Which solution should you recommend?

You are the messaging engineer for your company. Your company has an Exchange Server 2007 messaging system. Your company's network has five Edge Transport servers. The Edge Transport servers handle all e-mail messages sent to and received from the Internet. Your company wants to implement a stricter e-mail security policy. You need to recommend a solution to encrypt all e-mail messages sent to the Internet. Which solution should you recommend?

A. Create and configure an IPsec policy. Deploy the IPsec policy on all Edge Transport servers.

B. Deploy e-mail certificates to all users. Instruct all users to encrypt e-mail messages with S/MIME.

C. Configure Domain Security on one Edge Transport server. Clone the configuration to all Edge Transport servers.

D. Enable the Externally Secured authentication mechanism for all Edge Transport servers.

Explanation:
S/MIME functionality enables users to send signed and/or encrypted email to one another from a variety of devices, including Outlook, OWA, and Mobile 6.0 using ActiveSync.

S/MIME is a standard for PKI encryption and email signing, encapsulated in MIME. It's built into and interoperates with the majority of modern mail programs and provides the following cryptographic security services: authentication, message integrity, non-repudiation of origin (using digital signatures), and privacy and data security (using encryption).

Before an application can use S/MIME, an individual key/certificate from either an internal or public CA must be installed. Best practice is to use separate private keys (and associated certs) for signature and encryption, since this permits escrow of the encryption key without compromise to the non-repudiation property of the signature key.

Encryption requires having the destination party's cert in your certificate store. Typically, this happens automatically upon receiving an email from this person with a valid signing cert.
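The separate signing and encryption keys and the recipient-cert requirement described above, as an added example that is not part of the original page. It uses the OpenSSL command line rather than Exchange or Outlook, with a throwaway CA; Bob, Alice, example.test and all file names are constructed.

```shell
#!/usr/bin/env bash
# Added example: every name, address and file here is constructed for the demo.
set -eu
W=$(mktemp -d)
MSG="constructed test message for bob"

# Throwaway CA standing in for the internal or public CA (assumption).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
  -keyout "$W/ca.key" -out "$W/ca.crt" 2>/dev/null

# issue <name> <keyUsage>: a separate key pair and CA-signed cert per purpose.
issue() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=Bob/emailAddress=bob@example.test" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  printf 'keyUsage=critical,%s\n' "$2" > "$W/$1.ext"
  openssl x509 -req -in "$W/$1.csr" -CA "$W/ca.crt" -CAkey "$W/ca.key" \
    -CAcreateserial -days 1 -extfile "$W/$1.ext" -out "$W/$1.crt" 2>/dev/null
}
issue bob-sign digitalSignature   # signature key: never escrowed
issue bob-enc  keyEncipherment    # encryption key: the one that may be escrowed

# Bob sends signed mail and attaches his encryption cert, which is how the
# other party gets the cert it needs before it can encrypt to him.
printf 'hello from bob\n' > "$W/hello.txt"
openssl smime -sign -text -in "$W/hello.txt" -signer "$W/bob-sign.crt" \
  -inkey "$W/bob-sign.key" -certfile "$W/bob-enc.crt" -out "$W/signed.eml"

# Alice checks the signature chain against the CA before using Bob's certs.
verify_signed() {
  openssl smime -verify -in "$W/signed.eml" -CAfile "$W/ca.crt" \
    -out /dev/null 2>/dev/null
}

# Alice encrypts to Bob's encryption cert only.
printf '%s\n' "$MSG" > "$W/msg.txt"
openssl smime -encrypt -binary -aes-256-cbc -in "$W/msg.txt" \
  -out "$W/enc.eml" "$W/bob-enc.crt"

# decrypt_with <name>: try to open the mail with that cert and private key.
decrypt_with() {
  openssl smime -decrypt -binary -in "$W/enc.eml" \
    -recip "$W/$1.crt" -inkey "$W/$1.key"
}

verify_signed && echo "signature ok"
decrypt_with bob-enc
decrypt_with bob-sign 2>/dev/null || echo "signing key cannot decrypt"
```

Because the mail is addressed only to the encryption cert, escrowing `bob-enc.key` gives access to encrypted mail without handing over the key that produces Bob's signatures.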

A basic personal cert binds the owner to a particular email address, but doesn't verify the owner's name or business. The latter, if needed (e.g., for contract signing), can be obtained from CAs offering digital notary service.

Depending on the policy of the CA, your cert and all its contents may be publicly posted for reference and verification. This exposes your name and email address to public scrutiny and search. Some CAs post only serial numbers and revocation status, without personal information. The latter, at a minimum, is mandatory to uphold the integrity of the PKI.

http://www.wilsonmar.com/1certs.htm

http://en.wikipedia.org/wiki/S/MIME

Windows Rights Management is a data protection technology that works with RMS-enabled apps to safeguard digital information from unauthorized exploitation.

http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx


