General Questions


Are there areas in Exchange 2000 Server where I should tighten security?

If some Exchange administrators are not trustworthy and are able to log on directly at the Exchange server console, you should implement the EDSLock script, which is discussed in Microsoft Knowledge Base article 313807, "XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group." This prevents those administrators from elevating their permissions and logging on to mailboxes that are not on the local server.

Be careful when you deploy Exchange 2000 Server on servers that are running Active Directory® directory service. Administrators who have console access to domain controllers have the ability to elevate their permissions in Active Directory. For this reason and others, it is recommended that you deploy Exchange 2000 Server on member servers. For more information about restricting permissions, see Design Considerations for Delegation of Administration in Active Directory.

Be aware that prior to Service Pack 2 (SP2) for Exchange 2000 Server, accounts belonging to the local "Administrators" group on a server running Exchange 2000 Server automatically had Send As permission for every user in the organization.

What permissions do I need to upgrade a server running Exchange Server 5.5 to Exchange 2000 Server?

The server running Exchange Server version 5.5 must be installed on a computer running Microsoft Windows® 2000 Server in an Active Directory domain. You need to log on to Active Directory as a user who has the following permissions:

  • Exchange Server 5.5

    • Admin role on the Exchange Server 5.5 organization naming context

    • Admin role on the Exchange Server 5.5 site naming context

    • Admin role on the Exchange Server 5.5 configuration naming context

  • Active Directory

    • Either Exchange Full Administrator (as defined during ForestPrep) or delegated Exchange Full Administrator role at the Organization level

    • Member of the local Administrators group on the target upgrade server

If I choose to join an existing Exchange Server 5.5 organization during ForestPrep, what permissions do I need to join the Exchange Server 5.5 organization?

You need the following permissions:

  • Admin role on the Exchange Server 5.5 site naming context (for the site that you are joining)

  • Admin role on the Exchange Server 5.5 configuration naming context (for the site that you are joining)

Additionally, you will need to know the service account name and password for the site that relates to the server that you specify. If the Exchange Server 5.5 service account is in a Windows NT 4.0 domain, you must create a two-way trust from the forest root domain to the domain that contains the Exchange Server 5.5 service account.

What permissions do I need to install service packs for Exchange 2000 Server?

Service packs for Exchange need to be installed after Exchange 2000 Server. There is not an integrated setup of Exchange that includes service packs. You need to have the following permissions to apply service packs:

  • Exchange Administrator role on the administration group where the server running Exchange 2000 Server exists

  • Member of the local Administrators group on the target server running Exchange 2000 Server

There are two exceptions. First, when you are upgrading an Exchange 2000 Server cluster or Key Management Service to Service Pack 2, you need to have the following permissions:

  • Either Exchange Full Administrator (as defined during ForestPrep) or delegated Exchange Full Administrator role at the organization level

  • Member of the local Administrators group on the target server(s)

The second exception is if you are installing Service Pack 3 (SP3) for Exchange 2000 Server. Because SP3 for Exchange 2000 Server Setup modifies rights on a protocol object in the Exchange configuration container, you need one of the following permissions:

  • Exchange Full Administrator role at the Organization level, or

  • Exchange Full Administrator role on the administration group where the server running Exchange 2000 Server exists

For more information about deploying SP3 for Exchange 2000 Server, see Microsoft Knowledge Base article 326293, "White Paper: Microsoft Exchange 2000 Server Service Pack 3 Deployment Guide."

What happens if I add my own user account to the 'Exchange Domain Servers' group?

If at least one computer running Exchange 2000 Server is installed in the same domain, you would have significant permissions over the organization and all mailboxes. Indeed, it is possible to use your account to log on to any mailbox in the organization. Interestingly, if your account is also a Domain Admin or Enterprise Admin, you will be denied access (by default) to other users' mailboxes, as an explicit deny access control entry is placed on each Exchange database for users in these groups.

If your domain had simply been prepared (through DomainPrep) and a server running Exchange 2000 Server had not been installed in the domain, you would not acquire permissions to open other users' mailboxes, and you would not gain any permissions to the Exchange organization.

To increase the security of your organization, consider one of the following approaches:

  • Use the EDSlock script to prevent members of the 'Exchange Domain Servers' group (from any domain) from accessing non-local resources. For more information about this approach, see Microsoft Knowledge Base Article 313807, "XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group."

  • Install all servers running Exchange 2000 Server in a separate domain in the forest, away from user accounts and normal domain administrators.

Additionally, you may want to place 'deny' access control entries (ACEs) on the two special groups ('Exchange Domain Servers' and 'Exchange Enterprise Servers') so that other administrators cannot change their membership.

What happens if I add my own user account to the 'Exchange Enterprise Servers' group?

If at least one computer running Exchange 2000 Server had been installed in the same domain, you would have significant permissions over the organization and all mailboxes. Indeed, with Exchange 2000 Server, it is possible to use your account to log on to any mailbox in the organization. Interestingly, if your account is also a Domain Admin or Enterprise Admin, you will be denied access (by default) to other users' mailboxes, as an explicit deny access control entry is placed on each Exchange database for users in these groups.

If your domain had simply been prepared (through DomainPrep) and a server running Exchange 2000 Server had not been installed in the domain, you would not acquire permissions to open other users mailboxes, and you would not gain any permissions to the Exchange organization.

Regardless, the Exchange services will automatically remove your account from the 'Exchange Enterprise Servers' group on next restart.
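The two answers above describe what membership of 'Exchange Domain Servers' and 'Exchange Enterprise Servers' grants, and the earlier recommendation suggests deny ACEs to stop other administrators from changing that membership. The following PowerShell is an added example, not part of this FAQ or of any Microsoft script, that does the two practical things an administrator would want here: audit both groups in the current domain for members that are not computer accounts or nested groups, and add a property-specific Deny ACE for writes to a group's 'member' attribute. It assumes a domain-joined Windows host, an account that can read the groups (and write their DACL for the second function), the default Exchange group names, and a placeholder domain and principal ('contoso.com', 'CONTOSO\Helpdesk') that you must replace.

```powershell
# Added example; not from the Exchange 2000 documentation.
# Assumptions: domain-joined host, default Exchange group names, current user's domain.

function Get-ExchangeServerGroupMembers {
    # Enumerates the members of the Exchange server groups in the current domain and
    # flags any member that is neither a computer account nor a nested group.
    param(
        [string[]] $GroupNames = @('Exchange Domain Servers', 'Exchange Enterprise Servers')
    )
    $defaultNc = ([ADSI] 'LDAP://RootDSE').defaultNamingContext
    foreach ($name in $GroupNames) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI] "LDAP://$defaultNc"
        $searcher.Filter = "(&(objectClass=group)(cn=$name))"
        $found = $searcher.FindOne()
        if ($null -eq $found) {
            Write-Warning "Group '$name' not found under $defaultNc"
            continue
        }
        $group = $found.GetDirectoryEntry()
        foreach ($memberDn in $group.Properties['member']) {
            $member = [ADSI] "LDAP://$memberDn"
            # SchemaClassName is the most specific object class (computer, group, user, ...)
            $class = $member.psbase.SchemaClassName
            New-Object PSObject -Property @{
                Group      = $name
                Member     = $memberDn
                Class      = $class
                Unexpected = (@('computer', 'group') -notcontains $class)
            }
        }
    }
}

function Add-DenyWriteMemberAce {
    # Adds an explicit Deny ACE for writing the 'member' attribute of one group, so the
    # named principal can no longer add or remove members. No other rights are changed.
    param(
        [Parameter(Mandatory = $true)] [string] $GroupDn,
        [Parameter(Mandatory = $true)] [string] $DeniedIdentity
    )
    # schemaIDGUID of the 'member' attribute; scoping the ACE to it keeps the deny narrow.
    $memberAttributeGuid = [Guid] 'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $account = New-Object System.Security.Principal.NTAccount($DeniedIdentity)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $memberAttributeGuid)
    $group = [ADSI] "LDAP://$GroupDn"
    $group.psbase.ObjectSecurity.AddAccessRule($rule)
    $group.psbase.CommitChanges()
}

# Audit: list every member that should not be there (user accounts are the concern).
Get-ExchangeServerGroupMembers | Where-Object { $_.Unexpected } |
    Format-Table Group, Class, Member -AutoSize

# Hardening (placeholder DN and principal; uncomment after replacing them):
# Add-DenyWriteMemberAce -GroupDn 'CN=Exchange Domain Servers,CN=Users,DC=contoso,DC=com' `
#                        -DeniedIdentity 'CONTOSO\Helpdesk'
```

Two caveats when using this. 'Exchange Domain Servers' exists in every domain that has been through DomainPrep, so run the audit in each of those domains, not just the forest root. A Deny ACE on the 'member' attribute only stops principals that cannot rewrite the DACL; anyone holding Write DACL or ownership of the group object (Domain Admins and Enterprise Admins by default) can remove it, and you must not deny the Exchange server computer accounts themselves, because, as the last answer notes, the Exchange services maintain the membership of 'Exchange Enterprise Servers' on restart.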