Microsoft Exchange Server 2007 Security Basics
- 6/18/2008
Administrative Security
In previous versions of this book, this section talked extensively about the use of administrative groups as a way to achieve some semblance of administrative security for your Exchange organization. In Exchange Server 2007, however, Microsoft has mostly done away with administrative groups, leaving only a single administrative group named Exchange Administrative Group (FYDIBOHF23SPDLT) in which only Exchange Server 2007 servers reside. This administrative group is present only to support coexistence with legacy Exchange servers.
Why did the Exchange team eliminate administrative groups from the Exchange equation? With the complete overhaul of the management interface and its new “area of responsibility” focus, administrative groups simply aren’t necessary and can add to the overall complexity of managing Exchange. Figure 19-4 gives you a side-by-side look at the legacy Exchange System Manager and the Exchange Server 2007 Exchange Management console. With their absence in Exchange Server 2007, you need to use a way other than administrative groups to achieve administrative security. In this section, you learn two methods by which you can add users to act in various Exchange administrative capacities.
Figure 19-4 The Exchange Server 2003 Exchange System Manager is on the left and the Exchange Server 2007 Exchange Management Console is on the right.
The Built-in Exchange Administrative Groups
When you run the initial installation of Exchange Server 2007, six Active Directory universal security groups are created, each with specific rights to various parts of the Exchange organization. Five of the six groups, shown in Figure 19-5 inside Active Directory Users And Computers, pertain directly to management of the Exchange organization and are as follows:
Exchange View-Only Administrators. This role allows you to view configurations on all Exchange objects, but not to make any changes to those configurations.
Exchange Servers. This role provides the following rights:
Members of this group have all of the rights of Exchange View-Only Administrators.
Members of this group have access to server-based Exchange configuration information and to the Active Directory objects that are server-related.
Members of this group may perform server-based administration, but cannot perform operations at the global Exchange organization level.
Members of this group are also members of the local Administrators group on each server on which Exchange Server 2007 is installed.
Exchange Recipient Administrators. This role provides the following rights:
Members of this group have all of the rights of Exchange View-Only Administrators.
Members of the group are also allowed to configure any object related to recipients and public folders, including contacts, groups, public folder objects, Unified Messaging mailbox settings, Client Access mailbox settings, and any other recipient Exchange property found in Active Directory.
Exchange Public Folder Administrators. This role provides the following rights:
Members of this group have all of the rights of Exchange View-Only Administrators.
Members of this group are also allowed to manage public folders.
Exchange Organization Administrators. This role provides the following rights:
Members of this group have all of the rights of Exchange Recipient Administrators, plus more.
Members of this group also have all of the rights of Exchange Public Folder Administrators.
Users assigned to this group are allowed to view and administer all aspects of the Exchange organization, including servers, recipients, public folders, and organizational configuration.
Members of the role are considered the owners of all Exchange-related Active Directory objects.
During Exchange Server 2007 installation, this group is added to the membership of the server’s local Administrators group. If you install Exchange Server 2007 on a domain controller, which is not recommended, Exchange Organization Administrators have additional rights by virtue of the local Administrators group having more rights on a domain controller.
Figure 19-5 The Exchange Server 2007 built-in security groups
If you want to add a full Exchange administrator to your organization, all you have to do is add the appropriate user account to the Exchange Organization Administrators group. The same holds true for the other security groups.
The Add Exchange Administrator Wizard
Exchange Server 2007 also provides an easy way to add additional Exchange administrators with each administrator role having responsibility for only a specific part of the Exchange organization, such as a single server, a group of servers, or only able to manage recipients. You will find that this administrative delegation method is far more flexible and effective than administrative groups were in the past.
The best way to demonstrate how the Add Exchange Administrator operation works is to see it in action. To start the process, open the Exchange Management Console and select the Organization Configuration option, as shown in Figure 19-6.
Figure 19-6 The Organization Configuration window
Note that the work pane shown in Figure 19-6 shows you the groups that already have some level of permission to the Exchange organization. To add additional Exchange administrators, from the Action pane, choose Add Exchange Administrator. This selection displays a one-page wizard, shown in Figure 19-7.
Figure 19-7 The Add Exchange Administrator Wizard
There are three selections that you must make in order to complete this wizard. First, select the user or group to which you want to grant Exchange administrative rights. Next, select the role and scope that should apply to the new Exchange administrator. Finally, if you’ve selected the Exchange Server Administrator role, select at least one server to which this new user or group has access. Click Add, and from the Select Exchange Server window, choose the desired servers. Figure 19-8 shows what the screen looks like after you select the Exchange Server Administrator role and add a managed server.
Figure 19-8 Selecting the Exchange Server Administrator role
In reality, when you run the Add Exchange Administrator operation, the resulting command simply adds the selected users to one of the groups that you learned about in the section “The Built-in Exchange Administrative Groups.” The only role for which this does not hold true is for the Exchange Server Administrator role. When users or groups are assigned to this role, the user or group is assigned Full Control permission on the specified server object and all child objects.
Table 19-1 comes from Microsoft’s documentation on the role of roles in Exchange Server 2007 and provides a concise look at exactly what each administrative role accomplishes.
Table 19-1 Exchange Server Administrative Roles
Role |
Members |
Member of |
Exchange permissions |
Exchange Organization Administrators |
Administrator, or the account that was used to install the first Exchange 2007 server |
Exchange Recipient Administrator, Administrators local group of <Server Name> |
Full control of the Microsoft Exchange container in Active Directory |
Exchange Recipient Administrators |
Exchange Organization Administrators |
Exchange View-Only Administrators |
Full control of Exchange properties on Active Directory user object |
Exchange Server Administrators |
Exchange View-Only Administrators, Administrators local group of <Server Name> |
Full control of Exchange <Server Name> |
|
Exchange View-Only Administrators |
Exchange Recipient Administrators, Exchange Public Folder Administrators |
Exchange Recipient Administrators, Exchange Server Administrators |
Read access to the Microsoft Exchange container in Active Directory. Read access to all the Windows domains that have Exchange recipients. |
Exchange Public Folder Administrators |
Exchange Organization Administrators |
Exchange View-Only Administrators |
Ability to administratively manage public folders. |