Exchange 2007 offers a neat feature called Managed Folders. They work in much the manner as Mailbox Manager in previous versions but with more options. Like Mailbox Manager, you can use them to keep the user's Deleted and Junk E-mail folders clean, as well as archive larger or old messages and appointments. Managed Folders can do so much more though, including journaling messages for archival and compliance policies.

Before you can use Managed Folders, you need to configure the folders you want to manage, create a content policy and assign it to the mailbox then create a schedule for the folder management service.

Begin by opening the Exchange Management Console, expand the Organization configuration and select Mailbox, Managed Default Folders tab. Right click on the folder on which you want to be managed and select New Managed Content Settings and complete the wizard. If you are moving items to a custom managed folder, create the folder first. If you want to remind users of a folder's management policies, you can display a banner under the folder name in Outlook2007 and OWA. Do this by right clicking on the folder name and choose Properties and entering the text. You can also prevent users from minimizing the banner.

Next, create your Managed Content Policies. From the Organization configuration section, right click on Mailbox and select New Managed Folder Policy from the flyout. Add the managed folder to the policy and finish the wizard.

Now that you have policies created, you need to add the policy to the mailbox. Expand the Recipient Configuration, Mailbox and right click on the user's mailbox and choose Properties, Mailbox Settings tab and edit the Messaging Records Management properties to add the policy to the mailbox. You can only have one policy per mailbox and one managed setting per folder but can have multiple folders in each policy.

Now start the managed folder assistant. Expand the Server Configuration node and right click on Mailbox, choosing Properties. Setup a customized schedule on the Messaging Records Management tab. You can also run the managed folder service at any time using the Exchange Management Shell with the command
Start-ManagedFolderAssistant

If you'd like to configure Managed Folders from start to finish using the management shell, see
http://technet.microsoft.com/en-us/library/bb123473.aspx 

Time and again this question comes up: "How do I send email from another address assigned to my mailbox?"

You have several ways to handle this:

Use Send As permission. This works with other mailboxes, mail enabled public folders, and Contacts added to the Active Directory. It will not work for additional SMTP addresses on your mailbox. To do this the administrator needs to give the account Send As permission to the other account in the Active Directory. Click on View, Advanced in the Active Directory Users and Computers snap to show the Security tab before opening the AD object for the user or contact. Once you are assigned Send As permission, type the address in the From field or select it from the GAL and send.

If the addresses are already associated with your mailbox and you receive incoming mail on those addresses, create an IMAP or POP3 account in the profile and select the account when composing the message. I prefer using IMAP accounts or an invalid incoming server name to prevent problems when doing a send and receive.

Another option is ChooseFrom. This utility allows you to choose the From address on your mailbox without adding additional accounts to your profile.
http://www.ivasoft.biz/choosefrom.shtml 

Users with only Internet accounts can usually just enter any email address in the From field and most ISPs will accept the message. However, since the Internet header will list both addresses with the message sent from 'address1 on behalf of address2', they'll want to create a second account in Outlook. As with Exchange accounts, use the IMAP protocol or an invalid server name for the incoming server to prevent problems.

This question came up last week: "How do I save attachments to SharePoint Document Workspace? I'm using Outlook 2007 and the document workspace window doesn't show any more and I don't know how to enable it. "

After you attach the file, press the (very tiny) expand arrow on the lower right corner of the Include group (the group where the Attach files button is) to open the Attachment Options pane, when you can choose between regular or shared attachments. If the attachment is an image, you'll also have the option of reducing the file size.

Yes, it would be better if you could toggle it off and on using a button in the Include group or in the Insert File dialog, but until that happens, you'll need to remember to check the expand button.

Service Pack 1 on Windows Server 2003 updates a new security tool called the Security Configuration Wizard (SCW) which has implications for Exchange Servers. The SCW is designed to harden your server through attack surface reduction. Many administrators already engage in this practice as a way of life, but the SCW is a somewhat comprehensive tool for locking down a server, even one running Exchange Server, especially for those less experienced in Windows server security. The SCW walks through the roles, services, and ports and more on the server and creates a policy file in XML. This can be immediately applied to the current server, which will likely need a reboot for Exchange, or saved for later or used on additional servers.

The SCW is not installed by default with Windows Server 2003 sp1 but is easily deployed using the Add/Remove Windows components applet from Add or Remove Programs in Control Panel. Installation does not require a reboot and a shortcut for the SCW is added to Administrative Tools in the start menu.

There are a couple of Exchange-specific issues when creating and implementing a new SCW policy file on an Exchange Server. For an Exchange 2003 Server, a better alternative may be to follow the comprehensive Exchange Server Security Hardening Guide in TechNet (http://technet.microsoft.com/en-us/library/aa997203.aspx). SCW is intended to simplify the server hardening process.

SCW is extensible, and Exchange 2007 Server has extensions that need to be manually registered. These add the roles, services and ports for an Exchange 2007 Server to the SCW database for that server so they can be included in a local SCW security policy. This is done using the Command Line supplement to the SCW called swccmd.exe:
C:\>scwcmd register /kbname:Ex2007KB /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007.xml"

There is a separate file, Exchange2007Edge.xml to register on Exchange Servers running the Edge role instead. For a list of the items extended through this process, see: Services and Port Executables Enabled by the Exchange 2007 SCW Registration Files, http://technet.microsoft.com/en-us/library/bb397223.aspx.

The SCW first verifies components on the server against the local SCW database file. All other unneeded services and ports are disabled by SCW. The database file is then updated with the current component information. These components are grouped into categories:

• Server Roles
• Client Features
• Services
• Ports
• Applications
• Administration and other options

 After the SCW database is generated, SCW asks what action it should take regarding security policy - Create a new policy, edit and existing policy, or apply or rollback a policy as evident in Figure 1. In creating a new SCW policy file, the administrator can implement granular control over the specific security settings for the server. It is important to know what applications and services are needed and how they interact over the network interface. There are many screens of information to work through with the SCW. I chose a couple to reflect some simple options in Figures 2 and 3.

Figure 2

 

 

 Figure 3:

 

 

The SCW policy files are saved in XML and can be applied to servers that perform the same functions with the same configurations. This is possible with Exchange Servers, too, but things can stop working if the administrator is not careful. The most common issue involves Exchange installations to non-default locations, or when applying a policy to another server with a different installation location for Exchange. Microsoft KB 896742 which explains how Outlook users can lose connectivity after an SCW policy is applied to a server running Exchange 2003. Some services need to be added manually at the Network Configuration of the SCW when Exchange is installed in a non-default location. Specifically, the Exchange services, with paths to the related executable, need to be added to the firewall exceptions tab.

Figure 4 shows the simple form to add a port and the tab where the administrator would navigate to the executable that leverages that port or enter the exact path. Incidentally, all of my Exchange Servers are installed in a non-default drive location.

The Security Configuration Wizard in Windows 2003 sp1 adds reasonable steps to create a security policy file for your servers. We see Exchange 2003 has a couple of issues with it and Exchange 2007 needs to register some extensions first. A well planned SCW policy applied to an Exchange Server reduces the potential attack surface available to those with malicious intent and accident-prone administrators.

Resources

After you run the Security Configuration Wizard in Windows Server 2003 SP1, Outlook users may not be able to connect to their accounts
http://support.microsoft.com/kb/896742

Exchange Server Security Hardening Guide
http://technet.microsoft.com/en-us/library/aa997203.aspx

Using the Security Configuration Wizard to Secure Windows for Exchange Server Roles
http://technet.microsoft.com/en-us/library/aa998208.aspx

-- William Lefkovics