

Configure an Ethical Wall

Applies to: Exchange Server 2010

An ethical wall is a zone of non-communication between distinct departments of a business or organization to prevent conflicts of interest that might result in the inappropriate release of sensitive information. You can use Microsoft Exchange Server 2010 to configure ethical walls that comply with your organization's compliance policies and with regulations and laws that apply to your organization. For more information about ethical walls, see Understanding Ethical Walls.

To create an ethical wall, use the same procedure that you use to create a transport rule. When you implement an ethical wall by creating a transport rule, you can configure conditions and exceptions to control which e-mail messages the ethical wall blocks.

Warning

Before you create or modify transport rules in your production environment, we recommend that you use a test environment to understand how transport rules work. Test all rules before creating them in a production environment.
Ethical walls can block all messages if you don't define an appropriate scope. When you create a transport rule to enforce an ethical wall, you must specify conditions to define which recipients and senders are prohibited from sending messages to each other. If you don't specify any conditions, you must specify exceptions to narrow the scope of the transport rule. If you don't specify conditions or exceptions, the transport rule will block all messages sent to or from recipients or senders in your organization.

Prerequisites

Messages must be routed through an Exchange 2010 Hub Transport server for transport rules to be applied. This isn't a prerequisite for creating a transport rule, but a rule has no effect on a message that no Exchange 2010 Hub Transport server routes.

Use the EMC to create an ethical wall

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Transport rules" entry in the Messaging Policy and Compliance Permissions topic.

  1. In the console tree, navigate to Organization Configuration > Hub Transport.
  2. In the action pane, click New Transport Rule.
  3. On the Introduction page, complete the following fields:
    • Name   Enter a name for the transport rule.
    • Comment   [Optional] Type any notes for the rule.
    • Enable Rule   If you want the rule to be created in a disabled state, clear this check box.
  4. On the Conditions page, complete the following steps:
    1. In the Step 1. Select condition(s) box, select all the conditions that you want to apply to this rule.

      Note

      The between members of distribution list and distribution list condition is well suited for transport rules that enforce ethical walls.

    2. If you selected conditions in the previous step, in the Step 2. Edit the rule description by clicking an underlined value box, click each blue underlined word.
      When you click a blue underlined word, a new window opens to prompt you for the values to apply to the condition. Select the values that you want to apply, or type the values manually. If the window requires that you manually add values to a list, type a value. Then click Add. Repeat this process until you have entered all the values, and then click OK to close the window.

    3. Repeat the previous step for each condition that you selected. After you configure all the conditions, click Next.

  5. On the Actions page, complete the following steps:
    1. In the Step 1. Select actions box, click send rejection message to sender with enhanced status code. This transport rule action deletes the message and returns a non-delivery report (NDR) to the sender of the message.
    2. In the Step 2. Edit the rule description by clicking an underlined value box, follow these steps:
      Click rejection message. In the Specify rejection message dialog box, enter the text to display in the Diagnostic information for administrators section of the NDR that's sent to the sender of the rejected message. When you're finished, click OK.
      Click enhanced status code. In the Specify Enhanced Status Code dialog box, enter the delivery status notification (DSN) code you want to display in the Diagnostic information for administrators section of the NDR that's sent to the sender of the rejected message. Valid enhanced status code values are 5.7.1, and any value from 5.7.10 through 5.7.999. When you're finished, click OK. For more information about how Exchange 2010 associates a DSN code with a transport rule, see Associate a DSN Message with a Transport Rule.
      (Screenshot: the modified transport rule, showing the ethical wall created by using a transport rule.)
    3. If you want to add more actions, repeat the previous step and select the transport rule actions that you want to apply. After you configure all the actions, click Next.
  6. On the Exceptions page, complete the following optional fields:
    1. In the Step 1. Select exceptions if necessary box, select all the exceptions that you want to apply to this rule. You aren't required to select any exceptions.
    2. If you selected exceptions, in the Step 2. Edit the rule description by clicking an underlined value box, click each blue underlined word.
      When you click a blue underlined word, a new window opens to prompt you to select the items that you want to add or to type the values manually. When you're finished, click OK to close the window.
    3. Repeat the previous step for each exception that you selected. After you configure all the exceptions, click Next.
  7. On the Create Rule page, review the Configuration Summary. If you're satisfied with the configuration of the new rule, click New, and then click Finish.

Use the Shell to create an ethical wall

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Transport rules" entry in the Messaging Policy and Compliance Permissions topic.

In this example, Woodgrove Bank wants to prevent members of its Brokerage group and the Sales group from communicating. The bank decides to implement an ethical wall between the two groups by using a transport rule.

Predicate   The BetweenMemberOf transport rule predicate is used to prohibit the members of the Brokerage Group distribution group and the Sales Group distribution group from communicating with each other. The BetweenMemberOf transport rule predicate is well suited for transport rules that enforce ethical walls. For more information about transport rule predicates, see Transport Rule Predicates.

Exception   Woodgrove Bank wants to create an exception to this policy that allows members of the Executive Group distribution group, who may also belong to either of the two groups, to communicate. The ExceptIfFromMemberOf predicate is used to implement this exception.

Action   The RejectMessage transport rule action is used to block messages sent to a prohibited recipient. When the RejectMessage transport rule action is applied to a message, an NDR is returned to the sender of the message, and the message itself is deleted. You can configure the user information text and the DSN code and message that are displayed in the administrator section of the NDR.

You can modify the text that's displayed to the sender in the Diagnostic information for administrators section of the NDR. This text can provide helpful information to enable the administrator to understand why the message was rejected.

DSN Codes   By default, the RejectMessage transport rule action uses the enhanced status code 5.7.1. You can modify the DSN code returned by specifying a custom DSN code. A custom DSN code must be associated with a custom DSN message. The DSN message appears in the user information section of the NDR. Specifying a custom DSN code allows you to provide the sender with more detailed information. You can also refer the sender to an internal or public Web page that contains more information about the specific policy or regulation.

This example specifies a new, unused custom DSN code in the RejectMessageEnhancedStatusCode parameter.

New-TransportRule "Sample Ethical Wall" -Enabled $true -BetweenMemberOf1 BrokerageGroup@woodgrovebank.com -BetweenMemberOf2 SalesGroup@woodgrovebank.com -ExceptIfFromMemberOf ExecutivesGroup@woodgrovebank.com -RejectMessageReasonText "Sample Rejection Message" -RejectMessageEnhancedStatusCode '5.7.228'

This example then creates the custom DSN code and specifies the text that should be displayed when a message is returned with that DSN code.

New-SystemMessage -DsnCode 5.7.228 -Internal $true -Language En -Text "A message was sent that violates company policy #123. For more information, please contact the Compliance department."

For more information about what values are accepted and how Exchange 2010 associates a DSN code with a transport rule, see Associate a DSN Message with a Transport Rule.

For detailed syntax and parameter information, see New-TransportRule and New-SystemMessage.
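The following script is an added example, not part of the original Microsoft article, that puts the Woodgrove Bank scenario from the EMC and Shell procedures above into a staged form a practitioner would use: it creates the custom DSN message before the rule that references it, creates the rule disabled, refuses to enable a rule that has neither conditions nor exceptions (the case the warning at the top of the topic describes), and lists users who belong to both walled groups so the executive exception can be confirmed before the wall goes live. The group addresses, rule name and DSN code are the ones used in the Shell example above; the overlap check assumes the three groups are ordinary distribution groups whose members Get-DistributionGroupMember can enumerate. The cmdlets used (New-SystemMessage, Get-SystemMessage, New-TransportRule, Get-TransportRule, Get-DistributionGroupMember, Enable-TransportRule) are standard Exchange 2010 Management Shell cmdlets.

```powershell
# Added example (not from the original article): stage the Woodgrove Bank ethical
# wall safely. Names and addresses are taken from the article's Shell example;
# the overlap check assumes ordinary (non-dynamic) distribution groups.

$Brokerage  = 'BrokerageGroup@woodgrovebank.com'
$Sales      = 'SalesGroup@woodgrovebank.com'
$Executives = 'ExecutivesGroup@woodgrovebank.com'
$RuleName   = 'Sample Ethical Wall'
$DsnCode    = '5.7.228'

# 1. Create the custom DSN message first, so the code the rule references already
#    has user information text. Identity format is <Language>\<Internal|External>\<code>.
if (-not (Get-SystemMessage -Identity "En\Internal\$DsnCode" -ErrorAction SilentlyContinue)) {
    New-SystemMessage -DsnCode $DsnCode -Internal $true -Language En `
        -Text 'A message was sent that violates company policy #123. For more information, please contact the Compliance department.'
}

# 2. Create the rule disabled so nothing is blocked until the scope has been reviewed.
New-TransportRule -Name $RuleName -Enabled $false `
    -BetweenMemberOf1 $Brokerage -BetweenMemberOf2 $Sales `
    -ExceptIfFromMemberOf $Executives `
    -RejectMessageReasonText 'Sample Rejection Message' `
    -RejectMessageEnhancedStatusCode $DsnCode

# 3. Scope check: a rule with neither conditions nor exceptions rejects every
#    message sent to or from the organization, so never enable one.
$rule = Get-TransportRule -Identity $RuleName
if (-not $rule.Conditions -and -not $rule.Exceptions) {
    throw "Rule '$RuleName' has no conditions or exceptions and would block all mail; not enabling it."
}
$rule | Format-List Name, State, BetweenMemberOf1, BetweenMemberOf2, ExceptIfFromMemberOf, `
                    RejectMessageEnhancedStatusCode, RejectMessageReasonText

# 4. Review who sits on both sides of the wall. A user who is a member of both
#    groups is matched in both directions; report whether the executive exception
#    covers each such user so the exception group can be corrected before enabling.
function Get-MemberAddresses([string]$Group) {
    Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress.ToString() }
}
$brokerageMembers = Get-MemberAddresses $Brokerage
$salesMembers     = Get-MemberAddresses $Sales
$execMembers      = Get-MemberAddresses $Executives

$overlap = $brokerageMembers | Where-Object { $salesMembers -contains $_ }
foreach ($addr in $overlap) {
    if ($execMembers -contains $addr) {
        Write-Host "$addr is in both groups: covered by the executive exception"
    } else {
        Write-Host "$addr is in both groups: NOT covered by any exception; review before enabling"
    }
}

# 5. Enable only after the review above and after testing in a lab environment,
#    as the warning at the top of the topic recommends.
# Enable-TransportRule -Identity $RuleName
```

Run the script in the Exchange Management Shell on a test environment first. Step 3 is the guard the warning asks for: if a rule somehow ends up with an empty condition and exception set, it is left disabled and the script stops. Step 4 only reports; it does not change group membership, because whether an overlapping user should be able to cross the wall is a compliance decision, not something the script can infer.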