Deploying and Configuring Exchange Server 2013 Step by Step, Part 2: Managing and Configuring Exchange Server 2013 Recipients, Compliance (DLP Data Leakage Prevention), Mail Flow, and Exchange RBAC for Delegation of Authority
Author: Zahir Hussain Shah, MVP Exchange Server, CISSP
Last week we published the first part of this blog series, which introduced Exchange 2013 with its new features and its hardware and software requirements, and walked through the steps for installing Exchange 2013 as a fresh installation.
In this blog post we continue with the second part of the series, where we will discuss Exchange 2013 Recipients, Compliance, Mail Flow, and Exchange RBAC. To start, let’s take a look at Exchange 2013 Recipients.
Exchange 2013 Recipients
Exchange 2013 recipients have not changed much from the previous version: the majority of the same recipient types are carried over, with added flexibility for creating and managing these recipients and resource-based mailboxes.
The recipient management part of the Exchange Administration Center (EAC) gives a handy way to manage the following types of recipients:
Now let’s discuss each of the above types of Exchange 2013 recipients in detail, and see whether any new properties are associated with them.
Not much has changed in the GUI-based creation of an Exchange 2013 mailbox: you can either select an existing user account for mailbox provisioning, or create a new user account along with its mailbox from within the EAC.
From the mailboxes sub-menu we can also create a Linked Mailbox.
In this section we see the same inherited features for creating a Distribution Group, a Security Group, and a Dynamic Group. When creating these different types of groups, we still have the option either to choose a pre-existing group or to create a new group from the EAC GUI-based group creation utility.
Under the resources tab of the Exchange 2013 EAC, we can create Room and Equipment mailboxes. This area is still the same as in the previous version of Exchange.
Another type of Exchange recipient is the mail-enabled contact. Within the Exchange 2013 EAC GUI-based administration, we have the flexibility to create a Mail Contact and a Mail User, just as we used to in the previous version of Exchange Server.
Shared (Shared Mailbox)
This is a new type of Exchange recipient creation added to the Exchange Administration Center (EAC). With shared mailbox creation, we now have the flexibility to create a mailbox that is shared among several users. For example, say we are creating a shared mailbox for our Exchange 2013 Migration Project: on this mailbox we have given Zahir Hussain Shah and John Kelly full access, while also allowing John Kelly to have send-as permission on it.
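The same shared mailbox can be built and then reviewed from the Exchange Management Shell. This is an added example, not part of the original post; the alias is hypothetical, and the two user names are assumed to resolve to exactly one account each in your directory.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2013.
$name       = "Exchange 2013 Migration Project"
$alias      = "Ex2013Migration"                  # hypothetical alias
$fullUsers  = "Zahir Hussain Shah", "John Kelly" # assumed to resolve uniquely
$sendAsUser = "John Kelly"

# A shared mailbox gets a disabled AD account, so nobody signs in to it
# directly; all access comes from the permissions granted below.
New-Mailbox -Shared -Name $name -DisplayName $name -Alias $alias

# Full Access: open the mailbox and manage its items.
# It does not, by itself, allow sending as the mailbox.
foreach ($user in $fullUsers) {
    Add-MailboxPermission -Identity $name -User $user `
        -AccessRights FullAccess -InheritanceType All
}

# Send As is a separate Active Directory extended right.
Add-ADPermission -Identity $name -User $sendAsUser -ExtendedRights "Send As"

# Review the explicit (non-inherited) grants so the mailbox's access list
# can be compared against what the project actually approved.
Get-MailboxPermission -Identity $name |
    Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF" } |
    Select-Object User, AccessRights

Get-ADPermission -Identity $name |
    Where-Object {
        $_.ExtendedRights -like "*Send-As*" -and
        -not $_.IsInherited -and
        $_.User -notlike "NT AUTHORITY\SELF"
    } |
    Select-Object User, ExtendedRights
```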
Migration (Mailbox Migration)
Within the migration section of the Exchange Administration Center (EAC), we can migrate a mailbox to a different Mailbox Database within the forest, or migrate a mailbox to a different forest.
That covers the recipient side of Exchange 2013. Now we will move on to Compliance and see what new features related to messaging compliance have been added in Exchange 2013.
Exchange 2013 Compliance Management
A couple of new features have been added in Exchange 2013 related to messaging compliance and DLP (Data Leakage Prevention). These new features enable customers to automate the implementation of compliance and regulatory requirements within their Exchange messaging organization, and allow them to keep their environment safe from any possible leakage of secret and business information within or outside of the organization.
Exchange 2013 provides the following new ways of protecting your intellectual property, and allows you to configure compliance rules that put road-blocks in front of any unauthorized publication of business-critical information:
- Creating new custom DLP policy
- Creating new DLP policy from a pre-existing DLP policy templates
- Importing DLP policy from partners and regulatory compliance bodies
Now we will go ahead and discuss each of the above compliance management rules available within Exchange 2013 from the Exchange Administration Center (EAC).
Creating a new Custom DLP Policy for CONTOSO Corporation
This option gives you a free hand to create your own custom DLP policies based on your organization's way of working and its rules. While creating a custom policy we can select one of three modes: enforce, test DLP policy with Policy Tips, and test DLP policy without Policy Tips. This flexibility makes it much easier for the Exchange administrator to avoid blocking legitimate traffic unnecessarily, by first testing the rules and only then applying them to the required recipients.
Within a new DLP policy, we can add the following types of rules:
- Notify sender when sensitive information is sent outside the organization
- Block messages with sensitive information
- Block message with sensitive information unless the sender overrides
- Block messages with sensitive information unless sender overrides with a business justification
- Or create new custom rules from scratch
For example, let's create a rule which says that all sensitive messages sent out of the organization should be blocked. To create this rule we select “Block messages with sensitive information”, and then the box below opens so the rule can be customized to apply to exactly the recipients and situation needed.
In the screenshot below, we set up a scenario where the company blocks all sensitive information related to US passports from being sent out of the organization. In this policy we used the U.S. / U.K. Passport Number DLP policy template, which is available by default in Exchange 2013.
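The passport-number scenario above can also be set up from the Exchange Management Shell, starting in test mode and promoting to enforcement afterwards. This is an added example, not part of the original post; the policy name, rule name and rejection text are hypothetical, and it assumes the sensitive information type is listed by `Get-DataClassification` under the name used on this page.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2013.
$policy   = "CONTOSO Passport DLP"             # hypothetical policy name
$rule     = "CONTOSO - Block passport numbers" # hypothetical rule name
$dataType = "U.S. / U.K. Passport Number"      # name as given on this page

# The three EAC modes map to the -Mode values:
#   Enforce                             -> Enforce
#   Test DLP policy with Policy Tips    -> AuditAndNotify
#   Test DLP policy without Policy Tips -> Audit
New-DlpPolicy -Name $policy -Mode AuditAndNotify -State Enabled

# Confirm the sensitive information type exists under the expected name
# before referencing it in a rule.
Get-DataClassification |
    Where-Object { $_.Name -like "*Passport*" } |
    Select-Object Name

# "Block messages with sensitive information", limited to mail leaving
# the organization. In AuditAndNotify mode nothing is rejected yet;
# matches are logged and the sender sees a Policy Tip.
New-TransportRule -Name $rule -DlpPolicy $policy -Mode AuditAndNotify `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = $dataType } `
    -NotifySender RejectMessage `
    -RejectMessageReasonText "Passport numbers may not be sent outside CONTOSO." `
    -SetAuditSeverity High

# After the test period shows no legitimate mail being caught, enforce:
# Set-DlpPolicy     -Identity $policy -Mode Enforce
# Set-TransportRule -Identity $rule   -Mode Enforce

# Review what is attached to the policy and in which mode.
Get-TransportRule -DlpPolicy $policy |
    Select-Object Name, Mode, State, Priority
```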
In-place eDiscovery and Hold
This feature has not changed much from previous Exchange versions. In this section of the Exchange Administration Center, we can perform a quick lookup of e-mail items related to specific body text or a specific subject. We can also customize our search criteria based on users, time, date, e-mail body or subject.
This is something I personally like, as no such handy way was available in the previous version of Exchange Server. Now we can perform auditing using the following pre-existing types of reports, which provide a quick lookup of the information below:
- Run a non-owner mailbox access report
- Run an administrator role group report
- Run an in-place discovery & hold report
- Run a per-mailbox litigation hold report
- Export mailbox audit logs
- Export administrator audit logs
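The non-owner access report and the two audit log exports have Exchange Management Shell equivalents, and the non-owner report only returns data for mailboxes that have audit logging turned on, which is off by default in Exchange 2013. This is an added example, not part of the original post; the mailbox name is the shared mailbox used earlier on this page, and the status recipient address is hypothetical.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2013.
$mailbox = "Exchange 2013 Migration Project"  # shared mailbox from this page
$auditor = "auditor@contoso.com"              # hypothetical recipient
$start   = (Get-Date).AddDays(-7)
$end     = Get-Date

# 1. Mailbox audit logging must be enabled first; nothing is recorded
#    for the period before this is set.
Set-Mailbox -Identity $mailbox -AuditEnabled $true

# 2. Non-owner mailbox access: actions by delegates and administrators.
Search-MailboxAuditLog -Identity $mailbox -LogonTypes Admin, Delegate `
    -StartDate $start -EndDate $end -ShowDetails -ResultSize 1000 |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType,
                  Operation, OperationResult, FolderPathName

# 3. Export mailbox audit logs: queued search, results mailed as XML.
New-MailboxAuditLogSearch -Name "Non-owner access, last 7 days" `
    -Mailboxes $mailbox -LogonTypes Admin, Delegate `
    -StartDate $start -EndDate $end -StatusMailRecipients $auditor

# 4. Administrator audit log: who changed mailbox permissions or
#    role group membership in the same window.
Search-AdminAuditLog -StartDate $start -EndDate $end `
    -Cmdlets Add-MailboxPermission, Add-ADPermission, Add-RoleGroupMember |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded
```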
Retention Tag, Retention Policies, and Journal Rules
Settings and policies in the retention area of Exchange administration have not changed much from the previous version. We can still use these features in combination with the other new and existing Exchange 2013 compliance rules to make the messaging infrastructure more compliant.
Exchange 2013 Mail Flow
To manage Exchange 2013 mail flow, we create the same types of receive and send connectors as we used to in previous Exchange Server versions. Not much has changed with respect to Accepted Domains, Receive Connectors, and Send Connectors.
As a thousand-foot overview of Exchange 2013 mail flow, I would emphasize that, in addition to the existing mail flow settings, Exchange 2013 transport rules are now much more capable and provide an easier way of configuration.
The following types of rules can be created within Exchange Server 2013.
Role Base Access Control (RBAC) and Delegation of Authority for Exchange Management
RBAC is one of the most significant features that administrators and organizations insist on having in any IT infrastructure server application. RBAC provides an efficient method of granting the least administrative rights needed to manage and maintain an application.
Exchange 2013 RBAC has not changed much from previous versions. You can still create new admin roles and add Exchange admins to the various built-in Exchange roles for server-based or recipient-based administration.
The following built-in admin roles are available, for which delegation of authority can be performed to provide the least administrative rights needed to perform a set of operations based on admin role membership.
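Delegation with least administrative rights usually means a custom role group with a narrow write scope rather than membership in a broad built-in group. The following is an added example, not part of the original post; the role group name and the organizational unit are hypothetical, and the member is one of the users named earlier on this page.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2013.
$group = "CONTOSO Migration Help Desk"   # hypothetical role group name
$ou    = "contoso.com/Migration Users"   # hypothetical organizational unit

# Grant only the recipient-management roles, and only over recipients
# in one OU. Members cannot modify recipients outside that scope and
# receive no server or organization configuration rights.
New-RoleGroup -Name $group `
    -Roles "Mail Recipients", "Reset Password" `
    -RecipientOrganizationalUnitScope $ou `
    -Members "John Kelly" `
    -Description "Recipient administration limited to $ou"

# Show the resulting role assignments and their write scopes.
Get-ManagementRoleAssignment -RoleAssignee $group |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope,
                ConfigWriteScope

# Review who effectively holds a sensitive role, whether through this
# group or any other, to catch broader grants than intended.
Get-ManagementRoleAssignment -Role "Mail Recipients" -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RecipientWriteScope

# Membership of the broadest built-in group should stay short.
Get-RoleGroupMember -Identity "Organization Management" |
    Select-Object Name, RecipientType
```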
In this article we summarized the various Exchange 2013 recipients and their administration. After the recipient section, we moved on to an explanation of the Exchange 2013 Compliance and DLP features, which are new to Exchange.
After finishing the overview of the Exchange 2013 compliance and DLP features, we explored Exchange 2013 mail flow and, last but not least, gave an overview of Exchange RBAC.
In the next article, we will cover “Part III: Creating Exchange Certificate and Assigning Services to Certificate”.
I hope you find this useful and will give Exchange 2013 a try; it is available for evaluation download. Stay tuned for the next part of this Exchange 2013 blog post series.
Posted on 12/02/2013.