RE: HOW TO encrypt and store mail



I like the idea of using BitLocker; it's transparent to the OS and a lot less work to implement and maintain than EFS. EFS is very secure, but BitLocker can be more secure from a physical security perspective. Remember if you are using BitLocker that you must back up the encryption key (or use AD for the backup). I blogged about BitLocker here:
http://blogs.technet.com/b/uspartner_ts2team/archive/2010/03/17/what-is-bitlocker-what-does-it-do-what-does-it-not-do.aspx
but remember that BitLocker is for offline attacks. While my blog talks about Windows 7 and Vista, it also applies to Windows Server 2008 (except for BitLocker To Go).

I've also blogged about the other forms of encryption available in Windows here:
http://blogs.technet.com/b/uspartner_ts2team/archive/2010/03/18/other-forms-of-encryption-you-need-to-consider.aspx

When you say you need to encrypt your data, what is the goal of this encryption? To protect from offline attacks, or attacks while the data is at rest (sitting on the server)? BitLocker is for offline attacks. EFS can protect files while the data is at rest, but that would mean encrypting the Exchange database with EFS, which I would not recommend.

As Laurent said, if you don't trust your sys admins, there isn't much you can really do.
I also agree that Outlook Express is not a good mail client for secure mail; OWA would be a far superior solution to help protect your data.

The biggest question I have is that when you ask to encrypt, what type of attack are you trying to protect your data from (offline, online)...

P.S. I am a Microsoft employee

Rob Waggoner
________________________________________
From: listbounce@xxxxxxxxxxxxxxxxx [listbounce@xxxxxxxxxxxxxxxxx] on behalf of Laurent Barbier [lbarbier@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, January 12, 2011 11:52 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: HOW TO encrypt and store mail

If you don't even trust your sys admin, then there is nothing you can do
... They are sys admins; they can do whatever they want.

I don't understand why, with a 2008 domain & Exchange, you would use a
deprecated end-user application like Outlook Express?!

If you are concerned about security, give OWA a try; nothing will be
stored / cached on the user end, full SSL with https.

For the server part, did you try something like EFS or BitLocker? It's
possible to use such a feature on Windows Server.
With such a solution, extracting the filesystem from the server would be
pointless because the FS or the files would be encrypted.

Regards,
Laurent

On 12/01/2011 18:30, Edgar Zapata wrote:
Thanks Kurt.
I guess that won't do. As far as I know, and based on the tests that we've been performing, it only provides a way so that, in case the disks are robbed/stolen, they won't be readable unless you have a key (stored in, say, a removable USB drive).
It won't prevent the system admin from reading the contents of the mails or even making copies of the .edb and .stm files for later misuse.

We're still searching and testing so I'm open to suggestions.

Thank you.


Edgar Zapata

-----Original Message-----
From: Kurt Dillard [mailto:kurtdillard@xxxxxxx]
Sent: Wednesday, January 12, 2011 18:22
To: Edgar Zapata; focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: HOW TO encrypt and store mail

You're using Windows Server 2008, so why not use BitLocker to encrypt the entire drive?

Regards,

Kurt

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Edgar Zapata
Sent: Wednesday, January 12, 2011 8:09 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: HOW TO encrypt and store mail

Hello,

We are looking for a solution to store and encrypt mails.

We need to comply with PCI (Payment Card Industry) standards.
We have Windows 2008 and Exchange 2007 SP2.

So far, we haven't found a way to encrypt and store mail in Exchange.
We'll be encrypting communications with TLS.

Plus, we need to use OE (Outlook Express) so we can use IMAP for incoming mail and SMTP for outgoing e-mail.

Any ideas/suggestions are more than welcome.

Thank you.

