
Guarding Your Exchange Organization Against Rogue System Administrators

Rogue system administrators are in every organization. How do you protect your Exchange organization from administrators who have gone bad but are still employed in your establishment?

The first thing that probably comes to mind is to fire the administrator, but in the eyes of other individuals the administrator may appear to be a good person, with no grounds to be fired. This individual knows exactly how to "fly below the radar" and not be noticed by upper management, but you know that they are there.

In fact, you see some of the errors that they have made in your Exchange organization because they have had no training with Exchange Server. All this individual knows how to do is create mailboxes in Exchange Server, but when there is an issue with the server, they do not know how to resolve it.

A rogue administrator, like I said earlier, is an administrator who has gone bad. In other words, it is a person who behaves badly but is still liked, in spite of their behaviour. Longman's dictionary further defines this person as a man who is dishonest and has a very bad character.

Any administrator who has admin rights in an Active Directory environment also has rights, by default, to administer any Exchange Server organization. At least from the perspective of Exchange 2010. If I remember correctly, in Exchange 2003 an Exchange administrator had to be in a specific group in order to manage the Exchange 2003 organization.

Many system administrators who administer Active Directory do not even know that they have administrative rights to manage an Exchange 2010 organization, as long as they are in the system admins group in Active Directory. At least this is so in the environment where I am presently employed.

Using RBAC, or role-based access control, in Exchange 2010 can assist any administrator in setting up boundaries that do not allow these rogue system administrators access to the Exchange 2010 organization.

The Microsoft Exchange Blog recently published a post on their website that shows you how to set up boundaries in Exchange 2013 and Exchange 2010, to help with the issue of rogue system administrators' access to Exchange. Below is an excerpt from the article on the Exchange Team Blog. Really good read. You can access the link just below the quote to see the entire article.


Occasionally I am asked the following question – how can I protect the messaging environment from a rogue administrator? There are essentially two concerns being asked in this question:

  1. How do I protect the data from being deleted by a rogue administrator?
  2. How do I protect the data from being accessed and/or altered by a rogue administrator?

Sometimes this discussion leads to a discussion about only the chosen backup architecture. The reality is that whether you implement Exchange Native Data Protection or a third-party backup solution, a backup, by itself, does not protect you from rogue administrators; it only mitigates the damage they potentially cause. Any administrator that has the privileged access to the messaging data (whether it be live data and/or backup data), can compromise the system. Therefore, some operational changes must be implemented within the organization in order to reduce the attack surface of an administrator who has gone rogue.

Read the entire article at the Exchange Team Blog

Implementing RBAC in Exchange 2010 can reduce the attack surface in Exchange 2010 against a rogue administrator.
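One way to see who currently sits inside those RBAC boundaries, as an added example that is not from the original post or the Exchange Team Blog article: it lists every account that effectively holds a role able to read, export or re-delegate access to mailbox data, and flags anyone not on an allow-list. The `$Approved` list and its account names are hypothetical placeholders; the cmdlets are the standard Exchange Management Shell ones.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010 or later).
# $Approved is a hypothetical allow-list; replace it with the accounts your
# organization has actually authorised to manage Exchange.
$Approved = @('ExchAdmin1', 'ExchAdmin2')

# Built-in roles that allow reading, exporting or re-delegating access to mailbox data.
$SensitiveRoles = @(
    'Mailbox Import Export',
    'Mailbox Search',
    'ApplicationImpersonation',
    'Role Management'
)

$roleFindings = foreach ($role in $SensitiveRoles) {
    # -GetEffectiveUsers expands role groups and security groups to individual accounts,
    # so a user who gets the role through group membership is still listed.
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Where-Object {
            # Skip the group-level summary row if present, then keep unapproved accounts.
            $_.EffectiveUserName -ne 'All Group Members' -and
            $Approved -notcontains $_.EffectiveUserName
        } |
        Select-Object Role, EffectiveUserName, RoleAssigneeName, AssignmentMethod
}

# Direct members of the most powerful built-in role group.
$orgMgmtFindings = Get-RoleGroupMember -Identity 'Organization Management' |
    Where-Object { $Approved -notcontains $_.Name } |
    Select-Object Name, RecipientType

Write-Output 'Unapproved holders of sensitive roles:'
$roleFindings | Sort-Object EffectiveUserName, Role | Format-Table -AutoSize | Out-String

Write-Output 'Unapproved members of Organization Management:'
$orgMgmtFindings | Format-Table -AutoSize | Out-String
```

Running this on a schedule and comparing the output over time shows when an account has been added to a role group outside the normal approval process.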

By Andrew Moss


Exchange 2003 to 2010 Migration / How to Remove the Last Legacy Exchange Server From Your Environment

More than likely, if you have partially completed your Exchange 2003 to 2010 migration, then you are probably one of the many Exchange administrators who still have legacy Exchange servers installed as part of your organization. I know that I am not the only administrator with this configuration. There should be many others on the planet, just like me.

If you are like me, then you are one of those administrators who did not pay much attention to completely migrating Exchange 2003 to 2010, because everything was running smoothly with Exchange 2003 and Exchange 2010 as part of the same organization. Don't be the last administrator on the planet to upgrade Exchange 2003 to 2010, or to the latest Exchange Server version.

Exchange Server 2003 reached its end-of-support date on April 8, 2014, as per the Microsoft Product Life-cycle website and a blog post at the Microsoft Exchange Blog website. If you still have Exchange 2003 mixed with 2010 in your environment, then you should begin phasing Exchange 2003 servers out of your 2010 environment, in order to get assistance from Microsoft when you need it.

I am not saying that you may not get any assistance if the environment is mixed, but who knows. Microsoft Support may ask you to bring your environment up to date first, then offer you assistance afterwards. Why wait until you need assistance? Now is the time to begin your transition to Exchange 2010 or Exchange 2013.

Every administrator will need some sort of assistance from Microsoft during their career, even if you are a certified administrator. I learned a long time ago that you will never know everything in relation to one system. Everyone has a piece of the puzzle, and we are all much smarter together. As an administrator you should strive to never be in a position where you are unable to get assistance when needed.

Even though Exchange Server 2013 is the latest Exchange product on the market as of the creation of this article, Exchange 2010 is still relevant. Mainstream support does not end until January 2015, and extended support has until January 2020. Microsoft appears to always give at least a ten-year span for any newly created Exchange product. At least this is what I have seen.

Phasing out legacy Exchange 2003 servers from an Exchange Server 2010 organization is an integral step in any Exchange 2003 to 2010 migration process. I would even go as far as to say that, if you do not do this step, you would not be able to introduce Exchange Server 2013 into your organization at all until your organization has been converted to a pure Exchange 2010 environment, with Service Pack 3 for Exchange installed.

My Existing Exchange Environment and Issue

My present environment consists of three Exchange 2003 servers, with two Exchange 2010 servers set up in a DAG, or Database Availability Group. My organization level is only on Service Pack 1, or SP1 for short, with rollup update 6 installed. My Exchange 2003 servers are running Windows Server 2003 with SP1, and my Exchange 2010 servers are running the Windows Server 2008 Enterprise OS.

My main reason for attempting to move all legacy Exchange 2003 servers out of our environment is firstly about compliance. If Exchange 2003 is not supported any more, there is no need to keep it mixed with my Exchange 2010 servers.

Secondly, I want to begin the process of introducing an Exchange 2013 server into our existing organization. To do this, my environment must be pure Exchange 2010 and have at least the latest service pack installed. At the creation of this article, SP3 is the latest service pack available for Exchange 2010.

At first I thought about calling Microsoft support to assist me with moving the legacy Exchange servers out of the environment, but Microsoft support only assists you if the system is already broken. As an administrator, every year I would purchase a Five Pack Support pack from Microsoft to assist me whenever I needed assistance with issues that I was unable to resolve on my own. I did not want to waste a call to Microsoft until I actually needed assistance.

The Plan

My plan was to first remove all legacy Exchange 2003 servers from the environment, so I can be in compliance with Microsoft. My long-term plan was to implement a pure Exchange Server 2013 environment by first moving to a mixed environment with Exchange 2010 and Exchange 2013. My goal was also to complete all of the necessary tasks seamlessly in the background, without any of my front-end users being disrupted.

To remove the legacy 2003 servers from the environment, I found a document created by Microsoft that really took all of the guesswork out of the project. The name of the document and the link to it are below. If you are in a similar position, you should get a copy of the document.

Remove the legacy exchange server from an exchange server 2010 organization.

The document includes links to other needed resources that will help you migrate from Exchange 2003 to 2010 by showing you how to prepare to move all legacy servers out of your Exchange 2010 environment.

The first part of the document shows you how to prepare the Exchange 2003 organization to remove the first legacy Exchange servers from the environment. The second part shows you how to remove the last Exchange 2003 server from the environment.

If your environment is mixed like my environment, then you have probably already completed step 1 of the document, without even seeing the document. This step consisted of moving all Exchange 2003 mailboxes to Exchange 2010 servers.

My Exchange 2003 servers are just sitting in our environment being the host for the public folders, and still acting as the servers that are responsible for generating the Offline Address Book.

This is by far one of the best documents on the market that you can use to move the first and the last legacy Exchange 2003 servers out of your environment. Exchange 2003 to 2010 migration is easy, as long as you are using the correct document.

Visit the Microsoft site here to get the document on how to move the legacy Exchange servers out of your environment. Using the document will give you a smooth Exchange 2003 to 2010 migration.

By Andrew Moss