Ability of Domain Admins to open another's mailbox
We have a new CIO who just figured out that domain admins can open others' mailboxes. He is concerned that there is no tracking mechanism and is concerned about abuse of power. Has anyone else been challenged with this?
Do you have a procedure on how to document these occurrences, or use software to track this?
Thanks
August 28th, 2008 6:28pm
What version of Exchange are you using? I think Exchange 2003 and later (maybe a service pack level) this has been changed. I'll find documentation and post back.
August 28th, 2008 7:13pm
see here:
http://technet.microsoft.com/en-us/library/aa996940(EXCHG.65).aspx
August 28th, 2008 7:19pm
Exchange 2007 does not allow an administrator to view others mailboxes by default. See this conversation here:
http://www.eggheadcafe.com/software/aspnet/30479343/exchange-2007-open-other.aspx
August 28th, 2008 8:01pm
Q: I have a third-party messaging application that requires full access to each user's mailbox. With Exchange Server 5.5, we grant a special account the Service Account Admin permissions, and then tell the application to use this account. How can I achieve similar functionality in Exchange 2007?
A: Exchange 2007 security works differently from that of Exchange Server 5.5. In fact, Exchange 2007 does not use a site service account. Instead, all services start as the local computer account.
If your logon account is the Administrator account, a member of the root Domain Administrators, a member of the Enterprise Administrators group, or a member of the Exchange Organization Administrators role, you are explicitly denied access to all mailboxes that are not your mailbox, even if you have full administrative rights over the Exchange system. All Exchange 2007 administrative tasks can be performed without having to grant an administrator sufficient rights to read other people's mail.
You can achieve the results that you want in the following ways, but do so only in accordance with your organization's security and privacy policies:
In the Exchange Management Shell, use the following command to allow access to all mailboxes on a given mailbox store:
    Add-ADPermission -identity "mailbox database" -user "serviceaccount" -ExtendedRights Receive-As
In the Exchange Management Shell, use the following command to allow access to an individual mailbox:
    Add-MailboxPermission -identity "user" -user "serviceaccount" -AccessRights FullAccess
http://technet.microsoft.com/en-us/library/bb310792(EXCHG.80).aspx
August 28th, 2008 8:04pm
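The two commands quoted above are how access gets granted; the CIO's question is how to see who currently holds it and when it was used. The script below is an added example, not code from this thread or from Microsoft's documentation. It is written for the Exchange 2007 Management Shell and uses Get-Mailbox, Get-MailboxPermission, Get-MailboxDatabase and Get-ADPermission (the read-side counterparts of the cmdlets in the TechNet excerpt); the property names it filters on (IsInherited, Deny, User, AccessRights, ExtendedRights) and the Information Store "Logons" diagnostic events are assumptions stated in the comments. The function names are my own.

```powershell
# Added example: inventory explicit mailbox-access grants and recent
# cross-mailbox logons so the "who can open whose mailbox" question has a
# written, reviewable answer. Not part of the original thread.
# Assumes the Exchange 2007 Management Shell; property names below are assumed.

function Get-ExplicitMailboxAccess {
    # FullAccess entries granted directly on a mailbox (what Add-MailboxPermission
    # creates). Inherited entries, Deny entries and the owner's own SELF entry
    # are the normal background and are filtered out so only explicit grants remain.
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                -not $_.IsInherited -and -not $_.Deny -and
                $_.User -notlike 'NT AUTHORITY\SELF' -and
                "$($_.AccessRights)" -match 'FullAccess'
            } |
            Select-Object @{n='Mailbox'; e={ $mbx.Alias }}, User, AccessRights
    }
}

function Get-DatabaseReceiveAs {
    # Receive-As on a mailbox database (what the quoted Add-ADPermission command
    # creates) reaches every mailbox in that database, so it deserves its own list.
    Get-MailboxDatabase | ForEach-Object {
        $db = $_
        Get-ADPermission -Identity $db.Identity |
            Where-Object {
                -not $_.IsInherited -and -not $_.Deny -and
                "$($_.ExtendedRights)" -match 'Receive-As'
            } |
            Select-Object @{n='Database'; e={ $db.Name }}, User, ExtendedRights
    }
}

function Get-ForeignMailboxLogons {
    param([int]$Newest = 5000)
    # Assumption: once the store's Logons diagnostic category is raised
    #   Set-EventLogLevel -Identity "MSExchangeIS\9000 Private\Logons" -Level Medium
    # the Information Store logs Application event 1016 whenever an account
    # opens a mailbox it is not the primary account for. This reads the most
    # recent Application entries and keeps only those events. -Newest is used
    # instead of -Source/-After so it also works on the PowerShell 1.0 shell.
    Get-EventLog -LogName Application -Newest $Newest |
        Where-Object { $_.Source -eq 'MSExchangeIS Mailbox Store' -and $_.EventID -eq 1016 } |
        Select-Object TimeGenerated, Message
}

# Usage: produce three CSV files a manager can sign off on and diff next month.
Get-ExplicitMailboxAccess | Export-Csv .\mailbox-fullaccess.csv -NoTypeInformation
Get-DatabaseReceiveAs     | Export-Csv .\database-receiveas.csv -NoTypeInformation
Get-ForeignMailboxLogons  | Export-Csv .\foreign-logons.csv     -NoTypeInformation
```

The two permission reports answer the standing-access question; the event report covers actual use. Keeping the CSVs from each run and comparing them is a cheap way to notice a grant that appeared without a matching change record, which is the tracking gap the original post describes.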
We granted ourselves access just like we had under 2003. My bigger question is, has anyone else been challenged on this area?
August 28th, 2008 8:15pm
I would say the answer is "yes". Which is why Microsoft changed the default behavior.
See here for auditing:
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1970977&SiteID=17
and
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.exchange.misc&tid=0b6abafb-4abe-4d23-85b7-8a5154f1844b&cat=en_US_ebfc6506-4b13-485c-880c-3723d4b551a6&lang=en&cr=US&sloc=&p=1
August 28th, 2008 8:20pm
Out of the box, E2K, E2K3, and E2K7 do NOT allow admins to have access to the mailbox, but you are missing the bigger issue. In most every messaging system in existence, someone with full admin access can manage to give themselves permissions to other people's mail. Trust of your admins (and hiring trustworthy admins) is of paramount importance.
This risk can be somewhat mitigated by having 2 person integrity on domain admin/enterprise admin accounts, DRM, and/or S/MIME technologies.
August 30th, 2008 11:39pm