Exchange Server 2003 Security Review
The question was recently posed on a mailing list asking whether there was any book that covered the Exchange 2003 security model in depth.
The question came up for the poster because of a recent video that is making the rounds on YouTube and elsewhere (http://www.thewebsiteisdown.com). In that video, an errant system administrator deletes a message from his boss's Sent Items folder, so that the boss cannot verify that the administrator was told something specific.
Can that happen??? Well - yes. And it isn't unique to Exchange Server. And yes, that administrator should be fired.
A savvy Exchange administrator, who also has appropriate permissions in Active Directory, can assign herself permissions at any level of an Exchange organization - per mailbox, per mailbox store, per storage group, per server, or for the entire Exchange organization.
While the backend permission sets have expanded dramatically in Exchange Server 2007, the store and user permissions are still quite similar to those in Exchange Server 2003. There are three whitepapers at Microsoft that can help you learn about the various permissions, how they interact with each other, and how they work within Active Directory:
Exchange Server 2003 Technical Reference Guide
Working with Active Directory Permissions in Microsoft Exchange Server 2003
Working with Store Permissions in Microsoft Exchange 2000 and 2003
Another resource is Alain Lissoir's web site. Alain wrote a couple of great white papers on scripting in Exchange 2000 and 2003, and they contain some excellent security-related resources.
Until next time...
As always, if there are items you would like me to talk about, please drop me a line and let me know!