Pages

2006/05/04

Permission Changes Surprise Mobile Device Administrators

Subscribe to Windows IT Pro: http://list.windowsitpro.com/t?ctl=29306:610453

====================

Don't miss out! Make sure your copy of Exchange and Outlook UPDATE isn't mistakenly blocked by antispam software. Add Exchange_and_Outlook_UPDATE@list.windowsitpro.com to your list of allowed senders and contacts.

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Exchange & Outlook UPDATE.

C2C - Archive One http://list.windowsitpro.com/t?ctl=29300:610453

Hewlett-Packard http://list.windowsitpro.com/t?ctl=292FF:610453

iLumin http://list.windowsitpro.com/t?ctl=29301:610453

====================

1. Commentary - Permission Changes Surprise Mobile Device Administrators - Calling All Windows IT Pro Innovators!

2. Peer to Peer - Featured Forum: Office Tips - Outlook Tip: Understanding Office 2003 SP2's Signature Settings

3. New and Improved - Protect Against Data Loss and Corruption

==== Sponsor: C2C - Archive One ====

Leading industry analyst Butler Group (a Datamonitor company) rate Archive One Policy as one of the top archiving solutions in a recent independent technology audit. In an increasingly crowded arena of e-mail management products, Butler has highlighted the following distinguishing factors of Archive One: 1) Transparency of use to end-users 2) Efficiencies provided by SIS plus 3) The control provided by the automated application policies 4) The use of a repository model 5) C2C's undoubted expertise in the operation of Microsoft Exchange Designed to offer a low TCO and enable organizations to take back control of corporate information, at a corporate level - can you afford not to read the full audit? Click here to obtain your FREE copy: http://list.windowsitpro.com/t?ctl=29300:610453

====================

Editor's note: Share Your Exchange Discoveries and Get $100 Share your Exchange Server and Outlook discoveries, comments, or problems and solutions for use in the Exchange & Outlook Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rxadmin@windowsitpro.com. We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.

====================

==== 1. Commentary: Permission Changes Surprise Mobile Device Administrators ==== by Paul Robichaux, Exchange Editor, exadmin@windowsitpro.com

Security is a tricky thing; there's always pressure to balance improved security against user convenience. You also need to consider factors such as backward-compatibility and the Principle of Least Astonishment (which says that software should always be written so that its behavior is as unsurprising as possible).

The difficulty of trading off security against functionality has recently been highlighted by a change Microsoft made to the way mailbox permissions are applied in Exchange Server 2003 and Exchange 2000 Server. This change has resulted in some puzzled administrators, some broken BlackBerry Enterprise Server (BES) for Exchange deployments, and a lot of complicated technical explanations. Let's see if we can get to the bottom of what's really going on.

The first thing to understand is that the Full Mailbox Access permission has historically granted holders the right to use the Send As and Receive As permissions. If Alice has Full Mailbox Access on Bob's mailbox, you would expect that she could read Bob's mail; you might not expect that she could send mail that appears to come from Bob (and that appears in Bob's Sent Items folder), but that's the way the permission has worked since the release of Exchange 2000.

This permissions assignment came about because the two permissions involved are divided between the Exchange database and Active Directory (AD). Full Mailbox Access is an Exchange permission; Send As is an AD permission. In the original Exchange 2003/2000 behavior, Exchange didn't perform a separate authorization check for the Send As permission if the requestor already had Full Mailbox Access. This is a reasonable optimization, as well as a convenience for administrators who want both permissions granted together. However, it made life more difficult for organizations that separate Exchange permission assignment from AD management.

Combining the permissions in this way led to two undesirable side effects. Most obviously, it allows for spoofing, because an intruder could use a service account to send mail from any of the mailboxes for which it has Full Mailbox Access privileges. Also, there's no way for a recipient to tell the difference between a message sent by the mailbox owner and one sent by a delegate who has Full Mailbox Access.

To remedy these problems, Microsoft released a hotfix for store.exe, which was first included in store.exe version 7650.23 for Exchange 2003 Service Pack 2 (SP2), plus earlier versions for Exchange 2003 SP1 and Exchange 2000 SP3. The hotfix changes Exchange's behavior so that it explicitly checks for the "Send As" permission before allowing delegate access. This seems simple enough, and for many Exchange sites, it is.

However, organizations that were using BES or Good Technology's GoodLink packages quickly found that the fix affected their installations--BES, GoodLink, and some other third-party (and custom) applications depend on having both permissions granted. Users who had Full Mailbox Access permissions granted to the BES or GoodLink service account, without also having Send As permissions granted, quickly found that they could no longer send mail.

In Microsoft's defense, the company published the article "Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003" (http://list.windowsitpro.com/t?ctl=29309:610453 ) when the hotfix was released. The article clearly explained the problem and what to do about it. However, apparently not everyone got the word; I was surprised to see a new post on the Exchange team blog last week describing the fix in more detail. The Microsoft article was also updated with a more in-depth explanation of what changed; best of all, it now contains a script that you can run to identify users who have Full Mailbox Access but not Send As permissions. The script outputs a tab-delimited file listing accounts, which you can edit and then feed back to the script to apply Send As permissions to the accounts that you actually want to have it.

Do you need to do anything? It depends. If you're using BES or GoodLink software, you'll definitely know when you need to make this change; as soon as you apply a store.exe hotfix more recent than 7650.23 (or the equivalent for your version of Exchange), this behavior will kick in. You should run the script before then to avoid any interruptions in service. If you're not using either of these programs, you should probably still use the script to see whether you have any lurking permissions that you don't know about. It's not uncommon for an administrator who inherits an Exchange organization to be unpleasantly surprised by the permissions granted by his predecessor.

-----

Calling All Windows IT Pro Innovators! Have you developed a solution that uses Windows technology to solve a business problem in an innovative way? Enter your solution in the 2006 Windows IT Pro Innovators Contest! Grand-prize winners will receive airfare and a conference pass to Windows and Exchange Connections in Las Vegas, November 6-9, 2006, plus more great prizes and a feature article about the winning solutions in the December 2006 issue of Windows IT Pro. Contest runs through August 1, 2006. To enter, click here: http://list.windowsitpro.com/t?ctl=29308:610453

====================

==== Sponsor: Hewlett-Packard ====

Expert Ben Smith describes the benefits of using server virtualization to make computers more efficient. Download the exclusive podcast today! http://list.windowsitpro.com/t?ctl=292FF:610453

====================

==== Events and Resources ==== ( A complete Web and live events directory brought to you by Windows IT Pro: http://list.windowsitpro.com/t?ctl=2930A:610453 )

Learn the essentials about how consolidation and selected technology updates build an infrastructure that can handle change effectively. http://list.windowsitpro.com/t?ctl=292FC:610453

Use virtual server technology to consolidate your production environment using only a fraction of the server hardware in the data center. Live Event: Thursday, May 18 http://list.windowsitpro.com/t?ctl=292FB:610453

Design effective policies to protect your company's assets and data. Don't accidentally damage what you mean to protect! View this on-demand seminar today. http://list.windowsitpro.com/t?ctl=292FE:610453

Learn to differentiate alternative solutions to disaster recovery for your Windows-based applications and ensure seamless recovery of your key systems--whether a disaster strikes just one server or the whole site. Live event: Thursday, May 11 http://list.windowsitpro.com/t?ctl=29307:610453

Increase administration efficiency, build flexible yet inexpensive file-server environments, and maximize potential through consolidation of your SQL Server environment. Make the most of your resources today! http://list.windowsitpro.com/t?ctl=29302:610453

==== Featured White Papers ====

Learn how to address challenges such as making email truly available 24x7x365, securing against viruses, comprehensively backing up email data, and more. http://list.windowsitpro.com/t?ctl=292F9:610453

~~~~ Hot Spot ~~~~ Gain control of your messaging data with step-by-step instructions for complying with the law, ensuring your systems are working properly and ultimately making your job easier. http://list.windowsitpro.com/t?ctl=29301:610453

==== 2. Peer to Peer ====

Instant Poll: What are your vacation plans for this summer? Go to the Windows IT Pro home page and select a) Taking 1 week, b) Taking 2 weeks, c) Taking 3 weeks, d) Not taking any time off, or e) Taking my work to the beach. http://list.windowsitpro.com/t?ctl=2930C:610453

Featured Forum: Office Tips As an IT professional, do you feel you spend too much of your time answering user questions about Microsoft Office applications? If you would like to improve your users' productivity with Microsoft Word, Excel, Outlook, PowerPoint, and Access, the new Office Tips forum is for you. You can ask Microsoft Office-related questions and swap tips with your fellow IT pros. Check it out at the following URL: http://list.windowsitpro.com/t?ctl=292FD:610453 Outlook Tip: Understanding Office 2003 SP2's Signature Settings by Sue Mosher, exadmin@turtleflock.com

Q: The behavior of the Group Policy setting "Disable signature for replies and forwards" has changed in Microsoft Office 2003 Service Pack 2 (SP2)--it now disables all controls related to signatures. Is there a way to keep the options for creating new signatures and setting the default signature for new messages? Find the answer (and links to more great tips) at http://list.windowsitpro.com/t?ctl=292FA:610453

==== Announcements ==== (from Windows IT Pro and its partners)

Windows IT Pro Master CD--SAVE 50%! Subscribe today and get portable, high-speed access to the entire Windows IT Pro article database on CD: a searchable library that includes every Windows IT Pro issue ever published. The newest issue also includes BONUS Windows IT Tips. Order now and save: http://list.windowsitpro.com/t?ctl=29303:610453

May Exclusive--Save $100 off the Exchange & Outlook Newsletter For a limited time, order the Exchange & Outlook Administrator newsletter and SAVE up to $100! You'll get 12 helpful issues loaded with solutions you won't find anywhere else and FREE access to the entire Exchange & Outlook online article database. Subscribe now: http://list.windowsitpro.com/t?ctl=29305:610453

==== 3. New and Improved ==== by Blake Eno, products@windowsitpro.com

Protect Against Data Loss and Corruption MessageOne announced Email Management Services (EMS) Email Recovery, a solution that protects against data loss and corruption. EMS Email Recovery features message-by-message synchronization and recovery to protect against data-level corruption. The product lets you quickly restore any message or group of messages without having to rebuild an entire server. EMS Email Recovery also protects your email with strong- key encryption, secure transport, and full integration with Windows Authentication. For more information, contact MessageOne at 512-652- 4500 or 888-367-0777. http://list.windowsitpro.com/t?ctl=2930D:610453

Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot@windowsitpro.com.

===================

~~~~ Contact Us ~~~~

About the newsletter -- letters@windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=2930B:610453 About product news -- products@windowsitpro.com About your subscription -- exchangeandoutlookupdate@windowsitpro.com About sponsoring UPDATE -- salesopps@windowsitpro.com

====================

This email newsletter is brought to you by Exchange & Outlook Administrator, the leading publication for IT professionals managing, securing, optimizing, and migrating Exchange and Outlook. Subscribe today! http://list.windowsitpro.com/t?ctl=29304:610453

Manage Your Account You are subscribed as news-and-stuff@arconati.us

You are receiving this email message because you subscribed to this newsletter on our Web site. To unsubscribe, click the unsubscribe link: http://list.windowsitpro.com/u?id=28351AE7DCFB1F6C807AF0A29138E407

View the Windows IT Pro Privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro a division of Penton Media Inc. 221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department Copyright 2006, Penton Media, Inc. All Rights Reserved.

No comments:

Post a Comment

Keep a civil tongue.