Solved

Logical security and administration delegation within Exchange 2003

Posted on 2008-10-11
3
215 Views
Last Modified: 2012-05-05
Hi Guys

I was searching for some tips/guidelines to design Administration delegation and access control for our newly implemented exchange organisation built upon 2003. There are various locations across the globe and the underlying Windows 2003 R2 infrastructure is that of a single forest/domain architecture.

Pls advise the best practices to go about logically securing this exchange organisation.

Thx in advance!  
0
Comment
Question by:fahim
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 8

Expert Comment

by:sstone55423
ID: 22694542
This is a very general question.  SO, you will probably get general answers, if any.
 
Of course, with WIndwos 2003 R2 you can delegate administrative permissions over file system rights, roles, as well as exchange stores and roles within the stores.  You seem to indciate that the server structure for the forest and domain alreadty exist.  I assume that you have administrative rights delegated for those servers.  Are the exchange servers already set up and running, or are are you talking about a new implementation?  Do you know how you want to distribute your stores and the users for each store?  I assume they will probably be geographically distributed, and within that politically (by department -- or all departments sharing a store at a location).  WOuld it not make sense to distribute administrative rights to appropriate people along the same lines?
 
0
 

Author Comment

by:fahim
ID: 22694925
Hi Stone..I'll be more specific. The need is define roles for exchange administrators while maintaining centralised authority. Yes, exchange server are already running. Stores are geographically distributed and further business unit wise (call it political) but not further demarcated. Centralised IT is managing all of them though. Also! Can't distribute admin rights across the same way and need to maintain strict central administration and confidentiality of user's mailboxes even from local admins.

From what I read in Microsoft's exchange security hardening guide, I have the option of three levels of administrative roles within Exchange.
 
1. Exchange View Only
2. Exchange administrator
3. Exchange Full administrator

It further sates within the description of Exchange Admin: "Grants all permissions except for ability to take ownership, change permissions, or open user mailboxes."

And describing the function of Exchange Full Admin: " Grants all permissions to all objects below that container except for the ability to open user mailboxes or impersonate a user's mailbox, including the ability to change permissions. "

Now which one of these roles has full authority over user's mailboxes? My guess is, Full Admin--Right?
So, guys in this category should be the least.

Further the doc explains exchange hierarchical levels:

Exchange provides three levels at which you can apply Access Control Lists (ACLs) and administrative permissions. The three levels are:

1. Organization Level  Includes all Exchange Administrative Groups and the Exchange servers they contain. This is the top level and users with administrative permissions at this level can manage the entire Exchange organization.

2. Administrative Group Level  This level includes all Exchange servers in the Administrative group. An administrative group can be compared to an Active Directory domain, where the domain is the administrative boundary.
3. Server Level

.....How do I decide and map my administrative permissions vis a vis these hierarchical levels in best possible ways?
0
 
LVL 8

Accepted Solution

by:
sstone55423 earned 500 total points
ID: 22721798
The administrative group level would allow you on a domain by domain basis to limit access.  I don't know if your geograohical/departmental structure is consistent with that.  You may need to customize it based at a server by server level if the fit is not clean along the domain basis.
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question