Exchange Best Practices for untrusted mailbox users


There are many scenarios where a mailbox and its access can become "untrusted".  Preventative solutions abound, but this article will focus on the following worst case scenarios for the quickest way to shut down access with the least amount of impact and administrative effort.
  1. A mobile device or computer with saved access to a mailbox is stolen
  2. An employee is suddenly terminated
  3. One or more users with access to a group mailbox are abruptly untrusted but the remaining group members still need access
  4. Criminal investigation or other legal process requires access to mailbox but no access from the original mailbox owner
  5. Mailbox credentials have been compromised

Disabling a mailbox user's Active Directory account is not enough. For example, here are some of the considerations when dealing with an untrusted mailbox:

  • Outlook or MAPI connections can remain connected to Exchange for up to 2 hours even after the AD account has been disabled. For performance reasons, active connections to the store or RPC Client Access are cached in this manner.
  • Outlook Web Access, Exchange Web Services, and ActiveSync also have caches. ActiveSync devices, with their long heartbeat intervals and token cache, can still allow access up to 24 hours after an AD account has been disabled.

Solution:

1.  Disable the mailbox - to prevent re-access of the mailbox by the user
(example of specific steps)

2.  Set a Send Prohibit Quota to quickly prevent the user from sending off any messages.
example:  Set-Mailbox -Identity alias -IssueWarningQuota 0 -ProhibitSendQuota 0
This works with Office 365 as well.

3.  Move the mailbox to terminate all active logons to the mailbox, including the user's current logon
(example of move mailbox command that would terminate active logons even for Exchange 2010)

4.  Office 365 mailboxes or other hosted/cloud solutions may not allow moving the mailbox quickly, so disabling protocols at the CASMailbox level will accomplish a similar result.
(example of disabling services with CASmailbox commands)
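The four steps above combined into one Exchange Management Shell function, added here as an example (not code from the original article). The function name and parameter names are this example's own; it assumes an on-premises deployment with the ActiveDirectory and WebAdministration modules available, and reads step 1 as "disable the AD account".

```powershell
# Added example: contain an untrusted mailbox in one pass (not from the original article).
# Assumes Exchange Management Shell plus the ActiveDirectory module on the admin host;
# the function and parameter names are this example's own.
function Invoke-UntrustedMailboxContainment {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # mailbox alias, UPN or SMTP address
        [string] $TargetDatabase,                     # on-premises: database to move the mailbox to
        [string[]] $InternetFacingCas = @()           # CAS names for the EAS app pool recycle
    )

    # Step 1: block new logons. Disabling alone leaves cached MAPI/OWA/EWS/EAS sessions
    # alive (up to 2 h, or 24 h for ActiveSync), so the remaining steps are still required.
    $user = Get-User -Identity $Identity
    Disable-ADAccount -Identity $user.SamAccountName

    # Step 2: a zero send quota stops any message leaving from a session that is still cached.
    Set-Mailbox -Identity $Identity -IssueWarningQuota 0 -ProhibitSendQuota 0

    # Step 4, done before the move so that it also covers mailboxes that cannot be moved
    # quickly (Office 365 / hosted): turn off every client protocol at the CAS mailbox level.
    Set-CASMailbox -Identity $Identity -ActiveSyncEnabled $false -OWAEnabled $false `
        -EwsEnabled $false -MAPIEnabled $false -PopEnabled $false -ImapEnabled $false

    # Step 3: a mailbox move terminates every active logon, the owner's included.
    if ($TargetDatabase) {
        New-MoveRequest -Identity $Identity -TargetDatabase $TargetDatabase | Out-Null
    }

    # Alternative for the ActiveSync token cache when a move is not possible: recycle
    # MSExchangeSyncAppPool on every Internet-facing CAS (WebAdministration module on the CAS).
    foreach ($cas in $InternetFacingCas) {
        Invoke-Command -ComputerName $cas -ScriptBlock {
            Import-Module WebAdministration
            Restart-WebAppPool -Name 'MSExchangeSyncAppPool'
        }
    }

    # Verification: list the devices that were partnered with the mailbox and when each last
    # synced, so the operator can confirm no sync succeeds after containment.
    Get-ActiveSyncDeviceStatistics -Mailbox $Identity |
        Select-Object DeviceId, DeviceType, LastSuccessSync
}
```

Run it as `Invoke-UntrustedMailboxContainment -Identity jdoe -TargetDatabase DB02 -InternetFacingCas CAS01,CAS02` and re-run the final `Get-ActiveSyncDeviceStatistics` check a few minutes later to confirm `LastSuccessSync` has not advanced.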

Reference:
EAS devices sync after account disable or password change
Removed Mobile Device Still Has Access To Exchange Mailbox via Exchange ActiveSync


Comments
  • What about disabling EAS for the mailbox (Mailbox Features tab)... would that cut off access via the ActiveSync device immediately, or would the token cache still apply?

  • Disabling EAS for the mailbox helps but the token cache still applies.  Only disabling the protocol [in this case EAS] and then moving the mailbox OR recycling the MSExchangeSyncAppPool on all Internet facing CAS would achieve the immediate results.  

    support.microsoft.com/default.aspx
