Exchange: domain admins can send emails *from* any account.

[loic2003]

I know any domain admin could just go ahead and undo any changes, but at the minute all anyone has to do is go into the views option in outlook and enable the 'from' field. From then on, he can send an email from any account, which just isn't good.

Is there a way to prevent domain admins being able to send from any account in exchange by default?

TIA

 

[FoBoT]

you don't trust your domain admins? you got bigger problems than them sending emails from other accounts
good luck on that

 

[loic2003]

Originally posted by: FoBoT
you don't trust your domain admins? you got bigger problems than them sending emails from other accounts
good luck on that

I work for a finance company that is regularly scrutinised by a third party set of auditors who would frown upon this being possible.

Once I even had to demonstrate to them how I go about ejecting the backup tape, putting in the bag and giving it the messenger. They sat with me and went through the last month's worth of backups to check everything is above above board...

Compliance would also be p!ssed that, if I wanted, I could send an email from the CEO telling someone they're fired, or whatever...

 

[FoBoT]

oh, you want a Sarbanes-Oxley answer
maybe put "Sarbanes-Oxley question" in your topic summary

 

[SuperNaruto]

that is so illegal.. drop an anonymous note to your compliance.. LOL..

you can't prevent him if he changes the permission from the forest root..

 

[Alex]

yeah its kinda tricky.... an admin can just give himself access again

 

[Pepsi90919]

Originally posted by: FoBoT
oh, you want a Sarbanes-Oxley answer
maybe put "Sarbanes-Oxley question" in your topic summary

the solution would be to change all your passwords 17 times a day, using no less than 84 random ASCII characters, and cannot be your last 800 passwords.

 

[iamwiz82]

Originally posted by: franguinho
yeah its kinda tricky.... an admin can just give himself access again

Yep.

You could not use domain admin accounts and only give admins the rights they specifically need, but that is going to be a huge PITA.

 

[djheater]

Originally posted by: Pepsi90919

Originally posted by: FoBoT
oh, you want a Sarbanes-Oxley answer
maybe put "Sarbanes-Oxley question" in your topic summary

the solution would be to change all your passwords 17 times a day, using no less than 84 random ASCII characters, and cannot be your last 800 passwords.

You can offer them this solution.

Rename the admin account and give it a randomly generated password which no one knows. This removes the possibility of anyone misusing the admin account. Take an image of the installation before doing this to roll back to if there's ever a problem.

 

[Skunk]

You would have to remove the send as permission from the mailstore in exchange system manager. However as domain admin he or she can simply add it back. IFIRC the administrators group is blocked by default from doing that type of activity and requires removing permission inheritance and setting permissions manually to override( easy to spot) so you could try adding them to the administrators group.

 

[MrChad]

Originally posted by: loic2003

Originally posted by: FoBoT
you don't trust your domain admins? you got bigger problems than them sending emails from other accounts
good luck on that

I work for a finance company that is regularly scrutinised by a third party set of auditors who would frown upon this being possible.

Once I even had to demonstrate to them how I go about ejecting the backup tape, putting in the bag and giving it the messenger. They sat with me and went through the last month's worth of backups to check everything is above above board...

Compliance would also be p!ssed that, if I wanted, I could send an email from the CEO telling someone they're fired, or whatever...

It's a given in any IT environment that an administrator is going to have special privileges (access to sensitive information, privileges that allow him/her to circumvent other controls, etc.). I can't be certain, but it would seem to me that as long as admin activities are monitored and reviewed regularly and there are strict limits on who has access to admin functions, auditors' needs should be satisfied.

 

[OutHouse]

so what. are you sure the audit people even have this as a write up or is it something you just found and are just freaking about it? Domain admins have to be the most trusted people in the company. I am a Sys admin for a large company and i have the passwords and access to every system we have. be it payroll, ALL sql databases, ALL progress databases, marketing tools, finance programs and records. If i wanted to i could do enough damage to this company to pretty much put it out of business and so could any other admin with a company.

so in my opinion the email thing you are talking about is not a issue.

 

[CVSiN]

Originally posted by: loic2003

Originally posted by: FoBoT
you don't trust your domain admins? you got bigger problems than them sending emails from other accounts
good luck on that

I work for a finance company that is regularly scrutinised by a third party set of auditors who would frown upon this being possible.

Once I even had to demonstrate to them how I go about ejecting the backup tape, putting in the bag and giving it the messenger. They sat with me and went through the last month's worth of backups to check everything is above above board...

Compliance would also be p!ssed that, if I wanted, I could send an email from the CEO telling someone they're fired, or whatever...

Um well Domain admins can do pretty much anything they want.. thats why those are controlled positions... people in those positions can change anything in AD they want anyway so again why is this a problem there is accountability unless you gave domain admin to a bunch of people...... depending on how big your company is there should not be but a couple people with unlimited domain admin access..

 

[djheater]

Originally posted by: Citrix
so what. are you sure the audit people even have this as a write up or is it something you just found and are just freaking about it? Domain admins have to be the most trusted people in the company. I am a Sys admin for a large company and i have the passwords and access to every system we have. be it payroll, ALL sql databases, ALL progress databases, marketing tools, finance programs and records. If i wanted to i could do enough damage to this company to pretty much put it out of business and so could any other admin with a company.

so in my opinion the email thing you are talking about is not a issue.

Correct. I'm a sysadmin for a large company, and I could easily put over two thousand locations in a position where they would have to be manually reloaded, with new drives. If a friend of mine in purchasing teamed up with me we could put them out of business for several months.

Somebody has to be in a position of control over these things. If the company doesn't want you there, they need to find someone they DO trust to hold that position.

Admins hold positions of power and responsibility, that's why when one of us gets fired it's with no warning, in the middle of the week and we're escorted out of the building.

 

[OutHouse]

oh do you know how to use telnet? you do know that you can spoof any email domain and send it through telnet right?

 

[loic2003]

Originally posted by: Citrix
oh do you know how to use telnet? you do know that you can spoof any email domain and send it through telnet right?

yeah i've seen this in my battle to reduce spam coming in...

Anyhoo, thanks for the replies, guys. You pretty much confirm what I was thinking: it's 'just one of thsoe things' that sys admins are able to do. It is a position of trust and reponsibility for just this reason.

Thanks again, chaps. :thumbsup::beer: