BlackBerry Forums Support Community
              

Old 02-14-2012, 04:45 AM   #1
smooc
New Member
 
Join Date: Feb 2012
Model: 8700
PIN: N/A
Carrier: KPN
Posts: 5
Separating the BESADMIN user from the user that Installs the BES

A bit of background:

We have two service providers. One is handling our Exchange environment, the other the BES environment. We require both to be fully accountable for data leakage prevention by contract.

The BES server accesses the Exchange environment by the BESADMIN user that is configured as a ViewOnlyAdmin on the exchange environment. This is of course also the user under which the BES environment is installed and executed. If someone has access to the BES server one basically has access to all mailboxes due to this configuration.

The question is: would we be able to separate the user that installs the application from the one that the service is running as, so as to have something like "besinstall" & "besadmin" users, WITHOUT giving the password for the "besadmin" account to the "besinstall" user?

Is there another way?

Thanks a lot in advance!
Old 02-14-2012, 07:20 AM   #2
fadmin
BlackBerry Extraordinaire
 
Join Date: Mar 2007
Model: Z10
OS: 10.1.0.19
Carrier: Fido
Posts: 1,068
Re: Separating the BESADMIN user from the user that Installs the BES

No.
Old 02-14-2012, 07:27 AM   #3
nobody7290
BlackBerry Extraordinaire
 
Join Date: Mar 2006
Model: 9700
Carrier: t-mobile Germany
Posts: 1,381
Re: Separating the BESADMIN user from the user that Installs the BES

In BES V5, if you use a separate login for the "admin" of the BES console (authentication via the BES database), someone is able to manage the BES, add/configure users, etc., using the web-based BES console.
However, if there is a problem with the installation or a need to upgrade the existing installation, the besadmin password is needed.
Old 02-14-2012, 10:57 AM   #4
freakinvibe
BlackBerry Extraordinaire
 
Join Date: Aug 2008
Location: Basel
Model: Class
PIN: N/A
Carrier: Swisscom
Posts: 1,616
Re: Separating the BESADMIN user from the user that Installs the BES

Quote:
If someone has access to the BES server one basically has access to all mailboxes due to this configuration.
That's not absolutely true. We never use BESAdmin for BES administration, we use our normal AD user IDs for it. That makes auditing much easier.

You just have to give the users that need it the role of "Enterprise Administrators" on the BES.

For upgrades, as nobody7290 says, you will still need the BESAdmin account.
Old 02-15-2012, 08:37 AM   #5
fadmin
BlackBerry Extraordinaire
 
Join Date: Mar 2007
Model: Z10
OS: 10.1.0.19
Carrier: Fido
Posts: 1,068
Re: Separating the BESADMIN user from the user that Installs the BES

I think what the OP meant is that whoever has BESAdmin credentials can open and view any BB user's mailbox, which is correct.
Old 02-15-2012, 08:47 AM   #6
freakinvibe
BlackBerry Extraordinaire
 
Join Date: Aug 2008
Location: Basel
Model: Class
PIN: N/A
Carrier: Swisscom
Posts: 1,616
Re: Separating the BESADMIN user from the user that Installs the BES

That is correct, but what I was referring to was that you can reduce the number of people who have the BESAdmin credentials to a very low number if you don't use the account for administration.
Old 02-15-2012, 08:55 AM   #7
fadmin
BlackBerry Extraordinaire
 
Join Date: Mar 2007
Model: Z10
OS: 10.1.0.19
Carrier: Fido
Posts: 1,068
Re: Separating the BESADMIN user from the user that Installs the BES

The problem is that email and BES are hosted by two different companies. What you suggest is best practice in-house, but in the OP's case that may not be possible.
Old 02-15-2012, 09:35 AM   #8
smooc
New Member
 
Join Date: Feb 2012
Model: 8700
PIN: N/A
Carrier: KPN
Posts: 5
Re: Separating the BESADMIN user from the user that Installs the BES

I don't fully understand what you are saying here. Do you suggest using a generic AD account with the Enterprise Administrators role within BES?

Aren't the Enterprise Admins able to grant themselves access to mailboxes?

Old 02-15-2012, 09:37 AM   #9
smooc
New Member
 
Join Date: Feb 2012
Model: 8700
PIN: N/A
Carrier: KPN
Posts: 5
Re: Separating the BESADMIN user from the user that Installs the BES

@fadmin: you are correct about the separation between the providers. And indeed, one should not have access to the other.
Old 02-15-2012, 10:07 AM   #10
fadmin
BlackBerry Extraordinaire
 
Join Date: Mar 2007
Model: Z10
OS: 10.1.0.19
Carrier: Fido
Posts: 1,068
Re: Separating the BESADMIN user from the user that Installs the BES

Unfortunately there is not much you can do about it unless you find one outsourcing company that does both. Having services outsourced to a third party is by definition not secure, and whoever chooses to do so should be fully aware of the pros and cons. In the end, by outsourcing you lose some and you gain some.
Old 02-15-2012, 10:43 AM   #11
fadmin
BlackBerry Extraordinaire
 
Join Date: Mar 2007
Model: Z10
OS: 10.1.0.19
Carrier: Fido
Posts: 1,068
Re: Separating the BESADMIN user from the user that Installs the BES

Quote:
Originally Posted by smooc View Post
I don't fully understand what you are saying here. Do you suggest using a generic AD account with the Enterprise Administrators role within BES?

Aren't the Enterprise Admins able to grant themselves access to mailboxes?
Not sure whether this was meant for me or freakinvibe. In any case, what freakinvibe meant is that you can use any AD account and assign a BES role to it, among others the Enterprise Administrator role (a BES app role only; it has nothing to do with Exchange), which is different from the AD security group Enterprise Admins.
Old 02-15-2012, 10:47 AM   #12
smooc
New Member
 
Join Date: Feb 2012
Model: 8700
PIN: N/A
Carrier: KPN
Posts: 5
Re: Separating the BESADMIN user from the user that Installs the BES

Quote:
Originally Posted by fadmin View Post
Not sure whether this was meant for me or freakinvibe. In any case, what freakinvibe meant is that you can use any AD account and assign a BES role to it, among others the Enterprise Administrator role (a BES app role only; it has nothing to do with Exchange), which is different from the AD security group Enterprise Admins.
I understand that; however, I cannot guarantee that the BlackBerry Enterprise Administrator (the BES app role) cannot access the mailbox of someone that person is not supposed to. I.e. the BES admin could give someone else access to a mailbox (on purpose or by accident) that they are not supposed to access. Right?
Old 02-15-2012, 11:04 AM   #13
freakinvibe
BlackBerry Extraordinaire
 
Join Date: Aug 2008
Location: Basel
Model: Class
PIN: N/A
Carrier: Swisscom
Posts: 1,616
Re: Separating the BESADMIN user from the user that Installs the BES

Quote:
BlackBerry Enterprise Administrator (the BES app role) cannot access the mailbox of someone that person is not supposed to
The BlackBerry Enterprise Administrator (the BES app role) has absolutely no rights on Exchange and AD. So a BlackBerry Enterprise Administrator (the BES app role) cannot look into anybody's e-mail.

The BES roles allow users to do things within the BES Admin Web Interface, but nothing outside.

You could, of course, start an Enterprise Activation of a specific user to a spare BB device and then read the e-mails.
Old 02-15-2012, 11:11 AM   #14
smooc
New Member
 
Join Date: Feb 2012
Model: 8700
PIN: N/A
Carrier: KPN
Posts: 5
Re: Separating the BESADMIN user from the user that Installs the BES

Quote:
Originally Posted by freakinvibe View Post
The BlackBerry Enterprise Administrator (the BES app role) has absolutely no rights on Exchange and AD. So a BlackBerry Enterprise Administrator (the BES app role) cannot look at anybody's e-mail.

The BES roles allow users to do things within the BES Admin Web Interface, but nothing outside.
To be honest, now I'm a bit lost:

Quote:
Enterprise Administrator (rim_db_admin_enterprise)

This role can perform all tasks relating to BlackBerry smartphone users, services, servers, and global application data. A BlackBerry Enterprise Administrator can also control services within the BlackBerry Enterprise Server, and can view and edit licenses and encryption keys.

So I can assign a BlackBerry user an arbitrary mailbox (the one his/her BlackBerry is connecting to on the Exchange side)?

E.g. if you are on my Exchange server and person X asks for authorization to connect to YOUR mailbox, I would be able to give this to him, or am I not? What would stop me from doing that? There is no separate authentication happening from the user's end to access the mailbox apart from accessing the BB itself. I do not authenticate separately against Exchange as a user. Correct?

(Thanks by the way for answering and clarifying all this!)
Old 02-15-2012, 11:46 AM   #15
nobody7290
BlackBerry Extraordinaire
 
Join Date: Mar 2006
Model: 9700
Carrier: t-mobile Germany
Posts: 1,381
Re: Separating the BESADMIN user from the user that Installs the BES

If you use a BES administrator which is authenticated by the BES server, as I suggested, this login is not related to any account in AD. Still, you can manage the BES server with the web-based console (there is no other console in BES V5.x) and do all BlackBerry-related tasks.

And he is able to choose a random user, give him a BlackBerry, and give this user access to any mailbox. But unless he gives himself the BlackBerry, I will not be able to read an email.

However, with this login you are unable to connect to the server using the RDP protocol, and you are unable to log in on the Windows console.
Old 02-15-2012, 11:55 AM   #16
fadmin
BlackBerry Extraordinaire
 
Join Date: Mar 2007
Model: Z10
OS: 10.1.0.19
Carrier: Fido
Posts: 1,068
Re: Separating the BESADMIN user from the user that Installs the BES

BlackBerry roles manage BESMGMT database tables hosted on SQL Server, so they are more or less SQL permissions.
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.