If you don't trust your admins, fire them and hire new admins. There's little you can do to prevent a malicious admin from bypassing security controls. I would be surprised if PCI requires that you protect your servers and the data on those servers from your admins.
You can look at the Outlook crypto settings (User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Cryptography in group policy), and you can also look at DRM, such as Microsoft's Rights Management Services. These will encrypt the email messages at the client and they should remain encrypted on the servers, but a malicious admin can get around these countermeasures in a variety of ways, e.g. they can change the RMS policies to grant themselves the right to read messages regardless of who wrote them or they could install a rootkit and keystroke logger that collects the executive's logon credentials and later log onto the executive's computer to examine whatever files they want.

-----Original Message-----
From: Edgar Zapata [mailto:[email protected]]
Sent: Wednesday, January 12, 2011 9:30 AM
To: Kurt Dillard; [email protected]
Subject: RE: HOW TO encrypt and store mail

Thanks Kurt.

I guess that won't do. As far as I know, and based on the tests that we've been performing, it only provides for a way so in case the disks are robbed/stolen they won't be readable unless you have a key (stored in, say, a removable USB drive). It won't prevent the system admin from reading the contents of the mails or even making copies of the .edb and .stm files for later misuse.

We're still searching and testing so I'm open to suggestions.

Thank you.

Edgar Zapata
EMEA Data Systems
+34 913.797.460 T
+34 680.398.372 M
[email protected]
Sitel
Calle Impresores, 20 - Planta 2
Parque Empresarial Prado del Espino
Boadilla del Monte - Madrid 28660 SPAIN
www.sitel.com

-----Original Message-----
From: Kurt Dillard [mailto:[email protected]]
Sent: Wednesday, January 12, 2011 18:22
To: Edgar Zapata; [email protected]
Subject: RE: HOW TO encrypt and store mail

You're using Windows Server 2008, so why not use BitLocker to encrypt the entire drive?

Regards,
Kurt

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Edgar Zapata
Sent: Wednesday, January 12, 2011 8:09 AM
To: [email protected]
Subject: HOW TO encrypt and store mail

Hello,

We are looking for a solution to store and encrypt mails. We need to comply with PCI (Payment Card Industry) standards. We have Windows 2008 and Exchange 2007 SP2. So far, we haven't found a way to encrypt and store mail in Exchange. We'll be encrypting communications with TLS. Plus, we need to use OE (Outlook Express) so we can use IMAP for incoming mail and SMTP for outgoing e-mail.

Any ideas/suggestions are more than welcome.

Thank you.

**CONFIDENTIAL NOTICE** This e-mail and any files transmitted with it may contain PRIVILEGED or CONFIDENTIAL information and may be read or used only by the intended recipient. If you are not the intended recipient of the e-mail or any of its attachments, please be advised that you have received this e-mail in error and that any use, dissemination, distribution, forwarding, printing, or copying of this e-mail or any attached files is strictly prohibited. If you have received this e-mail in error, please immediately purge it and all attachments and notify the sender by reply e-mail.
