Microsoft KB Archive/149333

= The basics of Advanced Security in Exchange Server =

Article ID: 149333

Article Last Modified on 3/6/2007

-

APPLIES TO


 * Microsoft Exchange Server 4.0 Standard Edition

-



This article was previously published under Q149333



SUMMARY
If Advanced Security is enabled on a user's mailbox, the user can turn on the Advanced Security features of Microsoft Exchange by using either the Microsoft Exchange Administrator program or a Microsoft Exchange client. To do this, the user must check the Message Encryption and Digital Signatures options, available by choosing Tools, Options, and the Security tab.

If these features are enabled and another user also has these features enabled, messages sent between those users are encrypted and cannot be "sniffed" on the network. These features prevent potential security breaches such as reading or modifying the messages on the network. However, the message cannot be sent in encrypted format if the recipient has not enabled the Advanced Security features.

Once the encrypted message arrives at the recipient's mailbox, the message can be opened by typing in a password. The message is then decrypted and appears as a normal message to the recipient. The message can be modified and forwarded to other users. As long as the message is sent to users that have the Advanced Security features turned on, the message will be encrypted again on the network each time it is sent.



MORE INFORMATION
Advanced Security features can be enabled by installing the Microsoft Exchange Key Management server from the Microsoft Exchange Server CD in the SETUP\ \EXCHKM directory. Once installed, a new service will be available in Control Panel-Services. This is the Microsoft Exchange Key Manager service.

The following processes must occur for these features to work:
 * 1) The Key Manager service must be running on a single server in the organization.
 * 2) Each individual mailbox must have the Advanced Security features enabled using the Microsoft Exchange Administrator program.
 * 3) The client must receive a special token from the administrator so they can enable the Advanced Security features for their mailbox (a local .EPF file is created containing the security information of the client).
 * 4) The client must turn on the Message Encryption and Digital Signature features in the Microsoft Exchange Client by choosing the Tools menu, Options, and the Security tab.

Three different encryption formats are available in the North American version of Microsoft Exchange:
 * CAST-64
 * DES
 * CAST-40

Only CAST-40 is available for localized versions of Microsoft Exchange.

If a potential breach of security occurs with the Microsoft Exchange messaging system, the encryption format can be changed at any point.

There will be no limitations on what can be done to the messages once they are opened.

The following are the changes noticeable by the clients:
 * If the message sender has Advanced Security enabled and is sending to other users with the features enabled, the sender will be prompted for a password when sending the message.
 * If message recipients have the Advanced Security features disabled, the sender has to send the message unencrypted or cancel the message.
 * If the message sender has Advanced Security enabled and sends a message to some users with Advanced Security enabled and other users with this feature disabled, the sender has three options:
   * The sender can remove the recipients without the Advanced Security features enabled from the list.
   * Send the message unencrypted to all recipients on the list.
   * Cancel sending the message.
 * If the message sender has the Advanced Security features disabled, messages are sent unencrypted. The recipient of the message can open the message, whether Advanced Security is enabled or disabled.
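The send-time behaviour listed above, modelled as an added example (this is not code from the KB article or from Exchange itself): the `Mailbox`, `SendDecision`, `send_decision` and `remove_unsecured` names are assumptions made for the illustration. The point it makes explicit is that the client never silently downgrades a mixed recipient list; the sender has to choose, and the same evaluation applies again on each forward.

```python
# Added example: a model of the Exchange 4.0 client's send-time decision for
# Advanced Security. Names and the outcome strings are constructed for this
# illustration; they are not Exchange APIs.
from dataclasses import dataclass


@dataclass(frozen=True)
class Mailbox:
    name: str
    advanced_security: bool  # True once the mailbox has its .EPF token enabled


@dataclass(frozen=True)
class SendDecision:
    outcome: str              # "encrypted", "plaintext" or "sender_must_choose"
    password_prompt: bool     # client asks for the .EPF password before sending
    options: tuple = ()       # choices offered to the sender, if any


def send_decision(sender: Mailbox, recipients: list) -> SendDecision:
    """Return what the client does for this sender/recipient combination."""
    if not recipients:
        raise ValueError("a message needs at least one recipient")
    # Sender without Advanced Security: always plaintext, no password prompt.
    if not sender.advanced_security:
        return SendDecision("plaintext", False)
    unsecured = [r.name for r in recipients if not r.advanced_security]
    # Every recipient has Advanced Security: encrypted, sender unlocks .EPF.
    if not unsecured:
        return SendDecision("encrypted", True)
    # Nobody on the list can receive encrypted mail: plaintext or cancel.
    if len(unsecured) == len(recipients):
        return SendDecision("sender_must_choose", False,
                            ("send unencrypted", "cancel"))
    # Mixed list: no silent downgrade; the sender picks one of three options.
    return SendDecision("sender_must_choose", False,
                        ("remove recipients without Advanced Security: "
                         + ", ".join(unsecured),
                         "send unencrypted to all recipients", "cancel"))


def remove_unsecured(recipients: list) -> list:
    """First option for a mixed list: drop recipients without Advanced Security."""
    return [r for r in recipients if r.advanced_security]
```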

<div class="references_section">