226 Chapter 5  Defining Policies and Security Procedures Finally, we covered some additional tweaking you should do to make your Exchange organi- zation as secure as possible. We investigated how you can secure your environment by delegating Exchange Administrator roles and by securing SMTP email. To finish we covered Information Rights Management. Exam Essentials Legal and company requirements for messaging policies There are both legal and company requirements that force you to configure messaging policies to control mail flow and mail storage. You need to know the difference between transport rules and journaling rules. You might also receive a question about client licensing requirements, and about the archiving possibilities trans- port rules offer. A lot of questions on the exam ask you about the possible configuration options for messaging records management and about message classifications. Antispam in Exchange Server 2007 The exam focuses very hard on the antispam options in Exchange Server 2007, and what is added if you introduce Exchange Hosted Services and Microsoft Forefront for Exchange to your Exchange environment. Make sure that you know what the different antispam filtering options entail. Exchange Administrative Permissions The exam will check if you know about the new Exchange Administrator roles; make sure that you can list them and that you know what rights users will get when they are delegated an Exchange Administrator role. You have to know the advantages and possible disadvantages of securing SMTP email traffic, and what Information Rights Management can offer your Exchange organization. 81461.book Page 226 Wednesday, December 12, 2007 4:49 PM Review Questions 227 Review Questions 1. You are an Exchange administrator, and you have a single Exchange Server 2007 server with 250 mailboxes. Your management wants you to implement what is needed to make sure that messages they send cannot be read by anyone other than the intended recipient. What should you implement? A. Sender filtering B. Recipient filtering C. Content filtering D. Message encryption E. Digital signatures 2. You are an Exchange administrator, and you have an Exchange Server 2007 organization with one Client Access server/Hub Transport server Exchange Server 2007 instance, and one Exchange Server 2007 Mailbox server with 250 mailboxes. Your Exchange server receives more spam messages than legitimate emails, and you want to reduce the number of spam mes- sages that reach your messaging environment, but you do not want to invest in new hardware or software. What are your options? A. Deploy antispam agents on the Mailbox server. B. Deploy antispam agents on the Hub Transport server. C. Deploy the Edge Transport server role in your environment. D. Use Exchange Hosted Services. 3. You are an Exchange administrator, and you have an Exchange Server 2007 organization with one Client Access server/Hub Transport server Exchange Server 2007 instance and one Exchange Server 2007 Mailbox server with 250 mailboxes. Your Exchange server receives more spam messages than legitimate mails, and you want to reduce the number of spam mes- sages that reach your users’ mailboxes, but you do not want to invest in new hardware or soft- ware. What are your options? A. Deploy antispam agents on the Mailbox server. B. Deploy antispam agents on the Hub Transport server. C. Deploy the Edge Transport server role in your environment. D. Use Exchange Hosted Services. 81461.book Page 227 Wednesday, December 12, 2007 4:49 PM 228 Chapter 5  Defining Policies and Security Procedures 4. You are an Exchange administrator, and you have a single Exchange Server 2007 server that houses 300 mailboxes. You would like to keep track of the emails that are sent and received by the legal department in your organization. You are using a Standard Edition license of Exchange Server 2007, and you currently have five stores in use. What should you do? Choose two answers; each part presents part of the solution. A. Create a mail-enabled universal distribution group, U_Legal_Department, and make every user of the legal department a member of that group. B. Create a journaling rule that will journal every email sent and received by members of the mail-enabled universal group U_Legal_Department. C. Move all mailboxes of users in the legal department to a new mailbox store, Store_Legal. D. Enable journaling on the new store, Store_Legal. 5. You are an Exchange administrator responsible for an Exchange 2007 organization that con- tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. Your company recently acquired an Exchange 2007 organization. You do not intend to merge the two companies, but it is important that you secure all mail flow between the two organizations that have a dedicated T1 Line to link them together. What should you do? A. Create a dedicated SMTP Send connector and require authentication. B. Create a dedicated SMTP Send connector. C. Install and configure MIIS. D. Install and configure the Exchange organization’s connector. 6. You are an Exchange administrator responsible for a single Exchange Server 2007 organiza- tion. You’ve received a request that when other SMTP servers perform Sender ID filtering your domain name cannot be spoofed by nonauthorized users. What should you create? A. Register an SPF record in DNS. B. Create an SPF record in the registry of your Exchange server. C. Register an MX record in DNS. D. Register an MX record in the registry of your Exchange server record in DNS. 7. You are an Exchange administrator responsible for an Exchange 2007 organization that con- tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. Your legal department requests that you include a disclaimer with all messages that are sent out from your Exchange organization. How can you accomplish this with the least amount of administrative effort? A. Create and register a transport event sink on your Exchange Hub Transport server. B. Create a transport rule that adds a disclaimer to all messages that are sent outside the organization. C. Create a transport rule that adds a disclaimer to all messages that are sent inside the organization. D. Educate your users to add a signature to all messages they send outside. 81461.book Page 228 Wednesday, December 12, 2007 4:49 PM Review Questions 229 8. You are an Exchange administrator responsible for an Exchange 2007 organization that con- tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. Your management would like you to investigate if it is possible to prepend the word SPAM to every message that is delivered to a user’s Junk E-Mail folder. How can you accom- plish this with the least amount of administrative effort? A. Configure a transport rule to prepend the subject of an email with SPAM when a message reaches a predefined SCL. B. Configure a journaling rule to prepend the subject of an email with SPAM when a message reaches a predefined SCL. C. Create and register a transport event sink to prepend the subject of a mail with SPAM when a message reaches a predefined SCL. D. Create and deploy a group policy to prepend the subject of an email with SPAM when a message reaches a predefined SCL. 9. You are an Exchange administrator responsible for an Exchange 2007 organization that con- tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. Your management requests that you keep the size of your database files under control. You have reached an agreement with your management to control the size of the mailboxes by managing the amount of time messages are retained in the Deleted Items folder. You are required to create two kinds of policies; the first one enables a user to keep items in the Deleted Items folder for 7 days, the second one for 60 days. What should you do to successfully con- figure these requirements? Select three; each answer is a part of the solution. A. Create two mailbox stores. B. Create two new managed default folders, type Deleted Items. C. Move users to the mailbox store that is configured with the required deleted item reten- tion time. D. Create two new managed folder policies, each one responsible for a different managed default folder, both called Deleted Items, and attach it to the users needed. E. Create managed content settings that reflect the specified criteria for each new managed default folder, type Deleted Items. F. Configure the required deleted item retention time for the mailbox stores. 10. You are an Exchange administrator, and you have a single Exchange Server 2007 that houses 300 mailboxes. You have recently deployed an Exchange Server 2007 Edge Transport server, and you need to configure a way to reject any mail that is coming from any known relayers. What should you configure? A. Sender filtering B. Recipient filtering C. Content filtering D. Connection filtering 81461.book Page 229 Wednesday, December 12, 2007 4:49 PM 230 Chapter 5  Defining Policies and Security Procedures 11. You are an Exchange administrator, and you have a single Exchange Server 2007 server that houses 300 mailboxes. You have recently deployed an Exchange Server 2007 Edge Transport server, and you need to configure a way to reject as much mail as possible from domain spoofers. What should you configure? A. Sender filtering B. Recipient filtering C. Sender ID filtering D. Connection filtering 12. You are an Exchange administrator responsible for an Exchange 2007 organization that con- tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. You would like to grant your network administrator the permission to give existing users a mailbox on your Exchange servers. What role should you delegate to your network administrator? A. Exchange Organization Administrator B. Exchange Recipient Administrator C. Exchange View-Only Administrator D. Exchange Server Administrator 13. You are an Exchange administrator responsible for an Exchange 2007 organization that con- tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. You recently hired a new Exchange administrator and added her to the Domain Admins group, but you need to grant her all permissions to the entire Exchange organization. What role should you delegate to your new colleague? A. Exchange Organization Administrator B. Exchange Recipient Administrator C. Exchange View-Only Administrator D. Exchange Server Administrator 14. You are an Exchange administrator responsible for an Exchange 2007 organization that con- tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. All your users use Microsoft Office Outlook 2007. Your management has decided that it has to be possible for users to mark every email they send to a customer as A/C Confidential. What should you do? Select two; each option is part of the solution. A. Deploy a local file (Classifications.xml) on the client computers. B. Create and deploy a registry key on the client computers that enables the use of message classifications. C. Deploy a local file (Classifications.xml) on the Exchange Mailbox servers. D. Create and deploy a registry key on the Exchange Mailbox servers that enables the use of message classifications. 81461.book Page 230 Wednesday, December 12, 2007 4:49 PM Review Questions 231 15. You are an Exchange administrator, and you have a single Exchange Server 2007 server that houses 300 mailboxes. A single user in your organization asks you if there is a way to restrict permissions on an email message he’s sending to a customer. He wants to prevent the customer from forwarding or copying the contents of the email message. The user in question uses Microsoft Office Outlook 2007. What can you offer him? A. Digital signatures B. Message encryption C. Information Rights Management D. A secure SMTP connection to that customer’s mail organization 16. You are an Exchange administrator responsible for an Exchange 2007 organization that con- tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. Your users use either Microsoft Office Outlook 2000 or Microsoft Office Outlook XP to open their mailboxes. All your clients are running Windows XP Professional SP2. Your management wants you to deploy and configure a Rights Management server. What should you do first so that your clients can use the abilities offered by IRM? Select two; each answer is a complete solution. A. Upgrade to Windows Vista B. Upgrade Microsoft Office Outlook to Microsoft Office 2003 C. Upgrade Microsoft Office Outlook to Microsoft Office 2007 D. Deploy Windows Rights Management server 17. You are an Exchange administrator, and you have a single Exchange Server 2007 server that houses 300 mailboxes. Your management wants customers to be sure that messages they receive from your organization are sent by your organization. In addition, your management wants to make sure that in case someone outside your organization altered the message, the recipient knows about this. What should you implement? A. Sender filtering B. Recipient filtering C. Content filtering D. Message encryption E. Digital signatures 18. You are an Exchange administrator responsible for an Exchange 2007 organization that contains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. You recently hired a new Exchange administrator who will be responsible for your Hub Transport server and your Client Access server. What role should you delegate to your new colleague? A. Exchange Organization Administrator B. Exchange Recipient Administrator C. Exchange View-Only Administrator D. Exchange Server Administrator 81461.book Page 231 Wednesday, December 12, 2007 4:49 PM 232 Chapter 5  Defining Policies and Security Procedures 19. You are an Exchange administrator, and you have a single Exchange Server 2007 server that houses 300 mailboxes. You recently deployed an Edge Transport server role. You would like to configure your Edge Transport server to block all messages that contain attachments with an extension .XYZ. What should you do? A. Enable and configure attachment filtering on your Exchange Server 2007 server. B. Enable and configure attachment filtering on your Edge Transport server. C. Enable and configure content filtering on your Hub Transport server. D. Enable and configure content filtering on your Edge Transport server. 20. You are an Exchange administrator responsible for an Exchange 2007 organization that con- tains two Exchange 2007 Mailbox servers, one Client Access server, and one Hub Transport server. You would like to enable attachment filtering, and you choose to deploy an Edge Trans- port server. You would like to have blocked attachments sent to a quarantine mailbox; what should you do? A. Enable and configure attachment filtering. B. Enable and configure content filtering. C. Enable and configure recipient filtering. D. Enable and configure Microsoft Forefront Security for Exchange Server. 81461.book Page 232 Wednesday, December 12, 2007 4:49 PM Answers to Review Questions 233 Answers to Review Questions 1. D. Encrypting messages will make sure that only the intended recipient can view the contents. Sender filtering, recipient filtering, and content filtering are used to prevent spam from entering the exchange organization. Digital signatures will allow the recipient of the message to be sure the sender actually sent the message but the message itself will not be encrypted when sent. 2. D. You don’t want to invest in new hardware and software, so you cannot go for the Edge Transport server role. You want to stop spam before it reaches your messaging environment, thereby eliminating the possibility of deploying the antispam agents on the Hub Transport server. It is not possible to deploy antispam agents on the Mailbox server. You can only choose to use Exchange Hosted Services. 3. B. You don’t want to invest in new hardware and software, so you cannot go for the Edge Transport server role. Since you want to reduce the amount of spam that reaches your users’ mailboxes, you should enable the antispam transport agents on your Hub Transport server. You don’t want to stop spam from entering your organization, you just want to stop spam from reaching the user’s mailboxes, thereby there is no requirement to go for Exchange Hosted Services. 4. A and B. Because you are using the Standard Edition version of Exchange Server 2007, you are not able to create an additional store since you already have the maximum number of stores in use. The Standard Edition version of Exchange only supports the creation of five stores. You can, however, create a new universal distribution group and use a new feature available in Exchange Server 2007: per-distribution-group journaling. 5. A. It is best practice to enable authentication to provide additional security for email sent from associated organizations. Creating a dedicated SMTP Send Connector does not provide secure mail flow if you don’t require authentication. Installing and configuring MIIS would enable directory synchronization which is not asked for in this scenario. The Exchange organization’s connector does not exist. 6. A. Sender ID filtering can provide you with a valid result only if the sender’s domain has a Sender Policy Framework (SPF) record registered in DNS. 7. B. You can use the Exchange Management Console or Exchange Management Shell to con- figure disclaimers on computers that have the Hub Transport server role installed. Creating and registering a transport event sink is not recommended. Educating your users will require more effort than creating a transport rule. You shouldn’t apply a transport rule to messages that are sent inside your organization, because you only want messages that go outside the organization to receive a disclaimer. 8. A. You can configure a transport rule to prepend a subject with a string, and you can specify the value of the SCL as a condition. A journaling rule is used to journal messages, and therefore not valid for changing a message subject. Creating a transport event sink would require admin- istrative effort to create and deploy it. Group policies cannot be used to change the subject of a mail. 81461.book Page 233 Wednesday, December 12, 2007 4:49 PM 234 Chapter 5  Defining Policies and Security Procedures 9. B, C, and E. Deleted item retention time is the amount of time that messages that are deleted from the mailbox are available for recovery. We are covering the messages that are still in the mailbox, in the Deleted Items folder, so deleted item retention time doesn’t matter here. Instead, it is feasible to create two new Deleted Items managed folders and specify for each one different managed content settings, and use managed folder policy to hand them out to the users that need those settings. 10. D. You can configure connection filtering to check with real-time Block lists if the connecting SMTP server is a known relaying server. 11. C. Sender ID filtering will check if the sender (or most probable sender) is sending the mail using the SMTP services of a server that is authorized to send mail from that sender’s domain. If there is an SPF record configured for the SMTP mail domain, you can check if domain spoofing is done. Sender filtering only provides the ability to block mail from specific domains, without checking if it’s spoofed or not. Recipient filtering is used to filter mail sent to specified recipients, and Connection filtering is used to check if the connection was initiated from a valid IP address. 12. B. A user needs to have the Exchange Recipient Administrator role in order to be able to give users a mailbox. 13. A. To be able to fully manage an Exchange organization, a user needs to be delegated the Exchange Organization Administrator role. 14. A and B. If you want to enable the use of message classifications in Outlook, you need to deploy on the client computer a local file (Classifications.xml) that contains the defini- tions of the message classifications. And you also need to create and deploy a registry key that will enable the use of message classification by referencing the Classifications.xml file on the client computer. You don’t need to add a registry key on the Exchange Mailbox servers, and you don’t need to deploy a local file on the Exchange Mailbox servers. 15. C. Information Rights Management can be used in Microsoft Office Outlook 2003 and Microsoft Office Outlook 2007 to prevent email forwarding, copying, editing, or printing. Implementing signing and sealing will not prevent a user from forwarding or copying the con- tents of an email message. A secure SMTP connection only secures the SMTP mail flow, but does not imply that the email message is not able to be forwarded or copied. 16. B and C. You need at least Microsoft Office Outlook 2003 to be able to use the services pro- vided by IRM. You can use the abilities offered by IRM by running Office Outlook 2003 (or later) on XP Professional. You don’t need to have Windows Rights Management server, since you can use the limited-trial version offered by Microsoft. 17. E. Digital signatures provide authentication, nonrepudiation, and data integrity. By digitally signing your email messages, you enable recipients to verify if the email message has been sent by the person or organization that claims to have sent the message, and you enable recipients to verify if the message has been altered. 18. D. You need to delegate the role of Exchange Server Administrator since you want your new colleague to have full control over the specified servers’ configuration data. 81461.book Page 234 Wednesday, December 12, 2007 4:49 PM Answers to Review Questions 235 19. B. Attachment filtering allows you to block attachments from entering your Exchange orga- nization, by attachment content type, or by attachment file name. You can enable and config- ure attachment filtering only on the edge Transport server. Content filtering is set as an SCL value for messages so you can configure your Edge or Hub Transport server to block them, quarantine them, or deliver them to a user’s junk mail folder. 20. D. Forefront Security for Exchange Server enables you to quarantine blocked attachments. Attachment filtering, content filtering, and recipient filtering do not allow you as an adminis- trator to have blocked attachments sent to a quarantine mailbox. 81461.book Page 235 Wednesday, December 12, 2007 4:49 PM [...]...8 146 1.book Page 236 Wednesday, December 12, 2007 4: 49 PM 8 146 1.book Page 237 Wednesday, December 12, 2007 4: 49 PM 70-238: Pro: Deploying Messaging Solutions with Microsoft Exchange Server 2007 PART II 8 146 1.book Page 238 Wednesday, December 12, 2007 4: 49 PM 8 146 1.book Page 239 Wednesday, December 12, 2007 4: 49 PM Chapter 6 Planning an Upgrade to Exchange Server 2007 MICROSOFT EXAM OBJECTIVES... organization to Exchange Server 2007 The main subjects in this chapter are as follows: Exchange 2000 Server features not supported in Exchange Server 2007 Exchange Server 2003 features not supported in Exchange Server 2007 Features that are gone in Exchange Server 2007 De-emphasized features in Exchange Server 2007 Planning the upgrade process from Exchange 2000 Server and Exchange Server 2003 Planning... with Exchange Server 5.5 Exchange Server 2007 does not support coexistence with Exchange Server 5.5 If your Exchange organization still uses Exchange Server 5.5, you will need to transition first to Exchange 2000 Server or Exchange Server 2003, followed by transitioning to Exchange Server 2007 8 146 1.book Page 250 Wednesday, December 12, 2007 4: 49 PM 250 Chapter 6 Planning an Upgrade to Exchange Server. .. foreign X .40 0 mail environment, plan to keep at least one Exchange 2000 Server or Exchange Server 2003 server in your organization 8 146 1.book Page 248 Wednesday, December 12, 2007 4: 49 PM 248 Chapter 6 Planning an Upgrade to Exchange Server 2007 Administrative Groups Administrative groups were introduced with the release of Exchange 2000 Server Every Exchange 2000 Server or Exchange Server 2003 server. .. to Exchange Server 2007, you will be transitioning your Exchange organization to 2007 However, when you decide to upgrade your existing Exchange 2000 Server or Exchange Server 2003 to a new Exchange Server 2007 organization you will be migrating to Exchange Server 2007 Upgrading from Exchange 5.5 or any other third-party messaging system to Exchange Server 2007 is also referred to as migrating to Exchange. .. Legacy Exchange Features In this part of the chapter we will have a look at all features that were available in Exchange 2000 Server and Exchange Server 2003, but are not supported anymore in Exchange Server 2007 We will also highlight the features that are de-emphasized in Exchange Server 2007 8 146 1.book Page 241 Wednesday, December 12, 2007 4: 49 PM Planning for Migration of Legacy Exchange Features 241 ... from Exchange 2000 Server and Exchange Server 2003 that are not supported anymore in Exchange Server 2007 If you decide to transition to Exchange Server 2007, you will need to plan a solution for all features that do not exist anymore in Exchange Server 2007 In this chapter we will dig into all those features, and we will have a look at the best way to transition your Exchange 2000 Server or Exchange Server. .. the Exchange Server 2007 migration implementation Plan the Exchange Server 2007 upgrade implementation 8 146 1.book Page 240 Wednesday, December 12, 2007 4: 49 PM Before we start talking about upgrading to Exchange Server 2007, it is important to make the distinction between two types of upgrades: transitioning and migrating When you decide to upgrade your existing Exchange 2000 Server or Exchange Server. .. solutions, and antivirus solutions.) Active Directory Settings As you have already seen in Chapter 3, Exchange Server 2007 stores most of its configuration information in Active Directory just like Exchange 2000 Server and Exchange Server 2003 8 146 1.book Page 255 Wednesday, December 12, 2007 4: 49 PM Planning the Exchange Server 2007 Upgrade Implementation 255 did, with the exception of the Exchange Server 2007. .. interrupted 8 146 1.book Page 243 Wednesday, December 12, 2007 4: 49 PM Planning for Migration of Legacy Exchange Features 243 Propagate and view presence information of other users Control who can and who cannot contact you Instant Messaging could be installed as part of an Exchange 2000 Server deployment, or you could deploy Instant Messaging on a non -Exchange server in an Exchange 2000 Server environment . are an Exchange administrator, and you have an Exchange Server 2007 organization with one Client Access server/ Hub Transport server Exchange Server 2007 instance, and one Exchange Server 2007. administrator, and you have an Exchange Server 2007 organization with one Client Access server/ Hub Transport server Exchange Server 2007 instance and one Exchange Server 2007 Mailbox server with. December 12, 2007 4: 49 PM PART II 70-238: Pro: Deploying Messaging Solutions with Microsoft Exchange Server 2007 8 146 1.book Page 237 Wednesday, December 12, 2007 4: 49 PM 8 146 1.book Page