S 4.163 Access rights to Exchange objects

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

The access rights to Exchange objects must be defined on the basis of the security policy.

Configuration of the user authorisations for Exchange administration

As a matter of principle, administration should be based on groups and not on individual persons. Authorisations should be granted to groups and not to individual user accounts. This makes administration significantly easier and clearer and eliminates a possible source of errors. The Exchange administrators should likewise be managed using group memberships. For this, their roles must be clearly defined.

Server-side user profiles

It is advisable to use server-side user profiles for Microsoft Exchange. If a user has a server-side profile, the profile settings are applied to the local configuration ("registry") of the workstation every time the user logs in to the domain. This way, computer-independent access to Exchange data can be achieved.

Adaptation of the default NTFS authorisations

The default NTFS authorisations for the Exchange directory must be adapted so that only authorised administrators and system accounts are allowed to access sensitive data in this directory (e.g. databases and transaction logs).

If the use of Outlook Web Access (OWA) is planned, the Authenticated Users group must be granted read and execute rights.
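One way to check the adapted NTFS authorisations is a read-only audit that lists every grant not covered by the policy. This is an added example, not part of the original safeguard. The directory default, the list of authorised principals and the group name `EXAMPLE\Exchange-Admins` are assumptions to be replaced with the values from the local security policy.

```powershell
# Added example: read-only audit of NTFS grants on the Exchange directory tree.
param(
    # Assumption: Exchange directory; the default is the variable set by Exchange setup.
    [string]$Path = $env:ExchangeInstallPath,
    # Assumption: principals authorised by the security policy (placeholder group name).
    [string[]]$Authorised = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                              'EXAMPLE\Exchange-Admins'),
    # Set this switch if Outlook Web Access is in use.
    [switch]$OwaInUse
)
if (-not $Path) { throw 'No Exchange directory given.' }

# Assumption: English account names; localised Windows versions use other names.
$authUsers = 'NT AUTHORITY\Authenticated Users'
$rights    = [System.Security.AccessControl.FileSystemRights]
$readExec  = [int]($rights::ReadAndExecute)
# Synchronize is commonly set alongside read and execute, so it is tolerated.
$tolerated = $readExec -bor [int]($rights::Synchronize)

# The directory itself plus all subdirectories (works on PowerShell 2.0).
$root = Get-Item -LiteralPath $Path
$dirs = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse |
                     Where-Object { $_.PSIsContainer })

$findings = foreach ($dir in $dirs) {
    foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
        # Below the root, inherited ACEs repeat the parent's; report each grant once.
        if ($ace.IsInherited -and $dir.FullName -ne $root.FullName) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($Authorised -contains $who) { continue }
        # OWA exception: Authenticated Users may hold read and execute, nothing more.
        $extra = [int]$ace.FileSystemRights -band (-bnot $tolerated)
        if ($OwaInUse -and $who -eq $authUsers -and $extra -eq 0) { continue }
        New-Object PSObject -Property @{
            Directory = $dir.FullName; Identity = $who
            Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
}

# With OWA in use, the read and execute grant must actually be present on the root.
if ($OwaInUse -and -not ((Get-Acl -Path $root.FullName).Access | Where-Object {
        $_.IdentityReference.Value -eq $authUsers -and $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $readExec) -eq $readExec })) {
    Write-Warning "Authenticated Users lacks read and execute rights on $($root.FullName)."
}
$findings | Format-Table Directory, Identity, Rights, Inherited -AutoSize
```

An empty table means every grant in the tree belongs to an authorised principal or to the OWA exception. ACEs that use generic rights are reported rather than interpreted, so they can be reviewed by hand.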

The following Microsoft TechNet documents contain further notes on how the requirements from this safeguard can be implemented specifically, for example for version 2010:

Review questions: