Information Security Policies for Exchange Server 2007
The next few sections outline policies that relate to messaging and that should be a part of your overall information security policies. Several examples are listed to help illustrate the points.
Because users need to authenticate to an Exchange Server 2007 server, and because they need to be authenticated in the Active Directory environment, you need password policies. Such policies could include the following topics:
Minimum password length
Reuse of old passwords prohibited
User-selected passwords prohibited
Storage of passwords
Anonymous user IDs prohibited (consider Microsoft Outlook Web Access)
Displaying and printing of passwords
Periodic password changes ...