Restricting Security to Mailbox

Author
17 Mar 2006 7:46 PM
ppmtchris
Hello,

I have an Exchange 2003 server on a Windows network - all Outlook clients
are 2003. My problem is the following:

One of the domain administrators in this office is suspected of accessing
email without consent. Is there a way to restrict access to this mailbox for
the mailbox owner only? - (lock the Domain Admin out)

Thank you for any help at all.
-Chris

Author
17 Mar 2006 8:05 PM
Mark Arnold [MVP]
On Fri, 17 Mar 2006 11:46:36 -0800, ppmtchris
<ppmtch***@discussions.microsoft.com> wrote:

>Hello,
>
>I have an Exchange 2003 server on a Windows network - all Outlook clients
>are 2003. My problem is the following:
>
>One of the domain administrators in this office is suspected of accessing
>email without consent. Is there a way to restrict access to this mailbox for
>the mailbox owner only? - (lock the Domain Admin out)
>
>Thank you for any help at all.
>-Chris

By default the administrators don't have access. You can't lock them
out because they have rights to seize the permissions and climb into
the mailbox. They can also just change the password on the account and
read the mail that way. The user just thinks they've put the wrong
password in and calls for a reset.

You need to employ trustworthy operators and do logging and auditing
to check what's going on.

Trust, but Verify (Ronnie Reagan, I think)

Author
19 Mar 2006 3:15 AM
ppmtchris
Thanks, Mark.
I understand the physical aspects of security...
I'm kind of caught in the middle of this one - I trust my NetAdmin, but I
can understand why the Pres of the company is suspicious in this case.

What audit or logging options should I employ? - that probably should have
been my first question.

Thanks.
--Chris


"Mark Arnold [MVP]" wrote:

> On Fri, 17 Mar 2006 11:46:36 -0800, ppmtchris
> <ppmtch***@discussions.microsoft.com> wrote:
>
> >Hello,
> >
> >I have an Exchange 2003 server on a Windows network - all Outlook clients
> >are 2003. My problem is the following:
> >
> >One of the domain administrators in this office is suspected of accessing
> >email without consent. Is there a way to restrict access to this mailbox for
> >the mailbox owner only? - (lock the Domain Admin out)
> >
> >Thank you for any help at all.
> >-Chris
>
> By default the administrators don't have access. You can't lock them
> out because they have rights to seize the permissions and climb into
> the mailbox. They can also just change the password on the account and
> read the mail that way. The user just thinks they've put the wrong
> password in and calls for a reset.
>
> You need to employ trustworthy operators and do logging and auditing
> to check what's going on.
>
> Trust, but Verify (Ronnie Reagan, I think)
>
Author
19 Mar 2006 8:19 AM
Mark Arnold [MVP]
On Sat, 18 Mar 2006 19:15:27 -0800, ppmtchris
<ppmtch***@discussions.microsoft.com> wrote:

>Thanks, Mark.
>I understand the physical aspects of security...
>I'm kind of caught in the middle of this one - I trust my NetAdmin, but I
>can understand why the Pres of the company is suspicious in this case.
>
>What audit or logging options should I employ? - that probably should have
>been my first question.
>
>Thanks.
>--Chris
>

Audit logons in Windows; see who's logging on and when.
Increase logging on the server. Look at logons to the IS as you can
track what a particular person is connecting to using his own account
or if someone has a password and is using an unusual user/workstation
combination.
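
Added example, not part of the thread: one way to review exported logon records for the two patterns described in the last reply, an account opening a mailbox it does not own and a known account appearing from an unusual workstation. The CSV layout, account and machine names, the `OWNERS` map and the baseline cutoff date are all constructed assumptions; real Windows and Exchange logs would have to be exported and mapped into this shape first.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical columns, not a real log format).
SAMPLE = r"""time,account,workstation,mailbox
2006-03-01T08:02,CORP\pres,PRES-PC,pres
2006-03-01T08:10,CORP\netadmin,ADMIN-PC,netadmin
2006-03-02T08:05,CORP\pres,PRES-PC,pres
2006-03-08T19:40,CORP\netadmin,ADMIN-PC,pres
2006-03-09T19:55,CORP\pres,ADMIN-PC,pres
2006-03-10T08:01,CORP\pres,PRES-PC,pres
"""

# Assumed mapping of mailbox -> primary account (constructed).
OWNERS = {"pres": r"CORP\pres", "netadmin": r"CORP\netadmin"}


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def review(rows, owners, baseline_end):
    """Return (time, reason, account, workstation, mailbox) findings."""
    owners = {m.lower(): a.lower() for m, a in owners.items()}
    known = defaultdict(set)  # account -> workstations seen during baseline
    findings = []
    for r in sorted(rows, key=lambda r: r["time"]):
        acct, ws, mbx = (r[k].strip().lower()
                         for k in ("account", "workstation", "mailbox"))
        # Someone using their own account to open another person's mailbox.
        if owners.get(mbx) != acct:
            findings.append((r["time"], "non-owner", acct, ws, mbx))
        if r["time"] < baseline_end:
            known[acct].add(ws)  # learn normal user/workstation pairs
        elif ws not in known[acct]:
            # Right account, unusual machine: e.g. a reset or shared password.
            findings.append((r["time"], "new-workstation", acct, ws, mbx))
    return findings


if __name__ == "__main__":
    for finding in review(load_rows(SAMPLE), OWNERS, "2006-03-08"):
        print(*finding, sep="  ")
```

The review is only as trustworthy as the log copy it runs on, so the export should be collected somewhere the audited administrators cannot modify.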
