Guarding Your Exchange Organization Against Rogue System Administrators

Rogue system administrators exist in every organization. How do you protect your Exchange organization from an administrator who has gone bad but is still employed in your establishment?

The first thing that probably comes to mind is to fire the administrator, but in the eyes of other people the administrator may appear to be a good person, with no grounds for dismissal. This individual knows exactly how to "fly below the radar" and escape the notice of upper management, but you know that they are there.

In fact, you see some of the errors they have made in your Exchange organization, because they have had no training with Exchange Server. All this individual knows how to do is create mailboxes; when there is an issue with the server, they do not know how to resolve it.

A rogue administrator, as I said earlier, is an administrator who has gone bad. In other words, it is a person who behaves badly but is still liked in spite of their behaviour. Longman's dictionary further defines a rogue as a man who is dishonest and has a very bad character.

Any administrator with administrative rights in an Active Directory environment (a member of Domain Admins or Enterprise Admins, for example) also has, by default, what is needed to administer any Exchange organization in that forest, because the Exchange configuration and the Exchange role groups are themselves Active Directory objects that such an account can modify. At least that is so from the perspective of Exchange 2010. If I remember correctly, in Exchange 2003 an Exchange administrator had to be in a specific group in order to manage the Exchange 2003 organization.

Many system administrators who administer Active Directory do not even know that they have the rights to manage an Exchange 2010 organization simply by being members of a privileged Active Directory group such as Domain Admins. At least this is so in the environment where I am presently employed.

Using RBAC (role based access control) in Exchange 2010 can assist any administrator in setting up boundaries that keep these rogue system administrators out of the Exchange 2010 organization. Rights are granted through management roles, role groups and management scopes rather than through generic Active Directory administrative groups, so an account gets only the cmdlets, and only the recipients or servers, that it has been assigned. One caveat: RBAC governs what the Exchange management tools will do for an account. An account that already holds Domain Admin rights can still alter Exchange objects directly in Active Directory, so the boundary only holds if Exchange administrators are not also domain administrators and administrative changes are audited.
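The following Exchange Management Shell session is an added example written for this post; it is not code from the original article or from Microsoft. It assumes Exchange 2010 SP1 or later and that the Active Directory PowerShell module (RSAT) is available on the management workstation. The scope name "Helpdesk Recipients", the role group "Helpdesk Mailbox Admins", the account "jdoe" and the Department value "Helpdesk" are placeholders chosen for the example. It first shows who already holds full Exchange rights and which Exchange role-group members are also Domain Admins (the accounts RBAC cannot contain), then builds a role group that can create and change recipients only inside one scope, and finally turns on administrator audit logging so that whatever is done through Exchange leaves a record.

```powershell
# Added example, not from the original post or from Microsoft. Run in the
# Exchange 2010 Management Shell; step 2 also needs the ActiveDirectory module.
# "Helpdesk Recipients", "Helpdesk Mailbox Admins", "jdoe" and the Department
# value "Helpdesk" are hypothetical placeholders.

# 1. Who already has full control of the Exchange organization?
#    Organization Management members can do anything, so this list should be
#    short and every name on it should be expected.
Write-Host "Members of Organization Management:"
Get-RoleGroupMember "Organization Management" | Select-Object Name, RecipientType

# 2. Find Exchange role-group members who are also Domain Admins. RBAC only
#    constrains the Exchange tools; a Domain Admin can edit the Exchange objects
#    in Active Directory directly, so these accounts defeat any RBAC boundary.
Import-Module ActiveDirectory
$domainAdminDNs = Get-ADGroupMember "Domain Admins" -Recursive |
    Select-Object -ExpandProperty DistinguishedName
foreach ($group in Get-RoleGroup) {
    foreach ($member in Get-RoleGroupMember $group.Identity) {
        if ($domainAdminDNs -contains $member.DistinguishedName) {
            Write-Warning ("{0} is in role group '{1}' AND in Domain Admins" -f $member.Name, $group.Name)
        }
    }
}

# 3. Build a boundary. The management scope limits writes to recipients whose
#    Department attribute is "Helpdesk" (hypothetical filter). The role group
#    gets only the two recipient roles, so its members can create and modify
#    mailboxes inside that scope but cannot touch servers, databases, transport
#    settings or any recipient outside the scope.
New-ManagementScope -Name "Helpdesk Recipients" `
    -RecipientRestrictionFilter { Department -eq 'Helpdesk' }

New-RoleGroup -Name "Helpdesk Mailbox Admins" `
    -Roles "Mail Recipients", "Mail Recipient Creation" `
    -CustomRecipientWriteScope "Helpdesk Recipients" `
    -Members "jdoe"    # hypothetical helpdesk account

# 4. Verify the boundary: which roles the group holds and where it may write.
Get-ManagementRoleAssignment -RoleAssignee "Helpdesk Mailbox Admins" |
    Format-Table Role, RecipientWriteScope, ConfigWriteScope -AutoSize

# 5. Record every cmdlet that changes something, with all parameters, so an
#    administrator's actions through Exchange can be reviewed after the fact.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * -AdminAuditLogParameters *

# Example review: who created or removed mailboxes in the last seven days?
Search-AdminAuditLog -Cmdlets New-Mailbox, Remove-Mailbox -StartDate (Get-Date).AddDays(-7) |
    Format-Table RunDate, Caller, CmdletName, ObjectModified -AutoSize
```

Step 2 is the check that matters most: a role group with a tight scope does nothing for an account that is also a Domain Admin, because that account can change the role group membership or the Exchange configuration in Active Directory without going through Exchange at all. Keep the Exchange administrators and the Active Directory administrators as separate accounts, and use the audit log from step 5 to review both.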

The Microsoft Exchange Team Blog recently published a post that shows how to set up boundaries in Exchange 2013 and Exchange 2010 to help with the issue of rogue system administrators' access to Exchange. Below is an excerpt from that article. It is a really good read; you can follow the link just below the quote to see the entire article.


Occasionally I am asked the following question – how can I protect the messaging environment from a rogue administrator? There are essentially two concerns being asked in this question:

  1. How do I protect the data from being deleted by a rogue administrator?
  2. How do I protect the data from being accessed and/or altered by a rogue administrator?

Sometimes this discussion leads to a discussion about only the chosen backup architecture. The reality is that whether you implement Exchange Native Data Protection or a third-party backup solution, a backup, by itself, does not protect you from rogue administrators; it only mitigates the damage they potentially cause. Any administrator that has the privileged access to the messaging data (whether it be live data and/or backup data), can compromise the system. Therefore, some operational changes must be implemented within the organization in order to reduce the attack surface of an administrator who has gone rogue.

Read the entire article at the Exchange Team Blog

Implementing RBAC in Exchange 2010 reduces the attack surface that a rogue administrator can exploit in your Exchange organization.

By Andrew Moss
