Solved

Logical security and administration delegation within Exchange 2003

Posted on 2008-10-11
3
210 Views
Last Modified: 2012-05-05
Hi Guys

I was searching for some tips/guidelines to design Administration delegation and access control for our newly implemented exchange organisation built upon 2003. There are various locations across the globe and the underlying Windows 2003 R2 infrastructure is that of a single forest/domain architecture.

Pls advise the best practices to go about logically securing this exchange organisation.

Thx in advance!  
0
Comment
Question by:fahim
  • 2
3 Comments
 
LVL 8

Expert Comment

by:sstone55423
ID: 22694542
This is a very general question.  SO, you will probably get general answers, if any.
 
Of course, with WIndwos 2003 R2 you can delegate administrative permissions over file system rights, roles, as well as exchange stores and roles within the stores.  You seem to indciate that the server structure for the forest and domain alreadty exist.  I assume that you have administrative rights delegated for those servers.  Are the exchange servers already set up and running, or are are you talking about a new implementation?  Do you know how you want to distribute your stores and the users for each store?  I assume they will probably be geographically distributed, and within that politically (by department -- or all departments sharing a store at a location).  WOuld it not make sense to distribute administrative rights to appropriate people along the same lines?
 
0
 

Author Comment

by:fahim
ID: 22694925
Hi Stone..I'll be more specific. The need is define roles for exchange administrators while maintaining centralised authority. Yes, exchange server are already running. Stores are geographically distributed and further business unit wise (call it political) but not further demarcated. Centralised IT is managing all of them though. Also! Can't distribute admin rights across the same way and need to maintain strict central administration and confidentiality of user's mailboxes even from local admins.

From what I read in Microsoft's exchange security hardening guide, I have the option of three levels of administrative roles within Exchange.
 
1. Exchange View Only
2. Exchange administrator
3. Exchange Full administrator

It further sates within the description of Exchange Admin: "Grants all permissions except for ability to take ownership, change permissions, or open user mailboxes."

And describing the function of Exchange Full Admin: " Grants all permissions to all objects below that container except for the ability to open user mailboxes or impersonate a user's mailbox, including the ability to change permissions. "

Now which one of these roles has full authority over user's mailboxes? My guess is, Full Admin--Right?
So, guys in this category should be the least.

Further the doc explains exchange hierarchical levels:

Exchange provides three levels at which you can apply Access Control Lists (ACLs) and administrative permissions. The three levels are:

1. Organization Level  Includes all Exchange Administrative Groups and the Exchange servers they contain. This is the top level and users with administrative permissions at this level can manage the entire Exchange organization.

2. Administrative Group Level  This level includes all Exchange servers in the Administrative group. An administrative group can be compared to an Active Directory domain, where the domain is the administrative boundary.
3. Server Level

.....How do I decide and map my administrative permissions vis a vis these hierarchical levels in best possible ways?
0
 
LVL 8

Accepted Solution

by:
sstone55423 earned 500 total points
ID: 22721798
The administrative group level would allow you on a domain by domain basis to limit access.  I don't know if your geograohical/departmental structure is consistent with that.  You may need to customize it based at a server by server level if the fit is not clean along the domain basis.
0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
Read this checklist to learn more about the 15 things you should never include in an email signature.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now