Security – Securing Exchange Mailboxes from Nosy Admins

Tags: exchange, exchange-2010, privacy, security

This is admittedly a duplicate of this question:
Secure Exchange mailboxes

In short, how can Microsoft Exchange 2010 be configured such that email is only visible to the owner of that mailbox, and perhaps the owner/CEO of the organization?

The answers to the linked question dealt with admin trust and the Microsoft "model" for Exchange, that is, it is assumed that admins will have all the power.

But let's assume that simply isn't an option: as someone who is new to Exchange, and Microsoft products in general, I have been tasked with setting up Exchange in such a way. No one, except the owner of the company, should be able to see anyone's email but his own. We realize that this will limit what the "admin" can do (e.g. fix mailbox corruption), but that is acceptable.

Furthermore, as a follow-up to the general theme of the answers to the duplicate question I linked: is it really true, in large organizations that use Microsoft Exchange, that the Enterprise Admins can potentially read anyone's email? For example, at Microsoft itself, there is someone (possibly many people) who can potentially read Steve Ballmer's email? Or read sensitive HR documents about people's compensation, or maybe an employee asking about something like EAP (employee assistance program)? Or emails with the legal team, or conversations with the SEC, or perhaps an upcoming acquisition?

Best Answer

Yes, the MS model is very much centered around delegated trust. There are going to be super-users, and it is up to the Organization to manage who can see what, where. Engineering a system like you're looking for using Exchange will require some out-of-Exchange business practices.

  • Domain/Enterprise Admin accounts are not used. Such accounts are only broken out for very specific, and well logged, circumstances. These are the God users who can read and see everything.
    • Such actions are performed under the fly-with-a-friend rule. Anyone using such accounts will do so only with someone else there to watch.
    • Security EventLogs are tracked and admin-account usage cross-checked with approved usage. This critical audit step will help catch misuse of elevated credentials.
  • Admin users are delegated the rights they need, and no others. This is hard, as Domain Admin is so easy. But Admin users, such as ourselves, do not run with God rights. During setup, our accounts are delegated the rights we need to do what we do.
    • Sometimes one of those rights is: permitted to submit a request for elevated access under these specific circumstances.
  • The Exchange organization is broken into trust zones with local admin users. The group dealing with SEC communications has their own Mail Admin, who may have extended rights into the relevant user mailboxes. This person is inside the trust-boundary for this internal organization.
    • Yes, this does create a lot more Exchange admins. But that's what happens when centralization is not an option.

Yes, Microsoft really does expect an organization to hold users with elevated privileges to a higher standard of behavior. This is because so much of our routine work requires exposure to private data. If those takeover negotiations are subjected to Legal Hold, we need to get in there and set that up. If the CEO is having trouble getting their iPhone talking with Exchange, we'll be the ones figuring out why.

At my old job where I was such an Exchange admin, we had to sign several agreements relating to privacy policy, impersonation, and penalties for failing to comply with same.
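The delegation, trust-zone and audit steps described in the answer above, as an added Exchange 2010 Management Shell example that is not part of the original answer. The `Department` value, the role group, the delegate account and the mailbox names are assumptions; mailbox audit logging requires Exchange 2010 SP1 or later.

```powershell
# 1. Record every cmdlet any admin runs (feeds the "cross-check admin usage" step).
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * -AdminAuditLogParameters *

# 2. Trust zone: a scoped role group whose members can only manage mailboxes
#    whose Department attribute is "SEC" (assumed attribute value and names).
New-ManagementScope -Name "SEC Mailboxes" `
    -RecipientRestrictionFilter { Department -eq "SEC" }
New-RoleGroup -Name "SEC Mail Admins" `
    -Roles "Mail Recipients" `
    -CustomRecipientWriteScope "SEC Mailboxes" `
    -Members "sec.mailadmin"          # assumed account name

# 3. Turn on mailbox audit logging so non-owner access (admin or delegate)
#    is written to the mailbox's audit log. FolderBind = opened a folder.
$sensitive = Get-Mailbox -Filter { Department -eq "SEC" }
foreach ($mbx in $sensitive) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
        -AuditAdmin    Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,MessageBind `
        -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf `
        -AuditLogAgeLimit 365
}

# 4. Review check: explicit Full Access grants to anyone other than the owner.
#    Anything this returns is a standing "someone else can read this mailbox" grant.
foreach ($mbx in $sensitive) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.AccessRights -contains "FullAccess" -and
                       -not $_.IsInherited -and
                       $_.User -notlike "NT AUTHORITY\SELF" } |
        Select-Object Identity, User, AccessRights
}

# 5. Weekly review: who, other than the owner, opened or read anything?
Search-MailboxAuditLog -Identity "ceo" -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, FolderPathName
```

Step 4 only shows explicit mailbox ACEs; rights granted at the database level (Receive-As) or through membership of Organization Management are governed by RBAC and must be reviewed separately.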