none
Backup-less implementation - What about security ?

    Question

  • Hi

    i am migrating to exchange 2010 in a Dag (2 copies each local Raid1 disks on different servers + one lagged copy also on Raid1)

    If I want to go 'backup-less' for this implementation, I need to confirm the following points:

    Solution is ok 'technically' (I think it's the minimal recommended number of copies)

    Regulatory compliance does not require the client to have backups

    My question is about security: since exchange admins have all rights on the whole environment, what steps could be taken to stop a rogue admin to just crash everything without possibility to restore from backups? Are there recommended best practices to avoid such kind of 'disaster' by splitting permissions, etc ?

    thanks in advance


    bruno

    Wednesday, April 11, 2012 10:21 AM

Answers

  • Understanding Role Based Access Control

    http://technet.microsoft.com/en-us/library/dd298183.aspx

    ---

    You can assign the permission to the admins only the task he is going to do

    Like he can create mailboxes and distribution groups alone

    and he cannot remove that mailbox too.

    ---

    Backup less

    Split the databases more - Recovery is much easier

    --

    Have large room for drives which holds the log files

    where backup won't purge the log files in our case

    --

    We can clear in manually once 2 months or so . Depends on your mail flow 


    Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you

    • Marked as answer by brpo Thursday, April 12, 2012 7:34 AM
    Thursday, April 12, 2012 1:53 AM
  • am going to post a blog on regards how to use RBAC for a helpdesk

    Just have look at my website after like 5 days or so

    Thanks

    www.careexchange.in


    Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you

    • Marked as answer by Terence Yu Friday, May 04, 2012 6:33 AM
    Thursday, April 12, 2012 3:16 PM

All replies

  • Understanding Role Based Access Control

    http://technet.microsoft.com/en-us/library/dd298183.aspx

    ---

    You can assign the permission to the admins only the task he is going to do

    Like he can create mailboxes and distribution groups alone

    and he cannot remove that mailbox too.

    ---

    Backup less

    Split the databases more - Recovery is much easier

    --

    Have large room for drives which holds the log files

    where backup won't purge the log files in our case

    --

    We can clear in manually once 2 months or so . Depends on your mail flow 


    Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you

    • Marked as answer by brpo Thursday, April 12, 2012 7:34 AM
    Thursday, April 12, 2012 1:53 AM
  • thanks for your comments

    I guess I should remove some rights from the admin account and give them to a special account that would be used only for RBAC and recovery.

    brgds

    bruno


    bruno

    Thursday, April 12, 2012 7:35 AM
  • am going to post a blog on regards how to use RBAC for a helpdesk

    Just have look at my website after like 5 days or so

    Thanks

    www.careexchange.in


    Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you

    • Marked as answer by Terence Yu Friday, May 04, 2012 6:33 AM
    Thursday, April 12, 2012 3:16 PM