Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide

Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide

Symantec bv-control for Microsoft Exchange 9.0 Getting Started Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 9.0 Legal Notice Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, bv-control, BindView, ActiveAdmin are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 http://www.symantec.com Third Party Legal Notices This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ( Third Party Programs ). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Licensed Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notices readme file accompanying this Symantec product for more information on the Third Party Programs. Privacy; Data Protection: Symantec may collect and store certain non-personally identifiable information for product administration and analysis. Symantec may disclose the collected information if asked to do so by a law enforcement official as required or permitted by law or in response to a subpoena or other legal process. In order to promote awareness, detection and prevention of Internet security risks, Symantec may share certain information with research organizations and other security software vendors. Symantec may also use statistics derived from the information to track and publish reports on security risk trends. By using the Licensed Software, You acknowledge and agree that Symantec may collect, transmit, store, disclose and analyze such information for these purposes. From time to time, the Licensed Software will collect certain information from the computer on which it is installed, which may include: (a) Information regarding installation of the WebClient Installer including username and password which should not be personally identifiable if You have chosen an alias to protect Your identity. (b) Information collected by the WebClient Profile such as mandatory user/employee information including, name, e-mail address, title, position, physical address and use ID/employee ID as well as IP address and username. (c) Other information including username, user events and IP addresses which is used for product administration and analysis. All of the above information is collected and stored on the Your side and is not transferred to Symantec. Consult Your company s privacy policy for further information.

Technical Support Symantec Technical Support maintains support centers globally. Technical Support s primary role is to respond to specific queries about product feature and function. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec s maintenance offerings include the following: A range of support options that give you the flexibility to select the right amount of service for any size organization A telephone and web-based support that provides rapid response and up-to-the-minute information Upgrade assurance that delivers automatic software upgrade protection Global support that is available 24 hours a day, 7 days a week Advanced features, including Account Management Services For information about Symantec s Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/ Contacting Technical Support Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/ Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem. When you contact Technical Support, please have the following information available: Product release level Hardware information Available memory, disk space, and NIC information Operating system

Version and patch level Network topology Router, gateway, and IP address information Problem description: Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes Licensing and registration Customer service If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/ Customer service information is available at the following URL: www.symantec.com/techsupp/ Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade assurance and maintenance contracts Information about the Symantec Buying Programs Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs or manuals

Maintenance agreement resources Additional enterprise services If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows: Asia-Pacific and Japan: contractsadmin@symantec.com Europe, Middle-East, and Africa: semea@symantec.com North America and Latin America: supportsolutions@symantec.com Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following: Symantec Early Warning Solutions Managed Security Services Consulting Services Educational Services These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur. These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats. Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources. Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs. To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com Select your country or language from the site index.

Contents Technical Support... 4 Chapter 1 Overview... 9 bv-control for Microsoft Exchange architecture... 9 Features and functionality... 10 Data sources... 12 Chapter 2 Planning and deployment... 15 Deployment considerations... 15 RMS infrastructure considerations... 16 Infrastructure deployment types... 16 Console and Information Server deployment considerations... 18 Selecting an Information Server computer... 23 System requirements... 25 Hardware requirements... 25 Software requirements... 26 Trust relationships... 27 User and credential account rights... 28 Permission requirements for Exchange environment... 28 Windows account(s) usage... 29 Permissions to bv-control for Microsoft Exchange system... 29 Permissions to Windows servers running Exchange... 30 Access to mailbox specified in the configuration... 31 Permissions requirements for Tracking Log Database... 32 General requirements... 32 Permissions on SQL server database... 32 CredDB credentials... 33 Tracking Log Database sizing guidelines... 34 Performance parameters... 34 Configuration sizing guidelines... 36 Upgrading from previous version... 40

8 Contents Chapter 3 Installing and uninstalling the product... 41 Installing bv-control for Microsoft Exchange... 41 Uninstalling bv-control for Microsoft Exchange... 42 Chapter 4 Configuring the product... 43 Configuring the RMS Console... 43 Configuring bv-control for Microsoft Exchange... 43 Configuring bv-control for Microsoft Exchange... 43 Setting up the installation configurations... 45 Configuring the Tracking Log Database... 47 Configuring the tracking log database... 48 Adding or modifying a server group... 51 Marking the bridgehead servers... 52 Importing recipient information... 53 Chapter 5 Evaluating the product... 55 About evaluation scenarios... 55 Automating labor-intensive tasks... 56 Identifying stale Exchange objects... 56 Responding to compliance and legal requests... 57 Managing mailbox moves... 60 Messaging security management... 61 Assessing who has access to sensitive information in public folder and mailbox contents... 62 Security and configuration best practices... 66 Auditing configurations against the mandated standards... 67 Managing service level agreement and capacity... 69 Storage analysis report... 70 Determining message traffic patterns... 70 Measuring compliance with service level agreements... 71 Index... 73

Chapter 1 Overview This chapter includes the following topics: bv-control for Microsoft Exchange architecture Features and functionality Data sources bv-control for Microsoft Exchange architecture The architecture of bv-control for Microsoft Exchange is a client-server type of architecture. The architecture includes the Information Server, the Configuration container, and the Advanced Management Tools. The following information describes the interfaces between the components of the bv-control for Microsoft Exchange architecture: Information Server Performs the task processing and data storage. Your enterprise can contain a local Information Server or a remote Information Server. A local Information Server resides on the same computer as the Console. A remote Information Server resides on a computer other than the computer where the Console resides.

10 Overview Features and functionality Configuration container Lets you configure bv-control for Microsoft Exchange to manage your Exchange environment. You can perform the following tasks using the objects in the Configuration container: Defining a mailbox name Setting a default Exchange server that is used for queries Configuring optional Exchange settings to more efficiently collect information about your Exchange environment Advanced Management Tools Provides the utilities that help administrators manage their Exchange environment. By using these utilities, you can quickly move mailboxes from server to server, or administrative group to administrative group. You can add and remove members, and create distribution lists. Additionally, bv-control for Microsoft Exchange provides automatic distribution list maintenance. With the Group Actions, you can automatically update mail-enabled groups and schedule them to run nightly, weekly, or monthly. Features and functionality The Exchange administrators who are responsible for securing the Exchange servers can rely on bv-control for Microsoft Exchange for systems and security management solutions. bv-control for Microsoft Exchange identifies the risks to the health and integrity of the Exchange environments. bv-control for Microsoft Exchange enables the administrators to proactively find the problems even before they occur. The administrators can use the following bv-control for Microsoft Exchange key features to configure and manage their Exchange environment:

Overview Features and functionality 11 ActiveAdmin Configuration management Provides management capabilities to edit, delete, move, or copy the field values that are displayed in a grid dataset. Lets you automate mail-enabled group maintenance. Lets you use the rule-based content scanning. Lets you modify mailbox and public folder properties. Lets you delete mailbox and public folder contents. Lets you move or copy public folder and mailbox messages. Lets you export messages to PST. Lets you create or modify mail-enabled groups. Provides comprehensive reporting on security and critical aspects of the Exchange servers. By using the information that is provided by bv-control for Microsoft Exchange, the administrators can accurately view the current state of their Exchange environment. The administrators can also compare the current state of the Exchange environment with previous configurations through baselining. Advanced management tools Lets you import tracking log information. Lets you manage mailbox contents. Lets you Move mailboxes. Lets you manage mail-enabled groups. Lets you create server aliases. Lets you change containers. Query-based reporting Lets you easily build custom queries for your Exchange environment. The query results can be saved for trend analysis and capacity planning. The advanced capabilities allow the report information to be graphed, compared to an established baseline, and exported into a variety of data formats.

12 Overview Data sources Reporting on the tracking logs The Microsoft Exchange Server tracks all the messages that are sent and received by the server. The Exchange server stores these messages in a log file. bv-control for Microsoft Exchange leverages this information and reports on the log files by using the tracking log database functionality. With the reporting feature in bv-control for Microsoft Exchange the administrators can perform the following tasks: Schedule the import of the tracking logs from server groups. Add server groups to the database. Modify and delete servers and server groups from the database. Reporting on journal mailboxes bv-control for Microsoft Exchange has an ability to report on the following aspects that are related to journaling: Journal mailbox configuration Trends in journal traffic Data sources Data sources represent the categories of information within bv-control for Microsoft Exchange that can be queried. The data sources for bv-control for Microsoft Exchange include the following: Application Event Log MS-Exchange Events Connectors MS-Exchange Directory MS-Exchange Exchange Security Information Store Properties MS-Exchange Mail-Enabled Group Properties Mailbox Contents Mailbox Folder Properties Mailbox Properties Mailbox-Enabled User Properties

Overview Data sources 13 Organization Properties MS-Exchange Public Folder Contents Public Folder Properties Query-based Distribution Group Properties Server Properties Services for MS-Exchange Tracking Log Tracking Log Summary Tracking Log Summary (SQL Required) Transport Settings Unified Messaging Web Storage Folder Properties

14 Overview Data sources

Chapter 2 Planning and deployment This chapter includes the following topics: Deployment considerations RMS infrastructure considerations System requirements Trust relationships Permission requirements for Exchange environment Permissions requirements for Tracking Log Database Tracking Log Database sizing guidelines Upgrading from previous version Deployment considerations It is necessary to understand your Exchange environment before deploying bv-control for Microsoft Exchange. The administrators need to analyze the Exchange environment to determine the type of infrastructure to be deployed and the type of deployment that is best for your environment. Ensure the following for successful deployment of bv-control for Microsoft Exchange: The infrastructure is designed to meet the needs of your organization based on how you plan to use bv-control for Microsoft Exchange. The computers in your environment meet the minimum hardware and software requirements for using bv-control for Microsoft Exchange. The product is configured according to the product configuration requirements for trust relationships, user rights, and credential account rights.

16 Planning and deployment RMS infrastructure considerations The users have the appropriate rights and permissions to log on for using the product. The users have the appropriate rights and credentials for using the tracking log database features. The computers in your environment meet the recommended requirements for using the tracking log database based on the size of your environment. RMS infrastructure considerations It is necessary to deploy the RMS infrastructure in a certain way based on how you plan to use bv-control for Microsoft Exchange. The considerations while deploying the RMS infrastructure include the type of deployment, the number of infrastructure products and their locations. Infrastructure deployment types RMS infrastructure can be deployed in different ways based on the geographical location, security restrictions, and product usage. Some of the questions that need to be answered while deciding about the deployment type include the following: Geographical locations The following questions should be answered about the geographical locations: How many geographical locations does your enterprise have? Will your users be separated by geographical locations? How many users will there be in each location (The number of Console licenses you bought can answer this question. Security restrictions The following questions should be answered about the security considerations: What are the security restrictions or divisions for each location? How does your enterprise use firewalls? Is your enterprise network separated by WAN links? Are these links slow, mid-range, or fast?

Planning and deployment RMS infrastructure considerations 17 Product usage The following questions should be answered about the product usage: What will be the usage level of the product by individual users or groups? Do you have a Security and Auditing group that will use the product on a cyclical basis? Do you want to automate specific tasks? How often do you plan to run the automated tasks? Do you plan to perform extensive content scanning and tracking log analysis? After you have answered these questions, you will have a better idea of the type of deployment you should use. The basic infrastructure deployment types are as follows: Independent An Independent deployment has the following features: Single Console connected to a local or remote Information Server. Appropriate if you have a local Exchange server that is in close proximity to the user. Shared A Shared deployment type has following features: Multiple Consoles connected to a single remote Information Server. Appropriate if you are responsible for a site with Exchange servers. Dedicated A Dedicated deployment has the following features: Multiple connecting Consoles and a dedicated remote Information Server. Appropriate if you plan on performing extensive tracking log analysis.

18 Planning and deployment RMS infrastructure considerations Dedicated and Independent Combined A Dedicated and Independent Combined deployment has the following features: Multiple connecting Consoles and a dedicated remote Information Server, with independent Consoles and local Information Servers. Appropriate if you have a local Exchange server that is in close proximity to the user and plan on performing extensive tracking log analysis. Shared and Independent Combined A Shared and Independent Combined deployment has the following features: Multiple connecting Consoles and a remote Information Server, with independent Consoles and local Information Servers. Appropriate if you have a local Exchange server in close proximity to the user who is responsible for a site with Exchange servers. Console and Information Server deployment considerations The following factors determine the type of deployment for RMS Console: Number of users of bv-control for Microsoft Exchange Geographic location of bv-control for Microsoft Exchange users and Exchange servers Enterprise network areas to be queried bv-control for Microsoft Exchange feature usage Number of users It is necessary that every user of bv-control for Microsoft Exchange has an access to RMS Console or a Web browser if the RMS infrastructure is installed. The following table helps you determine the type of infrastructure deployment based on the number of users. Table 2-1 Number of users vs. type of infrastructure deployments No. of users Single user Type of Infrastructure deployment Independent Possible infrastructure components RMS Console and local or remote Information Server

Planning and deployment RMS infrastructure considerations 19 Table 2-1 Number of users vs. type of infrastructure deployments (continued) No. of users 1-6 Small workgroup Type of Infrastructure deployment Independent, shared, or both Possible infrastructure components RMS Console and local Information Server or Connecting RMS Consoles and remote Information Server or Connecting RMS Consoles and remote Information Server with independent RMS Consoles and local Information Servers 7-15 Large workgroup By default, the maximum number of bv-control for Microsoft Exchange users that connect to an Information Server is 15. Dedicated, or dedicated and independent combined Multiple connecting RMS Consoles and dedicated remote Information Server or Multiple connecting RMS Consoles, dedicated remote Information Server, and independent Consoles and local Information Servers Geographical location If your enterprise has multiple geographical locations, deploy a separate RMS Console and Information Server at each location that has bv-control for Microsoft Exchange users or Exchange servers. If the RMS Console and the Information Server are in the same physical geographical location, task processing is faster. It takes less time to retrieve datasets or perform ActiveAdmin tasks. Also, most enterprises usually have a firewall between the LANs located at separate geographical locations. Connecting a Console to an Information Server across a WAN increases task processing time and poses a security risk. It is hence not advisable to deploy a Shared or Dedicated infrastructure that spans multiple geographic locations. Use Windows Terminal Services (WTS) to access the Console and Information Server located at a remote location.

20 Planning and deployment RMS infrastructure considerations WAN considerations On a reasonably tuned LAN, the location of a Console has little impact on the overall performance of bv-control for Microsoft Exchange. On a WAN or a large LAN with multiple domains or workgroups, Consoles located on the same physical network or subnet exhibit quicker response times. The RMS Consoles that are separated from the Information Server by WAN links require more response time. Note: Response time can vary, depending on the amount of available bandwidth and network traffic, the size of the network, network tuning, and other factors. The RMS Console and the Information Server should not communicate over a VPN connection. Administrators should use the Remote Desktop Connection. Using the Remote Desktop Connection lets you minimize the number of Information Servers you deploy. Firewall considerations If you are deploying Microsoft Exchange servers across firewalls, the firewall settings should be configured so that the standard Exchange and Windows file or directory ports are open for external applications on the other side of the firewall. VPN should be implemented to handle the internal traffic passing through the firewalls. If the Information Server or the SQL Server is deployed across the firewall, following ports should be opened to collect the information through the firewall: DCOM Port (135) LDAP Port (389 or 390) SQL Server Port (1433) This port needs to be opened so that the RMS Client can communicate to the DCOM services on the Information Server computer. In the mixed mode environment, Active Directory uses port 389 and another port is assigned for the Exchange 5.5 servers. This port can be 390, 391, or any other port the Exchange administrator wants to use. When a remote SQL Server is used, the port used by the SQL Client to communicate with the SQL Server must be open. The default port number for the SQL Server is 1433 but can be changed by the Exchange administrator.

Planning and deployment RMS infrastructure considerations 21 Enterprise network areas to be queried You can use bv-control for Microsoft Exchange to run enterprise-wide queries or area or function-specific queries. The type of infrastructure deployment to be used depending upon the network areas to be queried are as follows: Enterprise-wide queries Area or function-specific queries Shared or Independent infrastructure Independent or Shared infrastructure Enterprise-wide and area or function-specific queries Shared and Independent or Dedicated and independent infrastructure Reporting areas A reporting area is the group of resource objects that an Information Server can access to query for specific user-requested information. The resource objects that an Information Server can access depend on the physical location of the Information Server. It also depends on the credential databases stored on the Information Server. An Information Server deployed in a domain can only potentially query the resource objects that the Information Server can access on the enterprise network. A credential database contains resource object credentials that allow users assigned to the database the right to query resource objects for desired information. The specific reporting area available to a specific Information Server user is limited to the resource objects indicated by the credential database assigned to them. Types of queries The number of records returned in a dataset depends on the following: Type of query run Fields and scope selected in the query definition Size of the reporting area from where the information is retrieved. Queries that are run across large reporting areas return large datasets. For example, content scanning queries that are run across a network with thousands of users may return a dataset containing a record for every email. For optimal processing speed and dataset accuracy, queries returning large datasets should be run using a dedicated remote Information Server. If deployment of a dedicated remote Information Server is not possible, improve the query processing time by deploying independent Information Servers. Use the

22 Planning and deployment RMS infrastructure considerations independent Information Server for less intensive area-specific and function-specific querying. Following are the considerations for determining the location of the Information Server: The available bandwidth between the Information Server and the Exchange servers The right location for the server, considering the most types of data to be gathered, and whether running general queries or performing extensive content scanning and tracking log analysis. Disk space and virtual memory considerations The Console computers must meet the minimum system requirements listed in the RMS Console and Information Server Getting Started Guide. Following are important considerations while deciding about the computers: As an MMC snap-in, the Console runs in the MMC job process. The MMC job process is allocated approximately 50 MB of RAM by the computer where the Console is installed. The installation of bv-control for Microsoft Exchange only increases RAM allocation by a few megabytes. If other MMC Snap-ins are in use at the same time as the RMS Console, the available RAM is shared between all open MMC applications. When a user submits a query, the query is passed to the Information Server for processing. Although the dataset is written to the disk on the computer where the Information Server resides, the Console pulls this information into virtual memory for display purposes. The amount of dataset data that can be displayed by a particular Console is limited by the amount of virtual memory available on the Console computer. Theoretically, a dataset that requires 20 MB of disk space in the Jet database of the Information Server requires 20 MB of virtual memory for the Console display. When planning for Console virtual memory allocation on a Windows 2000 system, the administrators should understand that the allocation of virtual memory is controlled by the operating system. The operating system and any other applications running on the Console computer require an indeterminate amount of virtual memory for their own use. The operation of the Console also requires a small amount of virtual memory that is unrelated to dataset display. Therefore, the administrators should over-estimate virtual memory requirements by 10-20% to allow for virtual memory demands that are not related to dataset display. The total amount of the virtual memory and the disk space required depends on the following:

Planning and deployment RMS infrastructure considerations 23 bv-control for Microsoft Exchange features to be used Size of the reporting area Frequency of running reports Selecting an Information Server computer The Information Server response time for processing bv-control for Microsoft Exchange tasks depends on the capabilities of the computer and server hardware. The following table shows the types of computers to be used for specific deployment types, their advantages and disadvantages. Table 2-2 Types of computers for deploying Information Servers Computer type Suitable deployment type Advantages Disadvantages Dedicated high-performance Independent or Shared Cost-effective. Ideal for a network that has one or two bv-control for Microsoft Exchange users. Ideal for deploying area or function-specific Consoles and Information Servers for specific users in a Shared and Independent Combined network. The Information Server is installed on a computer with a single standard CPU, and limited RAM and disk space. Virtual memory and free disk space limitations may adversely affect the ability of the Information Server to write dataset information or to save historical datasets. Response time for collecting and consolidating tracking log information may be longer.

24 Planning and deployment RMS infrastructure considerations Table 2-2 Types of computers for deploying Information Servers (continued) Computer type Suitable deployment type Advantages Disadvantages Standard server Shared Cost-effective and may not require any additional hardware for the installation and use of bv- Control for Microsoft Exchange. Permits effective use of additional RMS Consoles. Provides greater processing power, which may allow more users to connect to the Information Server with no noticeable effect on overall response time. The Information Server and any additional data or software that resides on the server share the same CPU, RAM, and disk space. If the data stored on the server requires frequent access or if other software installed on the server frequently caches information, it may have an overall negative effect on the server throughput. Virtual memory and free disk space limitations may adversely affect the ability of the Information Server to write dataset information or to save historical datasets. You may consider countering this limitation by adding additional hard disks.

Planning and deployment System requirements 25 Table 2-2 Types of computers for deploying Information Servers (continued) Computer type Suitable deployment type Advantages Disadvantages Dedicated server Dedicated Minimizes server-related response time limitations of bv-control for Microsoft Exchange (for tracking log analysis and content scanning). It requires the additional expense of adding a new dedicated server. If there are less than five users of bv-control for Microsoft Exchange, no difference is seen in the query response time. Response time for collecting and consolidating tracking log information may take longer because you have only one server for reporting on all the data System requirements Before installing bv-control for Microsoft Exchange, ensure that your workstation and network environment meet the following minimum requirements for using bv-control for Microsoft Exchange 9.0. Hardware requirements The minimum hardware requirements that your workstation must meet to run bv-control for Microsoft Exchange are as follows: Pentium III, 800 MHz 512 MB RAM 500 MB of free disk space SVGA monitor that supports 256 colors with the display set to 800 X 600 pixels or greater

26 Planning and deployment System requirements For workstation used as Information Server Following are the recommended hardware configurations for best results when querying the Tracking Log Summary (SQL Required) data source, if your workstation is being used as a Information Server: Pentium 4 Dual Processor, 2.4 GHz 512 MB RAM 500 MB of free disk space SVGA monitor that supports 256 colors with the display set to 800 X 600 pixels or greater For workstation used as SQL server Following are the recommended hardware configurations for best results when querying the Tracking Log Summary (SQL Required data source), if your workstation is being uses as a SQL server: Remote SQL Server installation used exclusively for hosting the tracking log database Pentium 4 Dual Processor, 2.4 GHz 1 GB RAM Software requirements 20 60 GB of free disk space on the volume where the tracking log database is created (for organizations with 1500 users and 5 servers) 60 160 GB of free disk space on the volume where the tempdb.mdf is located SVGA monitor that supports 256 colors with the display set to 800 X 600 pixels or greater A typical environment for a minimum SQL Server requirements is as follows: The number of Exchange servers in the organization is 5 or fewer. The total size of the tracking log files imported per day, per server is 500 MB or less. The retention period of the tracking logs is 2 weeks or less. The minimum software requirements that your workstation must meet to run bv-control for Microsoft Exchange are as follows: Windows 2000 SP3 (server or workstation), Windows Server 2003, or Windows XP Professional SP1

Planning and deployment Trust relationships 27 Microsoft Outlook 2000, Outlook 2003, or Outlook XP SP1 configured as the default mail client, and for corporate or workgroup mail support To move mailboxes greater than 2 GB in size, Microsoft Outlook 2003 must be installed on the same computer where bv-control for Microsoft Exchange is installed. bv-control for Microsoft Exchange allows you to move mailboxes up to 15 GB in size. Internet Explorer 5.5 SP2 or later Exchange 2000/2003 System Manager must be installed prior to installing the RMS Console and Information Server. Note: Do not install bv-control for Microsoft Exchange on a computer that is functioning as an Exchange server For Exchange 2000 and 2003 support Following are the minimum software requirements for your workstation for Exchange 2000 and 2003 support: Windows 2000 SP3 (server or workstation), Windows Server 2003, or Windows XP Professional SP1 Planning for deployment 25 Trust relationships. Microsoft Outlook 2000, Outlook 2003, or Outlook XP SP1 configured as the default mail client, and for corporate or workgroup mail support. To move mailboxes greater than 2 GB in size, Microsoft Outlook 2003 must be installed on the same computer where bv-control for Microsoft Exchange is installed. bv-control for Microsoft Exchange allows you to move mailboxes up to 15 GB in size. Internet Explorer 5.5 SP2 or later. Exchange 2000/2003 System Manager Must be installed prior to installing the RMS Console and Information Server. Note: Do not install bv-control for Microsoft Exchange on a computer that is functioning as an Exchange server. Trust relationships bv-control for Microsoft Exchange requires that there be a trust relationship between the domains containing the Microsoft Exchange servers. If the trusts do not exist, bv-control for Microsoft Exchange will not be able to report on servers residing in the un-trusted domain. The user must have certain rights and

28 Planning and deployment Permission requirements for Exchange environment permissions to be able to access information on the server in the Microsoft Exchange organization. The user s account that is specified in the Credential Database and the user logged onto the Console must have the following rights and permissions: The computer must be a member of the domain or in a trusted domain where the Exchange organization resides. Microsoft Outlook must be configured for Corporate or Workgroup mail support. Internet mail is not sufficient. Microsoft Outlook must be configured as your default mail provider. The user must have administrative rights on the local computer. The user and credential accounts must have Administrator rights to the Windows severs running Exchange. The user and credential accounts must have rights in the Exchange organization. User and credential account rights Ensure that the following requirements about the user and credential account rights are met: If your Exchange organization is in native Exchange 2000 or 2003, or mixed mode, the MAPI/Exchange mailbox account must be configured with the user s logon account. Otherwise, you can grant Windows administrator s rights to all mailboxes in the entire organization by changing the permissions on the organization object at the top of the Exchange System Manager tree. In Exchange 2000 and Exchange 2003, even Enterprise Administrators rights are denied rights to access all mailboxes, by default. Denying Receive As and Send As rights sets the explicit denial of rights to administrators on the organization object. You can clear these denials for accounts for which you want full access. Permission requirements for Exchange environment Prior to deploying bv-control for Microsoft Exchange, ensure that all the systems running the product are set up with the required permissions. The permissions required are dependent on your Exchange environment. The permissions required for Exchange 2000 or Exchange 2003 servers are as follows: Permissions to systems running bv-control for Microsoft Exchange

Planning and deployment Permission requirements for Exchange environment 29 Permissions to Windows servers running Microsoft Exchange Permissions to the Exchange 2000 or Exchange 2003 organization Permissions to Exchange 2000 or Exchange 2003 mailboxes Windows account(s) usage The RMS Console and bv-control for Microsoft Exchange software are designed to support the program operation under different security contexts. The Console runs as the login account and performs operations as the login user. Whereas, the Information Server runs as a Service or System Account and uses Credential Database credentials specified during the configuration to perform operations. Because of this design, features that execute on the Console rely upon the login account to have the required access. Features that execute at the Information Server rely upon the Credential Database account to have the required access. If the Login account differs from the account specified in the Credential Database, both the account must have access to your enterprise. Permissions to bv-control for Microsoft Exchange system The accounts must have the administrative rights to the Windows servers running bv-control for Microsoft Exchange. This requirement includes both the Console and the Information Server host systems. Administrative rights are granted by direct or indirect membership in Administrators groups using the default configuration. If the system or domain policy for the Administrators groups has been restricted, bv-control for Microsoft Exchange may not function properly. Windows domain member If you are running Windows 2000, Windows Server 2003, Windows XP Professional, or Windows Vista and your system is a domain member, the Windows rights can be granted by membership in the local computer Administrators group. Membership in this local machine group should be verified and granted using the Windows Computer Management application under Administrative Tools in the Control Panel. Ensure that the accounts are either members of groups that are members of the local machine Administrators group, or are explicitly added as members of the group. Windows domain controller If you are running Windows 2000, Windows Server 2003, Windows XP Professional, or Windows Vista and your system is a domain controller, rights are granted by membership in the domain local administrators group. Membership in this domain local group should be verified and granted using the Microsoft Exchange Active

30 Planning and deployment Permission requirements for Exchange environment Directory Users and Computers application. Ensure that the accounts are either members of groups that are members of this built-in group, or are explicitly added as members of the group. These rights are used when reading file or registry information and creating process threads during program operation. Permissions to Windows servers running Exchange The accounts must have the administrative rights to the Windows servers where Microsoft Exchange is installed. These rights can be granted by direct or indirect membership in Administrators groups using the default configuration. If the system or domain policy for the Administrators groups has been restricted, bv-control for Microsoft Exchange may not function properly. Windows NT domain member If Microsoft Exchange runs on a Windows NT server and is a domain member, Windows rights can be granted by membership in the local machine Administrators group. Membership in the local machine Administrators group should be granted using the User Manager for Domains application by connecting to the local computer (specify \\Computer_Name as the domain name). Ensure that the accounts are either members of groups that are members of the local machine Administrators group, or are explicitly added as members of the group. Windows NT controller If Microsoft Exchange runs on Windows NT server and is a domain controller, rights are granted by membership in the domain local Administrators group. Membership in this domain local group should be granted using the User Manager for Domains application. Ensure that the accounts are either members of groups that are members of this built-in group or are explicitly added as members of the group. Windows 2000, 2003, and XP domain member If Microsoft Exchange runs on a Windows 2000, Windows Server 2003, or Windows XP server and is a domain member, Windows rights can be granted by membership in the local machine Administrators group. Membership in the local machine group should be granted using the Windows Computer Management application under Administrative Tools in the Control Panel. Ensure that the Accounts are either members of groups that are members of the Local Machine Administrators group, or are explicitly added as members of the group.

Planning and deployment Permission requirements for Exchange environment 31 Windows 2000, 2003, or XP domain controller If Microsoft Exchange runs on Windows 2000, Windows Server 2003, or Windows XP server and is a domain controller, rights are granted by membership in the domain local Administrators group. Membership in this domain local group should be granted using the Microsoft Exchange Active Directory Users and Computers application. Planning for deployment 29 Permission requirements for Exchange environment Ensure that the accounts are either members of groups that are members of this built-in group, or are explicitly added as members of the group. The rights are used when reading file or registry information from the servers to retrieve configuration and current-state data about the Windows Exchange server. Access to mailbox specified in the configuration The accounts must have full control to the mailbox specified in the configuration. The accounts must have Full Mailbox Access rights if it is residing on an Exchange 2000 or Exchange 2003 server. Exchange automatically grants full control if the mailbox specified is the mailbox associated with the account. In this case, no changes are necessary. If the mailbox is not the associated mailbox for the account, permission must be granted. For mailbox residing on Exchange 2000/2003 For a mailbox that resides on an Exchange 2000 or Exchange 2003 server, permissions can be granted using the Microsoft Exchange Active Directory Users and Computers application. Mailbox rights can be obtained indirectly by Global Group membership or be assigned directly to the accounts. However, there cannot be a Deny for the groups. These rights are used when creating a MAPI profile and establishing MAPI connections to the Exchange Servers. Locate the Active Directory user object to which the mailbox is associated, select the Exchange Advanced tab, and click Mailbox Rights. Ensure that the accounts or the group either inherits the Full Mailbox Access right from the container object, or explicitly grant Full Mailbox Access rights to the mailbox. By default, the Exchange Advanced tab is disabled. You can enable it by clicking View and selecting Advanced Features. You must have Exchange System Manager installed on the system that is running the Microsoft Exchange Active Directory Users and Computers application to extend programmatic support.

32 Planning and deployment Permissions requirements for Tracking Log Database Permissions requirements for Tracking Log Database Specific permissions are required to utilize the tracking log database feature fully. The users must have appropriate logon credentials on the SQL Server database and permissions on the tracking log database. The operations that the users can perform with these credentials include the following: Create the tracking log database Perform configuration management on the tracking log database Import data into the tracking log database Query data in the tracking log database General requirements Following are the requirements that must be met to perform tracking log database operations: The logged-on RMS user must be an RMS administrator to be able to create the tracking log database, import or delete data from the tracking log database, and perform configuration management. The RMS client computer (where the RMS user is logged on) should be connected to a local Information Server to be able to create the tracking log database and configuration management. Permissions on SQL server database The SQL Server database can be accessed using Windows Authentication or SQL Authentication. If the tracking log database is configured with Windows Authentication, users should have server logon rights on the SQL Server and appropriate rights on the tracking log database. If the tracking log database is configured with SQL Authentication, the SQL user and password are given owner rights for the tracking log database. Any user can access the database using the SQL user name and password. The permissions required for actions specific to tracking log database are as follows: Tracking Log Database creation Exchange/AD: None SQL Server: System Administrator

Planning and deployment Permissions requirements for Tracking Log Database 33 Tracking Database configuration management: Read only Exchange/AD: None SQL Server: Read rights on the Tracking Log Database Import or delete tracking log data in the Tracking Log Database Import or update recipient data in the Tracking Log Database Exchange/AD: Administrator SQL Server: System Administrator Exchange/AD: Administrator SQL Server: Read and Write rights on the Tracking Log Database and Bulk Insert Administrator Role Querying from Tracking Log Database Exchange/AD: Administrator SQL Server: Read rights on the Tracking Log Database CredDB credentials Every RMS user/admin has a credential database assigned to them. When executing queries on the Tracking Log Database, the CredDB credentials are used. Therefore, the CredDB credentials should have admin rights on all Exchange resources that will be queried using the Tracking Log Database. Since every RMS user has different CredDB credentials, the CredDB credentials must also have Read/Write rights on the Tracking Log Database. Tracking Log Database with Windows authentication When the Tracking Log Database is configured using Windows Authentication, all Tracking Log Database operations are performed using the CredDB Credentials. Following are the required permissions for the CredDB credentials: Tracking Log Database configuration management - Read/Write Import or delete tracking log data in the Tracking Log Database Exchange/AD: None SQL Server: Read/Write rights on the Tracking Log Database Exchange/AD: Administrator SQL Server: System Administrator Role Import or update recipient data in the Tracking Log Database Exchange/AD: Administrator SQL Server: Read and Write rights on the Tracking Log Database and Bulk Insert Administrator Role

34 Planning and deployment Tracking Log Database sizing guidelines Querying from Tracking Log Database Exchange/AD: Administrator SQL Server: Read rights on the Tracking Log Database Tracking Log Database Configuration Management: Read/Write Exchange/AD: None SQL Server: Read/Write rights on the Tracking Log Database Tracking log database with SQL authentication When the Tracking Log Database is configured using SQL Authentication, a SQL user is created and becomes the owner of the Tracking Log Database. Therefore, the CredDB credentials only require Exchange/AD admin rights to access the Tracking Log Database. All Tracking Log Database operations are performed under the configured SQL user. Tracking Log Database sizing guidelines Sizing the environment is important for better performance of bv-control of Microsoft Exchange while using the reporting feature on tracking logs. The sizing requirements addressed by these guidelines are as follows: Information Server Remote RMS Client Remote SQL Server Appropriate sizing of the environment where bv-control for Microsoft Exchange will be deployed is important for optimum performance of the Tracking Log Database features. There are various parameters that can determine the performance of the Tracking Log Database features. Therefore, it is important to identify these parameters and how they impact the performance of bv-control for Microsoft Exchange. Performance parameters Performance parameters and their values impact the general application performance of the Tracking Log Database. The easy-to-control performance parameters that should be considered for all Exchange environments are as follows: Hardware configuration on Information Server and SQL server computers: Number of processors

Planning and deployment Tracking Log Database sizing guidelines 35 RAM Cache size Virtual memory CPU size Hard drive size Installed network bandwidth Number of threads for collection and pre-summary data preparation Remote SQL Server or SQL Server hosted on the Information Server computer Cluster for SQL Server Cluster for Exchange organization Number of threads for collection and pre-summary data preparation Schedule for recipient imports Schedule for tracking log collection on each server group Schedule for tracking log summary data generation Select bridgehead servers in the bv-control for Microsoft Exchange user interface The hard-to-control performance parameters that should be considered for all Exchange environments are as follows: Number of objects in Global Address List (GAL) Volume and frequency of changes to GAL Available network bandwidth Number of messages per tracking log file Number of messages per tracking log file Number of messages per day for the entire Exchange organization Number of unique recipients per tracking log file bv-control for Exchange build number Number of clients connected to the server Exchange scenario native Exchange 2000 or Exchange 2003, or Mixed Mode Log level for logging to application log files Number of processes running on the processor

36 Planning and deployment Tracking Log Database sizing guidelines Average size of tracking log files Number of log files imported Order of processed tracking log files Configuration sizing guidelines The following sizing guidelines will help in planning how you should configure your hardware and software to obtain the best results for tracking log analysis. The software configurations for all environments include the following: Console and Information Server: MSDE 2000 for RMS databases SQL Server: SQL 2000 SP3a The recommended hardware configurations for all environments is based on 30 days retention of tracking logs. Very small environment The recommendations for a very small environment are based on the following assumptions: Average tracking log size: 30 MB Number of servers: 3 The following table presents the configuration sizing guidelines based on the size of the tracking log data. Table 2-3 Configuration sizing guidelines based on tracking log data size Frequency Per Day Per Month Per Year Tracking Log Data (GB) 0.09 2.64 31.64 External Recipients/Senders 10,000 300,000 3,600,000 The following table presents the configuration sizing guidelines for very small environment based on the number of servers. Table 2-4 Configuration sizing guidelines based on the number of servers Property Processor Console and Information Server Single Pentium 4, 2.4 GHz SQL Server Single Pentium 4, 2.4 GHz

Planning and deployment Tracking Log Database sizing guidelines 37 Table 2-4 Configuration sizing guidelines based on the number of servers (continued) Property RAM Free space on hard drive Virtual Memory Network Speed Console and Information Server 512 MB 1 GB 1200-1532 MB 10/100 Mbps SQL Server 512 MB 1.2-1.5 GB 1200-1532 MB 10/100 Mbps Small environment The recommendations for a small environment are based on the following assumptions: Average tracking log size: 60 MB Number of servers: 10 The following table presents the configuration sizing guidelines for small environment based on the size of the tracking log data. Table 2-5 Configuration sizing guidelines based on the tracking log data size Frequency Per Day Per Month Per Year Tracking Log Data (GB) 0.59 17.58 210.94 External Recipients/Senders 20,000 600,000 7,200,000 The following table presents the configuration sizing guidelines for small environment based on the number of servers. Table 2-6 Configuration sizing guidelines based on the number of servers Property Processor RAM Free space on hard drive Console and Information Server Single Pentium 4, 2.4 GHz 512 MB 1 GB SQL Server Single Pentium 4, 2.4 GHz 512 MB 5.2-6.0 GB

38 Planning and deployment Tracking Log Database sizing guidelines Table 2-6 Configuration sizing guidelines based on the number of servers (continued) Property Virtual Memory Network Speed Console and Information Server 1200-1532 MB 10/100 Mbps SQL Server 1200-1532 MB 10/100 Mbps Medium environment The recommendations for a medium environment are based on the following assumptions: Average tracking log size: 100 MB Number of servers: 30 The following table presents the configuration sizing guidelines for medium environment based on the size of the tracking log data. Table 2-7 Configuration sizing guidelines based on the tracking log data size Frequency Per Day Per Month Per Year Tracking Log Data (GB) 2.93 87.89 1054.69 External Recipients/Senders 30,000 900,000 10,800,000 The following table presents the configuration sizing guidelines for medium environment based on the number of servers. Table 2-8 Configuration sizing guidelines based on the number of servers Property Processor RAM Free space on hard drive Virtual Memory Network Speed Console and Information Server Single Pentium 4, 3.0 GHz 1 GB 1 GB 1200-1532 MB 10/100 Mbps SQL Server Dual Xeon 2 GB 19.5-22.5 GB 2400-3072 MB 10/100 Mbps

Planning and deployment Tracking Log Database sizing guidelines 39 Large environment The recommendations for a large environment are based on the following assumptions: Average tracking log size: 150 MB Number of servers: 100 The following table presents the configuration sizing guidelines for large environment based on the size of the tracking log data. Table 2-9 Configuration sizing guidelines based on the tracking log data size Frequency Per Day Per Month Per Year Tracking Log Data (GB) 14.65 439.45 5273.44 External Recipients/Senders 150,000 4,500,000 54,000,000 The following table presents the configuration sizing guidelines for large environment based on the number of servers. Table 2-10 Configuration sizing guidelines based on the number of servers Property Processor RAM Free space on hard drive Virtual Memory Network Speed Console and Information Server Dual Xeon 2 GB 10 GB 2400-3072 MB 10/100 Mbps SQL Server Quad Xeon 8 GB 95-110 GB 16384-24576 MB 10/100 Mbps Note: For a large environment, you should have separate computers for the Information Server and the SQL Server. They should be located in one LAN segment with a high bandwidth connection between them. You should also have a dedicated SQL Server for the tracking log database. Very large environment The recommendations for a very large environment are based on the following assumptions:

40 Planning and deployment Upgrading from previous version Average tracking log size: 200 MB Number of servers: 500 Note: The numbers in this scenario are very unlikely even in a very large environment. While there may be 500 servers in your environment, most servers will have much smaller log files. You should survey your environment to obtain accurate calculations. The following table presents the configuration sizing guidelines based on the size of the tracking log data. Table 2-11 Configuration sizing guidelines based on the tracking log data size Frequency Per Day Per Month Per Year Tracking Log Data (GB) 97.66 2929.69 35156.25 External Recipients/Senders 4,500,000 54,000,000 For a very large environment, you should have separate computers for the Information Server and the SQL Server. They should be located in one LAN segment with a high bandwidth connection between the Upgrading from previous version bv-control for Microsoft Exchange 9.0 supports reporting on Exchange Server 2000, 2003, and 2007. It does not support tracking log database and the move mailbox functionality if the organization contains one or more Exchange 2007 servers. You must have RMS Console and Information Server 9.0 to use bv-control for Microsoft Exchange 9.0. Note: You must install the "CCS Data Collectors 8.60 June 2008 Update" before you upgrade bv-control for Exchange 8.60 to 9.0

Chapter 3 Installing and uninstalling the product This chapter includes the following topics: Installing bv-control for Microsoft Exchange Uninstalling bv-control for Microsoft Exchange Installing bv-control for Microsoft Exchange bv-control for Microsoft Exchange 9.0 requires the RMS Console and Information Server 9.0. Before you install bv-control for Microsoft Exchange, you must use the RMS Infrastructure DVD to install the Console and Information Server. For information on installing the Console and Information Server, see the RMS Console and Information Server documentation. You should also be familiar with the minimum system requirements for running the product, permission requirements and product configuration requirements, deployment recommendations, and how to upgrade from a previous version. See RMS infrastructure considerations on page 16. The Symantec Control Compliance Suite DVD is used to install the product on the Console and Information Server computers. The DVD must be available from either a local or remotely mounted DVD-ROM drive. If you do not have access to a DVD-ROM drive, contact Technical Support for assistance. For information on installing bv-control for Microsoft Exchange, refer to the Symantec Control Compliance Suite Installation Guide.

42 Installing and uninstalling the product Uninstalling bv-control for Microsoft Exchange Uninstalling bv-control for Microsoft Exchange The Windows Add and Remove Programs is used to uninstall bv-control for Microsoft along with the RMS Console and Information Server. For more information on uninstalling bv-control for Microsoft Exchange, refer to the Symantec Control Compliance Suite Installation Guide. Note: If you are uninstalling bv-control for Microsoft Exchange, reset the tracking log database (if already configured). The tracking log database settings are then returned even after the uninstallation.

Chapter 4 Configuring the product This chapter includes the following topics: Configuring the RMS Console Configuring bv-control for Microsoft Exchange Configuring the Tracking Log Database Configuring the RMS Console To operate bv-control for Microsoft Exchange, you must first configure the RMS Console. For more information, see the RMS Console and Information Server Getting Started Guide. Configuring bv-control for Microsoft Exchange bv-control for Microsoft Exchange must be configured properly before using. Configuring bv-control for Microsoft Exchange involves the following: Configuring bv-control for Microsoft Exchange Setting up the installation configurations Configuring bv-control for Microsoft Exchange bv-control for Microsoft Exchange must be configured before use. The bv-control for Microsoft Exchange Configuration Wizard guides you through the process of configuring the product.

44 Configuring the product Configuring bv-control for Microsoft Exchange To invoke the configuration wizard 1 Right-click the Configuration container under bv-control for Microsoft Exchange in the Console tree. 2 Select Configuration Wizard. 3 On the Welcome panel, click Next. To create a credential database 1 In the Credential Database panel, click Click and edit here to add new credential database. 2 In the Create New Database dialog box, enter the password. 3 Click OK. 4 In the Add Credential Database dialog box, click Next. 5 In the Select Credentials panel, select the resource object that you want to add credentials to. Move it in the Credentials section by using >>. 6 In the Additional Setting dialog box, specify the domain of the user account that is used to access Microsoft Exchange. 7 Specify a valid Windows account that has administrative rights for Exchange in the User Name field. 8 Type the password and click OK. 9 Click Next in the Select Credentials panel. To assign a credential database to each user 1 In the Assign Credential Database to Each User panel, click in the User Name field. 2 Select a credential database to assign to the selected user. 3 Click Next. To specify the Exchange organization details 1 In the Exchange Software Support Checks panel, select the check box next to the verifications you want to perform and click Perform Checks. 2 Click Next after the verification is completed. 3 On the Connecting to Exchange 2000/2003 and Active Directory panel, type the name of the Global Catalog in the GC Server field. 4 Click Validate. The organization name is then obtained from the specified GC server.

Configuring the product Configuring bv-control for Microsoft Exchange 45 5 On the Specify a Default Exchange Server panel, specify a default Exchange server in the Default Server field. 6 Type the name of a valid mailbox that resides on the Exchange organization in the Mailbox field. 7 Click Resolve to validate the mailbox name. 8 Click Next. 9 Review the summary information on the bv-control for Microsoft Exchange Summary panel and click Finish. Note: The tracking log database node cannot be seen and all the scheduled tasks about the tracking logs are disabled in the following scenario: bv-control for Microsoft Exchange is initially configured to an organization containing Exchange 2000 / 2003 server and an Exchange 2007 server is added. The organization cache is rebuilt and the bv-control for Microsoft Exchange node is refreshed. This happens because bv-control for Microsoft Exchange 9.0 does not support the tracking log database functionality. See Setting up the installation configurations on page 45. Setting up the installation configurations The Installation configuration for bv-control for Microsoft Exchange dialog box appears when you right-click the Configuration container under the bv-control for Microsoft Exchange container. This dialog opens with the Exchange Settings tab selected by default. To use the Exchange Settings tab 1 In the Organization field, enter the name of your Exchange organization 2 Click Select GC. 3 Enter the name of the GC server in the Connect to Windows 2000/2003 Global Catalog Server dialog box. The full distinguished name for the Global Catalog server can be used. The configured server must be a Global Catalog Server in the Windows 2000/2003 forest in which the configured Exchange organization resides. 4 Select the Global Catalog Server nearest to the Information Server. 5 Click Select Default Server. 6 Select a server from the Choose Exchange Server dialog box.

46 Configuring the product Configuring bv-control for Microsoft Exchange 7 In the Mailbox field, enter the name of a valid mailbox. bv-control for Microsoft Exchange requires the MAPI/Exchange mailbox account that is configured with the user s logon account. Otherwise, grant the "Windows administrator" rights to all the mailboxes in the organization by changing the permissions on the organization object. By default, Enterprise administrators are denied rights to access all mailboxes. The denial of the Receive As and Send As rights sets the explicit denial of rights to administrators on the organization object. You can clear these denial rights for the accounts that you want to have full access to. 8 Click Check Name. 9 Click Clear All if you want to specify the settings again or click Verify All to verify all the details. To use the Move Mailbox Options tab Do one of the following on the Move Mailbox Options tab: Click Log File Location to select the location of the file to log the information that is related to the mailbox moves. Click Batch Input Location to select the location where the batch input file should be stored. To use the Message Deletion tab Do one of the following on the Move Mailbox Options tab: Choose Hard delete of messages to permanently delete messages without moving them to the Deleted Items folder. Choose Soft delete of messages to mark the message for deletion until it is permanently deleted from the Information Store. To use the Mail Enabled Groups tab Click Exclude hidden recipients while adding to Mail Enabled Groups to exclude the hidden recipients while copying or moving the recipient objects such as mailboxes. To use the Organization Options tab Do one of the following on the Organization Options tab: Choose Load Organization Cache at startup to load the organization information from cache at startup. Click Rebuild Organization Cache to automatically update the organization cache information.

Configuring the product Configuring the Tracking Log Database 47 Choose Display EDB totals for server in the admin group browser if you want to display the Exchange database totals for objects in the Exchange organization. See Configuring bv-control for Microsoft Exchange on page 43. Configuring the Tracking Log Database The Microsoft Exchange Server can track all messages that are sent and received by the server. The tracked information is stored in a log file. bv-control for Microsoft Exchange can leverage this information and report on the log files by using the Tracking Log Database functionality. The information that is imported depends on how the Tracking Log Database has been configured. The Tracking Log Database container in the Console tree is used to configure the Tracking Log Database and to perform various operations on the configured database. Note: Reporting on tracking log database is disabled in case the organization already contains an Exchange 2007 server or is added later. Create server groups in the Tracking Log Database and then add servers to the server groups so that bv-control for Microsoft Exchange can report on the log files of the added servers. The server log files are imported based on the configuration settings specified. The tracking log database lets you perform the following tasks: Schedule the import of the tracking log information from server groups Add server groups to the database Modify and delete servers and server groups from the database Note: To modify the tracking log database, you must be an RMS Administrator. Before you can use the features of the tracking log database, you must perform the following tasks: Configuring the tracking log database Adding or modifying a server group Marking the bridgehead servers Importing recipient information

48 Configuring the product Configuring the Tracking Log Database Configuring the tracking log database You must configure the tracking log database before using it. The Tracking Log Database Configuration Wizard guides you through the process of configuring the tracking log database. Note: bv-control for Microsoft Exchange 9.0 does not report on tracking log database if the organization contains one or more Exchange 2007 servers. Note: Do not put the tracking log database under the BindView share while configuring. To configure the tracking log database 1 Expand the bv-control for Microsoft Exchange container in the Console tree and right-click Tracking Log Database (Not Configured). 2 Select Configure. 3 On the Configure Tracking Log Database panel, select the name of the SQL Server that is used as the database for importing the tracking logs. 4 In the Share Path text box, enter the share path to the SQL Server. You can also click Browse (...) to select the path. Create the share for the tracking log database in a folder outside the installation folder, if the SQL Server and the Information Server reside on the same computer,. \Symantec\RMS\Control\Exchange is the default product installation folder that is deleted during the uninstall process of bv-control for Microsoft Exchange. 5 Under SQL Server Credentials, type the credentials to access the SQL Server. The user credentials can be either Windows or SQL Server credentials. Specify how the SQL Server Credentials must be authenticated by selecting one of the following options: Use Windows Authentication Use SQL Server Authentication Lets you connect to the SQL server using Windows credentials Lets you provide SQL Server credentials if you have an SQL server account on the selected SQL server

Configuring the product Configuring the Tracking Log Database 49 6 Enter a valid User Name and Password. The specified user must have a Server Role of System Administrator on the SQL Server. 7 Click Configure Database. After the database is configured, the Configure Database option changes to Reset Database. Use the Reset Database option to clear the settings of the currently configured SQL server database. When you reset the tracking log database, the database is detached and a copy of the database file (.mdf) is saved in the directory that is specified in the SQL server share path. If the reset database operation is unsuccessful, you can reset the database manually. 8 On the Configure Tracking Log Database panel, click Next. To configure recipient information import settings 1 On the Configure Recipient Information Import Settings panel, select the days of the week that you want the recipient information to be imported into the database. The recipient information includes information about mailbox-enabled objects such as mailboxes and public folders. The settings in this panel indicate how often this information is updated. 2 In the Import Time field, select the time you want the import to occur. 3 Under Import Server Settings, specify the GC server in the Import Server field. 4 Click Next. To configure the retention and the threshold settings 1 On the Retention and Threshold Settings panel, specify the number of days that you want the imported tracking log data to be retained in the SQL database. The Retention and Threshold Settings panel is used to set the tracking log and the Exchange server log retention periods. You can also use the panel to set the threshold values for message size, recipient count, and delivery time. 2 Under Exchange Server Logs Retention, specify the number of days the tracking log files should be retained on the Exchange servers in your environment. If the retention period is not the same for all Exchange servers, specify the retention period for the Exchange server having the longest retention period.

50 Configuring the product Configuring the Tracking Log Database 3 Specify the following Message Threshold Settings: Delivery time greater than Lets you enter the threshold value for the delivery time, in seconds. The message trends are summarized to identify the messages that breach the threshold. When you run the queries that are filtered on delivery time, the value in this field is used. Message size greater than Lets you enter the threshold value for the message size, in kilobytes. The messages are summarized to identify the messages that breach the threshold. When you run the queries that are filtered on message size, the value in this field is used. Number of recipients greater than Lets you enter the threshold value for the recipient count. The messages are summarized to identify the messages that breach the threshold. When you run the queries that are filtered on the number of recipients, the value in this field is used. 4 Click Next. To configure the default tracking log import schedule 1 On the Configure Default Tracking Log Import Settings panel, select the days of the week you want the tracking logs to be imported into the database. The Configure Default Tracking Log Import Settings panel is used to set the default import values when configuring new Server Groups. The values that are specified in this panel are applied to all the servers in the Server Group. 2 In the Collection Time field, select the time you want the collection of the tracking logs to occur. 3 In the Address field, enter the email address for receiving failure notifications of the tracking log imports.

Configuring the product Configuring the Tracking Log Database 51 4 Enter the SMTP Server Name. The user account that is specified in the credential database must have the necessary privileges to send messages through the SMTP Server. The server is used to route emails to the specified address. 5 Click Finish. Adding or modifying a server group After the tracking log database is configured, you must add the Server Groups that are included in the tracking log database. You also can add servers to the server groups. By adding servers to a server group, the assigned default properties of the server group are applied to the servers in the group. To add a server group 1 In the Console tree, under the bv-control for Microsoft Exchange container, right-click Tracking Log Database and select Add Server Group. 2 On the Add Servers panel of the Add Tracking Log Server Group Wizard, specify the required values in the corresponding fields. The Add Servers panel provides the following options: Name Description Available Servers Selected servers Lets you type the name for the server group Lets you type the description for the server group Lets you select a server from the list to add a server to the server group You cannot remove a server from the server group using the arrows when the server group is created. The servers should be manually deleted from the server group. 3 Click Next.

52 Configuring the product Configuring the Tracking Log Database 4 On the Import Settings panel, specify the required values for the corresponding fields. The Import Settings panel provides the following options: Tracking Log Import Schedule Lets you select the days on which the tracking logs for the server group need to be imported into the SQL database The remaining tracking logs are imported on the next selected day. Collection Time Lets you specify the time for the tracking log import The local computer time is considered. 5 Click Finish. Note: The logs are imported from the default location on the Exchange server. To change the log location of the Exchange server, edit the settings of the server after the addition to the server group. Marking the bridgehead servers In an Exchange mixed-mode environment, the process of importing the tracking logs can be optimized by marking the servers that are the bridgehead servers. Marking the bridgehead servers is optional. You can also use this feature to unmark the previously marked bridgehead servers. To mark the bridgehead servers 1 In the Console tree, select the Server Group that contains the server that you want to mark as a bridgehead server. 2 In the Details pane, right-click the server and select Is BridgeHead from the shortcut menu. 3 In the confirmation dialog box, click Yes. The server is shown marked as a bridgehead server in the Is Bridgehead column of the Details pane, Unmarking the bridgehead servers In an Exchange environment, the process of importing the tracking logs can be optimized by marking the servers that are the bridgehead servers. Marking or

Configuring the product Configuring the Tracking Log Database 53 unmarking the bridgehead servers is optional. You can also use this feature to unmark the previously marked bridgehead servers. To unmark the bridgehead servers 1 In the console tree, select the server group that contains the bridgehead server. The servers appear in the Details pane. 2 Right-click the bridgehead server and select Is Bridgehead from the shortcut menu. The Is Bridgehead menu item has a check mark next to it. The check mark indicates that the server is currently set as a bridgehead server. 3 In the confirmation dialog box, click Yes. Importing recipient information The server now has a value of No in the Is Bridgehead column of the Details pane. The Exchange environment is not affected. The recipient information includes objects such as mailboxes and mail-enabled groups. After the server groups and servers are added to the database, you must import the recipient information into the database. The recipient information import is not dependent on the server group definitions. You can import the recipient information before or after creating server groups. However, you must import the recipient information before you start to import the tracking logs. To import recipient information 1 In the Console tree, under the bv-control for Microsoft Exchange folder, right-click Tracking Log Database. 2 Click Import Recipient Information from the shortcut menu. A message appears stating that the job for importing recipient information was successfully submitted. 3 Click OK.

54 Configuring the product Configuring the Tracking Log Database

Chapter 5 Evaluating the product This chapter includes the following topics: About evaluation scenarios Automating labor-intensive tasks Messaging security management Managing service level agreement and capacity About evaluation scenarios The evaluation scenarios let you test-drive bv-control for Microsoft Exchange. These scenarios provide an opportunity to learn how bv-control for Microsoft Exchange works and help you evaluate it. The scenarios cover the following product functionality: Automating labor intensive tasks Identifying stale Exchange objects Responding to compliance and legal requests Managing mailbox moves Messaging security management Assessing who has access to the sensitive information in the mailboxes and the public folders Security and configuration best practices Auditing configurations against mandated standards Service level agreement and capacity management Assessing capacity

56 Evaluating the product Automating labor-intensive tasks Measuring compliance with service level agreements Automating labor-intensive tasks The automation of labor-intensive tasks increases efficiency and reduces costs. Some of the labor-intensive tasks might include the following: Moving mailboxes Managing disk space utilization Identifying stale objects bv-control for Microsoft Exchange lets you automate the labor-intensive tasks with the help of pre-defined queries and ActiveAdmin features. Identifying stale Exchange objects In bv-control for Microsoft Exchange, you can identify the mail-enabled groups or mailboxes that have been inactive for certain days. This identification can be done by using a pre-defined report. Once the groups are identified, you can perform a bulk move or delete on them as the need be. The reports under the Risk Assessment and Control > bv-control for Microsoft Exchange > Pre-Defined > Upgrades and Migrations > Unused Mail Objects (Offline Tracking Log Analysis required) are helpful in identifying stale Exchange objects. The pre-defined reports for identifying stale objects include the following: Mail-Enabled Groups inactive for the last 7 days Mailboxes that have not received any mail in the last 7 days Mailboxes that have not sent and received any mail in the last 7 days Mailboxes that have not sent any mail in the last 7 days Public Folders that have notreceived email in the last 7 days Note: The tracking log database must be configured properly before running any pre-defined reports for identifying stale Exchange objects. See Configuring the Tracking Log Database on page 47.

Evaluating the product Automating labor-intensive tasks 57 To identify the mail-enabled groups that have been inactive for the last 7 days 1 Navigate to Risk Assessment and Control > Pre-Defined > bv-control for Microsoft Exchange > Upgrades and Migrations > Unused Mail Objects (Offline Tracking Log Analysis required) folder in the Console tree. 2 Click Mail Enabled Groups inactive for the last 7 days. 3 In the Details pane, click Run And View As Grid. Result: A report is generated displaying all the mail-enabled groups that have been inactive for the past 7 days. Responding to compliance and legal requests The legal department and compliance auditors often ask for the information that requires a large number of emails to be accessed and evaluated. The effort of scanning through the emails can be a time-consuming and expensive process if you search each mailbox manually. bv-control for Microsoft Exchange lets you find the answers quickly by using the content scanning feature. By automating the search, the Exchange administrators can reduce the time that is taken to obtain the data. The pre-defined reports for identifying the contents of the mailboxes and the mail messages are present under Risk Assessment and Control > Pre-Defined > bv-control for Microsoft Exchange > Storage Analysis > Content Scanning. Messaging compliance audits Messaging compliance audits You can modify the Mailbox Contents Detail Report under the Content Scanning folder to customize it for filtering the Subject field. Let s scan the mailbox contents for identifying the text string, tax accounting. To modify the Mailbox Contents Detail Report query 1 Open Mailbox Contents Detail Report under the Contents Scanning folder. 2 In the Details pane, under Available Tasks, click Modify Query Definition. 3 In the Query Builder dialog box, click Filter Specification. 4 Expand the Message Content folder and select Normalized Subject. 5 Click Add. 6 In the Filter Term Definition dialog box, select Specific Value. 7 From the drop-down list, select Contains.

58 Evaluating the product Automating labor-intensive tasks 8 In the Specify a value text field, type tax accounting or any other text string you want to search for. 9 Click OK. To add Scope to the Mailbox Contents Detail Report query 1 In the Query Builder- Mailbox Contents Detail Report dialog box, click Scope. 2 From the Available Item(s) list, select a storage group for scanning. 3 Click Add Scope. 4 Select Actions > Copy Message. 5 Navigate to the mailbox where the copies of all the identified messages are sent and select it. 6 Click Add Scope. The scope information appears in the Selected Item(s) box on the lower portion of the Query Builder dialog box. 7 Click OK to run the query. Result: A report is generated displaying all the mailboxes that contain emails with tax accounting in the subject of the email. Addressing legal requests and compliance audits Addressing legal requests and compliance audits You can quickly scan mailbox contents to locate specific objects in response to legal requests or a compliance audit. By using the pre-filters and the actions you can narrow the search results. The pre-filters are used to create rules for the Mailbox Contents data source. Let s search for the emails with the following characteristics: Revenue as the text string in Subject or Body Has an attachment Sent on the previous day You can perform these tasks by using the pre-filters and actions of the Scope tab of the Mailbox Contents data source. To specify the pre-filters and the actions by using the Mailbox Contents data source 1 In the Query Builder dialog box of the Mailbox Contents data source, select Scope. 2 Under Available Item(s), expand the Pre-Filters container. 3 Select From, Subject, Has Attachment, Attachment Extension, and Message Age Grater Than from the Pre-Filters and click Add Scope.

Evaluating the product Automating labor-intensive tasks 59 4 Enter the values for them in the Additional Settings dialog box as follows: From Subject Has Attachment Attachment Extension Message Age Greater Than Sender's name Revenue With Attachment zip 1 5 Expand the Actions container. You can choose from the following actions: Export messages to PST Delete Message Delete Attachment Move Message Copy Message Post Message Send Mail To Exports message(s) as a PST file and saves it to the specified location Deletes any message that meets the filter condition Deletes any attachment that meets the filter condition Moves any message that meets the filter conditions to a specific public folder or mailbox Copies any message that meets the filter condition to a specific public folder or mailbox Posts a message to each mailbox that matches the filter condition Sends the content summary scan to the specified email address 6 Select Delete Message and click Add Scope. A warning message appears that confirms the deletion. 7 Click OK.

60 Evaluating the product Automating labor-intensive tasks Managing mailbox moves 8 In the Query Builder dialog box, click OK. 9 Select to view the query as a Grid and click Run. Result: All the emails that matched the pre-filter criteria are deleted from the query results. Moving mailboxes can be a difficult task. bv-control for Microsoft Exchange provides the ability to move mailboxes within and across sites in the Exchange network. Moving a mailbox includes the following: Moving calendar Moving contacts Moving mail-enabled groups Moving permissions You can move the mailboxes by using one of the following methods: Drag-and-drop Shortcut menu command Command line Scheduled Task Wizard From query results Note: The move mailbox functionality is disabled if the organization already contains one or more Exchange 2007 server or is added later. Moving mailboxes using the Scheduled Tasks Wizard Mailboxes can also be moved using the Windows Scheduled Task Wizard or any third-party scheduling tools. To move mailboxes using the Scheduled Tasks Wizard 1 Select Start > Programs > Accessories > System Tools > Scheduled Tasks. 2 Double-click Add Scheduled Task in the Scheduled Tasks folder. 3 In the Schedules Tasks Wizard, click Next. 4 Click Browse.

Evaluating the product Messaging security management 61 5 In the Select Program to Schedule dialog box, navigate to the directory that contains the executable file for the batch move. Select the appropriate file and click Open. 6 In the Scheduled Task Wizard - Type a Task Name panel, select the option for how often you want to run the task and click Next. 7 In the Scheduled Task Wizard - Select Time/Date panel, select the time and day you want the task to start and click Next. 8 In the Scheduled Task Wizard - Name/Password panel, enter your user name and password, and verify the password by reentering it. You must have appropriate permissions to run a scheduled task. Click Next. 9 In the Scheduled Task Wizard - Successfully Scheduled Task panel, select the Open advanced properties for this task when I click Finish option and click Finish. 10 In the BatchMoveMailbox dialog box, enter the appropriate arguments in the Run text box: The Input_File_Name.txt file is the Input text file name that was specified when you created the Input.txt file. The /LogFilePrefix: is an optional parameter that contains the prefix for the log files that are created in the following directory: System Root\Program Files\Symantec\RMS\Control\Exchange All log files created on the Information Server computer are specified in the input file (Input_File_Name.txt). If no log file prefix is specified, the input file name is used as the prefix for the log file, which may cause older log files to be overwritten. Before running BatchMoveMailbox.exe, ensure that the BVProcessManager service is running on the Information Server computer. 11 In the Set Account Information dialog box, enter the password and then confirm by reentering it. 12 Click OK to complete the scheduled task process. Messaging security management Some of your company s most important information is delivered through email. A secure mail system is necessary for protecting the intellectual property and meet regulatory and internal compliance requirements. bv-control for Microsoft Exchange identifies inappropriate files in the system so that you can copy, move,

62 Evaluating the product Messaging security management or delete them, secure intellectual property, and protect legal evidence. By automating the search, the Exchange administrators can dramatically reduce the time taken to obtain the required data. The administrators can then focus on other critical issues. Assessing who has access to sensitive information in public folder and mailbox contents The mail system of an organization can contain sensitive information such as customer information, financial data, competitive strategy documents, or human resource data. This information is not secure if Public Folders, Mail Enabled Groups, or Mailboxes are vulnerable. Generating public folder permissions report The Public Folder Permissions report lists Windows NT Accounts with Permissions and Client Permissions to the Public Folders. To generate the public folder permissions report 1 Under the Risk Assessment and Control container, expand the Pre-Defined > bv-control for Microsoft Exchange > Security Best Practices folder. 2 Select Public Folder Permissions report. 3 In the Details Pane, click Run And View As Grid. 4 Proceed through the Query Completion Wizard. The Client Permissions column of the query results displays who has the permissions to the public folders and the types of access permissions. 5 To view the information in the Client Permissions field, click the red arrow. A text box appears that provides a description of the client permissions for the server that was specified in the Scope of the query. Note that one of the mailboxes shows 'Unknown in the NT Accounts With Permissions' column. This column indicates that the permissions that are associated with that mailbox are unknown. The legitimacy of the account should be investigated in such cases.

Evaluating the product Messaging security management 63 6 In the NT Accounts with Permissions field, click the red arrow to open a text box that provides a description of the account permissions. 7 Select a row in the Client Permissions field and double-click it. The Dialog Book appears. The Dialog Book provides an alternative view of the information available from the data source. The Dialog Book presents the following tabs: General Replicas E-mail Addresses Mail-enabled groups Represents the fields in the Public Folder Properties data source. Shows the replicating server name, replicated object version, and where the folders are replicated to. Shows the email addresses of the user. Shows the mail-enabled groups the user is a member of. In this example, the user is not a member of any mail-enabled group. Message Counts Limits Shows the information about the messages in the user s mailbox. Shows the information such as the size limitation of incoming messages and the storage limit warning. Generating mail-enabled users security report bv-control for Microsoft Exchange provides pre-defined Configuration Management reports that let you secure the public folders, the mail-enabled groups, and the mailboxes by identifying who has access to these folders.

64 Evaluating the product Messaging security management To generate the mail-enabled users security report 1 Navigate to the Risk Assessment and Control > Pre-Defined > bv-control for Microsoft Exchange > Configuration Management > Mail-Enabled Users 2 Select the Mail-Enabled Users Security report. The Mail-Enabled Users Security report lists the security settings that are associated with the mail-enabled users. The details include the accounts with permissions, sent on behalf of other mailboxes, and sent on behalf of this mailbox. To maintain tighter control over permissions to the mailboxes run the report regularly and use the baselining feature to list the changes. 3 In the Details pane, click Run And View As Grid under Available Tasks. 4 Proceed through the Query Completion Wizard. Result: A report is generated displaying the accounts with permissions, whether the account is disabled or locked, and the mailbox delegates. With this information, you can now determine whether you need to change the permissions on certain accounts. Having excessive permissions and inappropriate delegates makes your organization vulnerable. About the mail-enabled groups report The Mail-Enabled Groups folder under the Configuration management contains reports for querying the mail-enabled groups in your enterprise. Access the Mail-Enabled Groups folder by expanding the Risk Assessment and Control > Pre-Defined > bv-control for Microsoft Exchange > Configuration Management folders in the Console tree. Some of the Mail-Enabled Group pre-defined reports that are useful for managing your messaging security include the following: Mail-Enabled Groups Detail Mail-Enabled Groups With Delivery Restrictions Queries the Exchange, 2000/2003 directory, and forms details of Mail Enabled Groups Lists all Mail-Enabled Groups that have defined Delivery Restrictions Delivery restrictions include "Accept Message From" and "Deny Message From" fields. By running this query, you can audit access to email that is sent to the mail-enabled group. For example, for a mail-enabled group for financial reporting, no one involved in the production of financial reports should receive this email.

Evaluating the product Messaging security management 65 Mail-Enabled Groups That Are Members of Other Groups Mail-Enabled Groups Membership Mail-Enabled Groups Nested Membership-Long Query This report documents which Exchange 2000/ 2003 mail-enabled groups are members of other mail-enabled groups Details the mail-enabled group s membership Resolves who is effectively a member of an Exchange 2000/2003 mail-enabled group About the query-based distribution groups report About the query-based distribution groups reports The Query-based Distribution Groups folder under Configuration Management contains reports that let you audit query-based distribution groups. The query-based distribution groups provide for dynamic memberships. Instead of directly adding the members to a group, a query-based distribution group is defined by rules. For example, a query-based distribution group can be created for Joe Smith s direct reports, and all mailboxes that have Joe Smith listed as their manager will be members of the group. This group will dynamically include anyone with Joe Smith marked as their manager. The Query-based Distribution Group folder can be accessed by expanding Risk Assessment and Control > Pre-Defined > bv-control for Microsoft Exchange > Configuration Management in the Console tree. The use of query-based distribution groups reduces the administrative burden of managing groups. However, auditing the transient memberships of the query-based distribution groups can be challenging. bv-control for Microsoft Exchange solves this problem. The pre-defined reports for auditing the query-based distribution groups include the following: Query-based Distribution Groups Detailed Reports Query-based Distribution Groups With Delivery Restrictions Displays the details of the query-based distribution groups, including memberships and custom attributes Displays a list of all query-based distribution groups that have defined delivery restrictions Delivery restrictions include "Accept Message From" and "Deny Message From" fields.

66 Evaluating the product Messaging security management Query-based Distribution Groups That Are Members of Other Groups Displays a list of query-based distribution groups in the environment that are members of other groups Security and configuration best practices Regular configuration audits of the Exchange environment ensure that the security and configuration policies are followed. Administrators can quickly identify configuration best practice violations and revise them before a security breach occurs, thus reducing unplanned downtime and loss of productivity. The pre-defined reports that can be helpful in identifying compliance violations include the following: Exchange Server Versions Mailbox Folders With Anonymous Permissions Granted Admin Groups With Explicit Full Administrator Permissions Granted The Exchange Server Versions report can be accessed from the Getting Started > Exchange folder. The report displays a list of the server name and associated version numbers. The report also includes the Windows NT version numbers, build numbers, and hotfix information. Servers should always have the latest version of service packs and hotfixes installed. To obtain the latest service packs and hotfix information, follow the link under the references section to Microsoft's download section. The Mailbox Folders With Anonymous Permissions Granted report can be accessed from the Configuration Management > Exchange > Security folder. The report displays a list of the Mailbox Folders that have anonymous permissions assigned to them. By not knowing what permissions are assigned, your organization is vulnerable to security breaches. The Admin Groups With Explicit Full Administrator Permissions Granted can be accessed from the Configuration Management > Security folder. The report displays a list of the Admin Groups that have Explicit Full Administrator permissions.

Evaluating the product Messaging security management 67 Public Folder Permissions Report Public Folder Owners Report The Public Folder Permissions report can be accessed from the Configuration Management > Security folder. The report displays a list of the client permissions and NT Accounts with permissions to the public folders. The Public Folder Owners report can be accessed from the Configuration Management > Security folder. The report displays a list of the owners of the public folders. Auditing configurations against the mandated standards You can audit the configurations against the mandated standards in the following ways: Identifying servers with incorrect Exchange versions Identifying mailbox folders with anonymous permissions Tracking changes using the baseline feature Identifying servers with incorrect Exchange versions Let s run the Exchange Server Versions pre-defined query to determine the versions of Exchange servers that are installed. You can then identify which servers have incorrect versions installed and revise them to be in compliance with your company s policy. To identify the versions of Exchange servers 1 Under the Risk Assessment and Control container, expand the Pre-Defined > bv-control for Microsoft Exchange > Getting Started > Exchange. 2 Select the Exchange Server Versions report. 3 Click Run And View As Grid in the Details pane. 4 Proceed through the Query Completion Wizard by changing the default scope to a specific group in your organization. The change in scope decreases the time taken to run the query. The query results display all the servers in the organization and the specific Exchange versions that are installed. With this information, you can now easily revise those servers that have outdated or incorrect versions installed.

68 Evaluating the product Messaging security management Identifying mailbox folders with anonymous permissions Let s identify mailbox folders in an Exchange 2000 organization that have anonymous permissions. Not knowing who has what permissions increases the security risk in your organization. To identify mailboxes with anonymous permissions 1 Under the Risk Assessment and Control container, expand the Pre-Defined > bv-control for Microsoft Exchange > Configuration Management > Security folder. 2 Select Mailbox Folders With Anonymous Permissions Granted and click Run And View As Grid in the Details pane. 3 Proceed through the Query Completion Wizard by changing the default scope to a specific group in your organization. This decreases the time it takes to run the query. The query results display all the mailbox folders that have anonymous permissions. 4 Click Grid > Save As to save the dataset so that you can use it for a baseline comparison later. 5 Save the query as Mailbox Folders With Anonymous Permissions Granted in the My Items folder. Tracking changes using the baseline feature The baseline feature allows you to track changes to verify that security or compliance violations have been corrected, or to ensure that other violations have not occurred since you ran the last query. n this scenario, you will compare two datasets. The first dataset is the query you ran in the previous scenario when identifying mailboxes with anonymous permissions. You can browse to the saved query and run it again so as to compare the new results with the saved dataset using the Baseline feature. To save a query to run the baseline feature 1 Assuming you saved the previous query as Mailbox Folders With Anonymous Permissions Granted in the My Items folder, navigate to the Items folder. 2 Select the Mailbox Folders With Anonymous Permissions Granted report and click Run And View As Grid in the Details pane. 3 Proceed through the Query Completion Wizard. The query results display all the mailbox folders that have anonymous permissions.

Evaluating the product Managing service level agreement and capacity 69 4 Click Grid > Save As to save the dataset so that you can use it for a baseline comparison. The Save Query dialog box appears. 5 Navigate to the My Items folder where you saved the previous query and select Mailbox Folders With Anonymous Permissions Granted. 6 Click OK in the Save Query dialog box. To track changes using the baseline feature 1 Right-click Mailbox Folders With Anonymous Permissions Granted in the My Items folder and select Manage > Historical Data from the shortcut menu. 2 In the Manage Historical Data dialog box, select the two datasets you want to compare and click Run Baseline. 3 In the Baseline Options dialog box, select RecordStatus and ListFieldDisplay options that you want included in the baseline. 4 Click OK. The baseline query runs and displays the mailboxes that have been added, deleted, or changed since the first dataset was run. You can use this information to verify that compliance with mailbox policies is being enforced. You can also schedule the baseline to run at specified times, and have the baseline report automatically e-mailed to the appropriate personnel when changes have occurred. Managing service level agreement and capacity Messaging is the most mission-critical application in any organization. If service levels are not maintained, productivity throughout the entire organization is lost due to downtime, and the cost of downtime affects the organization s bottom line. To maintain a proper service level, there must be measurement and proactive capacity management. bv-control for Microsoft Exchange helps ensure system availability by proactively performing the tasks as follows: Determining traffic patterns to evaluate capacity and plan the location of new mail servers Reviewing traffic patterns to reorganize mailboxes to minimize network traffic Reporting on email mailbox size to determine who is using the largest percentage of resources..

70 Evaluating the product Managing service level agreement and capacity Storage analysis report Using the Service Level Agreements pre-defined reports, you can measure the amount of storage space being utilized. With this information, you can prevent unnecessary downtime associated with running out of disk space. These reports can be accessed under the Risk Assessment and Control container by expanding the Pre-Defined > bv-control for Microsoft Exchange > Service Level Agreements folders. The Servers Free Disk Space Detailed Report is helpful in determining the amount of free disk space on each drive of the Exchange servers in the Scope. It uses Windows Management Instrumentation to obtain this information. You can use the Storage Analysis pre-defined reports to determine the size of the mailbox stores in your Exchange 2000 organization. These reports can be accessed under the Risk Assessment and Control container by expanding the Pre-Defined > bv-control for Microsoft Exchange > Storage Analysis folders. You can also use reports in the Configuration Management folder to determine capacity levels. The Public Folder Storage Report is helpful in determining the Exchange 2000/2003 servers and the amount of disk space used by public folders residing on the server. This report can be accessed by expanding the Pre-Defined > bv-control for Microsoft Exchange > Configuration Management > Information Stores > Public Information Stores folders. Determining message traffic patterns Determining message traffic patterns bv-control for Microsoft Exchange provides several pre-defined reports that you can use to proactively determine message traffic patterns in your organizations. These reports are stored in the Log Analysis folder in the Console tree. Note: Before you use any of the reports in the Log Analysis folder, you must configure the Tracking Log Database. See Configuring the Tracking Log Database on page 47.

Evaluating the product Managing service level agreement and capacity 71 To determine message traffic patterns 1 Under the Risk Assessment Control folder in the Console tree, expand the Pre-Defined > bv-control for Microsoft Exchange > Log Analysis > Traffic Log > Offline folders. 2 Select the Messages by Server folder and review the available reports. The Mail Flow for Internal Messages - Originator Server to Recipient Server report is particularly helpful because it displays the volume of messages that were sent by mailboxes on the originator server to recipients on the recipient server. The originator server is the home server where the originator (sending mailbox) resides. The recipient server is the home server where the recipient resides. 3 Select the Internet Traffic Reports folder and view the available pre-defined reports. Some particularly useful reports for determining message traffic patterns include, Total incoming traffic into Exchange organization, Total outgoing traffic from Exchange organization to Internet, Reports that identify most frequently used mailboxes such as top 10 receivers or senders of external messages, and Reports that can show results by size or by count. Measuring compliance with service level agreements There are also several pre-defined reports in the Traffic Log folder that allow you to measure compliance with service level agreements.

72 Evaluating the product Managing service level agreement and capacity To measure compliance with service level agreements 1 Under the Risk Assessment Control folder in the Console tree, expand the Pre-Defined > bv-control for Microsoft Exchange > Log Analysis > Traffic Log > Offline folders. 2 Select Messages by Server and review the available reports. One report particularly helpful in measuring compliance with service level agreements is the Delivery Time for Internal Messages - Originator Server to Recipient Server report. This report displays the time taken for internal messages to be delivered from the originator site to the recipient site. 3 Navigate to the Messages by Site folder. The queries to be reviewed include the following: Delivery Time for Internal Messages Originator Site to Recipient Site This report displays the time taken for internal messages to be delivered from the originator server to the recipient server. The originator server is the home server where the originator (sending mailbox) resides. The recipient server is the home server where the recipient resides. Message volume by Delivery Time threshold value This report displays the messages that took longer than n minutes to deliver, where n is the user-specified time in minutes. The Delivery Time threshold value is the value specified in the Retention and Threshold Settings panel of the Tracking Log Database Configuration Wizard.

Index A adding server group 51 architecture 9 C configuration considerations trust relationships 27 user and credential account rights 28 configuring bv-control for Microsoft Exchange 43 installation configurations 45 RMS Console 43 tracking log database 47 48 H hardware requirements 25 for workstation used as Information Server 26 for workstation used as SQL server 26 I importing recipient information 53 R RMS Console and Information Server deployment considerations 18 enterprise network areas to be queried 21 geographical location 19 number of users 18 S sizing guidelines for configuration 36 for tracking log database 34 software requirements 26 software requirements for Exchange 2000/2003 support 27 system requirements 25 hardware requirements 25 software requirements 26 U upgrading bv-control for Microsoft Exchange 40 M moving mailboxes using the scheduled tasks wizard 60 P performance parameters 34 permission requirements for bv-control for Microsoft Exchange system 29 for Exchange environment 28 for SQL server database 32 for tracking log database 32 for Windows servers running Exchange 30