Configuring membership-blind mailing lists in Outlook for AD/external users with replay-all disabled?

Question

[Note: These needs are external demands from the client and can/will not change. Please keep that in mind when answering]

We have a small overworked 2.5 man Windows admin team (2 vets, 1 junior). As an I.T. infrastructure group, we have been asked to implement the following:

• We must set up mailing lists (dist. groups) for use in Outlook.
• All mailing lists will include internal AD Users and external mail contacts
• For all dist. groups, Reply-All for both internal users and external contacts should always fail, no exceptions. (A bounce is acceptable)
• SECURITY: If a person is not allowed to send to a distribution group, then:
  • It must be 100.000% guaranteed they are NEVER, IN ANY CONCEIVABLE WAY, allowed to discover the existence of the group, even if they are an internal AD user.
  • It must be 100.000% guaranteed they are NEVER, IN ANY CONCEIVABLE WAY, able to dig and determine what individual members are in a group, even if they are an internal AD user.

• SECURITY: If a person IS allowed to send to a security-enabled dist. group, then:

  • They must be able to see that group in a specific address book (we've done that already)
  • They must easily be able to determine who is in the group

• IN NO WAY, SHAPE, OR FORM, IS "USER-TRAINING" ALLOWED. People sending to these lists are extremely non-tech-savvy, extremely powerful within the organization politically, and will not change their habits in any way. This means we can't suggest they use the 'Bcc:' field. It also means we can't suggest "Don't click the '+' button to expand the group or you lose security."

Reminder - you can't change the facts above.

On a scale of 1 to 10, with 1 being 'Trivial' and 10 being 'A factual impossibility', where does this project rate? We have a manager that is cracking the whip, not understanding that the requirements, as stated precisely above, are pretty conflicting. Even given a reasonable amount of time, I don't think this can be done without a substantial inconvenience and risk to the overall AD infrastructure. (Extreme security permissions so users can't go digging through objects.)

I'm not so concerned with the guts and tech. details of how you'd implement such a thing, but feel free to share them. I'm more curious the feasibility of the above and how long it would take, IF it's even doable.

As you consider your answer, please keep the strict requirements in mind. We have triple-confirmed they can not bend, by even one word. For example, "You could use a custom mail client." Wrong. Outlook is the required client. "You could just hide the groups". Wrong. Someone in AD can still go digging and find them. Etc. etc.

THANK YOU!!! I'm a Unix guy who's heavily involved because I've gotten pretty decent with Powershell and have about 1,000 lines of code to help build and maintain these (thousands of) contacts and groups.

EDIT: I know there are a lot of good answers on this topic, but please keep your thoughts coming. I need as much ammunition as possible to take back to the business. Five people saying this is next to impossible is great. Ten people saying it is even better. Thanks everyone.

Answer 1

Here's my suggestion. While it doesn't answer your question it does give you a direction to follow to either:

1. Accomplish this

2. Unrefutably disprove it's viability

Open a support case with the Microsoft Exchange Server support team. It'll cost you less than US $300.00 and is going to either help you accomplish this or prove to the PHB that it's not possible.

Answer 2

10.

Say I'm an authorized user. I send an email to a super-secret group, and carbon copy someone who shouldn't know about it (or the message gets forwarded to them); "security" defeated. This scenario is pretty much guaranteed to occur when there's no training allowed.

One horribly ugly idea I'll throw out would be to write a custom transport agent to enforce some of the crazy confidentiality rules, as normal transport rules aren't at all flexible enough.

---

Authorized User 1 has a hallway conversation with Authorized User 2 about sending out a mail to Super Secret Group X. Unauthorized User 3 overhears. Group name compromised.

Treating distribution groups with the sensitivity level of nuclear secrets is pretty much destined for failure. As we've discussed in some of your previous questions, there are some means to hide groups on the Exchange side with a lot of wrangling, but when you're trying to enforce policy completely on the technical side and not on the human side at all, it's not going to work.

Answer 3

On your scale, given your requirements, I'd give this a 9.

Outside of significant amounts of code, exchange/outlook plugins, etc. Exchange/Outlook are just not designed to meet your needs. There are a lot of your requirements that are theoretically possible, but what breaks it for me is the:

It must be 100.000% guaranteed they are NEVER, IN ANY CONCEIVABLE WAY

Doing a lot of those things would be "rigs" at best, so I'd never be willing to back that statement.

Answer 4

Sounds basically impossible. Specifically...

It must be 100.000% guaranteed they are NEVER, IN ANY CONCEIVABLE WAY, able to dig and determine what individual members are in a group, even if they are an internal AD user.

and

They must easily be able to determine who is in the group

Don't really align themselves very well. As recommended by @joequerty I'd get MS on the phone (sounds like you are probably a pretty big shop and probably have a support contract in place) and see what they say about all this. They may have some super secret hacks they can use to make this happen that aren't published to the outside world.

Answer 5

This is email we're talking about - in the end, it's insecure by design. Get a secret document/communications system instead.

Why isn't encryption and digital rights management of the actual message content part of the requirement? Wouldn't that be a lot more important? ^^

tl;dr: Kill it, kill it with fire.

Answer 6

I would give it a 9.5 too. Another crazy idea (also on a 9.5 scale probably) is to deploy an Exchange server for each group and make them all work together. Or even an Exchange server for each of the users.

Given a million monke- .. err, developers, it could be done.

One side note. You should make it clear to the business that this might be feasible at extreme cost (thousands or tens or hundreds of thousands of $, depending who is doing it) technically. The social aspect (carbon copy, hallway leaks) is guaranteed to make some of the requirements fail.

Edit: beside the social aspect, you have external users which may have <strikethrough>spyware</strikethrough> contact managing application which will leak the group names.