caspert
Asked: 2009-09-01 12:19:04 +0800 CST

Suggestions to improve e-mail security

  • 772

I work for a lawyer company which has a lot of extremely sensitive data.

I would like to step up a notch on security. Especially when it comes to e-mail.

So I'd like a lot of recommendations, encryption, storing and similar. I already have some precautions, but it is better to generalize and better to ask for a lot of suggestions.

As many tips as possible please :)

Clients have: Windows XP coupled with Office 2007. We have an exchange server running 2003 as backend. I would rather not upgrade the OS, but other than that, I am very open to suggestions. Oh and another thing. Office 2007 is a must as well, can't change that one, as some of our company software relies on Word, Excel and Outlook.

security exchange-2003 microsoft-office-2007
  • 229 Views

6 Answers

  1. Bart Silverstrim
    2009-09-01T14:18:22+08:00

    What exactly are you trying to secure? The email in transit to other people? In that case, you'd want to use something like PGP to encrypt the message, since email is sent in the clear...your service provider could easily intercept email messages flying over their network (or anyone supplying a connection between you and the recipient). PGP will definitely give them more trouble than it's worth to decrypt the message. There should be plugins for Outlook to integrate it.

    Are you trying to secure the storage of messages on your server? You'd want to take the usual precautions of making sure the server has all the latest patches, STRONG passwords, rotating password policy such that users have to change their passwords periodically with minimum 8 letters mixed case alphanumerics, probably on a thirty to ninety day cycle.

    You have AV and malware scanners on the mail server, yes?

    Are you worried about storage being taken? Governments like taking those if they think there's reason to examine it for something an employee has been doing. The only way to stop that is encryption of the storage volume. Here's where things get hairy because you need to have GOOD BACKUPS in place before screwing around with this...you can use something like NTFS's native encryption or TrueCrypt to encrypt the volume. This also means that if there are problems with data being corrupted, boot issues, etc...you're up a creek if you don't plan ahead and test, since you can't just boot up with a rescue disk and get to data for recovery! You may want to only have a partition set aside for storing data from the mail server, then encrypt that volume.

    Again...TEST BACKUPS. We're talking about making changes to your mail server where if something goes wrong you could easily lose data.

    Then that's another question...you are using a backup product that encrypts the tapes, right? Because all the security on the mail server means nothing if some punk can walk out with a tape to recover the data at home because you don't have it passworded and encrypted.

    How far do you want to layer security? Because if you're running Outlook in a way that caches data, anyone that puts malware on the client system can read their email. Heck, taking over the boss's computer means they have access to whatever the boss has access to, encrypted or not.

    You really need to identify the specific threats you're trying to guard against. Plan out how if you were an outsider you'd try to get whatever asset you're protecting. Then figure out how you'd be thwarted. Stealing client computers? Data backups? Sniffing traffic? Keystroke loggers? What accounts need to be protected?

    Then take a deep breath and figure out how much it's going to COST in terms of money and in terms of convenience. Security often isn't the most convenient thing, and users will grow frustrated if they have to put up with things like decryption and encryption (and getting other people to USE the encryption) or having to store passwords or having multiple passwords. You need to find a balance between safety and convenience so that your users will work WITH you and not against you, because your security won't mean squat when users decide to work around your security measures when they're too irritated to follow procedures.

    • 1
  2. August
    2009-09-01T16:48:23+08:00

    You can employ a Microsoft Public Key Infrastructure/Cert Authority for free if you are running a server OS like Win 2003 (which I see that you are if you are using Exchange). It integrates very well with Active Directory (if you are running that also). Users can grab certs from the CA and encrypt their e-mail with it on an as-needed basis. Exchanging encrypted e-mail within the same domain is no problem as the users will trust the CA inherently and have access to the public key for decryption. If you are sending encrypted e-mail outside the domain, you will need the receiving party's public key so you can encrypt e-mail sent to them with it. This ensures that they are the only recipient who can read it. The reverse is true for receiving encrypted e-mail from outside the domain. I am sorry I don't have any suggestions for secure storage of e-mail though...

    Best Practices for Implementing a Microsoft PKI - http://technet.microsoft.com/en-us/library/cc772670(WS.10).aspx

    Encrypting e-mail with Outlook 2007 (assumes your PKI is already set up) - http://office.microsoft.com/en-us/outlook/HP012305361033.aspx

    • 1
  3. RateControl
    2009-09-01T12:25:52+08:00

    If you aren't opposed to spending money, the PGP Universal server isn't a bad idea. We've been running it for years now. It also is doing well as a virtual for the past 8 months.

    • 0
  4. slovon
    2009-09-01T12:48:43+08:00

    Lotus Notes is, from a security standpoint, a very good product. You can have mail encrypted all the way to the server disk; even the administrator can't read users' mail.

    It integrates to some extent with MS Office on Windows at least, is in some ways strange and ugly but it works quite ok and has wonderful replication options (think always backed up and everything available online if you want).

    • 0
  5. sysadmin1138
    2009-09-01T18:13:37+08:00

    In terms of direct email security, the two 'standards' out there are a bit paradoxical. S/MIME has far better client support in your environment, but suffers from PKI issues. PGP is more widely usable trust-wise, but is (IMHO) clunky in an Outlook environment. This presumes the communication being performed is able to use either standard.

    We've looked into S/MIME and run into the trust issue. We can't give everyone a certificate that chains to one of the certs in all browsers, we can't even come close to speculating about the merest possibility of affording something like that. By using our internal Active Directory rooted Certificate Authority we'd be able to at least secure e-mail between ourselves, just not with external entities with any grace. We have to ask the external entities to trust our Authority, and that's still a tricky proposition after all these years.

    On the other hand S/MIME with an internal CA is free. We'd also be able to set defaults so that all mail sent is at least signed, and possibly even encrypted. With certificates in the Global Address List and the mailbox's Contact List for external entities, maintaining a keyring is a cinch for internal mail and Just Works. The Personal certificates are simply retrieved from the Tree, making key transport simpler. And Outlook Web Access includes the ability to do S/MIME (from IE) if the personal cert is installed on the home machine. It is by far the most convenient solution, too bad the trust issues hamstring it.

    PGP or GPG have Outlook integration issues. Unless the big money products change this, there is no GAL integration. Keys have to be manually backed up and transported to new computing hardware. On the other hand, you don't have the PKI chaining issues you have with S/MIME, so it'll just work more places than S/MIME will.

    • 0
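The following is an added illustration of the S/MIME trust problem described in this answer (and of the internal-CA approach in August's answer above); it is not a script from either poster. It stands up an invented internal CA, issues a user certificate, signs a message, and shows that a colleague who trusts the CA verifies the signature while an outside firm with a different root cannot. It assumes the `openssl` command-line tool is installed; every name and address is made up.

```shell
# Added example (not from the original answers): S/MIME signing with an
# internal CA, and why an outside party cannot verify it.
# Assumes the openssl CLI is installed; every name and address is invented.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config for self-signed roots, so the CA flag is set on every version.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# The firm's internal CA (the answer's AD-rooted authority, modelled simply).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
  -keyout internal_ca.key -out internal_ca.pem \
  -subj "/CN=Example Law Internal CA" 2>/dev/null
# A separate root that an outside firm trusts instead of ours.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
  -keyout other_ca.key -out other_ca.pem -subj "/CN=Other Firm CA" 2>/dev/null

# A user's personal e-mail certificate, issued by the internal CA.
openssl req -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
  -subj "/CN=Alice Example/emailAddress=alice@example.invalid" 2>/dev/null
printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:alice@example.invalid\n' > alice.ext
openssl x509 -req -days 365 -in alice.csr -CA internal_ca.pem -CAkey internal_ca.key \
  -CAcreateserial -extfile alice.ext -out alice.pem 2>/dev/null

# Alice signs an outgoing message (signer certificate is attached, the CA is not).
printf 'Subject: Retainer agreement\n\nDraft attached.\n' > msg.txt
openssl smime -sign -in msg.txt -signer alice.pem -inkey alice.key -out signed.eml

# A colleague whose machine trusts the internal CA: the chain builds, signature OK.
verify_as_colleague() {
  openssl smime -verify -in signed.eml -CAfile internal_ca.pem -out /dev/null 2>/dev/null
}
# An outside firm trusting only its own root: no path to the issuer, verify fails.
verify_as_outsider() {
  openssl smime -verify -in signed.eml -CAfile other_ca.pem -out /dev/null 2>/dev/null
}

verify_as_colleague && echo "colleague: signature verified"
verify_as_outsider || echo "outsider: verification failed, issuer not trusted"
```

The outsider's failure is exactly the "ask the external entities to trust our Authority" problem: distributing internal_ca.pem to every correspondent is the step that does not scale.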
  6. Kara Marfia
    2009-09-02T06:40:47+08:00

    I'd definitely take the above advice, as encrypting email will give you the best security bang - provided your users understand what it can and can't do.

    Next I'd probably ditch Exchange 2003 for 2007. It's nice to finally get rid of Exchange's last lingering dependence on Public Folders. There are a couple of nice security benefits, like giving a user the ability to use OWA to remotely wipe their smartphone if it's lost/stolen.

    Speaking of which, if smartphones are in use, I'd look to procedures/policies on them to really clamp down on security.

    • 0
