Exchange 2007 SP1 and 2 serious security issue
Hi, I have just installed Exchange 2007 SP1 into a new child domain in an existing forest. There has been no previous Exchange installation in the forest, so I followed schema, ADprep, then domain preps, then installed a single mailbox server, then applied SP2. We intend to replace Groupwise for many reasons; however, an important one was to ensure mailbox security. The intention is to lock down mailbox access for all users to just a single Enterprise Admin account in the root domain (also the sole Exchange Org admin) to give confidence and assurance to the business that mailboxes could not be accessed. So far so good; however, in testing security to ensure that only the Exchange Org admins could assign mailbox access, I found what seems to be a serious security issue.

Basically I have a test domain admin account (TestAdmin) in the new child domain that is not any type of Exchange admin (org or recipient), just purely a domain admin for the child and not a domain admin in the root, and I can use this account to grant full mailbox access to itself, exactly what I want to avoid. To do this seems to be simple: TestAdmin creates a new user account (TestUser), but can't create a mailbox in EMC as he has not the permission. The test Exchange Org Admin then creates the mailbox in EMC. Before the TestUser can log on to the mailbox, the mailbox is not actually created in the background, and if TestAdmin then goes into EMC and uses "Manage Full Access Permission" on the new mailbox he can assign any user account, including himself, to full access. Once TestUser logs onto the mailbox the 1st time, the mailbox is created and the deny permissions on the mailbox are inherited. At this point TestAdmin cannot access the "Manage Full Access Permission" button as there is an access denied error message. However, the altered full access, e.g. TestAdmin, is still there.

This means that TestAdmin, without even being allowed any form of Exchange rights, can gain access to another user's mailbox if quick enough. This is also the case if TestAdmin is an Exchange Recipient Admin, as the problem is the lack of deny permissions before the mailbox is created. This does not seem to occur using the command shell... This seems to be a bad issue for us and I would like to ask if this is a "feature"?

Regards
September 15th, 2009 9:11pm

What you are describing is actually more of a "feature" than a bug. The actual mailbox permissions are stored on one of the user's attributes and then inherited by the mailbox in the Exchange database. A Domain Admin in any given domain must be able to edit any attribute of any object within his/her domain. You bring up an interesting point that I have made time and time again. You MUST trust your Domain Admins and Enterprise Admins for any domain in your forest. I am NOT advocating resource forests (Buddha forbid!!!!!) because I loathe resource forests. I think resource forests *usually, not always* generate more work and interoperability issues than they are worth. What I am advocating is hiring, training, and managing trustworthy, competent administrators. I am advocating creating a delegated permissions model in your Active Directory whereby Snuffy the account admin is given ONLY Account Operators permissions and Zippy the workstation admin is given only permissions to manage workstations. Putting people into Domain Admins is an easy way around actually solving a real problem (finding the permissions the person needs to do their job.) Anyways, that is my $0.02 worth. For better or worse, this is a "feature."

Jim McBee - Blog - http://mostlyexchange.blogspot.com
September 19th, 2009 4:18am

Hi Jim,

Thanks for taking the time to respond. I assumed that this was not a mistake in the installation or a bug but a feature. I agree that Domain Admins need to be trusted and managed properly etc., and I also agree that it is best practice to have delegated permissions short of Domain Admin for most IT Administrators. However, the main problem I have is that this issue only manifests itself using the EMC console, specifically with the "Manage Full Access Permission" button, which was introduced in SP1 to make administration of Exchange easier, not less safe. A Domain Admin, or delegated-rights administrator with no Exchange administrator rights whatsoever, can insert themselves into a user's mailbox, without the user or other Exchange Administrators knowing about it, if they are quick. When the mailbox has been physically created the normal security regime is in place and working. Thus we can have the scenario that a junior member of the IT staff whose responsibility is User Account Management (with or without domain admin rights) can create user accounts and gain full mailbox permission using the EMC without anyone being aware. Could not the code behind the button have an update to check if the mailbox has been created and not function if it has not? Would this be more in the spirit of the Exchange administrator security regime?

Regards, Giles
September 21st, 2009 1:10pm
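Since the thread establishes that a Full Access entry granted during the pre-first-logon window survives after the mailbox is physically created, the practical defence is to audit explicit Full Access grants regularly. The following is an added example for this thread, not code from either poster or from Microsoft; it assumes it is run in the Exchange 2007 Management Shell with at least View-Only Administrator rights, and the `$approved` list is a constructed placeholder for the single account that is meant to hold mailbox access.

```powershell
# Audit explicit (non-inherited) Full Access grants on every mailbox in the org.
# Constructed placeholder: the one account allowed to hold Full Access.
$approved = @('CONTOSO\ExchangeOrgAdmin')

$findings = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        # Only Full Access entries that were set directly on the mailbox object
        # (the thread's scenario), not inherited allow entries, and not denies.
        ($_.AccessRights -contains 'FullAccess') -and
        (-not $_.IsInherited) -and
        (-not $_.Deny) -and
        # The mailbox owner's own implicit entry is expected and not a finding.
        ($_.User.ToString() -ne 'NT AUTHORITY\SELF') -and
        ($approved -notcontains $_.User.ToString())
    } |
    Select-Object Identity, User, AccessRights

if ($findings) {
    # Each row is a trustee holding Full Access that the policy did not sanction.
    $findings | Format-Table -AutoSize
} else {
    'No unexpected explicit Full Access grants found.'
}
```

Running this on a schedule and diffing the output against the previous run surfaces a grant made through "Manage Full Access Permission" even when it was inserted before the mailbox existed in the database.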
