How about using Group Policy to restrict the Group Membership?

BTW - this same "flaw" exists in another group as well.  There is a
group created during Domainprep called Exchange Domain Servers.  If you
add your user account to that group, you will have full access to the
entire Exchange Org (including full mailbox access to all mailboxes).

I don't necessarily agree that it is a security flaw, but that is my
opinion.  You are entitled to yours.  You ought to be auditing group
membership so that you will know if someone adds their account to that
group.


Ben Winzenz
Microsoft Exchange MVP
Network Engineer
Gardner & White
Ph (317) 843-3418
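One way to carry out the membership auditing recommended above, as an added example that is not from this thread or from Microsoft: a PowerShell script that compares the actual members of the "Exchange Services" and "Exchange Domain Servers" groups against an approved baseline and reports drift. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to each domain; the domain names, service account and server account names in the baseline are constructed placeholders.

```powershell
# Added example (not from the thread): detect unexpected members in the
# Exchange groups discussed above, in every domain where they exist.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Domains that have their own copy of the groups (constructed placeholders).
$Domains = @('corp.example', 'sub.corp.example')

# Approved members per group (constructed placeholders: the ADC service
# account and the Exchange server computer accounts).
$Baseline = @{
    'Exchange Services'       = @('svc-adc')
    'Exchange Domain Servers' = @('EXCH01$', 'EXCH02$')
}

function Get-GroupDrift {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $Approved,
        [Parameter(Mandatory)] [string]   $Domain
    )
    # Recursive expansion catches an account hidden one nesting level down.
    $actual = Get-ADGroupMember -Identity $GroupName -Server $Domain -Recursive |
              Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        Domain     = $Domain
        Group      = $GroupName
        Unexpected = @($actual   | Where-Object { $_ -notin $Approved })
        Missing    = @($Approved | Where-Object { $_ -notin $actual })
    }
}

foreach ($domain in $Domains) {
    foreach ($group in $Baseline.Keys) {
        try {
            $drift = Get-GroupDrift -GroupName $group -Approved $Baseline[$group] -Domain $domain
        } catch {
            # The group is only created where an ADC was installed; skip domains without it.
            Write-Verbose "$domain / $group not found: $_"
            continue
        }
        if ($drift.Unexpected.Count -gt 0) {
            Write-Warning ("{0}\{1}: unexpected members: {2}" -f $domain, $group, ($drift.Unexpected -join ', '))
        } else {
            Write-Output ("{0}\{1}: membership matches baseline" -f $domain, $group)
        }
    }
}
```

Run it on a schedule and alert on any warning line; the check is only as good as the baseline, so update it when a legitimate service account changes. For the Group Policy approach mentioned at the top of the reply, the Restricted Groups setting (Computer Configuration > Windows Settings > Security Settings > Restricted Groups) can enforce a fixed member list, but note it rewrites the membership at each refresh, so the script above is still useful to see who was added in between.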



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of M
Wilkins
Sent: Tuesday, March 23, 2004 8:21 AM
To: Exchange Discussions
Subject: ADC security flaw

I wonder if anybody could help with a security flaw there seems to be
with the ADC software for Exchange 2000 (not tested on 2003).

When you install the ADC software a global security group is created in
the local domain called Exchange Services, the account used in the ADC
is placed into this group.

The Exchange Services group has full admin rights over the entire
Exchange Org, you cannot see this via the delegate wizard but if you
examine the security at the top level of the Exchange Org or use ADSI
you can see the group (or groups if you have ADCs in multiple domains)
having full admin rights.

If you run a larger size Exchange Org with multiple domains where
different departments/companies manage their own AGs/domains but say the
main routing and the various Exchange Org wide management are done
centrally there exists a flaw.....

A user can be placed into the Exchange Services group that exists in a
sub domain and they gain the elevated permission of Exchange Full Admin
rights to the entire Org. If you run multiple domains under different
management then they can place users into this group and bypass the
Exchange AG security.

Any ideas how to mitigate this risk?

Thanks in advance,
Martin.

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.
