Preventing administrators from opening user's mailboxes
Greetings, Aloha and Merhaba from Istanbul once again! We had a great event yesterday, great questions, and I met a lot of nice people. Thanks to everyone for making us feel welcome here in Istanbul. Now, on to the topic at hand!
Over the last few weeks, I have seen a number of posts to newsgroups and Web forums asking the same basic question: "How can I keep my administrators from seeing user's messages?"
I have replied to these rather tediously "Hire trustworthy administrators and set a policy that states 'mailbox surfing for recreational purposes is grounds for immediate firing.'" As my buddy Ben Schorr puts it, "this is an HR (human resources) problem. However, there is a bigger point to this on which I really should elaborate:
- Administrators (by default) do not have the "Receive As" permission. It is explicitly denied.
- Enterprise Admins, Domain Admins, and the Administrator user (if that was the account that installed Exchange to start with), have permissions to remove the explicit deny of Receive As permissions, but this must be changed.
- If you have problems with administrators looking at information they should not be looking at, you have a bigger problem.
- You can protect message content with technologies such as S/MIME or Digital Rights Management (DRM)
- An administrator of the PKI infrastructure or the DRM infrastructure may still have access to the key escrow and can recover a user's private keys to view messages or gain access to DRM protected material.
- If you are concerned about what the members of Domain Admins, Enterprise Admins, and Administrators are doing, it is clearly time for you to reduce the number of members in those groups and tighten restrictions on use of accounts with those permissions. If you have more than about 5 members in your Domain Admins group, that is too many. Practice the principle of least permissions. Permissions delegation is a glorious thing. :-)