Even in today's world of social media, traditional email remains a common means of professional communication. Therefore, email is an asset that must be protected.
Exchange Server administrators bear the burden of keeping corporate email safe. Protecting end users from outside threats and insider missteps is essential. If used correctly, role groups can play a critical part in protecting email and its sensitive content.
Apply and review role groups with caution
Exchange Server 2013 uses a permission scheme based on role-based access control, which correlates tasks by role and then assigns end users to appropriate roles to simplify management. Every end user in the same role can invoke the same suite of tasks.
By creating multiple roles, each with different or complementary task sets, administrators can grant end users multiple roles to perform a more extensive array of tasks. Default role groups include unified messaging, recipient, records, server, compliance and other management areas. You can also create custom role groups to address unique business organizational needs.
One common security hole is the tendency to assign employees to more role groups than their jobs require. This is often viewed as a way to make IT administrators' lives easier by eliminating pesky help desk requests. It's also supposed to reduce the day-to-day firefighting involved in managing roles in the ever-shifting landscape of who can do what.
Adopting a "least privilege" approach to role group assignment and ensuring that the fewest personnel are assigned to the fewest groups can improve Exchange 2013 security. A least-privilege posture often includes clear business policies or other mechanisms that define group inclusions, along with routine auditing processes that review role group assignments and remove inappropriate individuals who may have changed responsibilities or left the company.
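One way to run the routine review described above, as an added example that is not from the original article: a read-only Exchange Management Shell script that compares each role group's current members against an approved baseline. The baseline names are constructed placeholders and `Compare-RoleGroupMembership` is a hypothetical helper; `Get-RoleGroup` and `Get-RoleGroupMember` are the standard Exchange cmdlets.

```powershell
# Run in the Exchange Management Shell. Read-only: it reports and removes no one.

# Constructed baseline (assumption): role group name -> member Names approved by policy.
$Approved = @{
    'Organization Management' = @('exadmin1', 'exadmin2')
    'Recipient Management'    = @('helpdesk-lead')
    'Records Management'      = @('records-officer')
}

# Hypothetical helper: diff one role group's actual members against the baseline.
function Compare-RoleGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $RoleGroup,
        [string[]]  $Actual = @(),
        [hashtable] $Baseline
    )
    $report = {
        param($member, $finding)
        [pscustomobject]@{ RoleGroup = $RoleGroup; Member = $member; Finding = $finding }
    }
    if (-not $Baseline.ContainsKey($RoleGroup)) {
        # No policy entry for this group: every member is unreviewed access.
        foreach ($m in $Actual) { & $report $m 'NoBaselineForGroup' }
        return
    }
    $allowed = $Baseline[$RoleGroup]
    # Members present but not approved: candidates for removal after review.
    foreach ($m in $Actual)  { if ($allowed -notcontains $m) { & $report $m 'NotApproved' } }
    # Approved but absent: the baseline is stale and should be trimmed.
    foreach ($a in $allowed) { if ($Actual -notcontains $a)  { & $report $a 'ApprovedButAbsent' } }
}

# Walk every role group, default and custom, and collect the findings.
$findings = foreach ($rg in Get-RoleGroup) {
    # @() keeps empty groups from yielding $null; Name is matched case-insensitively.
    $members = @(Get-RoleGroupMember -Identity $rg.Name | Select-Object -ExpandProperty Name)
    Compare-RoleGroupMembership -RoleGroup $rg.Name -Actual $members -Baseline $Approved
}

$findings | Sort-Object RoleGroup, Member | Format-Table -AutoSize
```

A member that is itself a security group appears here by its group name, so its own membership needs the same review.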
This is part one in a series about Exchange 2013 security. Part two covers data loss prevention.