Sunday, September 8, 2013

Exchange Service Account Permissions and itrezzo Contact Management

By Vern Weitzman

A Powerful Service Account for Exchange
Occasionally when we get a new customer that researches our installation prerequisites, members of the enterprise security team may throw up a red flag. Not surprisingly, they want to know exactly why the itrezzo platform requires full access to user mailboxes. As both a software vendor and a system administrator, I agree that this is a reasonable concern.
Microsoft Exchange Server Permissions for Contact Management Application

In this posting, I will explain a few justifications why a contact management application requires these permissions.

Permission to make people reachable

To automate contact management, components of the itrezzo platform need to impersonate users and access their Exchange Server mailboxes. The specific activity of the platform is to open a mailbox, locate the contacts folder and enumerate specific subfolders. The next step is to find contacts that must be updated, deleted, or missing. Field level changes are made to existing contacts, new contacts are added as required. If the customer enables the option, obsolete contacts are also removed. When configured, the memo notes folder is also opened and additional sticky notes are added.

If you have ever setup a BlackBerry Enterprise Server, these permissions are familiar. Frequently our customers will use the BES service account (while still using a unique mailbox for the itrezzo service account mailbox).

It is possible to grant the itrezzo service account permissions on one mailbox at a time. For example, during a pilot, five users are identified and the itrezzo service account is explicitly given permissions to those mailboxes.  However, this strategy does not scale well into production. During a normal day, several new smartphones might be added and inevitably some mailbox permissions are forgotten. The cost of user inconvenience and expending additional help desk resources should be considered. In some cases, the help desk doesn't even know that new ActiveSync devices were added as users may simply activate their smartphone Exchange mail account using Autodiscover.

What specific permissions are required?

Depending on the Exchange Server version, the method of assigning permissions can vary. We support customers running four versions of Exchange Server; 2003, 2007, 2010 and 2013. There is also Office 365 which is now running Exchange 2013 behind the scenes. This is a summary of the permissions for each version of Exchange.

Exchange 2003

On Exchange Server 2003, an AD group is frequently granted permissions at the top level container for the organization. With another simple addition to Exchange server objects, this AD group would have view only admin access along with Send As and Receive As at the top level of the domain. The end user mailboxes would then inherit the permissions from each successive parent container.  While this is a historical footnote to most readers, this permissions method made it extremely easy for any AD administrator to help themselves to Exchange Server rights with the capability to spy on any users mailbox.  

Please contact itrezzo technical Support if you need help configuring service account permissions on Exchange 2003.

Exchange 2007

These are the powershell commands to grant a sample account called svc-itrezzo the needed permissions:

  • Add-ExchangeAdministrator "svc-itrezzo" –role ViewOnlyAdmin
  • Get-MailboxServer | Add-ADPermission  -User "svc-itrezzo" -accessRights Extendedright -extendedRights Send-As, Receive-As, ms-exch-store-admin

Exchange 2010

These are the powershell commands to grant the example svc-itrezzo the needed permissions:

  • Add-RoleGroupMember "View-Only Organization Management" -Member "svc-itrezzo"
  • Get-MailboxDatabase | Add-ADPermission -User “svc-itrezzo” -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

Exchange 2013

These are the powershell commands to grant the example svc-itrezzo needed permissions. There are two methods; Delegation and Impersonation.

The Exchange 2013 Delegation / Full-Access permissions for cloud or local:
  • Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User -AccessRights fullaccess -InheritanceType all -AutoMapping:$false

The Exchange 2013 Impersonation Role for cloud or local can be done with following command as suggested by MIcrosoft:
  • New-ManagementRoleAssignment –Name "Impersonation-itrezzo" –Role "ApplicationImpersonation" –User

Optional Permissions

A popular feature of the itrezzoAgent server is the BES-AutoDL and ActiveSync-AutoDL capability. The Distribution List for BES AutoDL creation need limited permission to an Active Directory OU.  

AutoActiveSync performs an LDAP query on the domain to enumerate smartphone users. This feature is only available for Exchange 2010/2013 and requires that the svc-itrezzo account is a member of the Organization Management Role. 

Once the DL is created, it may be necessary for the Exchange System Administrator to mail enable to group.

Application Reporting, Auditing and Access Control

As with any enterprise application, IT professionals expect tools that will help them support their users.  The itrezzo Contact Management platform has a few ways to assist.

  • Each mailbox access is restricted by the list of enabled users specified by the itrezzo system administrator. This insures that only the designated mailboxes will be opened. Enablement can be done manually, or tied to an AD Distribution group.

  • All mailbox access is logged. Typically a single mailbox is opened for a fee seconds to a few minutes.

  • The ECO Platform Administrator has a user statistics container which can be used to view the status of updates for all Enterprise users. The Sysadmin can also view the history of changes to contacts that are preserved upon each mailbox access.

Permissions Separate from Exchange

As stated elsewhere in this document, we advise against granting the svc-itrezzo account  Domain Admin permissions. That means that on each of the application servers for itrezzo (usually virtual machines running Windows 2008), the svc-itrezzo domain must account be added to the local administrators group.

Permissions that should be omitted

The itrezzo service account should not be added to the domain administrators group as this is not required and may actually revoke other permissions related to mailbox access.

Final comments

For the sake of full understanding, this special access is granted to an on premise service account. Typically the service account password is entered at installation time and only the customers technical staff has this password. Even if your Exchange Server is hosted in the cloud, employees of itrezzo won't have access to this account.

Overall permissions are necessary based upon the business requirement. The application only opens designated mailboxes.  In addition to Windows and Exchange Server logs, the application generates additional logging and statistics to insure compliance.

At present, the itrezzo Unified Contact Management is a trusted application in numerous DOD and federal government installations. Over one hundred financial services companies, law firms and other companies have also approved the Exchange Server access requirements and use the software in production today.

No comments:

Post a Comment