How to prevent MS Exchange Administrator from accessing others mailboxes?


Post by Zzz Kitt » Tue, 24 Apr 2001 17:59:35



Let's say I install MS Exchange 5.5 using the "exadmin" NT account. By default,
"Exadmin" will be granted NT system and Exchange server administrator
rights. I can log on to/access any mailbox on the Exchange server using the
"Exadmin" account from any PC in the domain.

For security reasons, how can I prevent "Exadmin" (Exchange Server
Administrator) from being able to access others' mailboxes?

 
 
 


Post by ROU Dead of Nigh » Tue, 24 Apr 2001 18:51:07


AFAIK, you can't.  That's the whole point.

If you want to restrict access to people's mailboxes, write the password
down, lock it away in a fireproof safe and don't tell anyone what it is.
And give the safe key to your Managing Director.

(And audit object access for the account concerned in User Manager :-)


> Let's say I install MS Exchange 5.5 using the "exadmin" NT account. By default,
> "Exadmin" will be granted NT system and Exchange server administrator
> rights. I can log on to/access any mailbox on the Exchange server using the
> "Exadmin" account from any PC in the domain.

> For security reasons, how can I prevent "Exadmin" (Exchange Server
> Administrator) from being able to access others' mailboxes?


 
 
 


Post by Kirill S. Palagi » Tue, 24 Apr 2001 18:50:11


You cannot.
For security reasons, hire only trustworthy staff.


> Let's say I install MS Exchange 5.5 using the "exadmin" NT account. By default,
> "Exadmin" will be granted NT system and Exchange server administrator
> rights. I can log on to/access any mailbox on the Exchange server using the
> "Exadmin" account from any PC in the domain.

> For security reasons, how can I prevent "Exadmin" (Exchange Server
> Administrator) from being able to access others' mailboxes?

--
Corrections are welcome.
Please keep all discussions in NG, so that everybody can participate.

Kirill

 
 
 


Post by Zzz Kitt » Sun, 29 Apr 2001 11:48:06


Let's say I install MS Exchange 5.5 using the "exadmin" NT account. By default,
"Exadmin" will be granted NT system and Exchange server administrator
rights. I can log on to/access any mailbox on the Exchange server using the
"Exadmin" account from any PC in the domain.

For security reasons, how can I prevent "Exadmin" (Exchange Server
Administrator) from being able to access others' mailboxes?

 
 
 


Post by mjb » Sun, 29 Apr 2001 14:28:34


The best solution I've found to make sure that email admins do not have
access (short of following Kirill's advice to only hire people you trust) is
to use a shared secret password for the exadmin account:

Change the password on the exadmin account with another person from the
appropriate dept (HR, VP, CxO, etc).
The email admin would type the first half of the password and remember
it/share it with others in the IT dept.
The other person would type the second half of the password and remember it.
Change the password in Exchange Admin the same way (admin types first part,
other person types second part) and restart the services.

Before doing this, make sure you have a disaster plan and consider
consequences:
The other person/people must be willing to show up at 2:00 am in case of
problems and/or troubleshooting the server.
The other person/people must be willing to be there at 2:00 am to install
additional Exchange services/software such as the IMS, virus scanners, etc.

The loophole in this is that the email admin could change the password, and
restart services during regular maintenance windows and nobody would notice
it was changed.

On the other hand, you could do what most companies do -- ensure that your
email admins are so busy that they'll never have time to read their own
mail, let alone someone else's mail.

mjb


> Let's say I install MS Exchange 5.5 using the "exadmin" NT account. By default,
> "Exadmin" will be granted NT system and Exchange server administrator
> rights. I can log on to/access any mailbox on the Exchange server using the
> "Exadmin" account from any PC in the domain.

> For security reasons, how can I prevent "Exadmin" (Exchange Server
> Administrator) from being able to access others' mailboxes?

 
 
 

1. Preventing Users Giving Others Access To Their Mailbox

Hello folks,

I am looking for a way to prevent somebody granting access to their
mailbox folders from another account. I know Outlook is there to
improve communication, but we have to prevent people reading each
other's mailboxes, even with the user's consent.

Exchange 5 is the server and the client is Outlook 97 8.02. I was
hoping that the server would have permissions to prevent this, but so
far I haven't found any way.

Thanks in advance

-Rob Stevens-
DERA Farnborough
