Solved

Rogue admin access to mail via Exchange 2007

Posted on 2012-03-09
392 Views
Last Modified: 2012-03-28
What can we do to secure our email so that a rogue Domain Admin can't read it?

Obviously he can't copy our PST files over the network while we have Outlook open, or while our laptops aren't on the network.  Can he download our mail from the Exchange server?  We are also Domain Admins and he doesn't have our logins.  If he changed them, we would obviously know.  

So can he download and read our mail from the server without us knowing?  If so, how can we secure our mail, or at least know if he has accessed it?

And please don't say something stupid like "don't make him domain admin" or "fire him."  These are not options right now.  

Thanks for your help.
0
Question by:readymade
8 Comments
 
LVL 1

Expert Comment

by:DGM87
ID: 37704117
Is there a way you can restrict his network access? What server/network setup are you currently using? Usually we just limit permissions in this case until one of the two "unspeakables" above becomes a viable choice.
0
 

Author Comment

by:readymade
ID: 37705377
Like I said, that's not an option right now.
0
 
LVL 47

Assisted Solution

by:apache09
apache09 earned 500 total points
ID: 37707638
Unfortunately, as they are a Domain Admin, there is virtually nothing you can do.

If there are particular individuals of concern here you could go into their AD account, open their Mailbox Rights, and find the Domain Admins entry.

Here you can restrict the Domain Admins' access to the entire mailbox by choosing Deny.

Unfortunately, this will also deny access to all other domain admins.

And it's likely that if this domain admin is accessing the mailbox for any particular reason they will check this setting.

If they find their access has been denied, all they need to do is reinstate it, as they are the domain admin.

What I would do, if this person is suspected of unauthorized access to mailboxes:
Have a look on the Exchange server.
Look at the mailboxes in the mailbox store.

Here you should find the mailbox info/details as well as "Last Logged on By".

If the person in question is accessing the mailboxes you will see their account name listed here.

Take a screenshot, and make a good record of the number of times accessed and the individual users accessed.

Then take this info to HR to deal with accordingly, as they wouldn't be able to do anything without proof anyhow.

Note this would only work as long as the user was not using a generic admin account like Administrator, Admin, DomainAdmin, System, etc.

They will need to be accessing the account under their personal login username which is a member of the Domain Admins group.
0

Author Comment

by:readymade
ID: 37708242
That's good info, man. I will check that. Question though... can he download mail from the server without knowing the person's login? The person whose mail he is possibly accessing is also a domain admin.

I guess he could quickly give himself full access to that mailbox, download it, then uncheck that.  Hmmmm.
0
 

Author Comment

by:readymade
ID: 37716922
How do I look at the mailboxes in the mailbox store?  I can view them on the management console but it doesn't show this info.  I'm on Exchange 2007.  Thanks!

Also, would they be able to access his mail without his login?  Is there a way for a domain admin to just download the pst or ost from the server without the other person's login, and view the mail?  

thanks
0
 

Author Comment

by:readymade
ID: 37745423
Bump.  Can an admin use the Queue Viewer to stop emails from certain addresses, read them, then send them on?  

Any other way an admin could read somebody else's mail without knowing their domain login?

thanks!
0
 
LVL 47

Accepted Solution

by:apache09
apache09 earned 500 total points
ID: 37745440
If they are a domain admin, it's likely they are an Exchange admin.

As a result they don't need other users' logon info for the domain.

All they need to do is go into their mail settings on their computer.
Create a new Outlook profile, enter the Exchange server name,
enter the user's AD ID.

Outlook will then load as that user.
In such instances you wouldn't know if the admin has accessed it, as it would show as the user accessing it.


Look, at the end of the day, there's really nothing you can do about this until it is officially sorted.

If you and the other admins are concerned about this admin having unauthorized access to your mailboxes, you need to do three things:

1 - Use your mail only for work purposes.
Make sure there is nothing dodgy in your mailbox, and nothing the suspected admin would be interested in.

2 - If there is info in your mailbox you don't want the admin to see,
you need to move it into a PST, w/password.

For extra security you then move that PST on to a removable media device.

Preferably, insert the USB drive first.
Then create a PST directly on it from Outlook.
Then save your emails into the PST.

If you create it on your local system first or on a network drive, there is a possibility it can be recovered via various backup and data recovery processes.

3 - Make sure it's being reported to HR and HR is following up on the issue.

Now, if I didn't know better myself here:

From the line of questioning above, and the actions being taken to limit a Domain Admin's access to one's work email...

I have to admit, I'm starting to feel like this "Dodgy Admin" might just be you.
0
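The two checks the answers above describe by hand (apache09's "look at the mailbox store for Last Logged on By", and the Full Access grant that lets an admin open another user's mailbox from a fresh Outlook profile) can be gathered from the Exchange 2007 Management Shell in one pass. The script below is an added example and not code from the thread; it assumes it runs in the Exchange Management Shell with at least view-only Exchange permissions, and `EXCH01` is a placeholder mailbox server name you would replace with your own.

```powershell
# Added example (not from the thread): audit Exchange 2007 mailboxes for
#  (a) the Windows account that last opened each mailbox, and
#  (b) explicit, non-inherited Full Access grants to accounts other than the owner.
# Run from the Exchange Management Shell. $MailboxServer is a placeholder.

$MailboxServer   = "EXCH01"                  # placeholder: your mailbox server
$IgnoredGrantees = @("NT AUTHORITY\SELF")     # the owner's implicit entry

$report = foreach ($mbx in Get-Mailbox -Server $MailboxServer -ResultSize Unlimited) {
    $owner        = $mbx.SamAccountName
    $ownerPattern = "\\" + [regex]::Escape($owner) + "$"   # matches DOMAIN\owner

    # (a) Get-MailboxStatistics records the account that last authenticated to the
    #     mailbox. It returns nothing for a mailbox that has never been opened.
    $stats    = Get-MailboxStatistics -Identity $mbx.Identity
    $lastUser = $null
    $lastTime = $null
    if ($stats -ne $null) {
        $lastUser = $stats.LastLoggedOnUserAccount
        $lastTime = $stats.LastLogonTime
    }
    $foreignLogon = ($lastUser -ne $null) -and
                    ($lastUser -notmatch $ownerPattern) -and
                    ($lastUser -ne "NT AUTHORITY\SYSTEM")

    # (b) Explicit Full Access grants: the mailbox-level right that lets another
    #     account open this mailbox with its own Outlook profile.
    $grants = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            (-not $_.IsInherited) -and (-not $_.Deny) -and
            ($_.AccessRights -contains "FullAccess") -and
            ($IgnoredGrantees -notcontains $_.User.ToString()) -and
            ($_.User.ToString() -notmatch $ownerPattern)
        }
    $granteeList = ($grants | ForEach-Object { $_.User.ToString() }) -join "; "

    $row = New-Object PSObject
    $row | Add-Member -MemberType NoteProperty -Name Mailbox            -Value $mbx.DisplayName
    $row | Add-Member -MemberType NoteProperty -Name LastLoggedOnBy     -Value $lastUser
    $row | Add-Member -MemberType NoteProperty -Name LastLogonTime      -Value $lastTime
    $row | Add-Member -MemberType NoteProperty -Name ForeignLastLogon   -Value ([bool]$foreignLogon)
    $row | Add-Member -MemberType NoteProperty -Name ExplicitFullAccess -Value $granteeList
    $row
}

# Show only mailboxes worth a second look, and keep a dated CSV as a record for HR.
$report | Where-Object { $_.ForeignLastLogon -or ($_.ExplicitFullAccess -ne "") } |
    Format-Table Mailbox, LastLoggedOnBy, LastLogonTime, ExplicitFullAccess -AutoSize

$report | Export-Csv -Path ("mailbox-access-audit-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```

Two caveats a defender should keep in mind. Exchange 2007 has no per-mailbox audit log (that arrived in Exchange 2010 SP1), so `LastLoggedOnUserAccount` only tells you the most recent account, not a history; running the script on a schedule and keeping the dated CSVs is what turns it into a record. And, as the thread notes, anyone who can grant themselves Full Access can also remove the grant afterwards and could use a shared account such as Administrator, so an empty report is not proof of anything, while a personal admin account showing up as the last logon to someone else's mailbox is.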
 

Author Comment

by:readymade
ID: 37745463
Good one.... I'm new at the company and I've not used Exchange much before. The boss is also new and knows nothing about Exchange. However, this other person always seems to know about things he isn't copied on. He has info on projects he isn't involved in and he shares it with other departments to align himself with them. It's pathetic actually. If he is doing it, I would love to find a way to catch him.
0
