Capturing Certs for Encrypted Email Communication
Tuesday, May 1, 2012 18:56
So I need to find a way to capture certs from trusted users in order to decrypt email if there are any legal actions and so on. Right now, email sent from internal users to external users could be decrypted; however, I need to ensure that email sent from external users can be decrypted as well. I know PGP has this feature. Does Exchange\Outlook\Certificate Services have anything like this?
I've been looking at Rights Management Services but haven't found any mention of this exactly.
David Jenkins
All replies
Wednesday, May 2, 2012 04:02
Active Directory Rights Management Services (AD RMS) can decrypt messages during transport. But it is limited to email messages that are encrypted by your AD RMS servers (for most companies, that will NOT include external users). You can read a bit more about it at the following URL:
Understanding Transport Decryption
http://technet.microsoft.com/en-us/library/dd638122.aspx
If you are using S/MIME, there are a number of limits. Typically, S/MIME relies on individual certificates per user. So one big concern is managing those certificates. In addition, there are some administrative pains around trying to use those for automating decryption during transport (mostly that Exchange doesn't provide a way to do it that I'm aware of). Some organizations are using a hybrid PKI where they can issue S/MIME certificates from their internal PKI and have the certificates trusted on the Internet (in a hybrid PKI, the root CA is typically a cloud-based provider and the internal PKI is part of that hierarchy). In such a scenario, theoretically, you can decrypt messages sent to any of the users. But it isn't automated. At least, I haven't seen anybody automate it. But if the only goal is to ensure that an occasional email can be decrypted, it may meet the requirement.
In reality, as long as you have administrative control of the client computers and the AD DS domain, you can also decrypt messages. Log on to the client computer as the user, launch Outlook, and view the messages in plain text. If you are looking at large quantities of legal/discovery/audit requests, this is certainly not a good solution though.
Brian
Marked as answer by Gavin-Zhang, Monday, May 28, 2012 08:14
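Brian's point that an organization holding its users' S/MIME private keys (for example through its own PKI with key archival) can decrypt mail addressed to them, shown as an added example that is not part of this thread: OpenSSL stands in for Exchange/Outlook, the recipient certificate, key and message are all constructed locally, and the last function shows that the certificate alone does not decrypt anything; only the archived private key does.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenSSL 1.1 or later is installed.
# Every file, name and address below is constructed for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a throwaway certificate + private key for a hypothetical external user.
# In a real deployment the private key would come from the CA's key archival store.
make_recipient() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example External User/emailAddress=user@external.example" \
    -keyout "$WORK/escrowed_key.pem" -out "$WORK/recipient_cert.pem" 2>/dev/null
}

# Sender side: encrypt a message using only the recipient's certificate (public key).
encrypt_message() {
  printf 'Subject: test\n\nconfidential body\n' > "$WORK/plain.eml"
  openssl smime -encrypt -aes256 -in "$WORK/plain.eml" \
    -out "$WORK/message.p7m" "$WORK/recipient_cert.pem"
}

# Compliance side: decrypt with the archived private key and print the plaintext.
decrypt_with_escrowed_key() {
  openssl smime -decrypt -in "$WORK/message.p7m" \
    -recip "$WORK/recipient_cert.pem" -inkey "$WORK/escrowed_key.pem"
}

# Holding the certificate but a different private key must not work.
# Returns 0 when decryption is correctly refused, 1 if it unexpectedly succeeds.
wrong_key_is_rejected() {
  openssl genrsa -out "$WORK/other_key.pem" 2048 2>/dev/null
  if openssl smime -decrypt -in "$WORK/message.p7m" \
       -recip "$WORK/recipient_cert.pem" -inkey "$WORK/other_key.pem" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

make_recipient
encrypt_message
decrypt_with_escrowed_key
```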
Monday, May 7, 2012 08:11
Hi David,
The replies above gave some good suggestions; any update on your issue?
Some other information for you:
http://technet.microsoft.com/en-us/library/ee849857(v=ws.10).aspx
http://www.msexchange.org/articles_tutorials/exchange-server-2010/compliance-policies-archiving/rights-management-server-exchange-2010-part1.html
Regards!
Gavin
TechNet Community Support
Marked as answer by Gavin-Zhang, Monday, May 28, 2012 08:14