03-30-2009, 03:29 PM
#1
New Member
Join Date: Dec 2005
Location: Kaneohe, Hawaii
Model: 7250
OS: Win XP
Carrier: Verizon
Posts: 3
BES Send As issues – how are you addressing it?
Hi all,
I have a question regarding the BES on MS Exchange and “Send As” permissions.
We are in the process of piloting a BB BES and seeing if it will be a viable solution for our organization.
I have run into a problem in regards to “Send As” permissions. All of our IS staff are domain admins, (we are a small shop) and as many of you know if you give “Send As” to a profile that is listed as a domain Admin, Exchange will delete it within the hour, (good ole MS trying to do our thinking for us). So we can get e-mail on our BB’s but can’t send.
Now our Network administrator doesn’t administer our Exchange server, but rather brings in a consultant to handle it. So I did some research and found a variety of different solutions to work around this issue, which I then passed along to him. He then passed them along to our consultant (he works in military IS and consults on the side).
His response to all the suggested solutions was Oh No!! You can’t do any of these, your network won’t be secure. His recommendation was that we create separate user accounts for IS staff for performing domain admin tasks and then use their current account for the berries and remove domain admin privileges.
I realize that this is a doable solution, but I’m looking for something that is a little more elegant for our IS staff without adding a secondary layer of complexity to their jobs.
I also am a little reluctant to give too much weight to his advice as he also told our network admin that we should move our BES into the DMZ!!
So I wanted to poll some of you who are running Exchange and BES with users who need to be Domain Admins to see how you are addressing this issue. Also, I realize that security is always important, but I would also be curious as to what level of security you feel is necessary in your environment (on a scale of 1-10 I would put the criticality of our data at a 8 due to privacy laws), I think we all recognize that in this world there is a need for security and then for some organizations there is a need for SECURITY!!
Your thoughts are appreciated.
Thanks
Gordon
03-30-2009, 03:37 PM
#2
BlackBerry God
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Quote:
Originally Posted by owensct
His response to all the suggested solutions was Oh No!! You can’t do any of these your network won’t be secure. His recommendation was that we create separate user accounts for IS staff for performing domain admin tasks and then use their current account for the berries and remove domain admin privileges.
This is EXACTLY what you should do.
It's called the Principle of Least Privilege, and it's basic admin stuff. Best practices for sure.
You would be wise to follow that advice.
03-30-2009, 03:41 PM
#3
BlackBerry Elite
Join Date: Jan 2008
Location: Massachusetts
Model: DT60
OS: 123456789
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 7,325
Also
BES in DMZ knot supported, but you can place the BES router there if you love firewall rules and headaches. (I have seen many that gave up on it after trying.)
__________________
I had to fall
To lose it all
But in the end
It doesn't even matter
Rocking the Motion with out lotion.
Last edited by knottyrope; 03-30-2009 at 03:44 PM..
03-30-2009, 03:44 PM
#4
CrackBerry Addict
Join Date: Jan 2008
Model: 9700
PIN: N/A
Carrier: Rogers
Posts: 709
Quote:
Originally Posted by penguin3107
This is EXACTLY what you should do.
It's called the Principle of Least Privilege, and it's basic admin stuff. Best practices for sure.
You would be wise to follow that advice.
I would agree.
We don't follow this though - we're bad, we know it. On the other hand, after visiting a satellite office and seeing a guy with post-it notes taped to his laptop with every password he uses, I feel like we're not the weakest link.
I do not log on to servers, don't even have access to do so, but managing Exchange is a bit different since you rely on a client (Outlook) for much of the managing and archiving of data of others.
03-30-2009, 03:48 PM
#5
Thumbs Must Hurt
Join Date: Mar 2009
Model: 8330
PIN: N/A
Carrier: VZW
Posts: 122
The consultant's recommendation is the right one, in regards to the most secure solution!
The way around it is run both scripts in MS KB 907434. Then grant the Send As permission to the user objects in question.
03-30-2009, 04:18 PM
#6
Feeling Blue, Bigly ;->
Join Date: Jan 2007
Location: U to the K
Model: 9000
PIN: 3, it's the magic number
Carrier: Most of them, it's a Global Village man!
Posts: 1,273
Have to agree with the Penguin Mantra as always. Even for a small shop, domain admin should be domain admin and users are users. Having two accounts isn't a hassle, I have never worked anywhere serious where I haven't had two accounts. It's good protection for your staff also, as at the moment they can be accused of doing anything as they have the power. Restrict access to an elevated privilege account then audit it like h3ll, keeps those SOX boys at bay too.
__________________
I was a BES and Exchange admin once.
Then my world turned Blue.
03-30-2009, 06:01 PM
#7
Knows Where the Search Button Is
Join Date: Mar 2009
Model: yes
PIN: N/A
Carrier: yes
Posts: 35
I know it's not what you want to hear - but the BEST solution is to split into normal user accounts with mailboxes and secondary domain admin accounts.
Having said that, I have previously used a single account for everything. While it was easier at the time, I was always scared of coworkers making careless mistakes and/or getting malware/viruses on their desktops/laptops.
03-30-2009, 06:55 PM
#8
CrackBerry Addict
Join Date: Jan 2008
Model: 9700
PIN: N/A
Carrier: Rogers
Posts: 709
Quote:
Originally Posted by Harry Azol
I know it's not what you want to hear - but the BEST solution is to split into normal user accounts with mailboxes and secondary domain admin accounts.
Having said that, I have previously used a single account for everything. While it was easier at the time, I was always scared of coworkers making careless mistakes and/or getting malware/viruses on their desktops/laptops
This is the other thing I avoid too - not logging on to any other computer other than my own with privileges. When I have to login somewhere else, I'll use a generic account.
03-30-2009, 10:23 PM
#9
New Member
Join Date: Dec 2005
Location: Kaneohe, Hawaii
Model: 7250
OS: Win XP
Carrier: Verizon
Posts: 3
Two accounts it is
Thanks for all the excellent feedback.
Looks like the winner is separate accounts for domain admin and BES/E-mail user.
Gordon
03-31-2009, 11:11 AM
#10
Thumbs Must Hurt
Join Date: Mar 2006
Model: 8820
Carrier: ATT
Posts: 85
It's more than just domain admins as I understand it.
The "user" account can't be a member of any of these groups:
* Enterprise Admins
* Schema Admins
* Domain Admins
* Administrators
* Domain Controllers
* Cert Publishers
* Backup Operators
* Replicator
* Server Operators
* Account Operators
* Print Operators
Which means for most admins that one account has rights and the other account has NONE.
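Added example, not code from the thread or from the KB article cited in post #5. The mechanism behind the OP's "Exchange deletes it within the hour" is the AdminSDHolder/SDProp process on the domain, which periodically (every 60 minutes by default) resets the ACL of every member of the protected groups listed above to match the AdminSDHolder template, wiping the Send As ACE the BES service account needs. The script below finds the mail-enabled users in those groups, reports whether the BES account holds Send As on each one right now, and provides a cleanup step for after you move an account out of the protected groups. Assumptions: the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), English default group names, a populated `mail` attribute as the mailbox indicator, and `CONTOSO\BESAdmin` as a placeholder for the BES service account name.

```powershell
# Added example (not from the thread). Audits which accounts will have a manually
# granted Send As right stripped by AdminSDHolder/SDProp. Assumes the ActiveDirectory
# module; 'CONTOSO\BESAdmin' and the group names are placeholders/defaults.
Import-Module ActiveDirectory

# Protected groups as listed in the post. "Replicator" and "Server Operators" are two groups.
$ProtectedGroups = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
    'Domain Controllers', 'Cert Publishers', 'Backup Operators', 'Replicator',
    'Server Operators', 'Account Operators', 'Print Operators'
)

# Extended-right GUID for Send-As in the AD schema.
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

function Get-ProtectedGroupMembership {
    # Returns a hashtable: user DN -> array of protected groups the user belongs to
    # (directly or through nesting). Groups absent in this domain are skipped.
    $map = @{}
    foreach ($name in $ProtectedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                if (-not $map.ContainsKey($_.DistinguishedName)) {
                    $map[$_.DistinguishedName] = @()
                }
                $map[$_.DistinguishedName] += $name
            }
    }
    return $map
}

function Get-SendAsTrustees {
    # Returns the identities holding an explicit Allow Send-As ACE on the object.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $_.ObjectType -eq $SendAsGuid
        } |
        ForEach-Object { $_.IdentityReference.Value }
}

function Find-ProtectedMailboxUsers {
    # One row per mail-enabled user in a protected group, with whether the BES
    # service account currently holds Send-As on it. adminCount = 1 means SDProp
    # has already touched the object and will keep doing so.
    param([string]$BesServiceAccount)
    $membership = Get-ProtectedGroupMembership
    foreach ($dn in $membership.Keys) {
        $u = Get-ADUser -Identity $dn -Properties adminCount, mail
        if (-not $u.mail) { continue }          # no mailbox, nothing for BES to send from
        $trustees = @(Get-SendAsTrustees -DistinguishedName $dn)
        New-Object PSObject -Property @{
            User         = $u.SamAccountName
            Groups       = ($membership[$dn] -join ', ')
            AdminCount   = $u.adminCount
            BesHasSendAs = ($trustees -contains $BesServiceAccount)
        }
    }
}

function Clear-AdminSdHolderResidue {
    # Run this AFTER an account has been removed from every protected group (the fix
    # the thread settles on). SDProp does not undo its own work: adminCount stays 1
    # and ACL inheritance stays disabled, so the account keeps the locked-down,
    # non-inheriting ACL and delegated permissions never reach it.
    param([string]$DistinguishedName)
    Set-ADUser -Identity $DistinguishedName -Clear adminCount
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance, keep explicit ACEs
    Set-Acl -Path ("AD:\" + $DistinguishedName) -AclObject $acl
}

# Usage: report, then (once an account is out of the groups) clean up its residue.
Find-ProtectedMailboxUsers -BesServiceAccount 'CONTOSO\BESAdmin' |
    Format-Table User, Groups, AdminCount, BesHasSendAs -AutoSize
# Clear-AdminSdHolderResidue -DistinguishedName 'CN=Gordon,OU=IS,DC=contoso,DC=com'
```

A row showing `AdminCount 1` and `BesHasSendAs True` is the OP's situation: the grant exists now and will be gone at the next SDProp pass. The KB 907434 scripts mentioned in post #5 take the other route, changing what the AdminSDHolder template pushes so the Send As ACE survives the reset; that keeps the admin accounts as mailbox users, which is exactly the coupling the rest of the thread argues against.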
03-31-2009, 11:12 AM
#11
BlackBerry God
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Quote:
Originally Posted by silver_2000
Which means for most admins that one account has rights and the other account has NONE.
That's exactly how it should be.
03-31-2009, 12:16 PM
#12
Thumbs Must Hurt
Join Date: Mar 2006
Model: 8820
Carrier: ATT
Posts: 85
Quote:
Originally Posted by penguin3107
That's exactly how it should be.
So other than check email what is the user account used for ?
03-31-2009, 12:22 PM
#13
Feeling Blue, Bigly ;->
Join Date: Jan 2007
Location: U to the K
Model: 9000
PIN: 3, it's the magic number
Carrier: Most of them, it's a Global Village man!
Posts: 1,273
Quote:
Originally Posted by silver_2000
So other than check email what is the user account used for ?
What else does a std user need? Std users authenticate against standard secured resources, like mailboxes, fileshares and printers and have no reason to be in those protected groups. If Fred in finance runs backups, he gets domain\bu-fred for that and does everything else as domain\fred. As we said earlier, that automatically makes auditing and reporting a lot easier. With the coming of SOX and tighter controls, the days of a couple of guys with god-like accounts are fading fast in the corporate world.
03-31-2009, 12:29 PM
#14
Thumbs Must Hurt
Join Date: Mar 2006
Model: 8820
Carrier: ATT
Posts: 85
Quote:
Originally Posted by stuwhite
What else does a std user need? Std users authenticate against standard secured resources, like mailboxes, fileshares and printers and have no reason to be in those protected groups. If Fred in finance runs backups, he gets domain\bu-fred for that and does everything else as domain\fred. As we said earlier, that automatically makes auditing and reporting a lot easier. With the coming of SOX and tighter controls, the days of a couple of guys with god-like accounts are fading fast in the corporate world.
Your work flow is not the same as the next guy's.
No one in finance is a member of any of those privileged groups. That's not how our organization is run.
Since most applications and older versions of Windows don't support Run As,
anyone doing any real server work will be logged in as the privileged account most of the time.
Since 130% of their day is spent using the privileges, the ONLY thing most infrastructure guys would do with the regular account is check email.
SOX has been around for years. Your SOX controls are your SOX controls. They don't apply universally.
Rather than slap my wrist and repeat the mantra, why not give practical examples of how a Server Admin in your organization works with these requirements.
Last edited by silver_2000; 03-31-2009 at 12:35 PM..
03-31-2009, 12:42 PM
#15
Feeling Blue, Bigly ;->
Join Date: Jan 2007
Location: U to the K
Model: 9000
PIN: 3, it's the magic number
Carrier: Most of them, it's a Global Village man!
Posts: 1,273
Quote:
Originally Posted by silver_2000
Your work flow is not the same as the next guys.
Where did I say it was? We are all talking about best practise here, read the thread.
Quote:
Originally Posted by silver_2000
No one in finance is a member of any of those privileged groups.
It's called an example mate. If my workflow is different from yours, how can you say that?
Quote:
Originally Posted by silver_2000
Since most applications and older versions of windows dont support run as
Anyone doing any real work will be logged in as the privileged account most of the time.
That's a very sweeping statement to make, many many apps support runas. I use my privileged account for sysadmin stuff, I am logged on to email and std user stuff as std user. This has been the way in many companies over many years.
Quote:
Originally Posted by silver_2000
Since 130% of their day is spent using the privileges the ONLY thing most infrastructure guys would do with the regular account is check email.
Another sweeping statement and not true in my experience.
Quote:
Originally Posted by silver_2000
SOX has been around for years.
I know, thanks. I have been qualified in SOX since it was brought in.
Quote:
Originally Posted by silver_2000
Your SOX controls are your SOX controls. They dont apply universally.
Again, I never said they did. I am merely enforcing the point that things like SOX (which applies to a large amount of people on this forum) increase the need for easier auditing and monitoring, which the dual account provides.
If you read my comments properly before responding to them, you may save yourself some time.
03-31-2009, 02:37 PM
#16
Thumbs Must Hurt
Join Date: Mar 2006
Model: 8820
Carrier: ATT
Posts: 85
Quote:
Originally Posted by stuwhite
Where did I say it was? We are all talking about best practise here, read the thread.
It's called an example mate. If my workflow is different from yours, how can you say that?
That's a very sweeping statement to make, many many apps support runas. I use my priviliged account for sysadmin stuff, I am logged on to email and std user stuff as std user. This has been the way in many companies over many years.
Another sweeping statement and not true in my experience.
I know, thanks. I have been qualified in SOX since it was brought in.
Again, I never said they did. I am merely enforcing the point that things like SOX (which applies to a large amount of people on this forum) increase the need for easier auditing and montioring, which the dual account provides.
If you read my comments properly before repsonding to them, you may save yourself some time.
I read them - twice - the lack of context, tone and body language allowed me to read them as I did. I read what you typed - but it clearly wasn't what you meant.
I wasn't asking for your version of best practices - I was asking for examples. Most companies view best practices as a goal, it's reached in some cases and not in others, based on business need and workflow.
You still haven't provided an example of how you manage to be logged in as a mail user and are able to do things that require privileges without using 2 machines, using run as, or logging out and logging in all day.
I'm clearly asking the wrong questions in the wrong thread.
Your last line amazes me. Very helpful thank you
03-31-2009, 02:58 PM
#17
Feeling Blue, Bigly ;->
Join Date: Jan 2007
Location: U to the K
Model: 9000
PIN: 3, it's the magic number
Carrier: Most of them, it's a Global Village man!
Posts: 1,273
Quote:
Originally Posted by silver_2000
Im clearly asking the wrong questions in the wrong thread. Your last line amazes me. Very helpful thank you
You comment about the lack of context, tone and body language then use sarcasm. Doesn't really allow for clarity on a forum does it? There are plenty of threads about the privileged groups and this thread wasn't one of those. You hijacked it and we continued discussing it out of courtesy. If a search of the forum doesn't answer your questions, feel free to post a new thread where you can better control the context of the responses.
03-31-2009, 03:24 PM
#18
BlackBerry Elite
Join Date: Jan 2008
Location: Massachusetts
Model: DT60
OS: 123456789
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 7,325
Quote:
You still haven't provided an example of how you manage to be logged in as a mail user and are able to do things that require privileges without using 2 machines, using run as, or logging out and logging in all day.
Huh, 2 machines? RDP works nice.
03-31-2009, 10:52 PM
#19
Knows Where the Search Button Is
Join Date: Mar 2009
Model: yes
PIN: N/A
Carrier: yes
Posts: 35
Quote:
Originally Posted by knottyrope
Huh, 2 machines? RDP works nice.
Exactly. Plus runas for RSAT/other local consoles.
04-01-2009, 02:44 AM
#20
BlackBerry Extraordinaire
Join Date: Aug 2008
Location: Basel
Model: Class
PIN: N/A
Carrier: Swisscom
Posts: 1,616
Let me join the debate. Best practice in our shop:
Standard user account (mail, internet surfing, access to needed fileshares)
Sysadmin user account (domain admin, no mail, no internet).
Two machines for all sysadmins, one always logged in as user, the other always logged in as sysadmin.
BES administration through RDP with special BES account that is not domain admin.
That works perfectly for us and we don't feel that switching machines for sysadmin tasks is a hassle.
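Added example, not code from any poster in the thread. Posts #13, #18, #19 and #20 describe the same two-account workflow: do mail and daily work as the standard account, reach admin tools through runas or RDP under the separate admin account, and audit the admin account's use. The script below makes that concrete on the Windows side: a wrapper for the runas step, and a report of where the admin accounts actually logged on interactively, pulled from the Security log. Everything named here is an assumption for illustration: admin accounts follow a `<user>-adm` naming convention, `$AdminHosts` lists the hosts where admin logons are legitimate (an admin workstation, a DC, the BES server), and the machine you run it on records logon event ID 4624 (Windows Vista/Server 2008 or later).

```powershell
# Added example (not from the thread). Two-account workflow: launch admin consoles
# under the admin account, and audit interactive logons by admin accounts.
# Naming convention '-adm', host names and 'CONTOSO\gordon-adm' are hypothetical.

function Start-AdminConsole {
    # The 'runas' route from the thread: standard-user desktop, elevated console.
    # runas.exe prompts for the password; nothing is stored in the script.
    param(
        [string]$AdminUser,                      # e.g. 'CONTOSO\gordon-adm'
        [string]$Command = 'mmc.exe dsa.msc'     # default: AD Users and Computers
    )
    & runas.exe "/user:$AdminUser" $Command
}

function Get-PrivilegedLogons {
    # Interactive (2), RDP (10) and cached-interactive (11) logons by accounts that
    # match the admin naming pattern, marked Expected only on hosts in $AdminHosts.
    param(
        [string]$AdminAccountPattern = '-adm$',
        [string[]]$AdminHosts = @('ADMINWS01', 'DC01', 'BES01'),
        [int]$Days = 1
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Read the named EventData fields from the event XML rather than trusting
        # positional property indexes, which differ between Windows versions.
        $data = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if (-not (@('2', '10', '11') -contains $data['LogonType'])) { continue }
        if ($data['TargetUserName'] -notmatch $AdminAccountPattern) { continue }
        $hostName = $e.MachineName.Split('.')[0]     # the host that was logged on TO
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']
            Host      = $hostName
            Source    = $data['IpAddress']            # where an RDP logon came FROM
            Expected  = ($AdminHosts -contains $hostName)
        }
    }
}

function Get-MisplacedAdminLogons {
    # The lines an auditor wants: admin accounts used interactively on hosts where
    # only the standard account should ever be present (a user desktop, for one).
    param([int]$Days = 1)
    Get-PrivilegedLogons -Days $Days | Where-Object { -not $_.Expected }
}

# Usage: last week's exceptions, then an admin console from the standard-user session.
Get-MisplacedAdminLogons -Days 7 | Sort-Object Time |
    Format-Table Time, Account, LogonType, Host, Source -AutoSize
# Start-AdminConsole -AdminUser 'CONTOSO\gordon-adm'
```

Run the report on each host that should never see an admin logon, or against forwarded events on a collector; an admin account appearing on an ordinary desktop is exactly the "careless mistake or malware on a coworker's laptop" case post #7 was worried about, since a logon there exposes the admin credential to whatever is running on that machine. Logon type 10 rows with a `Source` outside the admin workstation range are the RDP variant of the same problem.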