In this chapter, you'll learn how to implement Microsoft Exchange Server 2007 security and auditing. In Active Directory, you manage security using permissions. Users, contacts, and groups all have permissions assigned to them. These permissions control the resources that users, contacts, and groups can access. They also control the actions that users, contacts, and groups can perform. You use auditing to track the use of these permissions, as well as logons and logoffs. You manage Exchange administration permissions using either the Active Directory tools or the Exchange management tools.
In Exchange Server 2007, management of permissions is greatly simplified over Exchange Server 2003. The reason for this is that all Exchange information is now stored in Active Directory, and you can use the features of Active Directory to manage permissions across the Exchange organization.
Users, contacts, and groups are represented in Active Directory as objects. These objects have many attributes that determine how they are used. The most important attributes are the permissions assigned to the object. Permissions grant or deny access to objects and resources. For example, you can grant a user the right to create public folders but deny that same user the right to view the status of the information store.
Permissions assigned to an object can be applied directly to the object, or they can be inherited from another object. Generally, objects inherit permissions from parent objects. A parent object is an object that is above another object in the object hierarchy. However, you can override inheritance. One way to do this is to assign permissions directly to an object. Another way is to specify that an object shouldn't inherit permissions.
In Exchange Server 2007, permissions are inherited through the organizational hierarchy. The root of the hierarchy is the Organization node. All other nodes in the tree inherit the Exchange permissions of this node. For example, the permissions on the Recipient Configuration node are inherited from the Organization node.
For the management of Exchange information and servers, Exchange Server 2007 uses several predefined groups. These predefined security groups have permissions to manage Exchange organization, Exchange server, and Exchange recipient data in Active Directory. In Active Directory Users And Computers, you can view and work with the administrator-related groups using the Microsoft Exchange Security Groups node (see Figure 10-1).
Figure 10-1: You can use Active Directory Users And Computers to manage Exchange administrator groups.
Tip In Active Directory Users And Computers, there's a hidden container of Exchange objects called Microsoft Exchange System Objects. You can display this container by selecting Advanced Features on the View menu.
Table 10-1 lists predefined groups created in Active Directory for Exchange Server 2007. As the table shows, each group has a slightly different usage and purpose. Three of the six groups are used by Exchange servers. These groups are: Exchange Install Domain Servers, Exchange Servers, and Exchange2003Interop. You use the other three groups for assigning administrator permissions. These groups are: Exchange Organization Administrators, Exchange Recipient Administrators, and Exchange View-Only Administrators.
Group | Group Type | Description |
---|---|---|
Exchange Install Domain Servers | Global Security Group | Members of this group include domain controllers on which Exchange is installed. You can see this group only when you select View, and then click Advanced Features in Active Directory Users And Computers. |
Exchange Organization Administrators | Universal Security Group | Members of this group have full access to all Exchange properties and objects in the Exchange organization. |
Exchange Recipient Administrators | Universal Security Group | Members of this group have permissions to modify any Exchange property on an Active Directory user, contact, group, dynamic distribution list, or public folder object. Members of this group can also manage Unified Messaging mailbox settings and Client Access mailbox settings. |
Exchange Servers | Universal Security Group | Members of this group can manage the Exchange information store, mail interchange, and mail queues. By default, all computers running Exchange Server 2007 are members of this group, and you shouldn't change this setup. |
Exchange View-Only Administrators | Universal Security Group | Members of this group have read-only access to the entire Exchange organization tree in the Active Directory configuration container and read-only access to all the Windows domain containers that have Exchange recipients. |
Exchange2003Interop | Universal Security Group | Members of this group are granted Sent To and Receive From permissions, which are necessary for routing group connections between Exchange Server 2007 and Exchange 2000 Server or Exchange Server 2003. Exchange 2000 Server and Exchange Server 2003 bridgehead servers must be made members of this group to allow proper mail flow in the organization. |
When working with Exchange-related groups, it is important to keep in mind that Exchange Organization Administrators grants the widest set of Exchange administration permissions possible. Members of this group can perform any Exchange administration task, including organization, server, and recipient management. Members of the Exchange Recipient Administrators group, on the other hand, can manage only recipient information. Exchange View-Only Administrators can view Exchange organization, server, and recipient information but cannot manage any aspects of Exchange.
Table 10-2 provides an overview of the group membership for the Exchange groups. Membership in a particular group grants the member the permissions of the group.
Group | Members Of | Members |
---|---|---|
Exchange Install Domain Servers | Exchange Servers | Domain controllers on which Exchange is installed |
Exchange Organization Administrators | Administrators, Exchange Recipient Administrators | Administrator |
Exchange Recipient Administrators | Exchange View-Only Administrators | Exchange Organization Administrators |
Exchange Servers | Exchange Install Domain Servers, individual Exchange servers | |
Exchange View-Only Administrators | Exchange Recipient Administrators | |
Exchange2003Interop | | |
Understanding how group membership affects permissions is extremely important. As an example, if you follow the membership of the Exchange Organization Administrators group, you can see why its members have the widest set of Exchange permissions. Its members are granted permissions of the Exchange Recipient Administrators group. Members of the Exchange Recipient Administrators group are, in turn, members of the Exchange View-Only Administrators group. Because the Exchange Organization Administrators group is also a member of Administrators, its members gain all the permissions of this group and any groups of which Administrators is a member. In the local domain, members of the Administrators group have full administration privileges, allowing them to manage Active Directory information throughout the domain. Finally, Exchange Organization Administrators has as its only default member the built-in Administrator user. This means the only user account that, by default, has administrative permissions in Exchange is the built-in Administrator account. Other users that perform Exchange administrator tasks must be specifically granted permission to do so.
To grant Exchange administrator permissions to a user or group of users, all you need to do is make the user or group a member of the appropriate Exchange administrator group. The tool of choice for managing users in a domain is Active Directory Users And Computers. You can make users, contacts, computers, or other groups members of an Exchange administrator group by completing the following steps:
Click Start, point to All Programs, select Administrative Tools, and select Active Directory Users And Computers.
In Active Directory Users And Computers, double-click the Exchange administrator group you want to work with. This opens the group's Properties dialog box.
Click the Members tab, as shown in Figure 10-2.
To make a user or group a member of the selected group, click Add. The Select Users, Contacts, Computers, Or Groups dialog box appears, as shown in Figure 10-3.
Type the name of the account to which you want to grant permissions, and then click Check Names. If matches are found, select the account you want to use, and then click OK. If no matches are found, update the name you entered, and try searching again. Repeat this step as necessary. Click OK.
Figure 10-2: Use the Members tab to view and manage membership in the group.
Figure 10-3: Specify the name of the user, contact, computer, or group to add.
You can remove a user, contact, computer, or other group from an Exchange administrator group by completing the following steps:
Open Active Directory Users And Computers.
In Active Directory Users And Computers, double-click the Exchange administrator group with which you want to work. This opens the group's Properties dialog box.
On the Members tab, click the user or group you want to remove, and then click Remove. Click OK.
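Because membership is nested as Table 10-2 describes, checking who actually holds Exchange administrator permissions means following group membership all the way down. The following script is an added example, not from the book: it walks the nested membership of the three Exchange administrator groups with ADSI and flags any account other than the built-in Administrator that ends up in Exchange Organization Administrators. It assumes a domain-joined host with read access to Active Directory and the groups in the default Microsoft Exchange Security Groups organizational unit.

```powershell
# Added audit script (not from the book): list every account that effectively
# holds the permissions of each Exchange administrator group (Table 10-2).
# Assumes a domain-joined host, read access to Active Directory, and the groups
# in the default Microsoft Exchange Security Groups OU; ADSI needs no extra module.
$domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$groupOu  = "OU=Microsoft Exchange Security Groups,$domainDn"
$adminGroups = "Exchange Organization Administrators",
               "Exchange Recipient Administrators",
               "Exchange View-Only Administrators"

function Get-NestedMembers {
    # Emits the DN of every non-group member reachable from $GroupDn, following
    # nested groups; $Seen stops the walk if groups happen to be nested in a cycle.
    param([string]$GroupDn, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($GroupDn)) { return }
    $Seen[$GroupDn] = $true
    $group = [ADSI]"LDAP://$GroupDn"
    foreach ($memberDn in $group.member) {
        $member = [ADSI]"LDAP://$memberDn"
        if (@($member.objectClass) -contains "group") {
            Get-NestedMembers -GroupDn $memberDn -Seen $Seen
        } else {
            $memberDn
        }
    }
}

foreach ($name in $adminGroups) {
    $members = @(Get-NestedMembers -GroupDn "CN=$name,$groupOu" | Sort-Object -Unique)
    "`n== $name ($($members.Count) effective members)"
    foreach ($dn in $members) {
        $sam = [string]([ADSI]"LDAP://$dn").sAMAccountName
        # By default only the built-in Administrator reaches Exchange Organization
        # Administrators (Table 10-2), so any other account there deserves review.
        $flag = ""
        if ($name -eq "Exchange Organization Administrators" -and $sam -ne "Administrator") {
            $flag = "  <-- not a default member, review"
        }
        "{0,-24} {1}{2}" -f $sam, $dn, $flag
    }
}
```

Run it from a regular PowerShell session; the account used only needs to read Active Directory, so it can be used to review membership without holding any Exchange administrator role itself.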
Active Directory objects are assigned a set of permissions. These permissions are standard Microsoft Windows permissions, object-specific permissions, and extended permissions.
Table 10-3 summarizes the most common object permissions. Keep in mind that some permissions are generalized. For example, with Read Value(s) and Write Value(s), Value(s) is a placeholder for the actual type of value or values.
Permission | Description |
---|---|
Full Control | Permits reading, writing, modifying, and deleting |
List Contents | Permits viewing object contents |
Read All Properties | Permits reading all properties of an object |
Write All Properties | Permits writing to all properties of an object |
Read Value(s) | Permits reading the specified value(s) of an object, such as general information or group membership |
Write Value(s) | Permits writing the specified value(s) of an object, such as general information or group membership |
Read Permissions | Permits reading object permissions |
Modify Permissions | Permits modifying object permissions |
Delete | Permits deleting an object |
Delete Subtree | Permits deleting the object and its child objects |
Modify Owner | Permits changing the ownership of the object |
All Validated Writes | Permits all types of validated writes |
All Extended Writes | Permits all extended writes |
Create All Child Objects | Permits creating all child objects |
Delete All Child Objects | Permits deleting all child objects |
Add/Remove Self As Member | Permits adding and removing the object as a member |
Send To | Permits sending to the object |
Send As | Permits sending as the object |
Change Password | Permits changing the password for the object |
Receive As | Permits receiving as the object |
Table 10-4 summarizes Exchange-specific permissions for objects. You use these extended permissions to control Exchange administration and use. If you want to learn more about other types of permissions, I recommend that you read Microsoft Windows Server 2003 Administrator's Pocket Consultant (Microsoft Press, 2003) or Microsoft Windows Vista Server Administrator's Pocket Consultant (Microsoft Press, 2007).
Permission | Description |
---|---|
Read Exchange Information | Permits reading general Exchange properties of the object |
Write Exchange Information | Permits writing general Exchange properties of the object |
Read Exchange Personal Information | Permits reading personal identification and contact information for an object |
Write Exchange Personal Information | Permits writing personal identification and contact information for an object |
Read Phone and Mail Options | Permits reading phone and mail options of an object |
Write Phone and Mail Options | Permits writing phone and mail options of an object |
Allow Impersonation To Personal Exchange Info | Permits impersonating another user to access personal Exchange information |
Allowed To Authenticate | Permits the object to authenticate in the domain |
In Active Directory, different types of objects can have different sets of permissions. Different objects can also have general permissions that are specific to the container in which they're defined. For troubleshooting or fine-tuning your environment, you may occasionally need to modify advanced permissions. You can set advanced permissions for Active Directory objects by following these steps:
Open Active Directory Users And Computers.
In Active Directory Users And Computers, right-click the user, group, or computer account with which you want to work.
Caution Only those administrators with a solid understanding of Active Directory and Active Directory permissions should manipulate advanced object permissions. Incorrectly setting advanced object permissions can cause problems that are difficult to track down.
Select Properties from the shortcut menu, and then click the Security tab in the Properties dialog box, as shown in Figure 10-4.
Users or groups with access permissions are listed in the Name list box. You can change permissions for these users and groups by doing the following:
- Select the user or group you want to change.
- Use the Permissions list box to grant or deny access permissions.
- When inherited permissions are dimmed, override inherited permissions by selecting the opposite permissions.
To set access permissions for additional users, computers, or groups, click Add. Then use the Select Users, Computers, Or Groups dialog box to add users, computers, or groups.
Select the user, computer, or group you want to configure in the Name list box, click Add, and then click OK. Then use the fields in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups. Click OK when you're finished.
Figure 10-4: Use the Security tab to manage advanced permissions.
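The Security tab shows the same access control entries that can be read programmatically, which is useful when you need to review many objects or record which entries are explicit and which are inherited. The following script is an added example, not from the book: it reads the DACL of one Active Directory object, resolves extended rights such as Send As and Receive As (Tables 10-3 and 10-4) to their display names from the Extended-Rights container, and marks inherited entries, which the GUI shows dimmed. It assumes a domain-joined host; the account name "jsmith" is a constructed placeholder.

```powershell
# Added example (not from the book): list who holds which rights on one Active
# Directory object, resolving extended-right GUIDs (Send-As, Receive-As, ...) to
# names and marking inherited entries. Assumes a domain-joined host; the target
# account name "jsmith" is a constructed placeholder.
$targetSam = "jsmith"

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext
$nullGuid = "00000000-0000-0000-0000-000000000000"

# Build a rightsGuid -> displayName map from the Extended-Rights container so
# the output reads "Send-As" instead of a bare GUID.
$rightNames = @{}
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Extended-Rights,$configDn", "(objectClass=controlAccessRight)")
$searcher.PageSize = 1000
foreach ($r in $searcher.FindAll()) {
    $rightNames[[string]$r.Properties["rightsguid"][0]] = [string]$r.Properties["displayname"][0]
}

# Find the target object by sAMAccountName and read its DACL.
$finder = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$domainDn", "(sAMAccountName=$targetSam)")
$result = $finder.FindOne()
if (-not $result) { throw "No object with sAMAccountName '$targetSam'" }
$target = $result.GetDirectoryEntry()

$target.psbase.ObjectSecurity.Access | ForEach-Object {
    # ObjectType is the all-zero GUID for generic rights (Full Control, Read All
    # Properties, ...); otherwise it identifies an extended right or property set.
    $guid  = [string]$_.ObjectType
    $right = [string]$_.ActiveDirectoryRights
    if ($rightNames.ContainsKey($guid)) { $right = $rightNames[$guid] }
    elseif ($guid -ne $nullGuid)        { $right = "$right (object $guid)" }
    New-Object PSObject -Property @{
        Identity  = $_.IdentityReference.Value
        Type      = [string]$_.AccessControlType
        Right     = $right
        Inherited = $_.IsInherited   # dimmed in the Security tab; explicit entries override
    }
} | Sort-Object Inherited, Identity | Format-Table Identity, Type, Right, Inherited -AutoSize
```

Entries with Inherited set to True come from a parent container, as described at the start of this chapter; an explicit entry on the object itself is what overrides them.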