2. Retention Hold
A mailbox can be placed on retention hold when the user is absent for an extended period of time with no access to e-mail; this retention
hold can be indefinite, or have scheduled start and stop dates and
times. This temporarily suspends retention policy processing for that
mailbox, so that messages are not deleted or moved to the user's
personal archive before he has an opportunity to review them on his
return. A retention comment can also be configured; this comment can
inform the user about the retention hold, including when the hold is scheduled to start and end. Retention comments
are displayed in supported Outlook clients (Outlook 2010 and later),
and can be localized so that the user sees the comment in his preferred
language.
A retention hold can be configured on a mailbox via the Exchange Control Panel or the EMC. In the EMC, it is configured by opening the Properties dialog box for the mailbox and then accessing the Messaging Records Management properties from the Mailbox Settings tab, as shown in Figure 6.
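As an added EMS example (not code from the chapter), the first function places a mailbox on a scheduled hold with the comment that Outlook 2010 and later clients display, and the second audits every mailbox for holds that are indefinite or whose end date has passed, since a hold suspends retention processing for as long as it stays enabled. The function names, the mailbox identity, the 30-day window and the comment text are assumed sample values.

```powershell
# Added example, not from the chapter. Run in the Exchange Management Shell.
# Places a mailbox on a scheduled retention hold; the comment is shown to
# Outlook 2010 and later clients. $Identity, $Days and $Comment are sample values.
function Set-ScheduledRetentionHold {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [datetime]$Start = (Get-Date),
        [int]$Days = 30,
        [string]$Comment = 'Retention processing is paused until you return.'
    )
    $end = $Start.AddDays($Days)
    Set-Mailbox -Identity $Identity -RetentionHoldEnabled $true `
        -StartDateForRetentionHold $Start -EndDateForRetentionHold $end `
        -RetentionComment $Comment
    # Read the settings back so the change can be confirmed in the shell.
    Get-Mailbox -Identity $Identity | Select-Object Alias, RetentionHoldEnabled, `
        StartDateForRetentionHold, EndDateForRetentionHold, RetentionComment
}

# Lists every mailbox on hold and flags holds that need review: indefinite
# holds (no end date) and holds whose scheduled end date has already passed.
function Get-RetentionHoldReport {
    $now = Get-Date
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.RetentionHoldEnabled } |
        ForEach-Object {
            $start = $_.StartDateForRetentionHold
            $end   = $_.EndDateForRetentionHold
            $state = if ($end -eq $null)    { 'Indefinite' }
                     elseif ($end -lt $now) { 'EndDatePassed' }
                     else                   { 'Scheduled' }
            $age = if ($start) { [int]($now - $start).TotalDays } else { $null }
            New-Object PSObject -Property @{
                Mailbox     = $_.Alias
                State       = $state
                Start       = $start
                End         = $end
                HoldAgeDays = $age
                Comment     = $_.RetentionComment
                NeedsReview = ($state -ne 'Scheduled')
            }
        }
}

Get-RetentionHoldReport | Sort-Object NeedsReview -Descending |
    Format-Table Mailbox, State, Start, End, HoldAgeDays, NeedsReview -AutoSize
```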
3. Managed Folders
Although they are de-emphasized in Exchange Server 2010, Managed Folders are another technology that provides MRM; it is recommended that you migrate any existing Managed Folders to retention policies, and that you deploy retention policies for new MRM implementations.
Managed Folders are composed of the following components:
3.1. Managed Folders Requirements
A mailbox must reside on an
Exchange Server 2010 or Exchange Server 2007 computer to be able to
apply a managed folder mailbox policy to it. Mailboxes with a managed
folder mailbox policy applied to them can be accessed via Outlook 2010,
Outlook 2007, Outlook 2003 SP2, Exchange Server 2010 Outlook Web App,
and Exchange Server 2007 Outlook Web Access; versions of Outlook older
than Outlook 2003 SP2 are not supported. Outlook 2003 SP2 clients will
not have access to all the features that are available to Outlook 2007
or higher clients, although they can access the mailbox. For example,
they do not see any managed folder comments that have been configured
by the administrator.
3.2. Deploying Managed Folders
With a defined corporate e-mail policy to use as a framework, your managed folders can be planned and deployed. The following steps are involved in deploying managed folders:
Create managed content settings for the managed folders.
Define managed folder mailbox policies.
Apply managed folder mailbox policies to mailboxes.
Configure the Managed Folder Assistant (optional).
3.2.1. Creating Managed Folders
Managed
folders are created and then managed content settings are applied to
them, as required to satisfy your corporate e-mail policy. Managed
folders are Active Directory objects holding properties for defined
default and custom folders within a mailbox that the content settings
are applied to. Custom folders are presented in the user's mailbox in a
discrete folder hierarchy under a top-level folder named Managed Folders. An example of a requirement that managed
folders can satisfy is if your corporate e-mail policy states that
messages pertaining to client projects are retained for three years,
whereas messages containing privacy data as defined by legislation are
retained for 30 days. To satisfy this type of requirement, you can
create two managed custom folders with defined retention periods of 3
years and 30 days respectively. Users then file the appropriate
messages in each custom folder, and the Managed Folder Assistant
applies the defined retention settings to the messages in those folders.
Default folders are folders created in a user's mailbox by default, with or without MRM implemented; these include the Inbox, Sent Items, and Deleted Items folders. Within managed folders, a managed default folder of type Inbox can be created (named, for example, One-Year Retention) and managed content settings applied to it. When this managed folder is included in a policy and assigned to a user, the user's Inbox folder is subject to the retention settings defined for that managed default folder.
Note: Managed default folders are always displayed in the user's mailbox with the standard default name. For instance, in the example outlined earlier, because the folder is of the Inbox type, users with the One-Year Retention folder assigned to them would see the folder in their mailbox as Inbox; the One-Year Retention name assigned to the folder when it was created is not visible to them. In addition, you can assign only one managed default folder of any particular type, such as Inbox, to a managed folder mailbox policy, and only one managed folder mailbox policy can be assigned per mailbox.
Managed custom folders are created solely for MRM purposes, and appear in a mailbox's folder list separately from default folders, under a special default folder named Managed Folders. Created and assigned to users or groups of users through the use of a managed folder mailbox policy, these folders display in Outlook 2007 or higher with a special folder icon, as shown in Figure 7. The managed folders are displayed similarly in Exchange Server 2010 Outlook Web App.
To create a managed custom folder named Contains Privacy Information using the EMS, use the following:
# Name is the identity that the later New-ManagedContentSettings and
# New-ManagedFolderMailboxPolicy commands refer to; FolderName is what users see in Outlook.
New-ManagedFolder -Name 'Contains Privacy Information' -FolderName 'Contains Privacy Information' `
    -StorageQuota 'unlimited' `
    -Comment 'Email content containing privacy information; to be retained for 90 days'
3.2.2. Managed Content Settings
After creating managed
default and custom folders, the next step in your managed folder
implementation is defining managed content settings for those folders.
These settings manage the life cycle of items in users' managed folders by controlling retention periods and applying actions to content when the retention
period has been reached. Relevant content can also be journaled to a
storage location outside the mailbox; journaling is discussed in the
"Designing and Implementing Message Journaling" section of this chapter.
You can define when the retention period starts in one of two ways:
In addition, the following actions can be defined to occur at the end of the retention period:
Move to the Deleted Items folder
Move to a managed custom folder
Delete and allow recovery
Permanently delete
Mark as past retention limit
Managed
content settings can also be configured to journal content placed in
the managed folder to another location; this location can be any
destination that has an SMTP e-mail address, including a mail contact
or another Exchange mailbox. Text labels can be assigned to messages
as well to facilitate the preservation of classification information;
they can also enable automated sorting of journaled messages by the
recipient. A journaled item is attached as an unaltered copy to a new
e-mail message: certain properties of the journaled item are assigned
as properties of the e-mail message they're attached to. This enables
automatic sorting and review of the content.
The following EMS example creates managed content settings for the Contains Privacy Information folder, using Retain for 90 days as the name for the managed content settings and configuring the retention period for 90 days:
New-ManagedContentSettings -Name 'Retain for 90 days' -FolderName 'Contains Privacy Information' `
    -RetentionAction 'MoveToDeletedItems' -AddressForJournaling $null `
    -AgeLimitForRetention '90.00:00:00' -JournalingEnabled $false `
    -MessageFormatForJournaling 'UseTnef' -RetentionEnabled $true -LabelForJournaling '' `
    -MessageClass '*' -MoveToDestinationFolder $null -TriggerForRetention 'WhenMoved'
3.2.3. Managed Folder Mailbox Policies
After managed
folders have been created, and managed content settings have been
defined for those folders, you can create managed folder mailbox
policies and assign managed folders to them.
Managed folder mailbox policies are logical groupings of managed
folders that are used for deployment and management purposes. These
policies are applied to users' mailboxes; this, in a single operation,
deploys all the managed
folders contained in the policy to those mailboxes. You can create as
many managed folder mailbox policies as required, and each policy can
contain as many managed folders as necessary. Keep in mind, though, that any one mailbox can be assigned only one managed folder mailbox policy.
The following example creates a managed folder mailbox policy consisting of the Contains Privacy Information managed custom folder:
New-ManagedFolderMailboxPolicy -Name 'Privacy Information Compliance Policy' `
    -ManagedFolderLinks 'Contains Privacy Information'
3.2.4. Applying Managed Folder Mailbox Policies to Users
After you have created managed folder mailbox policies and assigned managed
folders to them, these policies can be assigned to users. Policies can
be applied to users via the EMS, where you can script a solution that
incorporates powerful selection and filtering criteria to configure
users in bulk and target specified groupings of users.
The following example retrieves all users whose title equals Human Resources Analyst, then applies the Privacy Information Compliance Policy managed folder mailbox policy to their mailboxes (-ResultSize Unlimited is needed so that the default 1,000-object limit does not silently skip users):
Get-User -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq "UserMailbox" -and $_.Title -eq "Human Resources Analyst" } |
    Set-Mailbox -ManagedFolderMailboxPolicy "Privacy Information Compliance Policy"
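The four deployment steps above, as an added EMS example that is not the chapter's own code: it verifies that the managed folder, its content settings and the policy link are all in place before any mailbox is touched, then reports which mailboxes match the title filter and which already carry a different policy (a mailbox holds only one managed folder mailbox policy, so assigning a new one replaces it). The function names and the -Apply switch are assumptions; nothing is changed until -Apply is given.

```powershell
# Added example, not from the chapter. Run in the Exchange Management Shell.
function Test-ManagedFolderChain {
    param([string]$FolderName, [string]$PolicyName)
    # The managed folder's Name is the identity that content settings and policy links use.
    $folder   = Get-ManagedFolder -Identity $FolderName -ErrorAction Stop
    $settings = Get-ManagedContentSettings -FolderName $folder.Name
    if (-not $settings) { throw "No managed content settings defined for '$FolderName'" }
    $policy   = Get-ManagedFolderMailboxPolicy -Identity $PolicyName -ErrorAction Stop
    $linked   = $policy.ManagedFolderLinks | Where-Object { $_.Name -eq $folder.Name }
    if (-not $linked) { throw "Policy '$PolicyName' does not link folder '$FolderName'" }
    return $policy
}

function Set-ManagedFolderPolicyByTitle {
    param(
        [Parameter(Mandatory = $true)][string]$Title,
        [Parameter(Mandatory = $true)][string]$FolderName,
        [Parameter(Mandatory = $true)][string]$PolicyName,
        [switch]$Apply    # without -Apply only a -WhatIf dry run is performed
    )
    $policy = Test-ManagedFolderChain -FolderName $FolderName -PolicyName $PolicyName
    # -ResultSize Unlimited avoids the default 1000-object cut-off on bulk selections.
    $mailboxes = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { $_.Title -eq $Title } |
        ForEach-Object { Get-Mailbox -Identity $_.Identity }
    foreach ($mbx in $mailboxes) {
        $current = $mbx.ManagedFolderMailboxPolicy
        if ($current -and $current.Name -ne $policy.Name) {
            Write-Warning "$($mbx.Alias) already has '$current'; it would be replaced by '$PolicyName'"
        }
        if ($Apply) {
            # ManagedFolderMailboxPolicyAllowed suppresses the pre-Outlook 2007 client warning.
            Set-Mailbox -Identity $mbx.Identity -ManagedFolderMailboxPolicy $policy.Identity `
                -ManagedFolderMailboxPolicyAllowed
        } else {
            Set-Mailbox -Identity $mbx.Identity -ManagedFolderMailboxPolicy $policy.Identity -WhatIf
        }
    }
}

# Dry run first; add -Apply once the warnings have been reviewed.
Set-ManagedFolderPolicyByTitle -Title 'Human Resources Analyst' `
    -FolderName 'Contains Privacy Information' -PolicyName 'Privacy Information Compliance Policy'
```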
As with retention policies, after you have assigned managed folder mailbox policies to mailboxes, those mailboxes are processed by the Managed Folder Assistant, which is discussed in detail in Section 8.2.1.2 of this chapter.
Some sources estimate that as
much as 90 percent of compliance costs for an organization are
staff-related, and that the overall cost of compliance runs into the
billions for sectors such as financials and securities. The features
provided in Exchange Server 2010 can enable organizations to meet their
compliance requirements with a much lower price tag in cost and effort
as well as reduced complexity.
As part of their design
goals to satisfy customer needs for messaging compliance within
Exchange, Microsoft determined that although regulations vary widely
across different jurisdictions, a complete e-mail compliance solution
can primarily be defined by the following capabilities:
Message Retention
Defined not only as the ability to retain e-mail automatically for
pre-determined time periods, but also the functionality to locate and
retrieve those e-mails when necessary. If you've retained the records,
but can't find them when needed, retention alone has done no good.
Legal discoveries (subpoenas) in the private sector as well as access
to information requests in the public sector are the primary drivers
behind message
retention. In Exchange Server 2010, these capabilities are provided by
journaling, retention policies, retention policy tags, personal
archives, and multi-mailbox search.
Controlled Access
Aside from retaining records as required, another capability required by a compliance solution is the ability to
protect privacy information and prevent unauthorized access to data,
both in transit and at rest. Exchange Server 2010 provides this
capability through integration with Active Directory Rights Management
Services (AD RMS), transport rules, and Transport Layer Security (TLS)
for SMTP.
Information and Process Integrity
This capability encompasses message classification and processing messages based on their classification. It may also include ethical walls
to block communication between specified departments or individuals of
the organization to help preclude conflicts of interest. An example of
an ethical wall is a financial institution that provides both brokerage
and market research services; these groups are typically mandated by
regulations to not communicate with each other in any way. Message
classifications are an integrated component in Exchange Server 2010,
whereas ethical walls can be implemented using transport rules in
Exchange Server 2010. Both message classifications and transport rules
were introduced in Exchange Server 2007.
Ed Banti
Program Manager, Microsoft Corporation, Redmond, WA
Any technology
implementation intended to impose certain behavior on end users or for
policy enforcement (and the technologies discussed in this chapter
certainly fall into these categories) can encounter challenges along
the way that prevent the implementation from being a success. Primary
among these challenges is the lack of a clearly defined and enforced
corporate e-mail policy; this policy is the cornerstone of a successful
compliance implementation. A large portion of messaging compliance is
fundamentally policy enforcement, so without a defined policy in place
you're like a dog chasing its tail; you may be getting good exercise,
but you're not accomplishing anything.
A corporate e-mail
policy is not a technical document—it's a business policy created by
your compliance or risk officers that includes compliance measures
based on the relevant regulations and/or laws for your industry. Areas
of risk and potential liability should also be defined in the policy.
Exchange Server 2010 messaging compliance-related technologies such as retention policies, Information
Rights Management (IRM) integration, and to a lesser extent message
classification may be seen by end users as intrusions or obstacles to
doing their job, and these perceptions can result in the project
failing through no fault of the technology. Resistance such as this is
the result of several factors in the majority of cases:
An unclear or non-existent e-mail policy
Insufficient (or non-existent) communication to end users regarding the purpose of the new features
Lack of upper management sponsorship for the compliance initiative
Forcing a taxonomy or classification system on your end users that is so rigid that it impedes their daily work
Policies that are so disruptive to daily work that users find ways to get around them
All of the above
As with any
technology implementation, if you design and present your messaging
compliance deployment as something that meets the needs of the
organization, rather than an obstacle to be overcome, the project is
much more likely to be a success.