I just performed a clean install of Windows Server 2003 with Exchange 2003 on a new test domain. I have been examining the ACEs on default and new user objects that I am creating in the directory and I'm finding that the following groups have the "Send As" permission:
Administrators
Domain Admins
Enterprise Admins
Account Operators
As user accounts are created, these groups are given "Full" access to the object. The rights are not inherited.
It seems to me that this constitutes a security risk. I do not want users in any of those groups, especially Account Operators, to be able to "Send as". This allows anyone who is a member of these groups to masquerade as someone else through email. It would be better for me to specifically delegate this permission.
I've checked several domains and this permission structure seems to be ubiquitous.
Comments?
PSC
Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
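Added example, not part of the original post: one way to audit the situation described above is to take a user object's security descriptor in SDDL form and list the explicit (non-inherited) allow ACEs that carry "Send As", whether through the Send-As extended right itself or through a full-control / all-extended-rights grant. The function names and the sample SDDL string are constructed for illustration; the two-letter trustee codes are the standard SDDL aliases for the four groups named in the post.

```python
import re

SEND_AS = "ab721a54-1e2f-11d0-9819-00aa0040529b"  # Send-As extended right GUID
# SDDL aliases of the four groups named in the post
GROUPS = {"BA": "Administrators", "DA": "Domain Admins",
          "EA": "Enterprise Admins", "AO": "Account Operators"}

def _tokens(s):
    """SDDL flag and rights strings are runs of two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def _has_control_access(rights):
    """True if the mask includes CONTROL_ACCESS (CR, 0x100) or GENERIC_ALL."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (0x100 | 0x10000000))
    return bool(_tokens(rights) & {"CR", "GA"})

def explicit_send_as(sddl):
    """Return (trustee, reason) for each explicit allow ACE granting Send As."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj_guid, _, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA"):
            continue                      # deny ACEs are not reported here
        if _tokens(flags) & {"ID", "IO"}:
            continue                      # inherited or inherit-only
        if not _has_control_access(rights):
            continue
        if obj_guid and obj_guid.lower() != SEND_AS:
            continue                      # a different extended right
        reason = "Send As" if obj_guid else "all extended rights"
        findings.append((GROUPS.get(trustee, trustee), reason))
    return findings

# Constructed sample descriptor (not taken from a real domain)
SAMPLE = ("O:DAG:DAD:AI"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)"                  # explicit full control
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"                  # explicit full control
          "(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)"     # Send As for SELF
          "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;AO)"     # password reset only
          "(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)"              # inherited, skipped
          "(A;;RPLCLORC;;;AU)")                                   # read only

if __name__ == "__main__":
    for trustee, reason in explicit_send_as(SAMPLE):
        print(f"{trustee}: {reason}")
```
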