Is it safe to store data such as account log-in information (for vendor websites, not administrative accounts), settings policies, activation documentation, and operating system keys in a public folder on Microsoft Exchange, with the permissions set so that only members of a specific security group are allowed to add/edit/view the posts?

I find the following two benefits: The Exchange server is incrementally backed up every hour and sent off site at night, so in a disaster, once the restore is complete, the documentation is still available.

Users can update, post, and read as needed on the flow from OWA or outlook.

But I am not aware of security risks I may be presenting.

Jeff

1 Answer

You'd have to consider the benefits to your approach as well as drawbacks and compare it with other alternatives to make an informed decision.

A few pointers:

  • Who is managing those public folders / Exchange? Those users might not need to have access to those settings/accounts, but since it's their job to manage the Exchange server, they now also have access to those details.
  • What happens if an employee leaves their desktop unlocked and walks away for a short while? Or if somebody is looking over their shoulder when this mailbox is open (those passwords won't be masked in any way)?
  • Is there any audit trail of who's accessing this data, or making changes to it (even by mistake)?
  • What happens when one of the users leaves the company (or gets fired)? How quickly/effectively can you change the passwords?
  • Is there any regulation/standard that your company must comply with that prevents storing passwords in plain text?

My personal preference is using some kind of a password manager. There are several reliable solutions to help manage shared accounts/passwords. Have a search online for "online password manager" or something similar and I'm sure you'll find a few. There are free, open source and commercial ones, self-hosted or offered as a service. You can pick and choose the best one for you. Generally speaking, they take security much more seriously, since that's their core function. They offer protection against some of those drawbacks I mentioned, and probably others I didn't. Some might not even require you to make your own backups, and will do it for you, or will keep track of changes etc.

That said, there's no absolute right or wrong. If those passwords and data aren't really very sensitive, it's possible that the built-in security offered by the Exchange shared mailbox is good enough for your needs.

Yoav Aner
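The "who manages Exchange" and "audit trail" pointers above can be checked rather than guessed at. The following is an added example, not code from the question or the answer: a read-only script for the Exchange Management Shell (Exchange 2010 era, the version current when this was asked) that lists who can read the folder, who can grant themselves access regardless of the folder ACL, and whether permission changes are being logged. The folder path is an assumed placeholder.

```powershell
# Added example, not from the original post. Assumes Exchange 2010 Management Shell
# and an existing public folder at the placeholder path below.
$FolderPath = "\IT\Vendor Logins"

# 1. Explicit client permissions on the folder. "Default" covers every
#    authenticated mailbox user and "Anonymous" covers everyone else, so anything
#    other than None on those two entries means the security group is not the only reader.
$acl = Get-PublicFolderClientPermission -Identity $FolderPath
$acl | Select-Object User, AccessRights | Format-Table -AutoSize

$exposed = $acl | Where-Object {
    (@("Default", "Anonymous") -contains $_.User.ToString()) -and
    ($_.AccessRights -notcontains "None")
}
if ($exposed) {
    Write-Warning "Folder '$FolderPath' is readable beyond the intended security group:"
    $exposed | Format-Table User, AccessRights -AutoSize
}

# 2. Administrators who can change the folder ACL (or their own membership) at will.
#    These role groups manage public folders and the Exchange organization itself.
foreach ($group in "Organization Management", "Public Folder Management") {
    Write-Host "`nMembers of role group '$group':"
    Get-RoleGroupMember -Identity $group | Select-Object Name, RecipientType
}

# 3. Audit trail. Admin audit logging records cmdlets that change permissions;
#    it does not record who merely opened or read the folder contents.
$audit = Get-AdminAuditLogConfig
if (-not $audit.AdminAuditLogEnabled) {
    Write-Warning "Admin audit logging is off; permission changes will not be recorded."
} else {
    # Permission changes on any public folder in the last 30 days.
    Search-AdminAuditLog -Cmdlets Add-PublicFolderClientPermission, Remove-PublicFolderClientPermission `
        -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
        Select-Object RunDate, Caller, CmdletName, ObjectModified |
        Format-Table -AutoSize
}
```

Run it with an account that holds the View-Only Organization Management role or higher; if the audit check warns, `Set-AdminAuditLogConfig -AdminAuditLogEnabled $true` turns logging on, but reads of the folder still leave no trace.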
  • Based on your post, I think Exchange may be good enough. I am the only one who manages the Exchange server and all public folders / mailboxes, when someone is fired the password is changed the same day, and there is no regulation. I will check into the online password managers as well though, just to see what seems more comfortable / likely to be used. Thanks for your answer! – Jeff Feb 20 '12 at 22:37