How to Protect Confidential Emails with Exchange Server 2007
Written by Paul Cunningham on August 28, 2009
Within an organization there is often communication that occurs between staff that should remain confidential and kept within the business only. However any time confidential information is placed in an email there is the risk that someone will accidentally send the information outside of the business.
Exchange Server 2007 and Outlook 2007 use a feature called Message Classification to prevent this accidental information leakage from occurring.
What are Message Classifications?
A message classification is simply metadata added to an email message that describes the intended use or audience of the message. Message classifications can be created or customized to suit any type of business with any type of classification need.
When combined with Exchange Server 2007 Transport Rules, message classifications can be used to enforce email policies, such as blocking classified confidential information from being sent or forwarded outside the organization.
Enabling Message Classifications
Although it is possible to create your own message classifications, Exchange Server 2007 ships with several default classifications that will suit most businesses. These message classifications must be exported to an XML file and distributed to clients. Run the Export-OutlookClassification.ps1 script from C:\Program Files\Microsoft\Exchange Server\Scripts.
[PS] C:\>.\Export-OutlookClassification.ps1 > c:\msgclass.xml
The file must now be placed somewhere the client PCs can access it. Although a network share can be used, it is more reliable to distribute the file to the local hard drive of each computer.
Next, create the following registry values (shown in .reg file format) to point Outlook at the classifications file.
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Policy]
"AdminClassificationPath"="c:\\admin\\msgclass.xml"
"EnableClassifications"=dword:00000001
"TrustClassifications"=dword:00000001
When Outlook 2007 is next launched by the end user they will have access to the message classifications when composing new messages.

Creating Transport Rules
With message classifications in use it is now possible to configure Transport Rules to protect confidential emails from being sent outside of the company. Launch the Exchange Management Console and navigate to Organization Configuration/Hub Transport. Click on the Transport Rules tab and then start a new Transport Rule.
Give the rule a meaningful name, for example “Block Outbound Confidential Emails”.

Set the conditions for email sent outside the organization and classified as “Company Confidential”.

Configure the rule action to send a bounce message to the original sender, with text that makes it clear to them why the message was blocked. Don’t forget to also configure a rule action to drop the message.

If there is any reason for an exception, such as allowing the CEO to send confidential emails to outside partners, you can configure it as well. Otherwise just complete the Transport Rule wizard.
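The same rule built from the Exchange Management Shell instead of the wizard, as an added example that is not code from the original article. It assumes the Exchange 2007 predicate and action property names (Classification, Scope, RejectReason, EnhancedStatusCode, Addresses) as documented for that release, and uses a placeholder mailbox address for the exception.

```powershell
# Added example: create the "Block Outbound Confidential Emails" rule from the shell.
# Property names on the predicate/action objects are assumed from the Exchange 2007
# documentation; the CEO mailbox address is a placeholder.

# 1. Resolve the built-in classification the rule will match on, and fail early
#    if it does not exist rather than creating a rule that never fires.
$Classification = Get-MessageClassification "Company Confidential"
if ($Classification -eq $null) {
    throw "Classification not found; run Get-MessageClassification to list the names."
}

# 2. Conditions: the message carries the classification AND at least one
#    recipient is outside the organization.
$HasClass = Get-TransportRulePredicate HasClassification
$HasClass.Classification = $Classification.Identity

$External = Get-TransportRulePredicate SentToScope
$External.Scope = "NotInOrganization"

# 3. Actions, mirroring the two wizard actions described above: bounce the
#    message back to the sender with a clear reason, and drop the message.
$Bounce = Get-TransportRuleAction RejectMessage
$Bounce.RejectReason = "Messages classified Company Confidential cannot be sent outside the company."
$Bounce.EnhancedStatusCode = "5.7.1"

$Drop = Get-TransportRuleAction DeleteMessage

# 4. Optional exception: allow a named mailbox (placeholder) to send externally.
$FromCEO = Get-TransportRulePredicate From
$FromCEO.Addresses = @((Get-Mailbox "ceo@example.com"))   # placeholder address

New-TransportRule -Name "Block Outbound Confidential Emails" `
    -Comments "Blocks Company Confidential mail to external recipients" `
    -Conditions @($HasClass, $External) `
    -Actions @($Bounce, $Drop) `
    -Exceptions @($FromCEO) `
    -Priority 0 -Enabled $true

# 5. Verify the rule as stored before testing it with a real message.
Get-TransportRule "Block Outbound Confidential Emails" |
    Format-List Name, Priority, Enabled, Conditions, Actions, Exceptions
```

Omit the -Exceptions parameter entirely if no exception is needed; the rule then applies to every sender in the organization.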
Testing the Transport Rule
You can test the new Transport Rule by simply sending any email classified as “Company Confidential” to an outside email address. The Exchange server will return an error message to the sender.

Limitations of Message Classifications
The important thing to note here is that message classifications require some implementation effort, must be deliberately applied by end users when sending emails, and only prevent accidental exposure of confidential information. For example, a user who receives a classified message is free to remove that classification when forwarding the email to an outside recipient. Of course, such deliberate acts are almost impossible to guard against anyway. Still, message classifications provide a decent option for enforcing email policies.
Posted in Exchange server, email security