There’s a whole lot to talk about from an information protection standpoint in Exchange 2010. The two biggest features I want to talk about are transport protection encryption (TPE) and protected voice mail. Oddly enough, these two are related even though they may not seem to be.
Transport protection encryption is what Microsoft calls the new integration between Active Directory Rights Management Services (AD RMS) and Exchange transport rules. Simply put, you can define transport rules that automatically apply AD RMS templates to messages in transit. You can use the same predicates and conditions available to transport rules in Exchange 2007. However, there are now actions that let you automatically apply a selected RMS template to messages that match the conditions and exceptions in your rules. For example, you could automatically apply a “company confidential” template to any messages sent to your outside law firm– not a bad idea given the ease of accidentally sending messages where they don’t belong.
Outlook Protection Rules is a new client-side feature (implemented via an add-in for Outlook 2010). The add-in allows you to apply a transport rule-like mechanism to get client-side protection. For example, you can push an Outlook protection rule that automatically applies a certain AD RMS template to a message before it’s sent. The user may or may not be able to override the rule, depending on whether you made it mandatory or not. When you use these rules, the message is protected at the desktop so that administrators can’t read it. This is useful protection for scenarios where a third-party hosted service (like, oh, this one) might otherwise be able to gain access to sensitive items.
In Exchange 2010, the transport and journaling components can read IRM-protected messages. This means that these messages can be journaled, indexed, filtered, and so on, and that transport agents can apply signatures, disclaimers, and message hygiene policies.
Another thing that’s very, very cool: AD RMS is supported in OWA 2010 and on non-Windows Mobile devices. This builds on the AD RMS prelicensing agent shipped with Exchange 2007 SP1, which will proactively request a license for protected content before delivering the message containing that content to your mailbox. The client access server (CAS) will request the license and, on the fly, render the message for the client’s display.
Now, I promised to mention protected voice mail. Many legacy voice mail systems let you mark messages as private, but Exchange 2007 didn’t include this feature. Exchange 2010 does, though. It’s implemented using AD RMS; when a caller marks a message as private, the UM server applies a do-not-forward template to the message before it’s submitted to the hub transport server. (Often-asked question: can you use other RMS templates instead of do-not-forward? No, you can’t.)
Moderation is another awfully interesting feature, but I’ll have to write about it later– my dinner, a bag of tasty microwave popcorn, is done!
Paul's Down-Home Page 