BlackBerry Forums Support Community
              

Old 10-19-2007, 01:38 PM   #1
dding0919
Thumbs Must Hurt
 
Join Date: May 2007
Model: 8700
PIN: N/A
Carrier: nextel
Posts: 61
Default why apply "Send As" permission twice?


I was new to BES and was watching the toolkit for installation. BlackBerry. In its module 2 it applied "send as" permission 1) on the user object at domain level in AD 2) on Exchange server.

I thought "send as" is a permission to let you send email as someone else. If you did it in one place, why do you have to do it again in another place? Apparently, applying the permission to different objects gives different rights, at least to BES. So, does anyone know what the difference is between applying "send as" on the user object in AD and on the Exchange server?

Thanks.
Offline  
Old 10-19-2007, 06:16 PM   #2
matthewk24
Thumbs Must Hurt
 
Join Date: Jan 2005
Model: 8830
Carrier: Verizon
Posts: 108
Default

I have only ever done it in AD.
Offline  
Old 10-19-2007, 06:31 PM   #3
juwaack68
iPhone Convert
 
 
Join Date: Oct 2005
Location: Tulip City - MI
Model: iP5
OS: 6.0.2
PIN: to beans
Carrier: I'm not
Posts: 13,878
Default

Moved to BES Admin Forum.
__________________
No longer a BES Admin, but it was fun while it lasted!
Offline  
Old 10-20-2007, 05:17 PM   #4
hdawg
BlackBerry Genius
 
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632
Default

Quote:
Originally Posted by dding0919 View Post
I was new to BES and was watching the toolkit for installation. BlackBerry. In its module 2 it applied "send as" permission 1) on the user object at domain level in AD 2) on Exchange server.

I thought "send as" is a permission to let you send email as someone else. If you did it in one place, why do you have to do it again in another place? Apparently, applying the permission to different objects gives different rights, at least to BES. So, does anyone know what the difference is between applying "send as" on the user object in AD and on the Exchange server?

Thanks.
The reason you have to do this is because Microsoft changed how store.exe (Exchange Information Store process) interprets the "Send As" permission.

Until Microsoft changed this you would simply need to grant permissions within Exchange System Manager and that is all that would be needed. With certain patches applied to Exchange (I forget which of the slew change how the "Send As" permission is interpreted), you now have to not only apply the permissions within ESM, but also in AD.

Microsoft claims this was for security purposes and customers wanted this ... I can't see how / why this would be the case, but then I never looked into it.

Needless to say, BOTH are needed for proper functionality. (NOTE: this does not affect RECEIVE AS at all).
Offline  
Old 10-22-2007, 11:43 AM   #5
blincoln
Thumbs Must Hurt
 
Join Date: Jul 2007
Location: city11 -inspectral
Model: 8100
PIN: N/A
Carrier: Cingular
Posts: 79
Default

Quote:
Originally Posted by hdawg View Post
Microsoft claims this was for security purposes and customers wanted this ... I can't see how / why this would be the case, but then I never looked into it.
It's so that someone like me (my group supports Exchange, among other things) can have full access to someone's mailbox (in order to do troubleshooting), but not the ability to send a message as if I were them. If the flag that allows that is in Exchange, then I have the ability to grant it to myself. If it's in AD, then it's possible to prevent me from doing that.

Imagine the havoc that could ensue from a rogue engineer or administrator sending email that appeared to come from an executive at a major company. Yes, they would probably be caught sooner or later, but they could cause considerable damage before then. It's one of the reasons I question RIM's decision to design the BES in a way that depends on a service account being granted this permission to every user account the BES accesses.
__________________
Legacy of Kain: The Lost Worlds
http://www.thelostworlds.net/
Offline  
Old 10-22-2007, 10:30 PM   #6
hdawg
BlackBerry Genius
 
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632
Default

Quote:
Originally Posted by blincoln View Post
It's so that someone like me (my group supports Exchange, among other things) can have full access to someone's mailbox (in order to do troubleshooting), but not the ability to send a message as if I were them. If the flag that allows that is in Exchange, then I have the ability to grant it to myself. If it's in AD, then it's possible to prevent me from doing that.

Imagine the havoc that could ensue from a rogue engineer or administrator sending email that appeared to come from an executive at a major company. Yes, they would probably be caught sooner or later, but they could cause considerable damage before then. It's one of the reasons I question RIM's decision to design the BES in a way that depends on a service account being granted this permission to every user account the BES accesses.
Fair enough ... I agree 100% with the methodology; I've just never interacted with anyone that considered this to be an issue ... especially with proper auditing enabled.

Thanks for the good read.
Offline  
Old 10-23-2007, 01:59 PM   #7
blincoln
Thumbs Must Hurt
 
Join Date: Jul 2007
Location: city11 -inspectral
Model: 8100
PIN: N/A
Carrier: Cingular
Posts: 79
Default

Yeah, I've never seen anything in the news about it being exploited. I don't know if that's good luck on the part of major corporations, or that they kept quiet about it when it happened.
For what it's worth, Cisco's Unity product works the same way as the BES, so it's not as if RIM are the only ones who used that design.
The auditing part I think might be tricky because Exchange doesn't have a way (at least that I'm aware of) of letting you know that the real sender was different than the account a message was sent from. For example, I just sent an email from my BlackBerry to myself. I looked in the properties of the message in Outlook, I tracked the message in the Exchange System Manager, and I looked at the message in MFCMAPI. In every case, the sender was listed as me instead of the BESAdmin account, and I could not find any mention of BESAdmin in any of those locations. I am not an Exchange specialist, so maybe there is another way that I'm missing.
__________________
Legacy of Kain: The Lost Worlds
http://www.thelostworlds.net/
Offline  
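
An added example, not part of any post in this thread: since the posts above place the control in who holds "Send As" on the user objects in AD, this Python code reviews exported security descriptors (SDDL strings) and lists trustees that hold Send-As on many user objects, as a BES-style service account would. The SIDs, account names, threshold and function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

SEND_AS = "ab721a54-1e2f-11d0-9819-00aa0040529b"  # Send-As extended-right GUID
CONTROL_ACCESS, GENERIC_ALL = 0x100, 0x10000000   # access-mask bits for CR and GA

def tokens(field):
    """Split an SDDL flags/rights field into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def grants_extended(rights):
    """True if the rights field includes control access (CR) or generic all."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    return bool(tokens(rights) & {"CR", "GA"})

def send_as_trustees(sddl):
    """Trustees granted Send-As on this object by an allow ACE (SELF excluded).
    Deny ACEs and inherited-object-type scoping are not evaluated here."""
    found = set()
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        f = ace.split(";")
        if len(f) < 6 or f[0] not in ("A", "OA") or "IO" in tokens(f[1]):
            continue  # not an allow ACE, or inherit-only (does not apply here)
        rights, obj_guid, trustee = f[2], f[3].lower(), f[5]
        # An empty object GUID together with CR means "all extended rights".
        if grants_extended(rights) and obj_guid in ("", SEND_AS) and trustee != "PS":
            found.add(trustee)
    return found

def broad_send_as(acls, threshold):
    """Trustees holding Send-As on at least `threshold` objects -> those objects."""
    held = defaultdict(list)
    for user, sddl in acls.items():
        for trustee in send_as_trustees(sddl):
            held[trustee].append(user)
    return {t: sorted(u) for t, u in held.items() if len(u) >= threshold}

# Constructed sample data: the domain SID, RIDs and user names are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SVC, DELEGATE = f"{DOM}-1105", f"{DOM}-1210"  # hypothetical service account, assistant
SAMPLE = {
    "alice": f"O:DAG:DAD:(OA;;CR;{SEND_AS};;PS)(OA;;CR;{SEND_AS};;{SVC})",
    "bob": f"O:DAG:DAD:(OA;CIID;CR;{SEND_AS};;{SVC})(A;;RPRC;;;AU)",
    "carol": f"O:DAG:DAD:(OA;;CR;{SEND_AS};;{SVC})(OA;;CR;{SEND_AS};;{DELEGATE})"
             f"(OA;CIIO;CR;{SEND_AS};;AU)",
}

if __name__ == "__main__":
    for trustee, users in broad_send_as(SAMPLE, 3).items():
        print(trustee, "holds Send-As on", users)
```
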
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.