Protecting Exchange mailbox databases against rogue administrators

Jürgen Hasslauer gave an interesting talk at The Experts Conference (TEC) in Barcelona covering the features included in Exchange 2013 to monitor and control access to sensitive data. The talk was based on his experience of assessing Exchange against the requirements of a German government customer that is migrating from Lotus Notes. As you’d expect from a government body that deals with confidential data (the possibility that Frau Merkel’s telephone number might be revealed was mentioned in passing – but who would want that?), the requirements are exhaustive and in-depth, and the good news is that Exchange 2013 appears to be measuring up to the task.

Jürgen covered many topics, including mailbox and administrator auditing and the new query-based hold that can be placed on mailboxes. Up to five separate query holds can be active for a mailbox, each of which determines criteria for Exchange to use when assessing whether items should be retained to satisfy something like a legal discovery action. The query holds are composed using the Keyword Query Language (KQL) rather than Advanced Query Syntax (AQS) as used in Exchange 2010 discovery searches. If more than five query-based holds are placed on a mailbox, Exchange retains everything on the basis that it’s simpler to hold the lot than attempt to resolve six or more different queries. All good stuff!
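As an added illustration of the query-based hold mechanism described above (this is example code, not something from the talk or the original post), the following Exchange 2013 Management Shell commands place one KQL-based In-Place Hold on a mailbox and then count the holds that apply to it. The mailbox address, search name and query text are constructed values.

```powershell
# Added example (not from the original post): a query-based In-Place Hold
# defined with KQL, plus a check of how many holds a mailbox carries.
# Mailbox address, hold name and the query are constructed/assumed values.

# One hold: retain only items matching the KQL query, for an unlimited period.
New-MailboxSearch -Name "Hold-Budget-2013" `
    -SourceMailboxes "alice@contoso.example" `
    -SearchQuery 'subject:"budget" AND from:"bob@contoso.example"' `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod Unlimited

# Holds are recorded on the mailbox as a list of hold GUIDs (InPlaceHolds).
# Exchange evaluates up to five such queries per mailbox; with more than five,
# it retains everything rather than resolving the combined queries.
$holds = (Get-Mailbox -Identity "alice@contoso.example").InPlaceHolds
"$($holds.Count) query-based hold(s) on this mailbox"
if ($holds.Count -gt 5) {
    "More than five holds: Exchange now retains all items in this mailbox"
}

# Map the hold GUIDs back to the searches that define them.
Get-MailboxSearch |
    Where-Object { $_.InPlaceHoldEnabled -and ($holds -contains $_.InPlaceHoldIdentity) } |
    Select-Object Name, SearchQuery, ItemHoldPeriod
```

Running this against a mailbox with several holds shows the point made above in practice: each hold is an independent KQL query, and the sixth hold is the one that flips the mailbox into retain-everything mode.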

But then the discussion turned to the security of mailbox databases. Or rather, the ease with which a mailbox database can be physically copied and then interrogated to uncover its secrets, should a rogue administrator desire. Administrators take backups of mailbox databases all the time as a natural and required action to ensure that data can be restored should a catastrophic failure occur. Even in an era when Exchange can protect databases by maintaining several copies in a DAG, many companies still require physical backups to be taken, if only because they can then place the backup media in an offsite repository. Often this is done to satisfy an audit requirement.

The most recent Exchange versions back up databases to disk using the Windows Volume Shadow Copy Service (VSS). The disk copies can then be recopied to tape media if this is considered the most convenient choice for offsite storage. All in all, the backup system for mailbox databases works well and few problems are encountered in taking or restoring backups.

Security people consider how data can be exposed to unauthorized access. If a rogue administrator is able to take a copy of an Exchange mailbox database, they will be able to restore that database and mount it as a recovery database on a mailbox server. Outlook and other Exchange clients cannot access data in a recovery database, as this kind of access is blocked. However, an administrator is able to extract information from a recovery database and move it into a mailbox that can be accessed by a client. Some protection can be gained if Active Directory Rights Management Services (AD RMS) is deployed and used to secure message content. S/MIME can also help. But neither approach secures information held in calendar or contact items, or anything else that the user fails to protect. It is therefore entirely possible that a rogue administrator might be able to discover information that should remain secret by trawling through data exported from a recovery database.
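The recovery-database path just described leaves a trail in Exchange 2013's own auditing, which is the control a security team can actually lean on. The following script is an added example (not from the original post) showing how administrator audit logging and mailbox audit logging can be configured and then searched for the steps involved: creating a database with the Recovery switch, mounting it, and restoring or exporting mailbox content from it. The mailbox address, the seven-day window and the retention period are constructed values.

```powershell
# Added example (not from the original post): using Exchange 2013 administrator
# and mailbox audit logging to surface the recovery-database extraction path.
# Mailbox address, time window and retention period are constructed values.

# Log every cmdlet with all parameters, and keep the log long enough to be
# useful in an investigation (here: one year).
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * `
    -AdminAuditLogParameters * `
    -AdminAuditLogAgeLimit 365.00:00:00

# Cmdlets an administrator runs to get data out of a restored database copy.
$watched = @('New-MailboxDatabase', 'Mount-Database',
             'New-MailboxRestoreRequest', 'New-MailboxExportRequest')

$events = Search-AdminAuditLog -Cmdlets $watched `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 5000

# Creating an ordinary database is routine; creating one with -Recovery is the
# case worth a second look, so keep New-MailboxDatabase only when that switch
# was used and keep every event for the other three cmdlets.
$suspicious = $events | Where-Object {
    $_.CmdletName -ne 'New-MailboxDatabase' -or
    ($_.CmdletParameters | Where-Object { $_.Name -eq 'Recovery' })
}

$suspicious |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
        @{ Name = 'Parameters'; Expression = {
            ($_.CmdletParameters | ForEach-Object { "-$($_.Name) $($_.Value)" }) -join ' ' } } |
    Sort-Object RunDate |
    Format-Table -AutoSize

# Mailbox audit logging complements this for sensitive mailboxes: admin
# (non-owner) access to the target mailbox is recorded, so content moved into
# an accessible mailbox and then read shows up as Admin logon-type events.
Set-Mailbox -Identity "alice@contoso.example" -AuditEnabled $true `
    -AuditAdmin Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Update

Search-MailboxAuditLog -Identity "alice@contoso.example" -LogonTypes Admin -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName
```

The admin audit log records who ran the cmdlet, from which server and with which parameters, so a recovery database created and mounted by an account with no open restore ticket stands out immediately. The log lives in a hidden arbitration mailbox on Exchange itself, so the same review should confirm that the administrators being watched cannot quietly turn auditing off with Set-AdminAuditLogConfig, which is itself always logged.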

Third-party products are also available to make the task of a rogue administrator even easier. For example, Veeam Explorer for Exchange proudly boasts that it “gives you instant visibility into your Exchange backups. You can browse, search and selectively export items (emails, notes, contacts, etc.) directly from Veeam backups of your Exchange virtual machines (VMs).” (emphasis by Veeam)

A product that offers easy navigation through the data held in backup media is valuable where information needs to be retrieved from a backup under well-controlled circumstances. The same capability presents a completely different vista to a security professional – the prospect that a rogue administrator is provided with an easy-to-use GUI to browse mailboxes.

Technology offers good answers to many problems. In this case, technology exists to allow untrammeled access to Exchange mailbox databases. It’s unreasonable to expect that Exchange will offer complete protection against administrative access to databases, as this would make the recovery process much more difficult than it is today. The wise approach is to recognize the danger that exists if an administrator turns rogue and then take precautions: ensure that staff are briefed on the danger; make sure everyone knows the consequences of accessing confidential data when they have no good reason to do so; pick up warning signs such as employee unhappiness or unexplained actions that might compromise data; and carry out sufficient management monitoring to ensure that the correct operational balance is maintained between efficient operation and total data security.

Follow Tony @12Knocksinna


About Tony Redmond

Lead author for the Office 365 for IT Pros eBook and writer about all aspects of the Office 365 ecosystem.
This entry was posted in Exchange, Exchange 2010, Exchange 2013, Technology.
