Microsoft Exchange Server Permission Insight

Question

I was just assigned management of our Exchange Servers. The person who installed and configured our Exchange 2010 Servers did not set up permissions correctly. I noticed that anyone within the organization can open a users mailbox without them being assigned. This is something the organization has NOT recognized as an issue but as a Network Administrator, is an major security issue.

Here is an example of what I am talking about.

A entry level engineer can open another engineers mailbox if they wanted. Again, I did NOT set permissions this way.

I am currently reading about the Exchange 2010 Server in order to properly figure everything out. However I need a quick fix right now. How can I set permissions so someone like a Entry Level Engineer can not open another engineers mailbox?

["setup" is not the same as "set up"](http://notaverb.com/setup). — ewwhite, Nov 09 '14 at 16:53

ewwhite · Accepted Answer · 2014-11-09T16:59:23.897

5

Please post the list of AD groups that this "Entry Level Engineer" belongs to.

In the Exchange Management Console, select a representative user and select "Manage Full Access Permission". It should look like this:

enter image description here

If there are other users or groups present in that dialog, that's where you'll need to begin to remove access.

This is something the organization has NOT recognized as an issue but as a Network Administrator, is an major security issue.

From a political perspective, though, don't come in guns blazin' to point out what the previous admin did incorrectly. There may have been a reason that this type of access was enabled. You'll look like a jackass for pursuing this without knowing the full context.

For example, I manage ~38 Exchange mail systems across a variety of clients. In some environments, non-technical principals or department heads request mailbox access to their users. I don't think any environment gives the presumption of email privacy on company systems. More advanced sites leverage journaling to accomplish the same. So get the full story before you make this a crusade...

edited Nov 09 '14 at 16:59

answered Nov 09 '14 at 16:52

ewwhite

194,921
91
434
799

I hate to see configurations like this myself, but very much *"get the full story before you make this a crusade."* It's worth noting that a normal install doesn't default to this, so this has to be a conscious change post-install, not someone ticking the wrong box in a setup wizard. – Rob Moir Nov 09 '14 at 19:36
The full story is the guy had no I.T background and is a Civil Engineer. He really did not know what he was doing, but the mail server did work. Again we are a small company, who finally decided to hire a I.T Admin(me who was a Network Admin), but one of the few things I have no experience is to set up a Exchange Server. I'll just read and learn. To be honest the above did not help me. I'm sure you are right about your answer(thus the vote up), however like I said things are pretty "messed up". I'm going to make two test mailboxes and go from their. Thanks for the help! – Benjamin Jones Nov 10 '14 at 01:24
1

Well, do you have any Active Directory experience? Some of the same security rules apply. Take an entry level user and look at the groups they belong to. Cross-reference them with the dialog posted in my answer. – ewwhite Nov 10 '14 at 01:28
Yes I do, with the Active Directory. Ya I think Im figuring it out. Thanks – Benjamin Jones Nov 10 '14 at 02:03
Figure it out due to your answer. The security principal I removed was different, but thanks! – Benjamin Jones Nov 10 '14 at 02:16

Microsoft Exchange Server Permission Insight

1 Answers1