Thanks for your email, Ben. The Exchange Domain Servers group does have certain elevated permissions as you mention, such as full rights over public folders, information store, metabase etc. However it does not have Full Admin rights to the entire Exchange Org as the Exchange Services group does.
If you run a multiple domain forest and delegate Exchange Admin by AG the security is easily broken by an account being placed into the Exchange Services group of one domain. This account then has full admin rights for the entire Exchange Org, every AG, server and all the global objects and RPs etc.! Auditing is one method, but I would prefer to be proactive and block the security flaw.

Regards,
Martin.

--- Ben Winzenz <[EMAIL PROTECTED]> wrote:

> How about using Group Policy to restrict the Group Membership?
>
> BTW - this same "flaw" exists in another group as well. There is a group created during Domainprep called Exchange Domain Servers. If you add your user account to that group, you will have full access to the entire Exchange Org (including full mailbox access to all mailboxes).
>
> I don't necessarily agree that it is a security flaw, but that is my opinion. You are entitled to yours. You ought to be auditing group membership so that you will know if someone adds their account to that group.
>
> Ben Winzenz
> Microsoft Exchange MVP
> Network Engineer
> Gardner & White
> Ph (317) 843-3418
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of M Wilkins
> Sent: Tuesday, March 23, 2004 8:21 AM
> To: Exchange Discussions
> Subject: ADC security flaw
>
> I wonder if anybody could help with a security flaw there seems to be with the ADC software for Exchange 2000 (not tested on 2003).
>
> When you install the ADC software a global security group is created in the local domain called Exchange Services; the account used in the ADC is placed into this group.
>
> The Exchange Services group has full admin rights over the entire Exchange Org. You cannot see this via the delegate wizard, but if you examine the security at the top level of the Exchange Org or use ADSI you can see the group (or groups if you have ADCs in multiple domains) having full admin rights.
> If you run a larger size Exchange Org with multiple domains where different departments/companies manage their own AGs/domains but, say, the main routing and the various Exchange Org wide management are done centrally, there exists a flaw.....
>
> A user can be placed into the Exchange Services group that exists in a sub domain and they gain the elevated permission of Exchange Full Admin rights to the entire Org. If you run multiple domains under different management then they can place users into this group and bypass the Exchange AG security.
>
> Any ideas how to mitigate this risk?
>
> Thanks in advance,
> Martin.
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
> To unsubscribe via postal mail, please contact us at:
> Jupitermedia Corp.
> Attn: Discussion List Management
> 475 Park Avenue South
> New York, NY 10016
>
> Please include the email address which you have been contacted with.
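The thread settles on two controls: Ben's suggestion of enforcing membership with Group Policy, and auditing membership so that an account added to Exchange Services or Exchange Domain Servers in any domain is noticed. The script below is an added example of the auditing half; it is not code from the thread or from Microsoft. It assumes the ActiveDirectory PowerShell module (RSAT) and an account that can read group membership in every domain of the forest. The allow-lists (svc-adc, EXCH01$, EXCH02$) are constructed placeholders standing in for the ADC service account and Exchange server computer accounts an organisation actually uses. Because, as Martin describes, a copy of the group in any sub-domain carries org-wide rights, the audit walks every domain returned by Get-ADForest rather than only the root.

```powershell
# Added example (not from the thread): report any member of the
# Exchange-related groups, in every domain of the forest, that is not
# on an explicit allow-list. Requires the ActiveDirectory module (RSAT).
#Requires -Modules ActiveDirectory

# Groups discussed in the thread. The member lists are constructed
# placeholders; replace them with the accounts your ADC and Exchange
# servers really use.
$Baseline = @{
    'Exchange Services'       = @('svc-adc')            # hypothetical ADC service account
    'Exchange Domain Servers' = @('EXCH01$', 'EXCH02$') # hypothetical Exchange server computer accounts
}

function Get-ExchangeGroupDrift {
    <#
    .SYNOPSIS
    Returns one object per member of an audited group that is not on the allow-list,
    checked in every domain of the forest.
    #>
    param(
        [hashtable]$Baseline = $script:Baseline
    )

    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        foreach ($groupName in $Baseline.Keys) {
            # The group exists separately in each domain that ran DomainPrep or
            # hosts an ADC, so it has to be looked up per domain, not once at the root.
            $group = Get-ADGroup -Server $domain -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
            if (-not $group) { continue }

            # -Recursive expands nested groups, so an account placed one level
            # down (inside a group that was added to the group) is still reported.
            $members = Get-ADGroupMember -Server $domain -Identity $group.DistinguishedName -Recursive
            $allowed = $Baseline[$groupName]

            foreach ($m in $members) {
                if ($allowed -notcontains $m.SamAccountName) {
                    [pscustomobject]@{
                        Domain            = $domain
                        Group             = $groupName
                        Member            = $m.SamAccountName
                        ObjectClass       = $m.objectClass
                        DistinguishedName = $m.distinguishedName
                    }
                }
            }
        }
    }
}

# Run the audit. A non-empty result is the condition to alert on when this
# is scheduled; the non-zero exit code lets a task scheduler or monitoring
# agent pick it up without parsing the output.
$drift = @(Get-ExchangeGroupDrift)
if ($drift.Count -eq 0) {
    Write-Output "No unexpected members in the audited Exchange groups."
} else {
    $drift | Format-Table -AutoSize
    exit 1
}
```

This detects drift after the fact, which is the "auditing" option Martin considers reactive. Pairing it with the Group Policy Restricted Groups setting Ben mentions makes the control proactive: the policy rewrites the group back to its defined membership on each refresh, and the audit confirms the policy is actually applied in every domain and catches the window between an addition and the next refresh. One practical caveat: Get-ADGroupMember -Recursive can fail on groups that contain foreign security principals from other domains; if that happens for a group, fall back to reading the group's member attribute with Get-ADGroup -Properties member and resolving each DN yourself.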
