Exchange Server administration policy: Managing privileged user access

Randall Gamby explains the important particulars involved with setting up and securely supervising an enterprise Exchange Server administration policy.

We have seen instances where Exchange administrators abuse their privileges and read other mailbox accounts, or their accounts have been compromised externally and are being illegitimately accessed. How can we best safeguard against this, and provide management assurance that validates our control?

Most IT people address a problem like this by looking at technology, but as a former mail administrator, I can recommend that the best action is to start with accountability training. 

It may be tempting to read a flurry of the CEO’s emails as they pass through the system, but reading any user's mailbox content without a legitimate, documented reason is unethical. It’s important to have a meeting between security personnel and the Exchange Server administration team to reiterate that viewing messages in the mail queue, except for troubleshooting purposes or specific business issues with management approval, will not be tolerated, since this violates the privacy and data-protection policies that most companies uphold. If administrators seem reluctant to follow this guidance, it is possible to audit their activities.

In addition, all administrators should be trained on how to protect their privileged user access credentials, as well as when it is and is not appropriate to remotely access the enterprise Exchange Server. For example, privileged user access from public areas, hotel kiosk computers, and similarly insecure locations should be banned. As privileged users, they should also be changing their passwords at frequent intervals, typically at most every 30 days, and using complex passwords that are alphanumeric with special characters and 8-15 characters long. Better yet would be to implement two-factor authentication with hard or soft tokens to greatly reduce the risk that accounts will be compromised.

If after these steps it seems as though protection remains insufficient, it’s necessary to provide a technology control. In this case, an enterprise monitoring system is the most appropriate technology. Security professionals can enable syslog on the system and tie in the network access system logs. This allows the monitoring dashboard to provide insight into Exchange activity or, if one is available, the data can be rolled into a corporate SIEM tool.
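To show what auditing administrator activity and feeding it to a monitoring system can look like in practice, here is an added PowerShell example that is not part of the original column. It assumes an Exchange 2010 SP1 or later Exchange Management Shell, where mailbox audit logging and the admin audit log exist; the mailbox address and the 30-day window are placeholders.

```powershell
# Added example, not from the article. Assumes Exchange 2010 SP1+ Exchange Management Shell.

# 1. Record every cmdlet run by an administrator (who granted FullAccess, who exported a mailbox).
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogAgeLimit 365

# 2. Log non-owner (Admin logon) access on every mailbox. FolderBind and MessageBind
#    capture an administrator opening folders or messages in someone else's mailbox.
Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 90 `
        -AuditAdmin FolderBind,MessageBind,SendAs,SendOnBehalf,HardDelete,SoftDelete,Update

# 3. Who opened a given mailbox with an Admin logon in the last N days?
#    Output can be exported to CSV or forwarded to the SIEM for dashboards and alerting.
function Get-AdminMailboxAccess {
    param([string]$Mailbox, [int]$Days = 30)
    $readOps = @('FolderBind', 'MessageBind')
    Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin -ShowDetails `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
        Where-Object { $readOps -contains $_.Operation } |
        Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName,
                      ClientIPAddress, ClientInfoString
}

# 4. Which administrator changed mailbox permissions or exported a mailbox recently?
function Get-PrivilegedMailboxCmdlets {
    param([int]$Days = 30)
    Search-AdminAuditLog -Cmdlets Add-MailboxPermission,New-MailboxExportRequest,Set-Mailbox `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
        Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded
}

# Placeholder mailbox for illustration.
Get-AdminMailboxAccess -Mailbox 'ceo@example.com' -Days 30 | Format-Table -AutoSize
Get-PrivilegedMailboxCmdlets -Days 30 | Format-Table -AutoSize
```

An administrator with a documented troubleshooting ticket will still appear in these reports; the point is that every non-owner access is attributable to a named account and can be reconciled against approved work.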

This was last published in December 2011
