Security: OWA Users vs Domain Users
Hello,

I am currently rolling out an Exchange 2007 server as a replacement for Merak IceWarp. I am not very experienced in this particular area and I am looking to see if there are any holes or flaws in the design and layout of my user configuration and domain security. Here is our situation...

In essence, we have 2 classes of users: Internal and External.

Internal Users are users who work out of our office and who have full domain user accounts and standard domain access. (~20 users)

External Users are, for lack of a better description, contract/field employees that have NO domain access but require mailboxes and webmail (OWA). (~750 users)

Initially, I planned to use disabled user accounts in AD and Room Mailboxes associated with those accounts; however, disabled users cannot log into OWA, so I devised this strategy. I have my users segregated into 2 main OUs, Internal and External. Any user in the External OU is also in an External security group as well. This is handled by a PowerShell script so that the two stay in sync at all times. On the domain policy level I have added the following...

Policy                                          Setting
Deny access to this computer from the network   Domain\Domain External Users
Deny log on as a batch job                      Domain\Domain External Users
Deny log on as a service                        Domain\Domain External Users
Deny log on locally                             Domain\Domain External Users
Deny log on through Terminal Services           Domain\Domain External Users

This allows these users access to OWA but no access to any other network resources. Are there any further steps I should take to secure my domain? Does anyone have any further advice?

Thanks
Jeff Waskiewicz
January 9th, 2009 11:16pm
Issue description: How to secure the user accounts, so they can have the permissions to access the mailboxes via OWA but not any other resources in the domain?
You can also restrict all external users' remote access permission by Dial-in or VPN, so external users can't remotely visit domain resources.

Setting location: ADUC -> Properties of external user -> Dial-in tab [Please use ADModify for bulk modifying users]

Notes: Since the question is more inclined to restricting the permissions in AD rather than handling issues in Exchange, I suggest you use the Windows Server 2008 forum for more advice from AD experts.
January 12th, 2009 12:43pm
Well, the main reason I asked it here was to thresh out what permissions OWA required to work.

I found out today that after applying those policies I cannot log into OWA with any of those accounts. I get a security failure in the audit log..

Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: user
Account Domain: XXXXX
Failure Information:
Failure Reason: The user has not been granted the requested logon type at this machine.
Status: 0xc000015b
Sub Status: 0x0

...based on what I have found so far, OWA will not work with these two permissions on the Exchange Server and Domain Controllers:

Deny access to this computer from the network
Deny log on locally

If I override these everything seems to work OK, but that seems to be rather a lot of permissions for OWA to work?
January 13th, 2009 7:08pm
Just in case anyone else ever bumps across this looking for advice, here is what I ended up doing...

Default Domain Policy

Policy                                          Setting
Deny access to this computer from the network   Domain\Domain External Users
Deny log on as a batch job                      Domain\Domain External Users
Deny log on as a service                        Domain\Domain External Users
Deny log on locally                             Domain\Domain External Users
Deny log on through Terminal Services           Domain\Domain External Users

Default Domain Controller Policy: Override
Deny access to this computer from the network

Exchange Server Policy: Override
Deny access to this computer from the network &
Deny log on locally

I added James' suggestion and used a PowerShell script to restrict all users in that OU from Dial-in/VPN access. So far it seems good...

If anyone sees anything I missed or has further suggestions, let me know.

Regards,
Jeff
January 15th, 2009 6:45pm
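The two scripted pieces of the design above (keeping the External OU and the "Domain External Users" group in sync, and denying Dial-in/VPN for every account in that OU) as one added example; this is not Jeff's script, it uses the ActiveDirectory module rather than whatever he ran in 2009, and the OU distinguished name and log path are assumed placeholders.

```powershell
# Added example (not from the thread): sync the External OU with the
# "Domain External Users" group and deny dial-in/VPN for those accounts.
Import-Module ActiveDirectory

$externalOU  = 'OU=External,DC=example,DC=local'        # ASSUMED: your External OU DN
$externalGrp = 'Domain External Users'                  # group name used in the thread
$logPath     = "$env:ProgramData\ExternalUserSync.log"  # ASSUMED: log location

# Every user account under the External OU, with the dial-in attribute loaded
$ouUsers = Get-ADUser -SearchBase $externalOU -SearchScope Subtree -Filter * `
               -Properties msNPAllowDialin
$ouSids = @{}
foreach ($u in $ouUsers) { $ouSids[$u.SID.Value] = $u }

# Current user members of the security group, keyed by SID (robust to renames)
$members = Get-ADGroupMember -Identity $externalGrp | Where-Object { $_.objectClass -eq 'user' }
$memberSids = @{}
foreach ($m in $members) { $memberSids[$m.SID.Value] = $m }

# 1) Anyone in the OU but not in the group gets the deny-logon group membership
$toAdd = @($ouUsers | Where-Object { -not $memberSids.ContainsKey($_.SID.Value) })
if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $externalGrp -Members $toAdd }

# 2) Anyone still in the group but no longer in the OU (moved to Internal, etc.)
#    is removed so the deny rights only ever apply to current external users
$toRemove = @($members | Where-Object { -not $ouSids.ContainsKey($_.SID.Value) })
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $externalGrp -Members $toRemove -Confirm:$false
}

# 3) Deny dial-in/VPN (the ADUC "Dial-in" tab) where it is not already denied;
#    msNPAllowDialin = $false is the "Deny access" radio button
$toDeny = @($ouUsers | Where-Object { $_.msNPAllowDialin -ne $false })
foreach ($u in $toDeny) { Set-ADUser -Identity $u -Replace @{ msNPAllowDialin = $false } }

# Audit trail so drift between OU and group is visible on each scheduled run
'{0} sync: added {1}, removed {2}, dial-in denied on {3}' -f (Get-Date), `
    $toAdd.Count, $toRemove.Count, $toDeny.Count | Add-Content -Path $logPath
```

Run it on a schedule from a management host; the membership diff in the log is also the quickest way to spot an external account that was moved or created outside the OU without picking up the deny rights.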
Glad you figured it out and shared it here
January 16th, 2009 4:10am