Solved

Logical security and administration delegation within Exchange 2003

Posted on 2008-10-11
3
208 Views
Last Modified: 2012-05-05
Hi Guys

I was searching for some tips/guidelines to design Administration delegation and access control for our newly implemented exchange organisation built upon 2003. There are various locations across the globe and the underlying Windows 2003 R2 infrastructure is that of a single forest/domain architecture.

Pls advise the best practices to go about logically securing this exchange organisation.

Thx in advance!  
0
Comment
Question by:fahim
  • 2
3 Comments
 
LVL 8

Expert Comment

by:sstone55423
Comment Utility
This is a very general question.  SO, you will probably get general answers, if any.
 
Of course, with WIndwos 2003 R2 you can delegate administrative permissions over file system rights, roles, as well as exchange stores and roles within the stores.  You seem to indciate that the server structure for the forest and domain alreadty exist.  I assume that you have administrative rights delegated for those servers.  Are the exchange servers already set up and running, or are are you talking about a new implementation?  Do you know how you want to distribute your stores and the users for each store?  I assume they will probably be geographically distributed, and within that politically (by department -- or all departments sharing a store at a location).  WOuld it not make sense to distribute administrative rights to appropriate people along the same lines?
 
0
 

Author Comment

by:fahim
Comment Utility
Hi Stone..I'll be more specific. The need is define roles for exchange administrators while maintaining centralised authority. Yes, exchange server are already running. Stores are geographically distributed and further business unit wise (call it political) but not further demarcated. Centralised IT is managing all of them though. Also! Can't distribute admin rights across the same way and need to maintain strict central administration and confidentiality of user's mailboxes even from local admins.

From what I read in Microsoft's exchange security hardening guide, I have the option of three levels of administrative roles within Exchange.
 
1. Exchange View Only
2. Exchange administrator
3. Exchange Full administrator

It further sates within the description of Exchange Admin: "Grants all permissions except for ability to take ownership, change permissions, or open user mailboxes."

And describing the function of Exchange Full Admin: " Grants all permissions to all objects below that container except for the ability to open user mailboxes or impersonate a user's mailbox, including the ability to change permissions. "

Now which one of these roles has full authority over user's mailboxes? My guess is, Full Admin--Right?
So, guys in this category should be the least.

Further the doc explains exchange hierarchical levels:

Exchange provides three levels at which you can apply Access Control Lists (ACLs) and administrative permissions. The three levels are:

1. Organization Level  Includes all Exchange Administrative Groups and the Exchange servers they contain. This is the top level and users with administrative permissions at this level can manage the entire Exchange organization.

2. Administrative Group Level  This level includes all Exchange servers in the Administrative group. An administrative group can be compared to an Active Directory domain, where the domain is the administrative boundary.
3. Server Level

.....How do I decide and map my administrative permissions vis a vis these hierarchical levels in best possible ways?
0
 
LVL 8

Accepted Solution

by:
sstone55423 earned 500 total points
Comment Utility
The administrative group level would allow you on a domain by domain basis to limit access.  I don't know if your geograohical/departmental structure is consistent with that.  You may need to customize it based at a server by server level if the fit is not clean along the domain basis.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now