Downloads
96458.zip

Executive Summary:

Microsoft Office Outlook 2007 and Microsoft Exchange Server 2007 support a feature called message classification, which provides metadata about an email message's intended audience, content, or use. To set up message classification, you first install it, export the default classifications to an XML file via a Windows PowerShell script, and add a Windows registry entry to enable Outlook 2007 to access the XML file. You can use message classification with Exchange Server 2007 transport rules to limit messages to certain senders or recipients.

Microsoft Office Outlook 2007 includes a new feature called message classification—not to be confused with Outlook’s message categories. Classifying a message enables it to convey additional metadata about the message to the recipient—for example, information about the message’s intended audience, content, or use. By providing such information, message classification can assist companies with regulatory and policy compliance as messages move through an organization. Administrators can enable Outlook to use the default classifications included in Outlook 2007, such as Attorney/Client Privileged (A/C Privileged), or define their own classifications for specific needs or locales. However,enabling and configuring Exchange Server 2007 and Outlook 2007 to support message classifications isn’t trivial. To use message classification, you need to perform several configuration steps in both Exchange and Outlook.

Configuring Message Classification in Exchange 2007
When you install Exchange 2007, the installation process saves some Windows PowerShell scripts in the Scripts folder; one of these scripts contains the Exchange 2007 default message classifications (which are XML files). The default script name and location is c:\program files\microsoft\exchange\scripts\Export-OutlookClassification.ps1.

To enable message classification in Exchange 2007, you need to export the default classifications from the PowerShell file to an XML file (named, for example, MessageClass.xml) by executing the following command from the script’s folder via Exchange Management Shell:

Get-MessageClassification | `<br>./Export-OutlookClassification.ps1 `<br>>path\MessageClass.xml

(Note: Some code in this article wraps to multiple lines because of space constraints in the print and PDF versions of the article.) The resulting MessageClass.xml file, which Listing 1 shows, contains these default classifications:

  • Attorney/Client Privilege (A/C Privileged)—This classification is for messages specifically between the company and its attorneys (i.e., they’re deemed to be covered by attorney-client privilege).
  • Attachment Removed— Exchange generates this classification to advise recipients that an attachment was removed from the message.
  • Company Confidential—The message contains confidential information.
  • Company Internal—Only company employees should be seeing content from this message classification.
  • Partner Mail—This classification applies to messages with content intended for specific vendors or strategic partners.

When you send a message in Outlook 2007, you can choose one of these default classifications for the message, as Figure 1 shows (more about this later).

Creating a New Message Classification
The XML file also represents the mechanism for customization of message-classification descriptors, which you do via Exchange Management Shell. PowerShell provides four commands to manage message classifications:

  • Get-MessageClassification—retrieves information about a specific classification
  • New-MessageClassification—creates a new message classification
  • Remove-MessageClassification—deletes a specific message classification
  • Set-MessageClassification—allows configuration of current message-classification items

You might want to create a message classification specific to your company; to do so, you’ll need to write a PowerShell command using the New-MessageClassification cmdlet. The sample command in Figure 2 creates a message classification called Executive Only Communication, which is specifically intended for communication between executives and the Human Resources department. The sample command includes the required parameters for New-MessageClassification. There are also several optional parameters that you can either implement in the cmdlet or configure later by using the Set-MessageClassification cmdlet. Exchange will assign optional parameters their defaults if you don’t explicitly configure them here. (You can find detailed information about the various optional switches for this command in the Powershell Help. Run the cmdlet

'get-help new-messageclassification `
 -detailed'

to obtain a complete explanation of the switches available for this command.) Additionally, Exchange will assign a globally unique identifier (GUID) to the message classification when creating it.

After creating the new message classification, you’ll need to export an updated list of message classifications to a new XML file and distribute that to your Outlook 2007 clients that can use it. To do so, once again run the export command that you ran earlier to obtain the defaults. This time, you’ll see that the new classification resides in the XML file. Then copy that XML file to the location where the Outlook 2007 client can reference it. In our example, I’ve placed the XML file on the local machine, but it could be served from a network location, although doing so would render the XML file and classification unavailable for offline use. You can push out the file by a number of mechanisms, such as using a logon script, a Group Policy Object (GPO), or Microsoft Systems Management Server (SMS).

Using Message Classifications
In Exchange 2007, message classifications can be useful for compliance and policy management. However, keep in mind that one limitation of message classification is that it’s dependent on a user’s action; an Outlook user needs to select a classification for a message before sending it.

Alternatively, you could define a transport rule on your Exchange 2007 server to assign a message classification based on another parameter. Note that in Exchange 2007, the Hub Transport server role handles message classification, and the Exchange transport agents recognize classification. An administrator can implement message-transport rules on the Hub Transport server, which can take actions based on message classification, such as preventing delivery of a message to an unauthorized person. So, for example, you could use a transport rule to block messages with the Company Confidential classification (i.e., messages sent from the CFO) from being sent to certain groups of people. Either way, once an Outlook user selects a message classification or one is applied through a transport rule, Exchange 2007 can reference that value in applying subsequent message transport rules.

A basic rule might enforce an ethical wall where messages flagged with the new Executive Only Communication classification can be sent only to members of the Executives and Human Resources groups, assuming these groups exist in Active Directory (AD). You can even bounce a custom Delivery Status Notification message back to the internal sender advising that the sender cannot send a classified message outside of allowable addresses. The existence or lack of a specific message classification can be used to control a message’s delivery.

You can define a transport rule that applies to messages with a particular classification through Exchange Management Console. As you can see in Figure 3, I’ve assembled a transport rule called Executive-Confidential that limits messages with the Executive Only Communication classification. Listing 2 shows the Exchange Management Shell (PowerShell) code for that rule. Unauthorized senders of messages flagged with the Executive Only Communication classification will receive the RejectMessageAction.

Using Message Classification in Outlook 2007
To enable message classification on an Outlook 2007 client, you must add a registry entry advising Outlook where to get the XML file containing the classifications. Copy the text in Listing 3, which contains the new registry entry, into Notepad, then save it as a .reg file. Executing the registry file on the client will configure the Outlook 2007 installation for that user to display message classifications in Outlook. Of course, you can manually enter the registry changes instead.

Outlook 2007 will now show the message classifications found in the XML file referenced through the Set Permissions button in the Options area of the new-message ribbon, as Figure 1 shows. This button is also where you’d control Information Rights Management (IRM) in Outlook.

The new Executive Only Communication message classification is now available for use by enabled Outlook 2007 clients that use Exchange 2007. After you’ve copied the XML file to the appropriate location, matching the previously mentioned registry entry, the user will need to restart Outlook because Outlook reads the XML file’s content at startup. Figure 4 shows the new message classification selected for a new message. The text at the top of the sender’s window is directly from the -SenderDescription value assigned in our New-MessageClassification cmdlet. The new transport rule is set to reject messages with the new classification if the recipient isn’t a member of the Executives or Human Resources groups. Figure 5 shows the Delivery Status Notification message sent after a user tried to send such a classified message to someone outside of those groups.

Note that Microsoft Office Outlook Web Access (OWA) for Exchange 2007 will also display the new message classifications, as Figure 6 shows, with a yellow bar atop the message in the preview pane. However, you can’t use the OWA interface to assign message classifications.

Worth the Effort
Although message classification requires a little effort to set up, it’s a powerful new tool for supporting compliance and auditing in your Exchange 2007 environment. By using message classification, you can help secure communication between groups of people in your company. And by defining transport rules associated with specific classifications, you can help prevent confidential content from getting into the wrong mailboxes.