Exchange Server 2003 Security Review

The question was recently posed on a mailing list asking whether there was any book that covered the Exchange 2003 security model in depth.

The question came up for the poster because of a recent video that is making the rounds on youtube and elsewhere ( In that video, an errant system administrator deletes a message from his bosses Sent Items folder, so that the boss cannot verify that the administrator was told something specific.

Can that happen??? Well - yes. And it isn't unique to Exchange Server. And yes, that administrator should be fired.

A savvy Exchange administrator, who also has appropriate permissions in Active Directory, can assign herself permissions at any level of an Exchange organization - per mailbox, per mailbox store, per storage group, per server, or for the entire Exchange organization.

While the backend permission sets have expanded dramatically in Exchange Server 2007, the store and user permissions are still quite similar to Exchange Server 2003. There are three whitepapers at Microsoft that can help you learn about the various permissions and how they work within themselves and within Active Directory:

Exchange Server 2003 Technical Reference Guide

Working with Active Directory Permissions in Microsoft Exchange Server 2003

Working with Store Permissions in Microsoft Exchange 2000 and 2003

Another resource is Alain Lissoir's web site. Alain wrote a couple of great white papers on scripting in Exchange 2000 and 2003 and they contain some excellent security related resources.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Published Tuesday, July 22, 2008 1:34 PM by michael


Thursday, July 24, 2008 2:05 PM by subject: exchange

# Weekend reading

Speeding Up PowerShell Startup MS08-039: Which users are vulnerable to the OWA XSS vulnerability? Reducing

Friday, November 07, 2008 7:06 AM by John Boyles

# re: Exchange Server 2003 Security Review

There is also a new solution called <a href="">security explorer for exchange</a> that can help in dealing with exchange security.

It's great for managing permissions on mailboxes and mailbox folders, public folders, administrative groups, storage groups, mailbox and public folders stores.