BlackBerry Forums Support Community               

Thread: BES Send As issues – how are you addressing it?

#1, 03-30-2009, 04:29 PM, posted by owensct (New Member, Kaneohe, Hawaii)

Hi all,

I have a question regarding the BES on MS Exchange and "Send As" permissions.

We are in the process of piloting a BB BES and seeing if it will be a viable solution for our organization.

I have run into a problem in regards to “Send As” permissions. All of our IS staff are domain admins, (we are a small shop) and as many of you know if you give “Send As” to a profile that is listed as a domain Admin, Exchange will delete it within the hour, (good ole MS trying to do our thinking for us). So we can get e-mail on our BB’s but can’t send.

Now our Network administrator doesn't administer our Exchange server, but rather brings in a consultant to handle it. So I did some research and found a variety of different solutions to work around this issue, which I then passed along to him. He then passed them along to our consultant (he works in military IS and consults on the side).

His response to all the suggested solutions was Oh No!! You can’t do any of these your network won’t be secure. His recommendation was that we create separate user accounts for IS staff for performing domain admin tasks and then use their current account for the berries and remove domain admin privileges.

I realize that this is a doable solution, but I am looking for something that is a little more elegant for our IS staff without adding a secondary layer of complexity to their jobs.

I also am a little reluctant to give too much weight to his advice, as he also told our network admin that we should move our BES into the DMZ!!

So I wanted to poll some of you who are running Exchange and BES with users who need to be Domain Admins to see how you are addressing this issue. Also, I realize that security is always important, but I would also be curious as to what level of security you feel is necessary in your environment (on a scale of 1-10 I would put the criticality of our data at a 8 due to privacy laws), I think we all recognize that in this world there is a need for security and then for some organizations there is a need for SECURITY!!

Your thoughts are appreciated.

Thanks

Gordon

#2, 03-30-2009, 04:37 PM, posted by penguin3107 (BlackBerry God)

Quote:
Originally Posted by owensct
His response to all the suggested solutions was Oh No!! You can't do any of these your network won't be secure. His recommendation was that we create separate user accounts for IS staff for performing domain admin tasks and then use their current account for the berries and remove domain admin privileges.
This is EXACTLY what you should do.
It's called the Principle of Least Privilege, and it's basic admin stuff. Best practices for sure.

You would be wise to follow that advice.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org

#3, 03-30-2009, 04:41 PM, posted by knottyrope (BlackBerry Elite)

Also
BES in DMZ knot supported, but you can place the BES router there if you love firewall rules and headaches. (I have seen many that gave up on it after trying)
__________________
unlock your phone here http://cellunlocker.net/blackberry-unlock.php
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Passport, Z30, Z10 and Q10

Last edited by knottyrope : 03-30-2009 at 04:44 PM.

#4, 03-30-2009, 04:44 PM, posted by a CrackBerry Addict (Rogers)

Quote:
Originally Posted by penguin3107
This is EXACTLY what you should do.
It's called the Principle of Least Privilege, and it's basic admin stuff. Best practices for sure.

You would be wise to follow that advice.
I would agree.

We don't follow this though - we're bad, we know it. On the other hand, after visiting a satellite office and seeing a guy with post it notes taped to his laptop with every password he uses, makes me feel like we're not the weakest link.

I do not logon to Servers, don't even have access to do so, but managing exchange is a bit different since you rely on a client (Outlook) for much of the managing and archiving of data of others.

#5, 03-30-2009, 04:48 PM, posted by a Thumbs Must Hurt member (VZW)

The consultant's recommendation is the right one, in regards to the most secure solution!

The way around it is run both scripts in MS KB 907434. Then grant the Send As permission to the user objects in question.

#6, 03-30-2009, 05:18 PM, posted by stuwhite (Feeling Blue, Bigly)

Have to agree with the Penguin Mantra as always. Even for a small shop, domain admin should be domain admin and users are users. Having two accounts isn't a hassle; I have never worked anywhere serious where I haven't had two accounts. It's good protection for your staff also, as at the moment they can be accused of doing anything as they have the power. Restrict access to an elevated privilege account then audit it like h3ll, keeps those SOX boys at bay too.
__________________
I was a BES and Exchange admin once.
Then my world turned Blue.

#7, 03-30-2009, 07:01 PM, posted by Harry Azol (Knows Where the Search Button Is)

I know it's not what you want to hear - but the BEST solution is to split into normal user accounts with mailboxes and secondary domain admin accounts.

Having said that, I have previously used a single account for everything. While it was easier at the time, I was always scared of coworkers making careless mistakes and/or getting malware/viruses on their desktops/laptops.

#8, 03-30-2009, 07:55 PM, posted by the same CrackBerry Addict (Rogers)

Quote:
Originally Posted by Harry Azol
I know it's not what you want to hear - but the BEST solution is to split into normal user accounts with mailboxes and secondary domain admin accounts.

Having said that, I have previously used a single account for everything. While it was easier at the time, I was always scared of coworkers making careless mistakes and/or getting malware/viruses on their desktops/laptops
This is the other thing I avoid too - not logging on to any other computer other than my own with privileges. When I have to login somewhere else, I'll use a generic account.

#9, 03-30-2009, 11:23 PM, posted by owensct (New Member)
Two accounts it is

Thanks for all the excellent feedback.

Looks like the winner is separate accounts for domain admin and BES/E-mail user.

Gordon

#10, 03-31-2009, 12:11 PM, posted by silver_2000 (Thumbs Must Hurt)

It's more than just domain admins, as I understand it.

The "user" account can't be a member of any of these groups:

* Enterprise Admins
* Schema Admins
* Domain Admins
* Administrators
* Domain Controllers
* Cert Publishers
* Backup Operators
* Replicator
* Server Operators
* Account Operators
* Print Operators

Which means for most admins that one account has rights and the other account has NONE.
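The mechanism behind the behaviour described in the first post and in post #10 is AdminSDHolder: the SDProp process on the PDC emulator (every 60 minutes by default) rewrites the ACL of every account that is a member of one of those groups, or that still carries adminCount=1, from the AdminSDHolder template, which is why an explicitly granted Send As ACE disappears "within the hour". The script below is an added example, not code from the thread or from KB 907434 (post #5): it checks each candidate mailbox account for that protection before granting the BES service account Send As, and verifies the ACE afterwards. It assumes an Exchange 2007 Management Shell with the ActiveDirectory module available (Windows Server 2008 R2 or RSAT), a service account named CORP\BESAdmin, and the account names in $Candidates; all three are placeholders.

```powershell
# Added example, not from the thread or from KB 907434.
# Assumptions: Exchange 2007 Management Shell with the ActiveDirectory module
# available, a BES service account named CORP\BESAdmin, and the candidate
# account names below. Adjust all three for your domain.
Import-Module ActiveDirectory

$BesServiceAccount = 'CORP\BESAdmin'                # assumed name
$Candidates        = @('gordon', 'fred', 'bu-fred')  # assumed sAMAccountNames

# Default AdminSDHolder-protected groups (the list from post #10, with
# "Replicator" and "Server Operators" as the two separate groups they are).
$ProtectedGroups = @('Enterprise Admins', 'Schema Admins', 'Domain Admins',
    'Administrators', 'Domain Controllers', 'Cert Publishers', 'Backup Operators',
    'Replicator', 'Server Operators', 'Account Operators', 'Print Operators')

# Resolve nested membership once: SID -> the protected group that pulls it in.
$ProtectedSids = @{}
foreach ($groupName in $ProtectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # Enterprise/Schema Admins only exist in the forest root
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $ProtectedSids[$_.SID.Value] = $groupName }
}

function Test-AdminSdHolderProtected {
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $why = @()
    if ($user.adminCount -eq 1) { $why += 'adminCount=1' }
    if ($ProtectedSids.ContainsKey($user.SID.Value)) {
        $why += "member of '$($ProtectedSids[$user.SID.Value])'"
    }
    New-Object PSObject -Property @{
        User              = $SamAccountName
        DistinguishedName = $user.DistinguishedName
        Protected         = ($why.Count -gt 0)
        Why               = ($why -join '; ')
    }
}

foreach ($name in $Candidates) {
    $check = Test-AdminSdHolderProtected -SamAccountName $name
    if ($check.Protected) {
        # SDProp will overwrite this object's ACL from AdminSDHolder and drop the
        # Send-As ACE on its next pass, so granting it here only looks like it worked.
        Write-Warning "$name is protected ($($check.Why)); Send-As would be stripped. Use a separate, unprivileged mailbox account."
        continue
    }
    Add-ADPermission -Identity $check.DistinguishedName -User $BesServiceAccount -ExtendedRights 'Send-As' | Out-Null

    # Verify the ACE really landed: explicit (not inherited), not a Deny, Send-As.
    $ace = Get-ADPermission -Identity $check.DistinguishedName -User $BesServiceAccount |
        Where-Object {
            -not $_.Deny -and -not $_.IsInherited -and
            (($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'Send-As')
        }
    if ($ace) { "$name : Send-As granted to $BesServiceAccount" }
    else      { Write-Warning "$name : Send-As ACE not present after Add-ADPermission" }
}
```

Run it again an hour later: any account the check passed should still show the ACE, and any that lost it was protected through a nested group the check did not see (for example a group in another domain of the forest).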

#11, 03-31-2009, 12:12 PM, posted by penguin3107 (BlackBerry God)

Quote:
Originally Posted by silver_2000
Which means for most admins that one account has rights and the other account has NONE.
That's exactly how it should be.

#12, 03-31-2009, 01:16 PM, posted by silver_2000 (Thumbs Must Hurt)

Quote:
Originally Posted by penguin3107
That's exactly how it should be.
So other than check email, what is the user account used for?

#13, 03-31-2009, 01:22 PM, posted by stuwhite (Feeling Blue, Bigly)

Quote:
Originally Posted by silver_2000
So other than check email what is the user account used for ?
What else does a std user need? Std users authenticate against standard secured resources, like mailboxes, fileshares and printers and have no reason to be in those protected groups. If Fred in finance runs backups, he gets domain\bu-fred for that and does everything else as domain\fred. As we said earlier, that automatically makes auditing and reporting a lot easier. With the coming of SOX and tighter controls, the days of a couple of guys with god-like accounts are fading fast in the corporate world.
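The split the thread settles on in post #9, with the naming convention from post #13 (domain\fred keeps the mailbox, domain\bu-fred gets the rights), as an added example rather than anything posted in the thread. The important detail is step 3: taking the old account out of Domain Admins does not undo AdminSDHolder. adminCount stays at 1 and ACL inheritance stays disabled on that object until someone clears them, so Exchange permissions would still fail to inherit on the "demoted" mailbox account. The script assumes the ActiveDirectory module, an OU named "Admin Accounts" for the privileged twins, and the 'bu-' prefix; the OU path and prefix are placeholders.

```powershell
# Added example, not from the thread. Splits one account that has both a mailbox
# and privileged group membership into a standard account plus a 'bu-' admin twin.
# Assumptions: ActiveDirectory module, an admin OU, the 'bu-' naming convention
# from post #13, and that the admin account never gets a mailbox.
Import-Module ActiveDirectory

$ProtectedGroups = @('Enterprise Admins', 'Schema Admins', 'Domain Admins',
    'Administrators', 'Domain Controllers', 'Cert Publishers', 'Backup Operators',
    'Replicator', 'Server Operators', 'Account Operators', 'Print Operators')

function Split-AdminAccount {
    param(
        [string]$SamAccountName,                                     # the current "god" account
        [string]$AdminOu = 'OU=Admin Accounts,DC=corp,DC=example',  # assumed OU
        [string]$Prefix  = 'bu-'                                     # assumed convention
    )
    $user     = Get-ADUser -Identity $SamAccountName -Properties memberOf, adminCount, DisplayName
    $adminSam = "$Prefix$SamAccountName"

    # Direct memberships in protected groups. Nested admin groups are better
    # handled group by group than per user, so only direct membership is moved here.
    $protectedMemberships = $user.memberOf |
        ForEach-Object { Get-ADGroup -Identity $_ } |
        Where-Object { $ProtectedGroups -contains $_.Name }
    if (-not $protectedMemberships) {
        Write-Host "$SamAccountName holds no protected membership; nothing to split"
        return
    }

    # 1. Create the admin twin: no mailbox, must change password, not delegatable
    #    (so a compromised service cannot impersonate it via Kerberos delegation).
    $initialPassword = Read-Host -AsSecureString "Initial password for $adminSam"
    New-ADUser -Name $adminSam -SamAccountName $adminSam -Path $AdminOu `
        -DisplayName "$($user.DisplayName) (admin)" -AccountPassword $initialPassword `
        -ChangePasswordAtLogon $true -AccountNotDelegated $true -Enabled $true

    # 2. Move the privileged memberships across.
    foreach ($group in $protectedMemberships) {
        Add-ADGroupMember    -Identity $group -Members $adminSam
        Remove-ADGroupMember -Identity $group -Members $SamAccountName -Confirm:$false
    }

    # 3. Undo the AdminSDHolder marks on the now-standard account, otherwise Exchange
    #    permissions (and any other inherited ACEs) still do not apply to it. If the
    #    account is still nested in another protected group, SDProp simply sets
    #    adminCount=1 again on its next pass, which is a useful tell.
    Set-ADUser -Identity $SamAccountName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance, keep explicit ACEs
    Set-Acl -Path "AD:\$($user.DistinguishedName)" -AclObject $acl

    New-Object PSObject -Property @{
        StandardAccount = $SamAccountName
        AdminAccount    = $adminSam
        MovedGroups     = ($protectedMemberships | ForEach-Object { $_.Name })
    }
}

# Split-AdminAccount -SamAccountName 'fred'
```

Because the standard account keeps its SID, its mailbox, file-share and printer access are untouched; only the group memberships move. The admin twin gets no mailbox on purpose, which is also what keeps it out of the BES and out of the Send As problem entirely.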

#14, 03-31-2009, 01:29 PM, posted by silver_2000 (Thumbs Must Hurt)

Quote:
Originally Posted by stuwhite
What else does a std user need? Std users authenticate against standard secured resources, like mailboxes, fileshares and printers and have no reason to be in those protected groups. If Fred in finance runs backups, he gets domain\bu-fred for that and does everything else as domain\fred. As we said earlier, that automatically makes auditing and reporting a lot easier. With the coming of SOX and tighter controls, the days of a couple of guys with god-like accounts are fading fast in the corporate world.
Your work flow is not the same as the next guys.

No one in finance is a member of any of those privileged groups. That's not how our organization is run.

Since most applications and older versions of Windows don't support run as,
anyone doing any real server work will be logged in as the privileged account most of the time.

Since 130% of their day is spent using the privileges, the ONLY thing most infrastructure guys would do with the regular account is check email.

SOX has been around for years. Your SOX controls are your SOX controls. They don't apply universally.

Rather than slap my wrist and repeat the mantra, why not give practical examples of how a Server Admin in your organization works with these requirements.

Last edited by silver_2000 : 03-31-2009 at 01:35 PM.

#15, 03-31-2009, 01:42 PM, posted by stuwhite (Feeling Blue, Bigly)

Quote:
Originally Posted by silver_2000
Your work flow is not the same as the next guys.
Where did I say it was? We are all talking about best practise here, read the thread.

Quote:
Originally Posted by silver_2000
No one in finance is a member of any of those privileged groups.
It's called an example mate. If my workflow is different from yours, how can you say that?

Quote:
Originally Posted by silver_2000
Since most applications and older versions of Windows don't support run as
anyone doing any real work will be logged in as the privileged account most of the time.
That's a very sweeping statement to make; many, many apps support runas. I use my privileged account for sysadmin stuff, I am logged on to email and std user stuff as std user. This has been the way in many companies over many years.

Quote:
Originally Posted by silver_2000
Since 130% of their day is spent using the privileges the ONLY thing most infrastructure guys would do with the regular account is check email.
Another sweeping statement and not true in my experience.

Quote:
Originally Posted by silver_2000
SOX has been around for years.
I know, thanks. I have been qualified in SOX since it was brought in.

Quote:
Originally Posted by silver_2000
Your SOX controls are your SOX controls. They don't apply universally.
Again, I never said they did. I am merely enforcing the point that things like SOX (which applies to a large amount of people on this forum) increase the need for easier auditing and monitoring, which the dual account provides.

If you read my comments properly before responding to them, you may save yourself some time.

#16, 03-31-2009, 03:37 PM, posted by silver_2000 (Thumbs Must Hurt)

Quote:
Originally Posted by stuwhite
Where did I say it was? We are all talking about best practise here, read the thread.

It's called an example mate. If my workflow is different from yours, how can you say that?

That's a very sweeping statement to make; many, many apps support runas. I use my privileged account for sysadmin stuff, I am logged on to email and std user stuff as std user. This has been the way in many companies over many years.

Another sweeping statement and not true in my experience.

I know, thanks. I have been qualified in SOX since it was brought in.

Again, I never said they did. I am merely enforcing the point that things like SOX (which applies to a large amount of people on this forum) increase the need for easier auditing and monitoring, which the dual account provides.

If you read my comments properly before responding to them, you may save yourself some time.
I read them, twice. The lack of context, tone and body language allowed me to read them as I did. I read what you typed, but it clearly wasn't what you meant.

I wasn't asking for your version of best practices; I was asking for examples. Most companies view best practices as a goal; it's reached in some cases and not in others, based on business need and workflow.

You still haven't provided an example of how you manage to be logged in as a mail user and are able to do things that require privileges without using 2 machines, using run as, or logging out and logging in all day.

I'm clearly asking the wrong questions in the wrong thread.
Your last line amazes me. Very helpful, thank you.

#17, 03-31-2009, 03:58 PM, posted by stuwhite (Feeling Blue, Bigly)

Quote:
Originally Posted by silver_2000
I'm clearly asking the wrong questions in the wrong thread. Your last line amazes me. Very helpful, thank you.
You comment about the lack of context, tone and body language then use sarcasm. Doesn't really allow for clarity on a forum, does it? There are plenty of threads about the privileged groups and this thread wasn't one of those. You hijacked it and we continued discussing it out of courtesy. If a search of the forum doesn't answer your questions, feel free to post a new thread where you can better control the context of the responses.

#18, 03-31-2009, 04:24 PM, posted by knottyrope (BlackBerry Elite)

Quote:
You still haven't provided an example of how you manage to be logged in as a mail user and are able to do things that require privileges without using 2 machines, using run as, or logging out and logging in all day.
Huh, 2 machines? RDP works nice.

#19, 03-31-2009, 11:52 PM, posted by Harry Azol (Knows Where the Search Button Is)

Quote:
Originally Posted by knottyrope
Huh, 2 machines? RDP works nice.
Exactly. Plus runas for RSAT/other local consoles.

#20, 04-01-2009, 03:44 AM, posted by a BlackBerry Extraordinaire (Basel, Swisscom)

Let me join the debate. Best practice in our shop:

Standard user account (mail, internet surfing, access to needed fileshares)

Sysadmin user account (domain admin, no mail, no internet).

Two machines for all sysadmins, one always logged in as user, the other always logged in as sysadmin.

BES administration through RDP with special BES account that is not domain admin.

That works perfectly for us and we don't feel that switching machines for sysadmin tasks is a hassle.
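Posts #6 ("audit it like h3ll"), #7 (malware on a coworker's desktop), #18 to #20 (RDP, runas, or a second machine) all come down to one invariant that can actually be checked: privileged credentials should only ever be typed into servers, and mailbox accounts should never be doing server work. The script below is an added example, not from the thread, that applies that rule to Security log logon events (event 4624 on Windows Server 2008 and later; 528/540 are the Windows 2003 equivalents). Logon types 2 (console) and 10 (RDP) leave reusable credentials on the target machine, type 3 (network, which is what an RSAT console or a share access produces) does not, which is why runas plus RDP from a workstation is acceptable while a console logon as the admin account is the thing to flag. It assumes the 'bu-' admin naming from post #13 and a WS- prefix for workstations, and the five sample records are constructed for the demo; Import-SecurityLogons shows the live query.

```powershell
# Added example, not from the thread. Flags admin accounts whose credentials land
# on workstations, and standard (mailbox) accounts working interactively on servers.
# Assumptions: admin accounts are named 'bu-<user>' (post #13), workstations are
# named WS-*, and $SampleLogons below is constructed for the demo.

$AdminPattern       = '^bu-'   # assumed naming convention for admin accounts
$WorkstationPattern = '^WS-'   # assumed naming convention for workstations

# Event 4624 logon types that leave reusable credentials on the target:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP). Type 3 (network) does not.
$CachingLogonTypes = @(2, 10)

function Get-LogonRisk {
    param([Parameter(ValueFromPipeline = $true)] $Logon)
    process {
        $isAdmin = $Logon.Account  -match $AdminPattern
        $isWs    = $Logon.Computer -match $WorkstationPattern
        $caches  = $CachingLogonTypes -contains $Logon.LogonType
        $verdict = 'ok'
        if ($isAdmin -and $isWs -and $caches) {
            $verdict = 'ADMIN CREDS ON WORKSTATION'   # desktop malware now owns the domain
        } elseif (-not $isAdmin -and -not $isWs -and $caches) {
            $verdict = 'STANDARD ACCOUNT ON SERVER'   # the mailbox account is doing server work
        } elseif ($isAdmin -and -not $caches) {
            $verdict = 'ok (network logon, no cached creds)'
        }
        New-Object PSObject -Property @{
            Time = $Logon.Time; Account = $Logon.Account; Computer = $Logon.Computer
            Source = $Logon.Source; LogonType = $Logon.LogonType; Verdict = $verdict
        }
    }
}

# Constructed sample records, in the shape Import-SecurityLogons produces.
$SampleLogons = @(
    @{ Time = '03-31-2009 09:02'; Computer = 'SRV-EXCH01'; Account = 'bu-fred'; LogonType = 10; Source = 'WS-FRED' },
    @{ Time = '03-31-2009 09:05'; Computer = 'WS-FRED';    Account = 'fred';    LogonType = 2;  Source = 'WS-FRED' },
    @{ Time = '03-31-2009 11:40'; Computer = 'WS-FRED';    Account = 'bu-fred'; LogonType = 2;  Source = 'WS-FRED' },
    @{ Time = '03-31-2009 13:15'; Computer = 'SRV-EXCH01'; Account = 'fred';    LogonType = 10; Source = 'WS-FRED' },
    @{ Time = '03-31-2009 14:00'; Computer = 'DC01';       Account = 'bu-fred'; LogonType = 3;  Source = 'WS-FRED' }
) | ForEach-Object { New-Object PSObject -Property $_ }

# Expected: rows 3 and 4 are flagged, the RDP-to-server and network logons are ok.
$SampleLogons | Get-LogonRisk | Format-Table Time, Account, Computer, LogonType, Verdict -AutoSize

# Live version for a Windows Server 2008+ Security log; same output shape.
function Import-SecurityLogons {
    param([string]$ComputerName = '.')
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time = $_.TimeCreated; Computer = $_.MachineName
                Account = $data['TargetUserName']; LogonType = [int]$data['LogonType']
                Source = $data['WorkstationName']
            }
        }
}
# Import-SecurityLogons -ComputerName 'SRV-EXCH01' | Get-LogonRisk | Where-Object { $_.Verdict -notlike 'ok*' }
```

Pointed at the BES and Exchange servers plus a sample of workstations, the two flagged verdicts are exactly the audit trail post #6 is after: an admin account appearing on a workstation at logon type 2 means someone is back to using one account for everything.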
Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.