You may have noticed the following folder on the Duet 1.5 install media, under the “Microsoft | IT Administrator Files | Exchange Event Sink”. This folder contains the bits to install a Exchange Event Sink into your infrastructure’s Exchange server. The Exchange Event Sink documentation listed in our readme is to make sure customers are aware of potential security issues that can arise with Duet. Customers may be apprehensive about such a massive intervention to their existing productive Exchange infrastructure. This post will help explain the need for this component.
Details / explanation of the Duet 1.5 Exchange event sink
The Duet 1.5 install guide contains a section on how to register / install the “Exchange Event Sink” on all exchange servers where Duet users will receive new or forwarded control messages. Please also be aware that this solution does require registering of DLL’s on the Exchange Server to provide this functionality.
So why would we ask customers to install this into their environment? Its security of course. First, lets think about a scenario where a user accidently forwards a control message. Control Messages are how we move Duet information from the backend to the client. These messages are moved to a hidden folder on the client by a rule on the Exchange Server. Since the control message can have business data in an unencrypted form, it might lead to accidental information disclosure if the user forwards that control message. In practice, this is not a very common scenario because control messages should not be visible to the user, and thus the user should not be able to forward a control message. But it is indeed possible for these messages to show up in the Inbox, in rare occasions.
But if this does occur, and the user does forward such a message, Duet’s implementation of a Exchange Event Sink will go ahead and strip off the business data from the message so that this data is not exposed to a potential outside recipient. Thus keeping any personal data from being exposed.
Please note this Exchange event sink is only for solving the particular issue mentioned and has *no* impact on Duet functionality.