Using Role Based Access Control to Securely Manage Exchange Online


Exchange employs a permissions and access control model called Role Based Access Control (or RBAC).

The RBAC security model uses a hierarchy of access, organized into parent objects called ‘Management Role Groups’ and child objects called ‘roles’. Management Role Groups are composed of roles (for example, the Compliance Management role group contains the roles Data Loss Prevention and Information Rights Management – among others – which fall under the umbrella of compliance).
It’s important to note that users can be granted a mixture of rights that fit their job roles (for example, John Smith, who works in legal, can be assigned the ‘Legal Hold’ role from the Compliance Management role group and the ‘Retention Management’ role from the Records Management role group).

[Illustration: RBAC diagram from TechNet]

The above illustration is an overview of how permissions can be apportioned within Exchange.

Note how, for example, administrators (as a category) can be granted rights in several role groups whose component roles – and therefore role assignments – cross a variety of action areas.

Exchange’s management role groups are as follows:
Compliance Management (manage compliance settings)
Discovery Management (perform mailbox searches)
Help Desk (view and manage recipient configuration)
Hygiene Management (manage Exchange anti-spam features and grant permissions for antivirus products to integrate with Exchange)
Organization Management (manage Exchange objects – system super user)
Recipient Management (create, manage and remove recipient objects)
Records Management (configure retention policy tags, transport rules, etc.)
UM Management (manage Unified Messaging organization, server, and recipient configuration)
View-Only Organization Management (view recipient configuration and system properties)

Let’s detail each group’s components.


Compliance Management Role Group

This role group allows a specified user, responsible for compliance, to properly configure and manage compliance settings within Exchange in accordance with a defined policy.

Roles:

Data Loss Prevention (intercepting the transmission of sensitive data types such as credit card and Social Security numbers)

Information Rights Management (members of this role can configure email encryption settings and related tasks)

Mailbox Import Export (members of this role can export items from and import items into mailboxes)

Retention Management (members of this role can configure mail retention policies)

View-Only Audit Logs (members of this role can search audit logs)

View-Only Configuration (members of this role can view all non-recipient Exchange configuration settings)

View-Only Recipients (members of this role can view the configuration of recipients – i.e., mailboxes, mail users, mail contacts and distribution lists)

Discovery Management Role Group

Members of this management role group can perform searches of mailboxes in the Exchange organization for data that meets specific criteria.

Roles:

Legal Hold
Mailbox Search


Hygiene Management

Members of this management role group can manage Exchange anti-spam features and grant permissions for antivirus products to integrate with Exchange.

Roles:

Transport Hygiene
View-Only Configuration
View-Only Recipients

Help Desk Role Group

Members of this management role group can view and manage the configuration for individual recipients and view recipients in an Exchange organization. Members of this role group can only manage the configuration each user can manage on his or her own mailbox. Additional permissions can be added by assigning additional management roles to this role group.

Roles:

Reset Password
User Options
View-Only Recipients


Organization Management

(Note that this management role group forms a superset of which the other groups are essentially subsets.)

Members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization.

Roles:

Audit Logs
Data Loss Prevention
Distribution Groups
Federated Sharing
Information Rights Management
Journaling
Legal Hold
Mail Enabled Public Folders
Mail Recipient Creation
Mail Recipients
Mail Tips
Message Tracking
Migration
Move Mailboxes
Org Custom Apps
Org Marketplace Apps
Organization Client Access
Organization Configuration
Organization Transport Settings
Public Folders
Recipient Policies
Remote and Accepted Domains
Reset Password
Retention Management
Role Management
Security Group Creation and Membership
Team Mailboxes
Transport Hygiene
Transport Rules
UM Mailboxes
UM Prompts
Unified Messaging
User Options
View-Only Audit Logs
View-Only Configuration
View-Only Recipients


Recipient Management

Members of this management role group have rights to create, manage, and remove Exchange recipient objects in the Exchange organization.

Roles:

Distribution Groups
Mail Enabled Public Folders
Mail Recipient Creation
Mail Recipients
Message Tracking
Migration
Move Mailboxes
Public Folders
Recipient Policies
Reset Password
Team Mailboxes


Records Management

Members of this management role group can configure compliance features such as retention policy tags, message classifications, transport rules, and more.

Roles:

Audit Logs
Journaling
Message Tracking
Retention Management
Transport Rules


View-Only Organization Management

Members of this management role group can view recipient and configuration objects and their properties in the Exchange organization.

Roles:

View-Only Configuration
View-Only Recipients

Scenarios

Consider the following example, in which there are four categories of users who interact with Exchange Online:

1.) Administrators – full access (create policies, create recipient objects, create groups and distribution lists, modify critical system settings, delete system and recipient objects, interact with Microsoft engineering at the system level as a peer)

2.) Administrators – specialized access (view system configuration, view recipient properties, run system reports, possess super user privileges in one or more management role groups but not all)

3.) Help Desk (full access to help desk level activities such as creating recipient mailboxes, modifying mailbox properties, releasing false-positive spam from quarantine, viewing and modifying distribution lists, and related end-user support tasks)

4.) End-users (request modifications, request object creations such as distribution lists, report errors)

Within these four main categories, it’s possible to create specific security groupings.

Administrators – full access will have super user privileges within all management role groups:

Compliance Management (manage compliance settings)
Discovery Management (perform mailbox searches)
Help Desk (view and manage recipient configuration)
Organization Management (manage Exchange objects – system super user)
Recipient Management (create, manage and remove recipient objects)
Records Management (configure retention policy tags, transport rules, etc.)
View-Only Organization Management (view recipient configuration and system properties)

Administrators – specialized access will have super user privileges within management role groups that are relevant to their job function. For example, a technical liaison working for Legal would need to possess the ability to place mailboxes on legal hold, search mailbox contents and perform other activities related to gathering information about and from user mailboxes.

So, Administrator – specialized access, legal would be granted assignments from the following role groups:

Compliance Management
Discovery Management

From the Compliance Management role group, the Administrator – specialized access, legal would obtain the Mailbox Import Export role, and from Discovery Management, Legal Hold and Mailbox Search.
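The legal scenario above, carried out as a custom role group rather than by adding the person to the built-in groups, so that only the three roles named are granted. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module, an existing Connect-ExchangeOnline session, and hypothetical names (the role group, the management scope, the Department attribute value and the user address).

```powershell
# Added example (not from the original post). Builds the "Administrator - specialized
# access, legal" permission set as its own role group and verifies what it grants.
# Assumes an active Connect-ExchangeOnline session; all names below are hypothetical.

# Optional but recommended: restrict the group's write scope to Legal's own mailboxes,
# so the holder cannot act on recipients outside that department. The filter value
# 'Legal' is an assumed Department attribute value.
New-ManagementScope -Name "Legal Dept Mailboxes" `
    -RecipientRestrictionFilter { Department -eq 'Legal' }

# Create the role group carrying exactly the three roles the scenario calls for.
# Built-in groups such as Compliance Management would bring along every other role
# they contain (DLP, IRM, retention, audit-log access), which the legal liaison does
# not need.
New-RoleGroup -Name "Legal Discovery Admins" `
    -Description "Specialized access, legal: legal hold, mailbox search, import/export" `
    -Roles "Mailbox Import Export", "Legal Hold", "Mailbox Search" `
    -CustomRecipientWriteScope "Legal Dept Mailboxes" `
    -Members "john.smith@contoso.example"

# Verify: the assignments the new group carries, with the write scope each one uses.
# Anything other than the three roles above, or an Organization-wide write scope,
# means the group was not built as intended.
Get-ManagementRoleAssignment -RoleAssignee "Legal Discovery Admins" |
    Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize
```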

Help Desk – self-explanatory. Help Desk personnel will be granted role assignments from the Help Desk Management Role group. These roles are limited to a subset of the querying and recipient object manipulation capabilities of the more robust admin roles.

The default Help desk roles are:

Reset Password
User Options
View-Only Recipients

Note that it's possible to add roles from other management role groups to individual Help Desk personnel (for example, Help Desk managers or more senior Help Desk team members).

End-users – End users are recipients of the policies and configuration changes made by administrators and help desk personnel. End-users are also a source of feedback about overall system health and performance.

As you can see, it’s possible to use the building blocks Role Based Access Control provides to assemble a very granular permissions model for a variety of job assignments which require interaction with Exchange.

Useful PowerShell Commands for Managing Roles

Here are some very helpful commands for handling RBAC issues I learned at Mike Pfeiffer’s blog.


Can this user modify this object?

This can be really helpful when you are troubleshooting permissions. If you need to verify that a member of your staff has write access to an object, use the following command syntax:

Get-ManagementRoleAssignment -WritableRecipient administrator -GetEffectiveUsers | ?{$_.EffectiveUserName -eq "Mike Pfeiffer"}

Full post at this link.
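The command above answers the question for one recipient; the complementary check, and the one that surfaces the "too much access" problem the TechNet excerpt below describes, is an inventory of every role group's membership and a per-person view of all roles effectively held. The following is an added example, not code from the original post or from Mike Pfeiffer's blog; it assumes an existing Connect-ExchangeOnline session, and the display name "John Smith" is taken from this page's own example user.

```powershell
# Added example (not from the original post). Inventories role-group membership and
# reports every role one person effectively holds, so over-broad grants are visible.
# Assumes an active Connect-ExchangeOnline session.

# Groups whose membership deserves the closest review: Organization Management is the
# system super user, and the other two grant mailbox search / compliance control.
$highPrivilege = @("Organization Management", "Discovery Management", "Compliance Management")

# One row per role group: how many roles it bundles, who is in it, and whether it is
# one of the high-privilege groups above.
$inventory = foreach ($group in Get-RoleGroup) {
    $members = @(Get-RoleGroupMember -Identity $group.Identity)
    [pscustomobject]@{
        RoleGroup   = $group.Name
        RoleCount   = @($group.Roles).Count
        MemberCount = $members.Count
        HighPriv    = $highPrivilege -contains $group.Name
        Members     = ($members | ForEach-Object { $_.Name }) -join ", "
    }
}

$inventory | Sort-Object HighPriv, MemberCount -Descending |
    Format-Table RoleGroup, RoleCount, MemberCount, HighPriv, Members -AutoSize

# Per-person view: every role the account holds, through which role group, and the
# recipient and configuration write scopes. A broad role combined with an
# Organization-wide scope on a non-administrator is the case to remediate.
function Get-EffectiveRoleReport {
    param([Parameter(Mandatory)][string]$DisplayName)
    Get-ManagementRoleAssignment -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $DisplayName } |
        Select-Object Role, RoleAssigneeName, RecipientWriteScope, ConfigWriteScope |
        Sort-Object Role, RoleAssigneeName -Unique
}

Get-EffectiveRoleReport -DisplayName "John Smith" | Format-Table -AutoSize
```

Because -GetEffectiveUsers expands every role group in the organization, the per-person query is slow in large tenants; run it for the accounts the inventory flags rather than for everyone.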

See also this TechNet blog link, which provides background and design detail.

Excerpt:

RBAC and the principle of least privilege

The principle of least privilege is an important design consideration in enhancing the protection of data and functionality from unintentional and/or malicious behavior.

Exchange Server 2010 aids such implementation of roles by using role-based access control (RBAC). However, in my professional experience, I have noticed that many deployments are not actually thought out to utilize the full potential of what RBAC has to offer. Most often, I see deployments where built-in RBAC roles are utilized and rarely customized to match the actual job roles of administrators. This mostly results in having too much access for the role.

[…]

Full post here.