[owensct]

Hi all,

I have a question regarding the BES on MS Exchange and “Send As’ permissions.

We are in the process of piloting a BB BES and seeing if it will be a viable solution for our organization.

I have run into a problem in regards to “Send As” permissions. All of our IS staff are domain admins, (we are a small shop) and as many of you know if you give “Send As” to a profile that is listed as a domain Admin, Exchange will delete it within the hour, (good ole MS trying to do our thinking for us). So we can get e-mail on our BB’s but can’t send.

Now our Network administrator doesn’t administer our Exchange server, but rather brings in a consultant to handle it. So I did some research and found a variety of different solutions to work around this issue which I then passed along to him. He then passed them along to our consultant, (he works in military IS) and consults on the side.

His response to all the suggested solutions was Oh No!! You can’t do any of these your network won’t be secure. His recommendation was that we create separate user accounts for IS staff for performing domain admin tasks and then use their current account for the berries and remove domain admin privileges.

I realize that this is a doable solution, but I looking for something that is a little more elegant for our IS staff without adding a secondary layer of complexity to their jobs.

I also am a little reluctant to give to much weight to his advice as he also told our network admin that we should move our BES into the DMZ!!

So I wanted to poll some of you who are running Exchange and BES with users who need to be Domain Admins to see how you are addressing this issue. Also, I realize that security is always important, but I would also be curious as to what level of security you feel is necessary in your environment (on a scale of 1-10 I would put the criticality of our data at a 8 due to privacy laws), I think we all recognize that in this world there is a need for security and then for some organizations there is a need for SECURITY!!

Your thoughts are appreciated.

Thanks

Gordon

[penguin3107]

Quote:

Originally Posted by owensct

His response to all the suggested solutions was Oh No!! You canxxx8217;t do any of these your network wonxxx8217;t be secure. His recommendation was that we create separate user accounts for IS staff for performing domain admin tasks and then use their current account for the berries and remove domain admin privileges.

This is EXACTLY what you should do.
It's called the Principle of Least Privilege, and it's basic admin stuff. Best practices for sure.

You would be wise to follow that advice.

[knottyrope]

Also
BES in DMZ knot supported, but you can place the BES router there if you love firewall rules and headaches. (I have seen many that gave up on it after trying)

[TargetIT]

Quote:

Originally Posted by penguin3107

This is EXACTLY what you should do.
It's called the Principle of Least Privilege, and it's basic admin stuff. Best practices for sure.

You would be wise to follow that advice.

I would agree.

We don't follow this though - we're bad, we know it. On the other hand, after visiting a satellite office and seeing a guy with post it notes taped to his laptop with every password he uses, makes me feel like we're not the weakest link.

I do not logon to Servers, don't even have access to do so, but managing exchange is a bit different since you rely on a client (Outlook) for much of the managing and archiving of data of others.

[-EOS-]

The consultant's recommendation is the right one, in regards to the most secure solution!

The way around it is run both scripts in MS KB 907434. Then grant the Send As permission to the user objects in question.

[stuwhite]

Have to agree with the Penguin Mantra as always. Even for a small shop, domain admin should be domain admin and users are users. Having two accounts isn't a hassle, I have never worked anywhere serious where I haven't had two accounts. It's good protection for your staff also, as at the moment they can be accused of doing anything as they have the power. Restrict access to an elevated priviledge account then audit it like h3ll, keeps those SOX boys at bay too .

[Harry Azol]

I know it's not what you want to hear - but the BEST solution is to split into normal user accounts with mailboxes and secondary domain admin accounts.

Having said that, I have previously used a single account for everything. While it was easier at the time, I was always scared of coworkers making careless mistakes and/or getting malware/viruses on their desktops/laptops

[TargetIT]

Quote:

Originally Posted by Harry Azol

I know it's not what you want to hear - but the BEST solution is to split into normal user accounts with mailboxes and secondary domain admin accounts.

Having said that, I have previously used a single account for everything. While it was easier at the time, I was always scared of coworkers making careless mistakes and/or getting malware/viruses on their desktops/laptops

This is the other thing I avoid too - not logging on to any other computer other than my own with privileges. When I have to login somewhere else, I'll use a generic account.

[owensct]

Thanks for all the excellant feedback.

Looks like the winner is seperate accounts for domain admin and BES/E-mail user.

Gordon

[silver_2000]

It more than just domain admins as I understand it

The "user" account cant be a member of any of these groups

* Enterprise Admins
* Schema Admins
* Domain Admins
* Administrators
* Domain Controllers
* Cert Publishers
* Backup Operators
* Replicator Server Operators
* Account Operators
* Print Operators

Which means for most admins that one account has rights and the other account has NONE.

[penguin3107]

Quote:

Originally Posted by silver_2000

Which means for most admins that one account has rights and the other account has NONE.

That's exactly how it should be.

[silver_2000]

Quote:

Originally Posted by penguin3107

That's exactly how it should be.

So other than check email what is the user account used for ?

[stuwhite]

Quote:

Originally Posted by silver_2000

So other than check email what is the user account used for ?

What else does a std user need? Std users authenticate against standard secured resources, like mailboxes, fileshares and printers and have no reason to be in those protected groups. If Fred in finance runs backups, he gets domain\bu-fred for that and does everything else as domain\fred. As we said earlier, that automatically makes auditing and reporting a lot easier. With the coming of SOX and tighter controls, the days of a couple of guys with god-like accounts are fading fast in the corporate world.

[silver_2000]

Quote:

Originally Posted by stuwhite

What else does a std user need? Std users authenticate against standard secured resources, like mailboxes, fileshares and printers and have no reason to be in those protected groups. If Fred in finance runs backups, he gets domain\bu-fred for that and does everything else as domain\fred. As we said earlier, that automatically makes auditing and reporting a lot easier. With the coming of SOX and tighter controls, the days of a couple of guys with god-like accounts are fading fast in the corporate world.

Your work flow is not the same as the next guys.

No one in finance is a member of any of those privileged groups. Thats not how our organization is run.

Since most applications and older versions of windows dont support run as
Anyone doing any real server work will be logged in as the privileged account most of the time.

Since 130% of their day is spent using the privileges the ONLY thing most infrastructure guys would do with the regular account is check email.

SOX has been around for years. Your SOX controls are your SOX controls. They dont apply universally.

Rather than slap my wrist and repeat the mantra, why not give practical examples of how a Server Admin in your organization works with these requirements.

[stuwhite]

Quote:

Originally Posted by silver_2000

Your work flow is not the same as the next guys.

Where did I say it was? We are all talking about best practise here, read the thread.

Quote:

Originally Posted by silver_2000

No one in finance is a member of any of those privileged groups.

It's called an example mate. If my workflow is different from yours, how can you say that?

Quote:

Originally Posted by silver_2000

Since most applications and older versions of windows dont support run as
Anyone doing any real work will be logged in as the privileged account most of the time.

That's a very sweeping statement to make, many many apps support runas. I use my priviliged account for sysadmin stuff, I am logged on to email and std user stuff as std user. This has been the way in many companies over many years.

Quote:

Originally Posted by silver_2000

Since 130% of their day is spent using the privileges the ONLY thing most infrastructure guys would do with the regular account is check email.

Another sweeping statement and not true in my experience.

Quote:

Originally Posted by silver_2000

SOX has been around for years.

I know, thanks. I have been qualified in SOX since it was brought in.

Quote:

Originally Posted by silver_2000

Your SOX controls are your SOX controls. They dont apply universally.

Again, I never said they did. I am merely enforcing the point that things like SOX (which applies to a large amount of people on this forum) increase the need for easier auditing and montioring, which the dual account provides.

If you read my comments properly before repsonding to them, you may save yourself some time.

[silver_2000]

Quote:

Originally Posted by stuwhite

Where did I say it was? We are all talking about best practise here, read the thread.


It's called an example mate. If my workflow is different from yours, how can you say that?


That's a very sweeping statement to make, many many apps support runas. I use my priviliged account for sysadmin stuff, I am logged on to email and std user stuff as std user. This has been the way in many companies over many years.


Another sweeping statement and not true in my experience.


I know, thanks. I have been qualified in SOX since it was brought in.


Again, I never said they did. I am merely enforcing the point that things like SOX (which applies to a large amount of people on this forum) increase the need for easier auditing and montioring, which the dual account provides.

If you read my comments properly before repsonding to them, you may save yourself some time.

I read them - twice - the lack of context, tone and body language allowed me to read them as I did. I read what you typed - but it clearly wasnt what you meant.

I wasn't asking for your version of best practices - I was asking for examples. Most companies view best practices as a goal, its reached in some cases and not in others, based on business need and workflow.

You still haven't provided an example of how you manage to be logged in as a mail user and are able to do things that require privileges without using 2 machines, using run as, or logging out and logging in all day.

Im clearly asking the wrong questions in the wrong thread.
Your last line amazes me. Very helpful thank you

[stuwhite]

Quote:

Originally Posted by silver_2000

Im clearly asking the wrong questions in the wrong thread. Your last line amazes me. Very helpful thank you

You comment about the lack of context, tone and body language then use sarcasm. Doesn't really allow for clarity on a forum does it? There are plenty of threads about the priviledged groups and this thread wasn't one of those. You hijacked it and we continued discussing it out of courtesy. If a search of the forum doesn't answer your questions, feel free to post a new thread where you can better control the context of the responses.

[knottyrope]

Quote:

You still haven't provided an example of how you manage to be logged in as a mail user and are able to do things that require privileges without using 2 machines, using run as, or logging out and logging in all day.

Huh, 2 machines? RDP works nice.

[Harry Azol]

Quote:

Originally Posted by knottyrope

Huh, 2 machines? RDP works nice.

exactly. plus runas for RSAT/other local consoles

[freakinvibe]

Let me join the debate. Best practice in our shop:

Standard user account (mail, internet surfing, access to needed fileshares)

Sysadmin user account (domain admin, no mail, no internet).

Two machines for all sysadmins, one always logged in as user, the other alsways logged in as sysadmin.

BES administration through RDP with special BES account that is not domain admin.

That works perfect for us and we don't feel that switching machines for sysadmin tasks is a hassle.