Exchange Deployment Planning Services Exchange 2010 Management Tools and RBAC
Exchange 2010 Management Tools and RBAC
The Exchange 2010 Management Tools and RBAC module has the following goals:
− Review of the Exchange Server 2010 management toolset functionality
− Overview of Exchange Server 2010 access control
− Overview of Exchange Server 2010 RBAC fundamentals
Ideal audience for this workshop
− Messaging SME
− Network SME
− Security SME
During this session focus on the following:
− How will we leverage this functionality in our organization?
− What management requirements do we have around our messaging solution?
Agenda
− Microsoft® Exchange management history and challenges
− Exchange 2010 management GUIs: EMC, ECP
− RBAC
− Remote PowerShell
− Auditing
Exchange Management History and Challenges The annual cost of helpdesk support staff for systems with 7,500 mailboxes is approximately $20/mailbox. This cost goes up the smaller the organization. (“ Support Staff Requirements and Costs: A Survey of 136 Organizations”, Ferris Research, June 2008).
Exchange Management History: Exchange Server 2003
− Both Exchange System Manager and Active Directory Users and Computers were required to reach all mail-related attributes
− Management tools rely on permissions granted on recipient or configuration objects in Active Directory
− Management groups are assigned at the Organization or Administrative Group (AG) level
− 3 management groups available: Exchange Full Administrator, Exchange Administrator, Exchange View-Only Administrator
Exchange Management History: Exchange Server 2007
− Exchange Server 2007 introduced new tools for richer management: the Exchange Management Console (EMC) and the Exchange Management Shell (EMS)
− Management tools still rely on permissions granted on recipient or configuration objects in AD
− 5 management groups available: Exchange Organization Administrator, Exchange Recipient Administrator, Exchange View-Only Administrator, Exchange Public Folder Administrator, Exchange Server Administrator
Challenges
− The current management role implementation is limited
− Access control management is complex
− Permissions are focused on objects, not tasks
− Excessive privileges are required for some Exchange operations
− Object access auditing and delegated-permissions reporting is difficult
− There is no support for self-service management
Exchange 2010 Management: What's New?
− New EMC features
− ECP
  − New and simplified web-based management console
  − Targeted at end users, hosted tenants, and specialists
− RBAC
  − New authorization model
  − Easy to delegate and customize
  − All Exchange management clients (EMS, EMC, ECP) use RBAC
− Remote PowerShell
  − Manage Exchange remotely using PowerShell v2.0
  − Note: there is no more local PowerShell; every management session in Exchange 2010 is remote, even on the server itself
− Auditing and logging
Exchange 2010 Management: Supported OS Platforms
− All of Exchange 2010 is 64-bit only
− Supported platforms for installing the Exchange management tools
  − Windows Vista x64 SP2
  − Windows Server 2008 x64 SP2
  − Windows 7 x64 and Windows Server 2008 R2 x64
− Remote PowerShell management
  − Does not require the Exchange management tools on the client
  − Supported client OS platforms: Windows Vista (x86 or x64), Windows Server 2008 SP2 (x86 or x64), Windows Server 2008 R2 (x86 or x64), Windows 7 (x86 or x64), Windows Server 2003 (x86 or x64), Windows XP (x86 or x64)
  − The client does need Windows PowerShell 2.0 and WinRM 2.0 (built into Windows 7 and Windows Server 2008 R2; installable via the Windows Management Framework on the older platforms)
Management GUIs
− EMC
  − Primarily for on-premise IT pros
  − Requires client-side installation
− ECP
  − Primarily for tenant administrators, specialists (helpdesk, discovery, etc.) and end users (message tracking, DGs, OWA options, etc.)
  − Web browser based administration
Exchange Management Console
− Built on Remote PowerShell
− Multiple forest support
− RBAC-aware UI
− Notable new features
  − Recipient bulk edit
  − PowerShell command logging
  − Links from ECP
Exchange Control Panel: Architecture Overview
− AJAX-based
− Shares some code with OWA, but the two are separate applications
− Deployed on the Client Access Server (CAS)
− Stack: ECP (ASP.NET) calls into RBAC and PowerShell on the CAS
− Authentication: Windows Integrated, Basic, Forms Based
− Browser support: same as OWA
Exchange Control Panel: Administrator logon vs. client logon
− RBAC aware: checks the user's permissions before rendering interface components
− Example: the Management dropdown is shown only if the user is an administrator; an end user logging on sees just their own options
Role Based Access Control
Role Based Access Control: Advantages
− Simplified access control model based on defined management roles
− Customized roles can be created to meet the specific needs of an organization
− Access can be scoped to specific objects in the Domain and Configuration naming contexts
− Enforcement of access control is maintained organization-wide through all management interfaces
− Granular control of tasks at the cmdlet/parameter level
− Reporting is available for determining the level of access control that is in place
Role Based Access Control
− RBAC introduces a new object called a role
− Users are assigned to roles
− Roles are mapped to application permissions (cmdlets and parameters), not to ACLs on directory objects
Basic RBAC Model
A role assignment is the "glue" that binds three things: who (a user or USG), what (a role) and where (a scope).
RBAC Components
The parts of RBAC that do all the work fall into two sections:
− Definition and creation
  − Directory objects that define the RBAC configuration
  − Exchange tools used to create the RBAC configuration
− Enforcement
  − The Exchange administrative tools use RBAC to determine the access control granted to a user
Configuration Objects
− Management role
− Management role entries
− Management scope
− Management role assignment
− Role assignment policy
− Role group
Management Role
− A management role is a configuration object that defines which tasks are available to users who are assigned the role
− There are two types of management roles:
  − Built-in management roles are pre-defined roles provided by Exchange
  − Custom management roles are copies of built-in roles that can be customized to meet the needs of an organization
  − Custom management roles are child objects of the built-in management roles and inherit all the attributes of the parent
Management Role Entries
− Management role entries are the list of Exchange tasks (cmdlets and parameters) a role grants
− When a management role is assigned, the assignee has access to all the tasks in the list
− Built-in roles are read-only; role entries cannot be removed from them
− A custom management role can be edited to remove cmdlets and/or parameters that should not be available to the role assignee
  − Entries that do not exist on the parent role cannot be added to a child role, so a custom role can only ever be a subset of its parent
Management Scopes
− Management scopes define the extent of control for a management role assignment
− When you assign a management role, a scope determines which objects the assignee can access and act upon
− Management scopes apply to recipient or configuration objects
− Scopes can be defined using objects such as Exchange servers, OUs, filterable properties of Exchange servers, recipient objects, etc. (SP1 adds database scopes)
Management Scopes: Types
Two types of scopes: implicit and explicit
− Implicit scopes are pre-defined on the default management roles and apply to the objects appropriate to the role
  − They range from broad (organization) to narrow (self)
  − Custom roles inherit the implicit scope of their parent role
− Explicit scopes are administrator-defined and can be:
  − A management scope configuration object defined in advance by the administrator
  − A custom scope defined at the time of role assignment
− If no explicit scope is used during role assignment, the implicit scope of the management role is used; an explicit scope can only narrow the implicit scope, never extend it
Management Role Assignment
− A management role assignment is a configuration object that links a management role to an assignee
− Assignment can be made:
  − Directly to a specific user
  − Directly to a USG (role group); adding users or other USGs as members in effect extends the role assignment to the members
  − Indirectly to a mailbox user through a role assignment policy
Exchange Administrative Tools
− All Exchange 2010 tools use Remote PowerShell: EMS, EMC, ECP
− Using Remote PowerShell ensures every task passes through the RBAC code, regardless of which tool issued it
Managing RBAC
RBAC is managed using EMS:
− *-ManagementRole
− *-ManagementRoleEntry
− *-ManagementScope
− *-ManagementRoleAssignment
− *-RoleAssignmentPolicy
− *-RoleGroup
− *-RoleGroupMember
Role groups and role assignment policies can also be administered via ECP:
− Role group members can be added and removed
− Roles assigned by a role assignment policy can be enabled or disabled
Example 1: Removing the Recipient Creation Right
− Simplest method: remove the role assignment from the role group
− The change affects all members of the group
− Assignments can be additive or subtractive: New/Remove-ManagementRoleAssignment
Example 2: Enable Users to Change Personal Contact Information
− Some limited customization is supported through ECP
− The change affects the entire user segment covered by the role assignment policy
− Assignments can be additive or subtractive: New/Remove-ManagementRoleAssignment
− Only applies to end-user roles (the My* roles)
Management Task Security Context
− Tasks run in the security context of the Exchange server that provides the PowerShell session, not in the caller's own context
− Every Exchange server is a member of the Exchange Trusted Subsystem USG
− The Exchange Trusted Subsystem USG has the Active Directory permissions needed to carry out all Exchange tasks
− Consequence: the caller needs no direct permissions on recipient or configuration objects, so RBAC is the sole authorization boundary; membership of Exchange Trusted Subsystem confers full Exchange management rights and must be guarded accordingly
RBAC Reporting
− Effective user reporting: which users ultimately hold a role, after expanding role groups and USGs
− Writable object reporting: which assignments, after scope evaluation, can modify a given recipient or configuration object
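The two examples and the reporting slide above, worked through in EMS. This is an added example, not code from the original deck; the OU path "contoso.com/Helpdesk Users", the role group name "Helpdesk - Tier 1", the user "alice", the recipient "bob@contoso.com" and the server name "EX01" are assumptions for illustration. The cmdlet and parameter names are the Exchange 2010 ones listed on the slides.

```powershell
# Added example (not from the deck). Names of the OU, role group, users and
# server are assumptions. Run from EMS as a member of Organization Management.

# ---- Example 1: remove the recipient-creation right from a role group ----
# Simplest method: delete the assignment that links the built-in
# "Mail Recipient Creation" role to the Recipient Management role group.
# Every member of the group loses New-Mailbox, New-MailUser, etc. at once.
Get-ManagementRoleAssignment -RoleAssignee "Recipient Management" |
    Where-Object { $_.Role -eq "Mail Recipient Creation" } |
    Remove-ManagementRoleAssignment -Confirm:$false

# Subtractive variant: keep the role but trim cmdlets/parameters on a custom
# child role. Built-in roles are read-only, so copy first.
New-ManagementRole -Name "Helpdesk Mail Recipients" -Parent "Mail Recipients"
# Remove one cmdlet entirely ...
Remove-ManagementRoleEntry "Helpdesk Mail Recipients\Remove-Mailbox" -Confirm:$false
# ... and strip a single parameter while keeping the cmdlet.
Set-ManagementRoleEntry "Helpdesk Mail Recipients\Set-Mailbox" `
    -Parameters ProhibitSendQuota -RemoveParameter

# Explicit scope: the helpdesk may only act on mailboxes under one OU.
# The explicit scope can only narrow the parent role's implicit scope.
New-ManagementScope -Name "Helpdesk Users OU" `
    -RecipientRoot "contoso.com/Helpdesk Users" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# Role group (a USG) carrying the trimmed role under the explicit scope.
# Members added later inherit the assignment automatically.
New-RoleGroup -Name "Helpdesk - Tier 1" -Roles "Helpdesk Mail Recipients" `
    -CustomRecipientWriteScope "Helpdesk Users OU" -Members "alice"

# Check what the child role actually exposes before handing it out.
Get-ManagementRoleEntry "Helpdesk Mail Recipients\*Mailbox*" |
    Format-Table Name, Parameters -AutoSize

# ---- Example 2: let end users edit their own contact information ----
# End-user rights come from a role assignment policy, not a role group.
New-ManagementRoleAssignment -Role "MyContactInformation" `
    -Policy "Default Role Assignment Policy"

# To take it away again, remove that assignment rather than editing the role.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    Where-Object { $_.Role -eq "MyContactInformation" } |
    Remove-ManagementRoleAssignment -Confirm:$false

# ---- Reporting ----
# Effective user reporting: role groups and nested USGs are expanded to the
# users who really end up holding the role.
Get-ManagementRoleAssignment -Role "Mail Recipient Creation" -GetEffectiveUsers |
    Select-Object Role, RoleAssigneeName, EffectiveUserName, RecipientWriteScope

# Writable object reporting: who can modify this recipient? Scopes are
# evaluated, so an assignment whose OU scope excludes Bob is not returned.
Get-ManagementRoleAssignment -WritableRecipient "bob@contoso.com" -GetEffectiveUsers |
    Select-Object EffectiveUserName, Role, RecipientWriteScope |
    Sort-Object EffectiveUserName

# Same question for a configuration object (a server).
Get-ManagementRoleAssignment -WritableServer "EX01" -GetEffectiveUsers |
    Select-Object EffectiveUserName, Role, ConfigWriteScope

# Reverse view: every cmdlet/parameter a given user can run, via any role.
# EffectiveUserName is matched by display name (assumption for this helper).
function Get-EffectiveCmdlets {
    param([string]$UserDisplayName)
    $roles = Get-ManagementRoleAssignment -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $UserDisplayName } |
        ForEach-Object { $_.Role.ToString() } | Sort-Object -Unique
    foreach ($r in $roles) { Get-ManagementRoleEntry "$r\*" }
}
Get-EffectiveCmdlets "Bob Smith" | Sort-Object Name -Unique | Format-Table Name, Parameters
```

The subtractive child role is the pattern to prefer over deleting a built-in assignment when only part of a role is unwanted: the parent stays intact for everyone else, and Get-ManagementRoleEntry on the child shows exactly what was granted. Before going live, run the writable-object report against a sensitive mailbox (an executive, a shared discovery mailbox) and confirm the helpdesk group is absent from the result.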
Remote PowerShell
Remote PowerShell: new management architecture for PowerShell in Exchange 2010
− Enables the RBAC model: a restricted PSSession lets RBAC hide cmdlets and parameters the user is not entitled to
− Client/server separation: Remote PowerShell is always used, even to connect "remotely" to localhost
− Enables firewall and cross-forest scenarios (standard protocol: http(s))
− "No binaries" scenarios: Exchange management from a client machine that does not have the Exchange Management Tools installed
Remote PowerShell: How Does It Work?
Flow for a user (Evan) running New-Mailbox –Name Bob from a client that has no Exchange tools installed:
− Client runspace (PowerShell v2): Evan runs New-PSSession –URI against the Exchange server's PowerShell endpoint
− IIS on the Exchange server: authentication of Evan
− WSMan + RBAC stack: authorization. RBAC reads Evan's role assignments and builds a server runspace containing only the cmdlets and parameters he is allowed (in the slide's example: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name)
− Server runspace: New-Mailbox –Name Bob executes under the Exchange server's security context
− The resulting Bob mailbox object is serialized back into the client's pipeline
Cmdlets and parameters outside Evan's role assignments are not merely denied; they do not exist in his runspace at all.
Remote PowerShell: walkthrough (screenshots in the original deck)
1. Client opens PowerShell (no Exchange Management Tools installed)
2. Client stores their credentials in a variable (client-side runspace)
3. Client assembles the information for the Remote PowerShell session (endpoint, credentials)
4. Client connects to the endpoint, which creates the server-side runspace
5. Client now successfully runs Get-Mailbox
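The five-step walkthrough above as an actual session. This is an added example, not code from the deck or a Microsoft sample; the server names ex01.contoso.com and mail.contoso.com and the account contoso\evan are assumptions. The New-PSSession parameters are the standard Exchange 2010 ones.

```powershell
# Added example (not from the deck). Host names and the account are
# assumptions. Requires PowerShell 2.0 and WinRM 2.0 on the client; no
# Exchange Management Tools are needed.

# Step 2: credentials in a variable on the client-side runspace.
$cred = Get-Credential "contoso\evan"

# Steps 3-4: session parameters, then connect. Authentication happens in
# IIS; the WSMan + RBAC stack then builds a server-side runspace that
# contains only the cmdlets and parameters Evan's role assignments permit.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://ex01.contoso.com/PowerShell/" `
    -Authentication Kerberos -Credential $cred

# Import proxy functions for the allowed cmdlets into the local session.
Import-PSSession $session

# Step 5: run a cmdlet. It executes on the server and a serialized copy of
# the mailbox object lands in the local pipeline.
Get-Mailbox -ResultSize 5 | Format-Table Name, ServerName, Database -AutoSize

# What RBAC actually exposed: only the cmdlets/parameters in Evan's roles
# exist in the remote runspace. Anything outside them is absent, not denied.
Invoke-Command -Session $session -ScriptBlock {
    Get-Command -Name "*-Mailbox" | Select-Object Name
    (Get-Command -Name "Set-Mailbox").Parameters.Keys
}

# Cross-forest or through a firewall: HTTPS with Basic authentication.
# Basic must be enabled on the PowerShell virtual directory (off by default),
# and the endpoint must be reachable on 443. Assumed host name.
# $session = New-PSSession -ConfigurationName Microsoft.Exchange `
#     -ConnectionUri "https://mail.contoso.com/PowerShell/" `
#     -Authentication Basic -Credential $cred

# Tear the session down when done; each open remote runspace counts against
# the per-user concurrent PowerShell session limit in the throttling policy.
Remove-PSSession $session
```

The Invoke-Command block is the quickest way to see RBAC from the client side: run it once as a Recipient Management member and once as a view-only user and compare the parameter lists of Set-Mailbox. The difference is enforced in the server runspace, so no client-side tampering can widen it.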
Auditing
Auditing
− Exchange 2010 can audit any executed cmdlet
  − by any user or administrator
  − via EMC, ECP, or the Management Shell
− Managed via *-AdminAuditLogConfig
  − List of cmdlets and parameters to audit (default is ALL)
  − Mailbox used to store the logging information
− Additional points
  − "Get" cmdlets are not logged, so the log answers "who changed what", not "who looked at what"
  − Settings are global and stored in AD DS
  − Events are discoverable via search
End of Exchange 2010 Management Tools and RBAC module
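The auditing configuration described above, worked through in EMS. This is an added example, not code from the deck; the mailbox alias "AdminAuditLog" and the date range are assumptions. It is written against Exchange 2010 RTM semantics, where the administrator picks the mailbox that stores the log; in SP1 the -AdminAuditLogMailbox parameter goes away (entries are stored in an arbitration mailbox) and Search-AdminAuditLog is added.

```powershell
# Added example (not from the deck). Mailbox alias and dates are assumptions.
# Run from EMS as a member of Organization Management.

# Current configuration. The settings are global and stored in AD DS.
Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, `
    AdminAuditLogParameters, AdminAuditLogMailbox

# Enable auditing of every cmdlet and every parameter (the default scope).
# Get-* cmdlets are never logged, whatever this list says.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * -AdminAuditLogParameters * `
    -AdminAuditLogMailbox "AdminAuditLog"

# Narrower policy: only cmdlets that change permissions or mailboxes.
# Wildcards match inside cmdlet names. Keep Set-AdminAuditLogConfig in the
# list so that changes to the audit policy itself are always recorded.
Set-AdminAuditLogConfig -AdminAuditLogCmdlets `
    "*-ManagementRoleAssignment", "*-ManagementRoleEntry", "*-RoleGroup*", `
    "Set-Mailbox", "Remove-Mailbox", "Set-AdminAuditLogConfig" `
    -AdminAuditLogParameters *

# Verify the result before trusting it.
Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, `
    AdminAuditLogParameters

# SP1 and later: query the log directly instead of opening the mailbox.
# Search-AdminAuditLog -Cmdlets Remove-Mailbox, Set-AdminAuditLogConfig `
#     -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
#     Format-Table RunDate, Caller, CmdletName, ObjectModified -AutoSize
```

In the RTM design the audit store is an ordinary mailbox chosen by the administrator, so whoever holds full access to it can read or delete the entries. Treat that mailbox like any other security log: no delegates, a restricted write scope on the role group that can run Set-AdminAuditLogConfig, and a periodic check that AdminAuditLogEnabled is still $true.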
For More Information
− Exchange Server TechCenter
− Planning Services
− Microsoft IT Showcase
− Webcasts
− Microsoft TechNet
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.