Security Solutions for Exchange Server

Well, I have harped about Exchange Server disaster recovery enough so let’s talk about something new. How about security? I was wondering how all of you address high security services in your Exchange environment.

As most users are aware, Microsoft provides some basic high-security mechanisms in Exchange Server for functions such as encrypting and signing messages. Combining Microsoft Certificate Server with the Exchange Key Management Server (KMS) provides two features. Microsoft Certificate Server provides the certification authority (CA), and KMS provides administration and key recovery services. In addition, you can set up your system to use a third-party CA such as VeriSign. Also, on the client side, several options ranging from Microsoft Outlook to third-party solutions are available. All of the latest capabilities were provided with Exchange Server 5.5 Service Pack 1 (SP1). Prior to that, with Exchange Server 4.0 and 5.0, you were limited to the key management facilities that the KMS provided. In this scenario, the capability to encrypt and sign email by using the KMS as the CA severely limited the enterprise viability of such a solution. The ability to exchange keys with outside organizations also was difficult. To make matters worse, the management and administration of this setup was (being kind to Microsoft) not optimal.

Today, however, Exchange administrators might have more options than they can deal with because not only does Microsoft provide a better solution with Exchange 5.5 and Certificate Server but many third parties have added to the mix as well. Vendors like VeriSign and Entrust offer solutions that both complement and compete with Microsoft’s features. Throw in developments from the Business Quality Messaging (BQM) forum and you'll become totally confused. Now that all these features are available and relatively simple to deploy, which options do you choose? I would recommend taking a look at both Microsoft’s core technology provided with Exchange Server and Windows NT as well as third parties such as VeriSign and Entrust. Also, look at some of the service providers for Exchange such as Compaq, Wang, Software Spectrum, and others and ask them how they can assist.

The subject will become increasingly important as the e-business paradigm evolves. Also, with new technologies on the forefront, such as the new security features in Windows 2000 (Win2K) and Platinum, an organization will need answers to questions about security and their own public key infrastructure (PKI). Very soon, sending encrypted and digitally signed messages within your own company and outside your organization will be commonplace. For Exchange deployments, start by understanding your organizations PKI strategy and look at what’s in the box with Exchange Server already. If your organization has no PKI strategy, ask someone why.