BlackBerry Forums Support Community               

Closed Thread
 
LinkBack Thread Tools
Old 06-26-2008, 08:32 AM   #1 (permalink)
Knows Where the Search Button Is
 
Join Date: Nov 2005
Location: UK
Model: 7290
Carrier: Vodafone
Posts: 35
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default BES 4.1.5 - role based access vs domain admin access?

Please Login to Remove!

Hi All

Excuse my ignorenace as previously worked in a company where we had BES 4.0, and only a few people had BES access, me included.

In my new conpany I have joined, I have found out that everyone in IT has domain admin access to the BES? Its running 4.1.5 which I beleive has option to enable role based access.

Can anyone advise me on the argument I can use to remove domain admin access from the BES and request they look at role based?
Currently we have 200+ users and growing.

Thanks

Scott
Offline  
Old 06-26-2008, 10:18 AM   #2 (permalink)
BlackBerry Genius
 
hdawg's Avatar
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by slewis1972 View Post
Hi All

Excuse my ignorenace as previously worked in a company where we had BES 4.0, and only a few people had BES access, me included.

In my new conpany I have joined, I have found out that everyone in IT has domain admin access to the BES? Its running 4.1.5 which I beleive has option to enable role based access.

Can anyone advise me on the argument I can use to remove domain admin access from the BES and request they look at role based?
Currently we have 200+ users and growing.

Thanks

Scott
... because you should follow the principle of least privilege


Why do they need to be domain admins? Yes it gives you access to most everything within all applications / servers ... but what business needs says domain admin? Because they don't know other ways to set things up?
Offline  
Old 06-30-2008, 04:11 AM   #3 (permalink)
Knows Where the Search Button Is
 
Join Date: Nov 2005
Location: UK
Model: 7290
Carrier: Vodafone
Posts: 35
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I agree 100% with that, and based on that - what sort of damage can say a domain admin do on a BES with say email infrasturre (as we use it with exchange). Need to cover all the bases before i go in with my argument as most IT staff seem to have domain access. With the BES being pretty darn inportant, I need to get my facts correct as if I can alter the users access on this server, then this may get them to think about everyones access in general.

Scott
Offline  
Old 06-30-2008, 07:37 AM   #4 (permalink)
BlackBerry Genius
 
hdawg's Avatar
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by slewis1972 View Post
I agree 100% with that, and based on that - what sort of damage can say a domain admin do on a BES with say email infrasturre (as we use it with exchange). Need to cover all the bases before i go in with my argument as most IT staff seem to have domain access. With the BES being pretty darn inportant, I need to get my facts correct as if I can alter the users access on this server, then this may get them to think about everyones access in general.

Scott
A Domain Admin can shut down a BES, delete files from the BES, view logs ...

In theory this same Domain Admin could gain access to the SQL server with the BESMgmt database and have access to license data, they could corrupt the database ... pretty much ruin the entire BES environment.
Offline  
Closed Thread


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On





Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.