
Exchange: domain admins can send emails *from* any account.

loic2003

Diamond Member
I know any domain admin could just go ahead and undo any changes, but at the minute all anyone has to do is go into the views option in outlook and enable the 'from' field. From then on, he can send an email from any account, which just isn't good.

Is there a way to prevent domain admins from being able to send from any account in Exchange by default?

TIA
 
you don't trust your domain admins? you got bigger problems than them sending emails from other accounts
good luck on that
 
Originally posted by: FoBoT
you don't trust your domain admins? you got bigger problems than them sending emails from other accounts
good luck on that

I work for a finance company that is regularly scrutinised by a third party set of auditors who would frown upon this being possible.

Once I even had to demonstrate to them how I go about ejecting the backup tape, putting it in the bag and giving it to the messenger. They sat with me and went through the last month's worth of backups to check everything is above board...

Compliance would also be p!ssed that, if I wanted, I could send an email from the CEO telling someone they're fired, or whatever...
 
oh, you want a Sarbanes-Oxley answer
maybe put "Sarbanes-Oxley question" in your topic summary
 
that is so illegal.. drop an anonymous note to your compliance.. LOL..

you can't prevent him if he changes the permission from the forest root..
 
Originally posted by: FoBoT
oh, you want a Sarbanes-Oxley answer
maybe put "Sarbanes-Oxley question" in your topic summary

the solution would be to change all your passwords 17 times a day, using no less than 84 random ASCII characters, and cannot be your last 800 passwords.
 
Originally posted by: franguinho
yeah it's kinda tricky.... an admin can just give himself access again

Yep.

You could not use domain admin accounts and only give admins the rights they specifically need, but that is going to be a huge PITA.
 
Originally posted by: Pepsi90919
Originally posted by: FoBoT
oh, you want a Sarbanes-Oxley answer
maybe put "Sarbanes-Oxley question" in your topic summary

the solution would be to change all your passwords 17 times a day, using no less than 84 random ASCII characters, and cannot be your last 800 passwords.

You can offer them this solution.

Rename the admin account and give it a randomly generated password which no one knows. This removes the possibility of anyone misusing the admin account. Take an image of the installation before doing this to roll back to if there's ever a problem.
 
You would have to remove the Send As permission from the mail store in Exchange System Manager. However, as domain admin, he or she can simply add it back. IIRC the Administrators group is blocked by default from doing that type of activity and requires removing permission inheritance and setting permissions manually to override (easy to spot), so you could try adding them to the Administrators group.
 
Originally posted by: loic2003
Originally posted by: FoBoT
you don't trust your domain admins? you got bigger problems than them sending emails from other accounts
good luck on that

I work for a finance company that is regularly scrutinised by a third party set of auditors who would frown upon this being possible.

Once I even had to demonstrate to them how I go about ejecting the backup tape, putting it in the bag and giving it to the messenger. They sat with me and went through the last month's worth of backups to check everything is above board...

Compliance would also be p!ssed that, if I wanted, I could send an email from the CEO telling someone they're fired, or whatever...

It's a given in any IT environment that an administrator is going to have special privileges (access to sensitive information, privileges that allow him/her to circumvent other controls, etc.). I can't be certain, but it would seem to me that as long as admin activities are monitored and reviewed regularly and there are strict limits on who has access to admin functions, auditors' needs should be satisfied.
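The two practical points raised in this thread are that Send As is granted at the mail store level and inherited by every mailbox, and that an admin who re-grants it by hand leaves an explicit, non-inherited ACL entry that is easy to spot if someone actually looks. The script below is an added example, not code from anyone in the thread: it enumerates the Send-As entries on every mailbox and reports those that are not on an expected list, with the inheritance flag included so a reviewer can tell a store-level grant from a hand-added one. It assumes an Exchange Management Shell (Exchange 2007 or later, since the thread's Exchange System Manager era has no shell), an account with read access to mailbox ACLs, and a placeholder `$ExpectedGrantees` list that you would replace with your own service accounts.

```powershell
# Added example (not from the thread): report Send-As entries on every mailbox so
# that admin-granted Send As rights can be reviewed on a schedule.
# Assumption: Exchange Management Shell (Exchange 2007+), run with read access to
# mailbox ACLs. Get-Mailbox and Get-ADPermission are the standard cmdlets.

# Grantees whose Send-As entry is expected on every mailbox. Constructed placeholder;
# extend it with the mail-flow service accounts used in your own environment.
$ExpectedGrantees = @('NT AUTHORITY\SELF')

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            # Keep only allow entries that carry the Send-As extended right
            ($_.ExtendedRights -like '*Send-As*') -and
            (-not $_.Deny) -and
            ($ExpectedGrantees -notcontains $_.User.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox   = $mbx.PrimarySmtpAddress.ToString()
                Grantee   = $_.User.ToString()
                # $false here means the entry was set directly on the mailbox object,
                # i.e. someone broke inheritance or added it by hand.
                Inherited = $_.IsInherited
            }
        }
}

# Write the report for the audit trail and show it on screen
$findings | Export-Csv -Path '.\sendas-review.csv' -NoTypeInformation
$findings | Sort-Object Inherited, Mailbox | Format-Table -AutoSize
```

Run from a scheduled task and diff the CSV against the previous run; a new row with `Inherited = False` is exactly the manual override the thread describes, and a row with `Inherited = True` for a broad group points back to the store-level grant that the thread suggests removing.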
 
so what. are you sure the audit people even have this as a write-up or is it something you just found and are just freaking out about? Domain admins have to be the most trusted people in the company. I am a sysadmin for a large company and I have the passwords and access to every system we have, be it payroll, ALL SQL databases, ALL Progress databases, marketing tools, finance programs and records. If I wanted to I could do enough damage to this company to pretty much put it out of business, and so could any other admin with a company.

so in my opinion the email thing you are talking about is not an issue.
 
Originally posted by: loic2003
Originally posted by: FoBoT
you don't trust your domain admins? you got bigger problems than them sending emails from other accounts
good luck on that

I work for a finance company that is regularly scrutinised by a third party set of auditors who would frown upon this being possible.

Once I even had to demonstrate to them how I go about ejecting the backup tape, putting it in the bag and giving it to the messenger. They sat with me and went through the last month's worth of backups to check everything is above board...

Compliance would also be p!ssed that, if I wanted, I could send an email from the CEO telling someone they're fired, or whatever...

Um well, domain admins can do pretty much anything they want.. that's why those are controlled positions... people in those positions can change anything in AD they want anyway, so again why is this a problem? There is accountability unless you gave domain admin to a bunch of people...... depending on how big your company is there should not be but a couple of people with unlimited domain admin access..

 
Originally posted by: Citrix
so what. are you sure the audit people even have this as a write-up or is it something you just found and are just freaking out about? Domain admins have to be the most trusted people in the company. I am a sysadmin for a large company and I have the passwords and access to every system we have, be it payroll, ALL SQL databases, ALL Progress databases, marketing tools, finance programs and records. If I wanted to I could do enough damage to this company to pretty much put it out of business, and so could any other admin with a company.

so in my opinion the email thing you are talking about is not an issue.

Correct. I'm a sysadmin for a large company, and I could easily put over two thousand locations in a position where they would have to be manually reloaded, with new drives. If a friend of mine in purchasing teamed up with me we could put them out of business for several months.

Somebody has to be in a position of control over these things. If the company doesn't want you there, they need to find someone they DO trust to hold that position.

Admins hold positions of power and responsibility, that's why when one of us gets fired it's with no warning, in the middle of the week and we're escorted out of the building.

🙂

 
oh do you know how to use telnet? you do know that you can spoof any email domain and send it through telnet right?
 
Originally posted by: Citrix
oh do you know how to use telnet? you do know that you can spoof any email domain and send it through telnet right?

yeah i've seen this in my battle to reduce spam coming in...

Anyhoo, thanks for the replies, guys. You pretty much confirm what I was thinking: it's 'just one of those things' that sysadmins are able to do. It is a position of trust and responsibility for just this reason.

Thanks again, chaps. :thumbsup::beer:
 