Controlling User Access to IM


Before any user can use Exchange IM, they must be IM-enabled. This enablement does nothing more than add five Active Directory attributes to the selected user’s account; in particular, the msExchIMPhysicalURL and msExchIMVirtualServer attributes specify which IM home server the user is on, and the msExchIMACL property contains an access control list (ACL) that controls which other users are allowed to see the user’s presence status by requesting it from the server. Note that these controls are blunt, not surgical: users can either use your IM server or not, but Exchange doesn’t directly offer a way to restrict what they do with it past that point.

Controlling Access for Individual Users

You can enable or disable individual users’ access to IM, or set their individual privacy properties, by using the Active Directory Users And Computers snap-in. Open the Properties dialog box for the selected user, then click the Exchange Features tab (see Figure 16-1). Select Instant Messaging and click Enable; you’ll be asked to select the IM domain name and home server you want this account to use, and that’s it. The same process works in reverse for disabling users—just click Disable.

Figure 16-1: IM is treated as an Exchange feature, so you turn it on or off in the Exchange Features tab.

If you want to IM-enable multiple users at once, you can select them in Active Directory Users And Computers, then right-click any selected user and select Exchange Tasks. One of the built-in tasks allows you to disable or enable multiple users at once.

Setting User Privacy Properties

When you select Instant Messaging in the Exchange Features tab, clicking Properties displays the Instant Messaging dialog box. The most interesting part of this dialog box is the Privacy tab, shown in Figure 16-2, which allows you to specify servers and clients that can see the presence information of, and send messages to, the selected user.

Figure 16-2: The Privacy tab lets you control who can see selected users’ presence information.

This dialog box has two separate ways to control access, reflected in the Allow Access By All Servers And Users Except and Allow Access Only From These Servers And Users options. As their names indicate, these two mutually exclusive options let you specify either a list of users who are blocked from contacting the selected user, or a “white list” of the only users who are allowed to contact the selected user. Don’t confuse these server-side options with the individual restrictions that can be set from the client; Windows Messenger offers a slightly more flexible interface for setting basically the same options.

Controlling Access for Groups

Enabling or disabling individual users’ IM access is useful, but it’s much more useful to be able to selectively grant or deny access to members of selected security or distribution groups, based only on their group memberships. Exchange itself doesn’t offer any way to do this, but it’s relatively simple to accomplish: all you need is a script that stamps the correct values of five attributes onto the user accounts you want to touch. The following attributes are all you need:

  • MsExchIMPhysicalURL The Uniform Resource Locator (URL) to the user’s actual home server, including the /instmsg/aliases virtual directory (for example, http://im.fabrikam.com/instmsg/aliases/paulr). The fully qualified domain name (FQDN) of the home server comes from a DNS SRV lookup.

  • MsExchIMAddress The IM domain address, which is composed of the account alias address combined with the FQDN of the IM domain, if you’re using one. For example, paulr@fabrikam.com or paulr@im.fabrikam.com would both be valid, with the former used with an SRV record and the latter used without one.

  • MsExchIMMetaPhysicalURL The logical URL to the user’s IM address. The physical URL points directly to the DNS name of the IM server; the logical URL points to the DNS name as listed in the SRV record. This attribute will either point directly to the user’s IM home server or the IM router for the user’s organization.

  • MsExchIMVirtualServer The full distinguished name of the virtual server that’s hosting this particular user. This includes the virtual server number and protocol; for example, CN=3,CN=RVP,CN=Protocols,CN=serverName,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Fabrikam,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Fabrikam,DC=com

Although you could clearly type all these attributes into ADSIEdit, you couldn’t type in the fifth, msExchIMACL, a magic attribute that IM requires. Accordingly, you can use the EnableUser() call in the CDOEXM library. The following snippet enables a single user for IM; you can easily extend it to iterate over multiple organizational units (OUs) or groups:

' Bind to the IM server, the user-administration helper, and the user
' collection of the first virtual server on the first IM server.
Set Servers   = WScript.CreateObject("MSExchangeIM.IMServers.1")
Set UserAdmin = WScript.CreateObject("MSExchangeIM.IMUserAdmin.1")
Set Users     = Servers(1).VirtualServers(1).Users
IMDomain      = "im.fabrikam.com"

' Bind to the Active Directory user account to be IM-enabled.
Set imUser    = GetObject("LDAP://CN=Paul Robichaux,CN=Users,DC=fabrikam,DC=com")

' Derive the IM alias from the account's e-mail alias, then stamp the five
' IM attributes (including msExchIMACL) and write them back to the directory.
IMAlias       = UserAdmin.UserEmailAlias(imUser)
Set objIMUser = Users.EnableUser(imUser, IMAlias, IMDomain)
imUser.SetInfo
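Extending that snippet to a whole group, as an added example that is not the book's own code: it walks the members of one security group and IM-enables each user account that isn't already enabled. The group DN, the IM domain, and the use of a populated msExchIMAddress attribute as the "already enabled" test are assumptions.

```vbscript
' Added example: IM-enable every user in one security group.
' Assumed values: the group DN and IM domain are placeholders for your own.
Option Explicit

Const GROUP_DN  = "LDAP://CN=IM Users,OU=Groups,DC=fabrikam,DC=com"  ' assumption
Const IM_DOMAIN = "im.fabrikam.com"                                   ' assumption

Dim Servers, UserAdmin, Users, Group, Member, IMAlias, Enabled, Skipped

' Same COM objects the book's single-user snippet uses.
Set Servers   = WScript.CreateObject("MSExchangeIM.IMServers.1")
Set UserAdmin = WScript.CreateObject("MSExchangeIM.IMUserAdmin.1")
Set Users     = Servers(1).VirtualServers(1).Users

Set Group = GetObject(GROUP_DN)
Enabled = 0 : Skipped = 0

For Each Member In Group.Members
    ' Only touch user objects; nested groups and contacts are left alone.
    If LCase(Member.Class) <> "user" Then
        Skipped = Skipped + 1
    ElseIf IsIMEnabled(Member) Then
        ' Already stamped; re-enabling would overwrite the existing home server.
        Skipped = Skipped + 1
    Else
        IMAlias = UserAdmin.UserEmailAlias(Member)
        Users.EnableUser Member, IMAlias, IM_DOMAIN
        Member.SetInfo
        WScript.Echo "Enabled " & IMAlias & "@" & IM_DOMAIN
        Enabled = Enabled + 1
    End If
Next

WScript.Echo "Enabled: " & Enabled & "  Skipped: " & Skipped

' Assumption: an IM-enabled user already carries msExchIMAddress. ADSI raises
' an error when Get is called for an attribute that is not set, so use that
' as the test instead of re-enabling unconditionally.
Function IsIMEnabled(User)
    On Error Resume Next
    User.Get "msExchIMAddress"
    IsIMEnabled = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function
```

Run it with cscript under an account that can write to the member objects; the Enabled/Skipped counts give you a quick audit of what changed.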

Controlling Access Using Internet Information Services

When you install an IM home server, you’re actually setting up a new virtual directory in Internet Information Services (IIS); that’s why you can install the Exchange IM server on any computer running IIS 5 or later, not just on machines that are also running Exchange 2000. This offers some interesting possibilities, including the ability to use IIS access controls to restrict access to the virtual directory, which effectively gives you group-level access control to the IM server without writing any scripts or tweaking Active Directory. To make this work, set the desired permissions on the IM virtual directory on the IM server, denying access to the groups you don’t want to have access, just as you would for a conventional Web application. Two caveats: first, Microsoft doesn’t officially support setting IM access controls using IIS, so test your changes thoroughly in a lab before putting them into production. Second, don’t require Secure Sockets Layer (SSL) for your IM traffic, or you’ll find that your users cannot connect to the server.

Of course, IIS has other access control features, too; you can restrict or allow access from specified IP addresses, and you can control which authentication methods clients can use. Don’t overlook these options when applying security to your IM network.




Secure Messaging with Microsoft Exchange Server 2000
ISBN: 735618763
Year: 2003
Pages: 169