You are the messaging engineer for your company. Your network includes two Exchange Server 2007 servers. All users access their mailboxes by using Microsoft Office Outlook 2003. You plan to deploy a Public Key Infrastructure (PKI) on your network. You need to ensure that immediately following your PKI deployment, all users are able to encrypt e-mail messages. What should you recommend?
A.
Publish all users certificates to the Active Directory.
B.
Install the Windows Rights Management client on the Mailbox server.
C.
Install the Windows Rights Management client on all desktop computers.
D.
Create a transport rule that assigns a message classification to all messages sent by internal senders to
internal recipients.
Explanation:
Publishing certs in AD is required because the 2003 GAL is based on AD:The CA can add certs issued to AD subjects to the appropriate AD object. This provides other users with the ability to locate and use the subject’s cert.
There are two template settings that affect how this feature works:
1. Publish cert in AD.
2. Dont automatically re-enroll if a duplicate cert exists in AD (allows renewal of existing certs but prevents redundant ones from being issued).http://technet2.microsoft.com/windowsserver/en/library/051bbb3a-a5f4-46ef-827d-4b68ee0610b61033.mspx?mfr=true
Exchange S/MIME email security can be easily furnished when you establish a CA. Archiving and recovery can be enabled for certs. Then, even if the public and/or private keys get lost, encrypted messages can be recovered. Auto-enrollment furnishes a simple easy method to distribute certs across the forest.
After establishing mail security for the CA and AD, you must configure the Outlook clients. Use security tab of the Options panel to do this. You can set encryption and/or signing for all outgoing mail or for individual messages. With Office System 2003 Reskit Utilities, you can even automate Outlook user profile creation.
http://www.msexchange.org/tutorials/Email_Security_with_Exchange_2003.html