Exchange advanced security is not designed to protect communications between servers and sites within an organization. Internal protection schemes depend on the type of connection and the protocols that flow across the connection. Within a site, all communication between Exchange servers is remote procedure call (RPC)-based; the same is true when sites connect using the Site Connector or Dynamic RAS Connector. RPCs are encrypted on the wire as they pass between servers, using either a 40-bit algorithm (international systems) or 128-bit algorithm (North American systems). Note that 128-bit encryption is available only if you're running North American NT 4.0 Service Pack (SP)2 or later or have installed the NT Encryption Pack.

Servers that connect with RPCs authenticate each other to ensure that a would-be intruder can't introduce a rogue server into an organization to steal data. Authentication uses standard Windows NT challenge/response handshakes exchanged between servers. If an Exchange server cannot be authenticated, any request to connect to another Exchange server is refused.

Because the Simple Mail Transfer Protocol (SMTP) and X.400 recommendations do not incorporate encryption technology, data isn't encrypted as it flows between servers. The ability to specify Mail Transfer Agent (MTA) passwords affords some level of protection to sites that connect with X.400 connectors, but SMTP servers don't expect to give a password before they can send messages to another system.

Given the increasing importance of Internet protocols to Exchange, Microsoft now provides extra security for sites connected with Internet Mail Server (IMS) through Extended Simple Mail Transport Protocol (ESMTP) in Exchange 5.0. ESMTP allows vendor-specific extensions, and Microsoft uses this feature to support 40-bit or 128-bit encryption, much like RPCs. Today, this extension works between only Exchange 5.0 (or later) servers­it doesn't encrypt connections between ISM and other SMTP servers, such as Digital's AltaVista Mail Server. Cross-vendor encryption for SMTP mail systems will be possible only when the industry agrees on a standard. Although the industry is working toward that standard, it is unlikely to be finalized in the next year.