locked
Revoke IT's ability to view the contents of top management's Exchange Mailboxes. RRS feed

  • Question

  • Hi all,

    My group manager has told me that the board of our <g class="gr_ gr_123 gr-alert gr_spell gr_run_anim gr_inline_cards ContextualSpelling multiReplace" data-gr-id="123" id="123">organisation</g> would like us to investigate the possibility of "locking down" our Exchange environment even more than it is now. They're hoping that IT can configure the environment in such a way that NOBODY except for a user can gain access to their Exchange Mailbox; in particular, this security would be applied to the mailboxes of top management staff only.

    My group manager told me that - back in the day - he was exposed to setups like this. IT had no way of accessing the contents of a user's mailbox unless they had a password, which only the user knew. It was up to the user to manage this password, because if they forgot it the contents of the Mailbox was practically lost. Sounds like something that is possible to me!

    To my knowledge, Microsoft doesn't offer any tools that allow for this, but I'm all ears! Has anybody had any experience with a setup like this? Open to investigating third-party tools if anybody knows of any.

    For reference, my organisation uses Exchange 2007, although we are moving to hosted Exchange with Office 365 later this year.

    - Dan.

    Thursday, February 16, 2017 12:39 AM

All replies

  • IT shouldn't have this capability to do this.  I routinely recommend that nobody should have the right to open everyone's mailbox, that they should grant themselves that right only when directed by a user, the user's manager or other legitimate authority.  So, the way you can fix that is to remove such rights if your IT people have them.

    What I think you really want is to prevent IT from granting themselves access from top management's mailboxes.  Well, to do that, you'll pretty much have to tell top management to go get mailboxes on a service that only they control.

    What you can do is enable mailbox administrative auditing (search for it) and maybe you can deploy some sort of monitoring system (like SCOM) that will throw alerts when someone makes a permissions change to a top management mailbox.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, February 16, 2017 1:32 AM
  • The challenge is IT CAN ALWAYS ACCESS YOU DATA.

    By default, in Exchange Organizations, members of administrative groups (such as Domain Admins, Enterprise Admins) are denied the permissions to open other users mailboxes.

    However, this default configuration can be overcome by removing the Deny ACL for Domain / Enterprise Admins at the org level (which will inherit down through administrative groups, servers, storage groups, and databases) or by granting explicit full access permissions at the mailbox object level.

    The best solution is to audit mailbox access by non-owner accounts and monitor ACL changes on the objects.

    Thursday, February 16, 2017 8:38 AM