server performance.

Often, intentions are not as innocent as the new user simply making a mistake. Sending repeated email messages to mail-enabled groups with large memberships is sometimes used in an attempted denial of service (DoS) attack. The attacker sends an SMTP message to the “All Employees” group with a delivery notification receipt requested and spoofs the “Return to” address with the same SMTP address used for the distribution group. So, 1,000 messages are sent, and 1,000 delivery notifications are returned—each of which is then sent to all 1,000 users in the group! From this one spoofed message, the net effect is (1 + 1000) + (1000 × 1000) = 1,001,001 messages! By spoofing the distribution list and including a delivery notification receipt, this single email results in over 1 million messages processed by the system.

Fortunately, for this easy problem, there is an even easier solution. Exchange Server 2007 allows you to configure message restrictions on your distribution groups.

To secure distribution groups so that only authenticated users can send to them, do the following:

1. Open the Exchange Management Console.

2. In the console tree, under Recipient Configuration, click Distribution Group.

3. In the results pane, select the distribution group you want to modify, and then click Properties.

4. On the Mail Flow Settings tab, highlight Message Delivery Restrictions, and click Properties.

5. Ensure there is a check in the Require That All Senders Are Authenticated check box.

6. Click OK when finished, and then click OK again to exit the configuration screen.

In addition, an administrator can further restrict the usage of this distribution group by allowing only a specific individual or security group to use it.

To restrict access to the distribution group to a specific user or group, do the following:

1. Open the Exchange Management Console.

2. In the console tree, under Recipient Configuration, click Distribution Group.

3. In the results pane, select the distribution group you want to modify, and then click Properties.

4. On the Mail Flow Settings tab, highlight Message Delivery Restrictions, and click Properties.

5. Under Accept Messages From, select the Only Senders in the Following List option button.

6. Click Add, and select the users or groups that are to have permission to send to the distribution group.

7. Click OK when finished, and then click OK again to exit the configuration screen.

An additional option allows you to configure the distribution list to reject messages from an individual or from members of a group. This setting is also configured using the Message Delivery Restrictions page.
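The three Message Delivery Restrictions settings described above (require authenticated senders, accept only from a list, reject from a list) can also be applied with the Exchange Management Shell, which is the practical route when there are many groups to secure and when you want to audit which groups are still open. The following is an added example, not code from the original article; the group name “All Employees” comes from the CompanyABC scenario above, while “HR Announcers”, jdoe@companyabc.com and contractor@companyabc.com are hypothetical names. Set-DistributionGroup and Get-DistributionGroup, with the parameters used here, are the standard Exchange Server 2007 recipient cmdlets.

```powershell
# Added example (not from the original article): shell equivalents of the
# Message Delivery Restrictions procedures. Names other than "All Employees"
# are hypothetical.

# 1. Require that all senders are authenticated. A message arriving from the
#    Internet with the group's own SMTP address as sender (the spoofed
#    delivery-notification scenario) is now rejected before the group is
#    expanded to its 1,000 members.
Set-DistributionGroup -Identity "All Employees" -RequireSenderAuthenticationEnabled $true

# 2. Accept messages only from a named user and from the members of a
#    security group ("Only senders in the following list").
Set-DistributionGroup -Identity "All Employees" `
    -AcceptMessagesOnlyFrom "jdoe@companyabc.com" `
    -AcceptMessagesOnlyFromDLMembers "HR Announcers"

# 3. Reject messages from a specific user (the reject option on the same page).
Set-DistributionGroup -Identity "All Employees" -RejectMessagesFrom "contractor@companyabc.com"

# Verify the restrictions now in force on the group.
Get-DistributionGroup -Identity "All Employees" |
    Format-List Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled,
                AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers, RejectMessagesFrom

# Audit: because new groups have no restrictions by default, list every
# distribution group that still accepts unauthenticated (Internet) senders.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Select-Object Name, PrimarySmtpAddress, AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers
```

Requiring authenticated senders means the group can no longer receive mail from outside the organization at all; for a group that legitimately needs external mail, use the accept-only-from list instead, and keep read receipts and delivery notifications in mind when sizing the group, since the amplification described above depends on them rather than on the initial message alone.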
