Administrator can access all mailboxes - how can I stop it?

Solution 1

This is probably a result of DOMAIN\Administrator being a member of the Organization Management group. From the description of that group:

Members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization. This role group shouldn't be deleted.

Or from Technet:

Administrators who are members of the Organization Management role group have administrative access to the entire Exchange 2013 organization and can perform almost any task against any Exchange 2013 object, with some exceptions. By default, members of this role group can't perform mailbox searches and management of unscoped top-level management roles.

This is basically the group in Exchange that is like the Domain Admins group in Active Directory - members have administrative privileges in Exchange, which includes the ability to log into any mailbox (by default). You could, of course, remove DOMAIN\Administrator from that group, but anyone with modify privileges on that group (like domain admins) can trivially add that user, or any other, back into it.

In the unlikely event that the DOMAIN\Administrator user is explicitly defined as having permissions to each mailbox, you could use a PowerShell script to remove it, but you'd have the same problem - that user, and anyone with modify privileges on the Organization Management group can trivially add that user, or any other, back into it.

Bottom line, administrators have (or can easily give themselves) permissions to do whatever they want. It's the nature of an administrative account, and there's really no getting around it.

Solution 2

Organization Management does not actually give permission to access mailboxes using OWA. In fact, by default, this group is explicitly denied access to all mailboxes, for the same reasons that you want to do so. I suspect that the account was granted rights to every single mailbox individually.

You can check for it using a command such as:

    Get-Mailbox | Get-MailboxPermission -User DOMAIN\Administrator | where {-not $_.IsInherited}

    Get-Mailbox | Get-ADPermission | where {-not $_.IsInherited}

To remove them, you would just add Remove-MailboxPermission or Remove-ADPermission to the end. (Do this at your own risk ... This is all off the top of my head, which is why I am not including the full commands. There are probably some mailboxes you would want to exclude, such as the Administrator's own mailbox.)

This is why service accounts for Blackberry Enterprise Servers must not be put into Organization Management. Instead, they have specific instructions to grant access to all mailboxes.

I haven't looked into this specifically for Exchange 2013, but none of the other answers claim to be new for Exchange 2013, so I suspect they are just mistaken.
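The following is an added example, not part of either answer above, that puts the two checks together: first the Organization Management membership that Solution 1 points at, then the per-mailbox enumeration that Solution 2 sketches, extended to all three grant types the question lists (Full Access, Send As, Send on Behalf). It assumes an Exchange 2013 Management Shell session, the trustee name DOMAIN\Administrator from the question, and that the Administrator's own mailbox is excluded as Solution 2 suggests; the parameter names and the report-only default are my own choices. Nothing is removed unless `-Remove` is passed.

```powershell
# Added example (not the answers' own code). Assumes Exchange 2013 Management Shell.
# Default is report-only; -Remove actually strips the explicit grants it found.
param(
    [string]$Trustee = 'DOMAIN\Administrator',      # trustee to audit (from the question)
    [string[]]$ExcludeMailbox = @('Administrator'), # aliases to leave alone (Administrator's own mailbox)
    [switch]$Remove
)

# 1. Solution 1's point: is the trustee in Organization Management at all?
$orgMgmt = Get-RoleGroupMember 'Organization Management'
$samName = ($Trustee -split '\\')[-1]
if ($orgMgmt | Where-Object { $_.Name -eq $samName -or $_.Alias -eq $samName }) {
    Write-Warning "$Trustee is a member of Organization Management (see Solution 1)."
}

# Resolve the trustee once so Send-on-Behalf entries (ADObjectId values) can be matched by DN.
$trusteeDN = (Get-User -Identity $Trustee).DistinguishedName

$mailboxes = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $ExcludeMailbox -notcontains $_.Alias }

# 2. Solution 2's point: explicit, non-inherited grants on each mailbox.
$findings = foreach ($mbx in $mailboxes) {
    # Full Access lives on the mailbox ACL; skip inherited and Deny entries.
    Get-MailboxPermission -Identity $mbx.Identity -User $Trustee |
        Where-Object { -not $_.IsInherited -and -not $_.Deny } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.Alias; Kind = 'FullAccess'; Rights = ($_.AccessRights -join ',') }
        }

    # Send-As is an extended right on the AD object behind the mailbox.
    Get-ADPermission -Identity $mbx.DistinguishedName -User $Trustee |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and ($_.ExtendedRights -contains 'Send-As') } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.Alias; Kind = 'SendAs'; Rights = 'Send-As' }
        }

    # Send on Behalf is a multi-valued property on the mailbox itself.
    if ($mbx.GrantSendOnBehalfTo | Where-Object { $_.DistinguishedName -eq $trusteeDN }) {
        [pscustomobject]@{ Mailbox = $mbx.Alias; Kind = 'SendOnBehalf'; Rights = 'GrantSendOnBehalfTo' }
    }
}

$findings | Sort-Object Mailbox, Kind | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        switch ($f.Kind) {
            'FullAccess' {
                Remove-MailboxPermission -Identity $f.Mailbox -User $Trustee `
                    -AccessRights ($f.Rights -split ',') -InheritanceType All -Confirm:$false
            }
            'SendAs' {
                Remove-ADPermission -Identity (Get-Mailbox $f.Mailbox).DistinguishedName `
                    -User $Trustee -ExtendedRights 'Send-As' -Confirm:$false
            }
            'SendOnBehalf' {
                Set-Mailbox -Identity $f.Mailbox -GrantSendOnBehalfTo @{ Remove = $Trustee }
            }
        }
    }
}
```

Run it once without `-Remove` and keep the table; it is the evidence of what was granted, and it tells you whether the access came from individual grants (Solution 2's theory) or only from role-group membership (Solution 1's), which the two answers disagree on. If the membership warning fires and the table is empty, the grants are not per-mailbox and removing them here will change nothing.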

Solution 3

It appears from your message that you may be an administrator. If so, you have the rights because at times you will need them. Accept, but don't abuse the privilege granted you. A trustworthy administrator will only use the rights when required to do their duties. Those duties may include scanning emails for specific content, tracing email sources, and other activities which require access to other users' email.

If you are making someone an administrator, consider the following.

Anyone with administrative rights more or less has the keys to the kingdom. If you can't trust them, don't make them administrators. They should be in a position to undo pretty well anything you do to remove access.

I would expect that most solutions would be best implemented by the administrator. The mail server would need to be able to decrypt the mailboxes. This would give the administrator access to the mailboxes.

Encrypting the mail messages at both ends could be done. However, this would severely limit who you can exchange email with. It is likely that you would want the administrator to be able to install and debug the encryption software.

The administrator is likely to be in a position to access the mail by packet capture as well. This is more difficult, but not extremely difficult.

A trustworthy administrator will not abuse their authority. Where they do need to access mail folders, they will limit their access as much as possible.

Updated on September 18, 2022

Comments

  • user4166144
    user4166144 over 1 year

    At our organisation the DOMAIN\Administrator account can access all mailboxes, i.e. log in to Outlook Web Access as DOMAIN\Administrator and then open another mailbox and that user's mailbox appears.

    I have no idea why this was done. I'm suspicious, but that's not my problem; I don't want to be responsible for such, so I want to remove this permission.

    Is it possible to search through all mailboxes and remove any access that DOMAIN\Administrator has (whether that be Full Access, Send As or Send on Behalf)?

    We're running 4 Windows Server 2012 servers with Microsoft Exchange 2013.

    • ceejayoz
      ceejayoz over 9 years
    • Lightness Races in Orbit
      Lightness Races in Orbit over 9 years
      What are you trying to hide from the administrator? They are likely responsible for managing all emails in your organisation and for you to be so desperate to hide your correspondence from him or her is highly suspicious. Use your own personal email if you want private communication.
    • Simón
      Simón over 9 years
      Be careful though, as your company's administrator, your ISP's administrator may also be able to read your email. Some Google engineers may also have access to read everything on your Gmail account too... and so on. If you really need such a level of "privacy", you may be better setting up your own MTA (SMTP server). Then again, if your mom is on the sudoers list, she may also be able to read your email.
    • Admin
      Admin over 8 years
      Protecting against Rogue Administrators From <blogs.technet.com/b/exchange/archive/2014/09/12/…>
    • vartaxe
      vartaxe over 8 years
      What about adding administrator in the security settings in Outlook and disabling everything?
  • Jörg W Mittag
    Jörg W Mittag over 9 years
    Yep. Note that even if you remove all permissions, the admin could just pull the drive out of the server and access the mailboxes that way. Or, if your servers are hosted off-site (or in the cloud), then an admin that you don't even know could do the same. Or the cleaning lady. Some people you just have to trust. If your admins are criminals, you need to fix your hiring process, not your mailbox permissions.
  • reirab
    reirab over 9 years
    +1 In general, this answer is absolutely correct. However, there is one possible way to prevent administrators from reading the e-mail inboxes of other users: encrypt the contents of the inboxes. The problem of administrators being able to send mail as a given user can also be solved by digitally signing e-mails. These are the solutions that are used pretty much universally in organizations where this level of security is needed.
  • reirab
    reirab over 9 years
    Proper use of cryptography is the only answer that will actually prevent people with administrative rights on or physical access to the server (or simply a packet sniffer) from reading your e-mail inbox. Furthermore, anyone can spoof a sender address on any e-mail if digital signatures are not relied upon. SMTP and POP3 themselves provide almost no security whatsoever.
  • HopelessN00b
    HopelessN00b over 9 years
    @reirab Not that encryption is a panacea, either. A domain admin (or someone with physical access) is going to have the access needed to dump any crypto key from memory, even if it requires knowledge and effort.
  • reirab
    reirab over 9 years
    Not if the certificate is encrypted with the user's password, as it should be. And it shouldn't be stored on the server in the first place.
  • HopelessN00b
    HopelessN00b over 9 years
    @reirab Which only adds one more thing to pull from RAM (or extract from the domain controller), and one that's simpler than extracting a crypto key from RAM, even.
  • reirab
    reirab over 9 years
    Yeah, you could extract it from the RAM of the user's computer, but it never should be on any other system in the first place. Of course, you could just install a key logger on the user's computer and grab their password that way. But at most of the organizations that use full e-mail encryption schemes, doing either of those things is probably going to get you a visit from unfriendly guys in suits. :)
  • Sobrique
    Sobrique over 9 years
    The Evil Sysadmin threat is one that's extremely hard to mitigate. You've a bunch of guys with the skills and roles necessary to subvert almost any countermeasures... because they're probably the person who put them in the first place. The answer is generally to ensure that you've got decent sysadmins that you trust first and foremost. If you don't, then you have serious problems regardless of what extra layers you slap in.
  • HopelessN00b
    HopelessN00b over 9 years
    @Sobrique Not that I'm especially impressed with either organization's technical skill level, but neither the NSA nor the US Army could stop a disgruntled SA from running off with extremely sensitive data. Even the biggest, best organizations in the world pale in comparison to the resources, secrecy and security of either organization, and should accordingly expect even worse results defending against insider threats.
  • austinian
    austinian over 9 years
    In addition to encryption as suggested, good auditing practices can be put in place to at least make it harder for an Evil Sysadmin to pull a stunt without leaving a trail.
  • HopelessN00b
    HopelessN00b over 9 years
    @user4166144 That varies a bit, but I suspect that in your case, DOMAIN\Administrator is a member of Organization Management, which has full access permissions to all your mailboxes. Someone else suspects that DOMAIN\Administrator has been explicitly granted access on each mailbox, and Organization Management does not have access to all your mailboxes. I'm kind of curious as to which it is, but it doesn't really make a difference if the permissions were there by default, or if someone added them after the fact - the result is the same.
  • HopelessN00b
    HopelessN00b over 9 years
    Actually, these Exchange "defaults" vary quite a bit depending on things like whether Exchange is a brand-new install, or migrated from a previous version (and what settings any previous versions had).
  • user4166144
    user4166144 over 9 years
    @HopelessN00b DOMAIN\Administrator is a member of Organization Management on these servers. Is this default or not? I want to remove it but will it break anything? That's why I'm asking if it is so on a fresh install or not.
  • HopelessN00b
    HopelessN00b over 9 years
    @user4166144 Like I said to one of the other answers below, "default" settings on Exchange are pretty variable, so don't worry about whether it's "default" or not. Removing the default Administrator user from that group should not break anything, unless someone's done something stupid like created scheduled tasks for Exchange with that user... and even then, you could always add the user back into the group. The only thing that should change would be that the default administrative user won't be able to perform administrative actions in Exchange.
  • joeqwerty
    joeqwerty about 8 years
    Members of the Organization Management role are not granted Full Access Permissions on any mailboxes and by default cannot open any user mailbox, except their own if a mailbox was created for that particular user. So the Administrator user account cannot by default open any user mailbox except their own.
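Several comments above make the same point from different angles: permissions you remove can be re-added by anyone who administers the group, so the practical control is the trail, not the lock. The following is an added example, not from any commenter, of the two Exchange 2013 audit trails that cover exactly that: the admin audit log records every permission or role-group change and who ran it, and mailbox audit logging records when someone who is not the owner opens a mailbox (the FolderBind operation) or sends as/on behalf of it. It assumes an Exchange 2013 Management Shell session; the 90-day retention, the 30-day search window and the mailbox alias `jdoe` are constructed placeholders.

```powershell
# Added example (not from the thread). Assumes Exchange 2013 Management Shell.

# 1. Admin audit log (organisation-wide): record cmdlets that change state and keep 90 days.
#    This is what shows you who added a trustee to a mailbox or a member to a role group.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogAgeLimit 90.00:00:00

# 2. Mailbox audit logging is per mailbox and off by default. Log admin and delegate
#    actions, including FolderBind (opening a folder), SendAs and SendOnBehalf.
$actions = 'Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','FolderBind','SendAs','SendOnBehalf','Create'
Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -AuditEnabled $true -AuditAdmin $actions -AuditDelegate $actions -AuditLogAgeLimit 90.00:00:00

# 3. Review: who granted mailbox rights or changed role-group membership in the last 30 days?
$since = (Get-Date).AddDays(-30)
Search-AdminAuditLog -Cmdlets Add-MailboxPermission,Add-ADPermission,Add-RoleGroupMember,Set-Mailbox `
    -StartDate $since -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Sort-Object RunDate

# 4. Review: who, other than the owner, opened folders in a given mailbox?
#    'jdoe' is a constructed placeholder alias.
Search-MailboxAuditLog -Identity jdoe -LogonTypes Admin,Delegate -ShowDetails `
    -StartDate $since -EndDate (Get-Date) |
    Where-Object { $_.Operation -eq 'FolderBind' } |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ClientInfoString
```

Step 3 is the check to schedule: a result row whose `Caller` is DOMAIN\Administrator and whose `CmdletName` is Add-MailboxPermission or Add-RoleGroupMember is the "added back in" scenario the answers warn about, now with a timestamp and a name attached. Step 4 is noisy for mailboxes with legitimate delegates, so filter on the trustee you care about rather than reviewing everything.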