Exchange2007安全遵循和归档

1、Exchange Server 2007 安全、法规遵循和归档 李 强 技术专家 微软（中国）有限公司 消息安全性 传输安全 防病毒 防垃圾邮件 法规遵循(合规) 归档 病毒进入组织最常见的方式是通过邮件“SoftScan的专家指出被扫描出来的病毒中89.5%是钓鱼或恶意程序” - Clement James, “Virus Levels Soar in August,” IT N.au, September 5, 2006“垃圾邮件制造者们现在每天会生成约550亿封的垃圾邮件.一年前的数字是300亿.” - Robert McMillian, “Spams New Image,” CIO.c

2、om, August 15, 2006垃圾邮件的数量在持续膨胀钓鱼欺骗程序在短期内就已经变得更让人迷惑和上当了 使用信封传输，而不是明信片 防止窃听或更改商务邮件，保护产权或隐私 收到可能伪造的消息时用户会收到警告信息 组织内安全地发送邮件 组织间默认安全地发送邮件（默认签名或加密）45所有内部邮件传输都是加密传输Kerb / TLS for Hub to Hub trafficEdge to Hub 相互认证TLS加密连接Edgesync 设置Edge to Edge 加信封(默认)支持 TLS + 证书认证支持Message Level Security (MLS) Message Lev

3、el Security (MLS) 支持自签名证书， 通过DNS认证 加密和签名的Key发布到DNS 消息加密，签名并完全的密封6Exchange 托管服务在邮件进入组织网络前进行邮件过滤基于SLA(服务品质协议)的邮件安全性能Exchange Server 2007边缘服务器在防火区进行邮件过滤由组织定制和管理的功能病毒过滤垃圾邮件过滤托管服务的选择基于互联网的托管服务，在邮件进入组织内网前对垃圾邮件和病毒进行处理针对邮件安全和管理的企业级立体托管服务简化邮件管理FirewallMailbox ServerHub Transport ServerClient Access ServerInt

4、ernet+On-Premise Software 邮件加密 无需公钥和私钥管理 基于网关和策略的邮件加密 不间断的邮件访问 快速恢复 30天邮件历史数据 邮件保留 生成定制报表 快速搜索 实时邮件防护 立体邮件防护 可定制的内容和策略边缘网络的选择组织内软件来保护邮件本地控制防病毒、防垃圾邮件和邮件安全策略都是在本地进行定制内置保护FirewallInternet+On-Premise SoftwareMailbox ServerHub Transport ServerClient Access ServerEdge Transport Server 部署在防火区 不加入活动目录 安全的SM

5、TP配置地址重写中继转发控制智能主机传输层加密(TLS) SMTP高可用性 一致的Exchange管理体验 基于活动目录的收件人过滤 Outlook 安全收件人列表汇集 垃圾邮件归档再处理支持Exchange Server 2007的防病毒厂家SymantecTrend MicroKasperksy LabGFI SoftwareMcAfeeVSAPI 2.5 支持基于存储的扫描应用防病毒标签来减少不必要的重复扫描防病毒标签样例:X-MS-Exchange-Organization-AVStamp-Mailbox: VSKing;5;0;infoVSKing: AV vendor name (

6、8 characters)5: Vendor version (32-bit unsigned integer)0 (VIRSCAN_NO_VIRUS): Virus status (32-bit unsigned integer)Info: Optional Virus info (128 byte string)Forefront 安全方案可以保护我们的消息服务器，使其免受病毒和蠕虫的困扰多个防病毒引擎、在多个层面进行扫描64位支持，一致性管理体验消除不合适的文字和危险的附件防垃圾邮件特性防垃圾邮件特性Exchange 2003 RTMExchange 2003 SP1Exchange 2

7、003 SP2Exchange 2007RTMIP 黑白名单Yes YesYesYesIP DNS 阻止列表YesYesYesYes收件人筛选YesYesYesYes发件人筛选Yes YesYesYes内容筛选(Smartscreen)YesYesYes内容筛选更新(Smartscreen)Bi-weeklyDaily发件人IDYesYesIP 安全列表(aka Bonded Sender)YesOutlook Postmark 验证Yes协议分析数据收集Yes发件人信誉Yes开放代理验证Yes动态垃圾邮件数据更新服务Yes每用户/组织单元垃圾邮件设置Yes管理垃圾邮件隔离区Yes自动DNS阻

8、止列表Yes连接筛选实时组织列表全局黑白名单SMTP 筛选发件人和收件人筛选发件人 IDSMTP 命令行Tar-pitting 内容筛选Outlook 安全列表聚合垃圾邮件信任级别每用户/组织单元垃圾邮件偏好Outlook Postmark 验证隔离和垃圾邮件报表 Incoming Internet E-mail Outlook MailboxInboxJunk E-mail1 连接筛选3 内容筛选2 协议筛选12132连接筛选收件人筛选发件人筛选发件人ID内容筛选（垃圾邮件信任级别）Outlook邮戳验证发件人信誉IP信誉安全列表汇集垃圾邮件隔离附件筛选制度和法规遵从控制传输规则通讯保留和查

9、找个人信息声明针对规定用户应用一些操作指令发送副本给管理者审查公司规定控制法律声明保护智能资产邮件中包含攻击性词汇对消息应用权限管理21 获取和保留智能资产 消息分类 自动保留和过期策略 跨邮箱搜索2223Primary FocusIntentRegulationInformation retentionEstablished by the SEC, establishes retention policies for brokers, dealers, and Exchange members. Per SEC 17a-4 regulations, broker-dealers as wel

10、l as many multiline financial firms need the capacity to capture, index, archive, search, and retrieve their email and instant message (IM) communications.SEC 17A-4Controlled accessRelates to the privacy of patients health information. The act is intended to protect medical records and other health

11、information held or disclosed by health-related organizations.Heath Insurance Portability and Accountability Act (HIPAA)Addresses the publics increasing concern regarding the protection and use of their private information. Mandates that financial institutions take steps to ensure the security and c

12、onfidentiality of their customers personal information.Gramm-Leach Bliley ActMandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised. Confidential information includes social security numbers, California drivers

13、license numbers, account numbers, and credit or debit card numbers. It became effective on July 1, 2003.California SB 1386Information and process integrityImpacts financial reporting processes, with long-term effects on corporate governance and the regulation of auditors.Sarbanes-Oxley Act of 2002Cr

14、eated in response to recent growth in international financial markets. It intended to encourage banks to manage their capital appropriately and to improve their risk-control processes. It is a set of international risk-based capital guidelines due to take effect in 2006.Basel IIEstablished the crite

15、ria under which electronic records (including email) and signatures will be considered equivalent to paper records and handwritten signatures in manufacturing processes regulated by the FDA.21 CFR Rule 11Developed in response to the September 11, 2001, terrorist attacks. The act requires financial s

16、ervices and insurance companies to implement antiterrorism and anti-money-laundering regulations, including capabilities to identify customers and flag suspicious transactions.USA PATRIOT ActSource: IDC, 200424Compliance AreaFeaturesServer RoleInformation RetentionAutocopyMailboxTransport JournalingHubManaged E-mail Folders MailboxControlled AccessTransport RulesHub, EdgeEnhanced SearchMailboxTransport EncryptionHub, EdgeInformation and Process IntegrityManaged E-mail FoldersMailboxSender SigningEdgeAudit TrailsAll except Edge 传输控制 过滤个人信息 消息分类 管理员配置 用户配置多种托管