Local\Administrators vs. Builtin\Administrators - Exchange Server on a DC
Originally published in January of 2005, my blog post Exchange Server 2003 and Domain Controllers - A Summary has been the most searched-out article on my blog.
While, with the release of Exchange Server 2007, the post is beginning to show it's age, the information contained in the article still applies to Exchange Server 2007 - just some links need to be updated.
One item not covered in that post is the security aspect of installing Exchange on a DC. An Exchange Administrator needs to be a local administrator of the Exchange Server she is responsible for administering. That's simply the way permissions are done within Exchange. (This does not apply to viewing information, only to modifying it.)
I recently came across a document that suggested that when installing Exchange on a DC, the proper way to assign permissions to an Exchange Administrator was to add that user to the BUILTIN\Administrators group on the DC.
Don't do it.
A member of LOCAL\Administrators is a far cry from a BUILTIN\Administrators, and here are the two primary reasons why:
One - BUILTIN\Administrators is not stored locally to a single DC - its membership is in the Active Directory, in the CN=Builtin,DC=domain,DC=com container. The contents of this container are replicated to all domain controllers. Therefore, adding a user to a member of this group on one DC makes them a member of the group on all DCs. (A member server has a local accounts database called a SAM that is not visible to the domain.)
Two - Since BUILTIN\Administrators gives local Administrator permissions to its members - they can do anything on any DC in the domain. Anything. Making themselves a Domain Administrator is a trivial exercise.
A final note of caution: it is now widely recognized that forests are the security boundaries in Active Directory, not domains (regardless of what the original Windows 2000 Server A/D documentation said). Domains are simply administrative boundaries. As a corollary to item two above, once a person is a domain administrator, it is fairly easy to become an enterprise administrator.
Now, if you are a small shop with one or a handful of servers; this may not concern you. Your Exchange Administrators are probably Domain Administrators already.
But if you are larger - don't do it. The recommendations to do so just give you a false sense of security.
This is just another good reason to NOT install Exchange on a DC.
Until next time...
As always, if there are posts you would like to see, please let me know! Drop me a line or make a comment on the blog. Thanks for reading.