Exchange 2013 In-Place Hold and In-Place eDiscovery (Part 1)

If you would like to read the other parts in this article series please go to:

Introduction

E-mail has become one of the most important forms of communication for information workers in organizations of all sizes. Messaging stores and mailboxes have become repositories of valuable data. It is important for organizations to formalize messaging policies that dictate the fair use of messaging systems, provide user guidelines for how to act on the policies, and where required, provide details about the types of communication that may not be allowed.

Organizations must also create policies to manage e-mail lifecycle, retain messages for the length of time based on business, legal and regulatory requirements, preserve e-mail records for litigation and investigation purposes, and be prepared to search and provide the required email records to fulfill eDiscovery requests.

Leakage of sensitive information such as intellectual property, business plans or personally identifiable information must also be protected.

The following table provides an overview of the messaging policy and compliance features in Exchange 2013:

Feature Description
Messaging Records   Management (MRM) To meet legal or business requirements, organizations include e-mail lifecycle policies as part of their messaging policy. Exchange 2013 includes MRM features that allow administrators to implement organization’s e-mail lifecycle policies.

MRM can be used to apply uniform retention settings to all messages, or to allow users to classify messages so that they can be retained for a specified duration.

In-Place Archiving In-Place Archiving helps regain control of the organization's messaging data by eliminating the need for personal store (.pst) files and allowing users to store messages in an archive mailbox accessible in and Outlook Web App. In-Place Hold Organizations are required to preserve electronically stored information, including e-mail that is relevant to a litigation case. In-Place Hold allows the search and preservation of messages matching query parameters. Messages are protected from deletion, modification, and tampering and can be preserved indefinitely or for a specified period. In-Place eDiscovery In-Place eDiscovery allows the search of mailbox data across an Exchange organization, preview search results and copy them to a Discovery mailbox. Journaling Journaling can also help organizations respond to legal, regulatory and organizational compliance requirements by recording inbound and outbound e-mail communications. Transport Rules Transport rules can look for specific conditions for messages that pass through an organization and   then take action on them. Transport rules can also apply messaging policies to e-mail messages, secure messages, protect messaging systems and prevent information leakage. Data Loss Prevention   (DLP) DLP capabilities help protect sensitive data and inform users of policies and regulations. DLP can   also help prevent users from mistakenly sending sensitive information to unauthorized people. Information Rights   Management (IRM) IRM provides persistent online and offline protection for e-mail messages and attachments using Active Directory Rights Management Services (AD RMS). Mailbox audit logging Because mailboxes can potentially contain sensitive, high business impact information, it is important to keep track of who logs on to the mailboxes in an organization and what actions are taken. It is especially important to track access to mailboxes by users other than the mailbox owner (known as delegate users). Mailbox audit logging logs mailbox access by mailbox owners, delegates   (including administrators with full mailbox access permissions) and administrators. Administrator audit logging Administrator audit logging keeps a log of changes made by administrators to an Exchange environment. They can be used as part of a change control process or to track changes and access to configuration and recipients for compliance purposes.

Table 1

Immutability of data is another key feature of any messaging and archiving product and the way Exchange treats immutability is slightly different from other products. Traditionally, immutability was associated with WORM storage that would guarantee that the data could not be tampered with once it was written to disk. In Exchange, this is all done at the software level using the In-Place Archive feature, and is fully independent from the storage used.

Exchange 2013 also introduced improvements to In-Place Hold (previously known as Litigation Hold) and In-Place eDiscovery (previously called Multi-Mailbox Search) in order to help organizations meet their compliance needs. These two features are what we will be covering in this article series, with Rights Management covered in a future article. Note that practically all other topics have already been covered here at MSExchange.org.

In-Place Hold

If an organization is involved in a legal action, it may have to take steps to preserve relevant data, such as e-mail messages, that may be used as evidence. In situations like this, administrators may have to retain all e-mails sent and received by specific people or by the entire organization for a specific period of time. The purpose of In-Place Hold is to address this and preserve mailbox items that need to be held, without having to move them to a separate repository. In-Place Hold prevents the destruction or alteration of evidence which could have a catastrophic impact on the defense or accusation, and could expose the organization to legal and financial risks.

With Exchange 2013, administrators can now easily define policies that specify whether items should be preserved indefinitely, according to their age, or based on keyword contents. Once an item is identified as the target of a hold, Exchange performs copy-on-write operations to preserve both the original item and all changes made to it.

While in Exchange 2010, administrators could only either hold all mailbox data indefinitely or until the hold was removed, in Exchange 2013 In-Place Hold allows administrators to specify what to hold and for how long to hold it for. This allows administrators to create granular hold policies to preserve mailbox items in the following scenarios:

  • Indefinite In-Place Hold is similar to litigation hold in Exchange 2010 as it is intended to preserve all mailbox items indefinitely, during which period items are never deleted;
  • Query-based In-Place Hold preserves items based on specified query parameters such as keywords, senders and recipients, start and end dates, and also item types such as e-mails, calendar items, etc. After a query-based In-Place Hold is created, all existing and future mailbox items (including e-mails received at a later date) that match the query parameters are preserved. Note that a query-based hold cannot be used to place unsearchable items on hold (items that could not be indexed by Exchange Search);
  • Time-based In-Place Hold allows administrators to specify an exact duration of time to hold items for. The duration is calculated from the date a mailbox item is received or created. For example, if a mailbox is placed on a time-based hold with a retention period of 365 days and an e-mail is deleted after 300 days from the date it was received, it is held for an additional 65 days before being permanently deleted;
  • Multiple holds - place a user on multiple holds to meet different case requirements. In this scenario, search parameters of all In-Place Holds are applied together using an OR operator. If a mailbox is placed on more than five holds, all items are held until the holds are removed, replicating the indefinite hold behavior until the number of holds on the mailbox is reduced to five or less.

Preserving Lync Content

Exchange 2013, Lync 2013 and SharePoint 2013 provide an integrated preservation and eDiscovery experience that allows administrators to preserve and search items across the different data stores. As such, Exchange 2013 allows the archive of Lync 2013 content in Exchange, removing the requirement of having a separate SQL Server database to store archived Lync content.

When placing a mailbox on In-Place Hold, Lync content (such as instant messaging conversations and files shared in online meetings) are archived in the mailbox. Searching the mailbox using the eDiscovery Center in SharePoint 2013 or In-Place eDiscovery in Exchange 2013, any archived Lync content matching the search query is also returned.

To enable archiving of Lync 2013 content in Exchange 2013, administrators must configure Lync integration with Exchange.

Conclusion

In the first part of this article series, we introduced In-Place Hold and its main differences when compared to Litigation Hold in Exchange 2010. In the next article, we will go through placing mailboxes on In-Place Hold.

If you would like to read the other parts in this article series please go to:

Nuno Mota

Nuno Mota is an Exchange MVP working as a Microsoft Messaging Specialist for a financial institution. He is passionate about Exchange, Lync, Active Directory, PowerShell, and Security. Besides writing his personal Exchange blog, LetsExchange.blogspot.com, he regularly participates in the Exchange TechNet forums and is the author of the book “Microsoft Exchange Server 2013 High Availability.”

Share
Published by
Nuno Mota

Recent Posts

Qumulo raises $125M for cloud data management across a hybrid setup

Qumulo is an up-and-coming data management solution focusing on managing files in a hybrid setup.…

2 days ago

Why SMBs need a standalone solution for Windows 10 patch management

Is patch management for the Windows PCs at your business driving you crazy? Maybe there's…

2 days ago

Microsoft Teams guest access: How to enable and manage it

Two of the main factors that affect the total cost of an organization’s Microsoft 365…

2 days ago

Samsung Galaxy Unpacked 2020: Everything you need to know

Samsung rolled out the all-new Galaxy Z Fold 2, Note 20, Note 20 Ultra handsets…

3 days ago

SAN vs. NAS: Detailed comparison of these two storage technologies

SAN and NAS provide dedicated storage for a group of users using completely different approaches…

3 days ago

Generation 1 virtual machines: Modernize them and bring them up to date

In many companies, Generation 1 virtual machines have been superseded by Gen 2 VMs. But…

3 days ago