2

This is admittedly a duplicate of this question: Secure Exchange mailboxes

In short, how can Microsoft Exchange 2010 be configured such that email is only visible to the owner of that mailbox, and perhaps the owner/CEO of the organization?

The answers to the linked question dealt with admin trust and the Microsoft "model" for Exchange, that is, it is assumed that admins will have all the power.

But let's assume that simply isn't an option: as someone who is new to Exchange, and Microsoft products in general, I have been tasked with setting up Exchange in such a way. No one, except the owner of the company, should be able to see anyone's email but his own. We realize that this will limit what the "admin" can do (e.g. fix mailbox corruption), but that is acceptable.

Furthermore, as a follow-up to the general theme of the answers to the duplicate question I linked: is it really true, in large organizations that use Microsoft Exchange, that the Enterprise Admins can potentially read anyone's email? For example, at Microsoft itself, there is someone (possibly many people) who can potentially read Steve Ballmer's email? Or read sensitive HR documents about people's compensation, or maybe an employee asking about something like EAP (employee assistance program)? Or emails with the legal team, or conversations with the SEC, or perhaps an upcoming acquisition?

Matt
    I think the solution enterprises use to keep Admins from casually snooping on user mailboxes is to have the Exchange server send audit trails to a different server (a server that the Exchange admins don't have access to - sometimes that server is run by a separate security department). Any access to a mailbox would show up in those audit logs. – Johnny Apr 18 '13 at 23:26
  • possible duplicate of [Secure Exchange mailboxes](http://serverfault.com/questions/167384/secure-exchange-mailboxes) – mdpc Apr 19 '13 at 06:15
  • Unless you use email encryption (and not mailbox encryption), at the very least your email service provider and the one of the sender/recipient can read your email. – Tobias Kienzler Apr 19 '13 at 11:41
  • Generally speaking, yes, mail server admins can read anyone's mail. Just as the janitor can enter anyone's room, and the phone techs can tap anyone's phone, and the SAN admins can get at any file on the SAN. How to keep people from abusing their power is a social problem, not a technical one. – Jenny D Apr 19 '13 at 12:32

2 Answers

10

Yes, the MS model is very much centered around delegated trust. There are going to be super-users, and it is up to the Organization to manage who can see what, where. Engineering a system like you're looking for using Exchange will require some out-of-Exchange business practices.

  • Domain/Enterprise Admin accounts are not used. Such accounts are only broken out for very specific, and well logged, circumstances. These are the God users who can read and see everything.
    • Such actions are performed under the fly-with-a-friend rule. Anyone using such accounts will do so only with someone else there to watch.
    • Security EventLogs are tracked and admin-account usage cross-checked with approved usage. This critical audit step will help catch misuse of elevated credentials.
  • Admin users are delegated the rights they need, and no others. This is hard, as Domain Admin is so easy. But Admin users, such as ourselves, do not run with God rights. During setup, our accounts are delegated the rights we need to do what we do.
    • Sometimes one of those rights is: permitted to submit a request for elevated access under these specific circumstances.
  • The Exchange organization is broken into trust zones with local admin users. The group dealing with SEC communications has their own Mail Admin, who may have extended rights into the relevant user mailboxes. This person is inside the trust-boundary for this internal organization.
    • Yes, this does create a lot more Exchange admins. But that's what happens when centralization is not an option.

Yes, Microsoft really does expect an organization to hold users with elevated privileges to a higher standard of behavior. This is because so much of our routine work requires exposure to private data. If those takeover negotiations are subjected to Legal Hold, we need to get in there and set that up. If the CEO is having trouble getting their iPhone talking with Exchange, we'll be the ones figuring out why.

At my old job where I was such an Exchange admin, we had to sign several agreements relating to privacy policy, impersonation, and penalties for failing to comply with same.

sysadmin1138
  • You also need to take measures to prevent an admin from accessing the copies in your backups. – Grant Apr 19 '13 at 03:40
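As an added illustration of the audit-trail and least-privilege points made in this answer and in Johnny's comment (example commands, not code from the answer or from Microsoft's documentation), the following Exchange 2010 SP1 Management Shell commands turn on mailbox and admin audit logging, list who already holds non-owner access to a mailbox, and route a periodic audit report to a reviewer outside the Exchange admin group. The mailbox and reviewer addresses are placeholders.

```powershell
# Added example: run in the Exchange 2010 SP1 Management Shell.
# $Mailbox and $Reviewer are placeholders, not values from the question.
$Mailbox  = "ceo@example.com"            # mailbox whose non-owner access must be recorded
$Reviewer = "security-audit@example.com" # reviewer who is NOT an Exchange admin

# 1. Record every admin and delegate (i.e. non-owner) access to the mailbox,
#    including plain reads (MessageBind/FolderBind), and keep entries for a year.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditAdmin    Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,MessageBind `
    -AuditDelegate Update,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf `
    -AuditLogAgeLimit 365.00:00:00

# 2. Log every configuration cmdlet, so an admin granting themselves Full Access
#    or impersonation rights leaves a record in the admin audit log.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets "*" -AdminAuditLogParameters "*"

# 3. Who can already read this mailbox without being its owner?
#    Explicit (non-inherited) permissions other than the owner's own SELF entry.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User.ToString() -ne "NT AUTHORITY\SELF" } |
    Select-Object User, AccessRights

#    Anyone holding ApplicationImpersonation can act as any mailbox it covers.
Get-ManagementRoleAssignment -Role "ApplicationImpersonation" |
    Select-Object Name, RoleAssignee, RoleAssigneeType

# 4. Interactive review: non-owner access to the mailbox over the last 7 days.
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, FolderPathName, ItemSubject

# 5. Send the same report to the reviewer's mailbox, so the record lives with
#    someone the Exchange admins do not control (an asynchronous search).
New-MailboxAuditLogSearch -Name "Weekly non-owner access review" `
    -Mailboxes $Mailbox -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -StatusMailRecipients $Reviewer
```

Step 5 only helps if the reviewer's mailbox, and the server it lives on, are themselves outside the Exchange admins' reach, which is the organisational arrangement Johnny's comment describes.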
5

Mail encryption, performed on the client, where only the user has access to their private key, is the only foolproof way to accomplish this.

There are far too many ways an unscrupulous admin could "snoop"; it's impossible to account for them all.

This raises the question, though. Why are these untrusted admins still employed?

EEAA
  • Nearly +1 for the question in the last line, but encryption only goes so far. It'll still be trivial for the admin to see who you have been communicating with, and the subject of those emails (assuming that you don't delete those emails and proceed to take out the trash). – user Apr 19 '13 at 07:49