Planning and Configuring Administrative Security and Auditing

Presentation on theme: "Planning and Configuring Administrative Security and Auditing"— Presentation transcript:

1 Planning and Configuring Administrative Security and Auditing
20341B Module 10: Planning and Configuring Administrative Security and Auditing
Presentation: 60 minutes
Lab: 60 minutes

After completing this module, students will be able to:
- Describe how to implement role-based access control (RBAC) permissions.
- Perform administrative tasks on your Exchange servers.
- Configure Exchange Server 2013 RBAC permissions and audit logging.
- Perform a secure deployment of Exchange Server 2013.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 20341B_10.pptx.
Important: We recommend that you use Office PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of Office PowerPoint, some features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations.
- Practice performing the labs.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that are covered in each. This will allow you to provide meaningful hints to students who may get stuck in a lab, and it also will help guide your lecture to ensure that you cover the concepts that the labs cover.

2 Module Overview
Lesson 1: Configuring Role-Based Access Control
Lesson 2: Configuring Audit Logging

3 Lesson 1: Configuring Role-Based Access Control
Topics in this lesson:
- What Is Role-Based Access Control?
- What Are Management Role Groups?
- Built-In Management Role Groups
- Demonstration: Managing Permissions Using the Built-In Role Groups
- Process for Configuring Custom Role Groups
- Demonstration: Configuring Custom Role Groups
- What Are Management Role Assignment Policies?
- What Are Exchange Server Split Permissions?
- Configuring RBAC Split Permissions
- Configuring Active Directory Split Permissions

4 What Is Role-Based Access Control?
RBAC defines all Exchange Server 2013 permissions, and is applied by all Exchange Server management tools.

RBAC defines which cmdlets the user can run:
- Who: can modify objects
- What: objects and attributes that can be modified
- Where: scope or context of objects that can be modified

RBAC options include:
- Management role groups
- Management role-assignment policies
- Direct policy assignment (avoid using)

If some of the students have Exchange Server experience, highlight how RBAC differs from the way that earlier Exchange Server versions assigned permissions. Microsoft® Exchange Server 2003 enables you to use Active Directory® directory service groups to assign permissions at the organization or administrative group level. In Microsoft® Exchange Server 2007, you could assign permissions at the organization or individual server level. In both cases, Exchange Server did not provide options for configuring granular permissions, and offered limited options for configuring permissions. In Exchange Server 2013, you can configure very precise permissions, right down to enabling access to specific cmdlets and attributes.

Another difference between how you could assign permissions in Exchange Server 2003 and Microsoft® Exchange Server 2007, versus in Exchange Server 2013, is that in the previous Exchange versions, you assigned permissions by modifying the access control lists on Active Directory objects. In Exchange Server 2013, you instead configure which cmdlets users can run.

Question: What requirements does your organization have for assigning Exchange Server permissions? Does your organization use a centralized or decentralized administration model? What special permissions will you need to configure?
Answer: Answers will vary. In most organizations, a central team of Exchange Server administrators will likely maintain full control of the Exchange Server environment, while another team may need permissions to create mailboxes. Other organizations may have complicated administrative scenarios in which different groups need many different permission levels.

5 What Are Management Role Groups?
Slide graphic (role group layers, with the slide's example names):
- Role holder ("Maria", "Ian", "Pat"): mailboxes, universal security groups, users, distribution groups, or role groups. WHO.
- Role group ("Help Desk"): higher-level job function.
- Role assignment: binding layer; carries the management scope (recipient read/write scope and configuration read/write scope). WHERE.
- Management role ("View-only Recipients", "User Options"): task-based permissions. WHAT.
- Role entry ("Get-Mailbox"): cmdlet + parameters.

As you teach this content, explain that a management role is just a container that groups together the other RBAC components. The RBAC components define:
- Which tasks an administrator can perform.
- Who is granted permission to perform the tasks.
- Where the user can perform the task.

Stress to the students that you can define each of these components at a high level or at a specific level. A management role entry can allow or deny access to all Exchange Server cmdlets, to a specific Exchange Server cmdlet, or even to a particular parameter on a cmdlet.

Management role groups provide an easy way to assign permissions in Exchange Server. By using the default groups, or creating custom groups with specific permissions, you can manage all permissions by just assigning mailboxes to role groups. As you click to display the graphic on the slide, explain how you connect role holders with roles.

6 Built-In Management Role Groups
Management role groups include:
- Organization Management
- View-Only Organization Management
- Recipient Management
- Unified Messaging Management
- Discovery Management
- Records Management
- Server Management
- Help Desk
- Public Folder Management
- Delegated Setup
- Compliance Management (new in Exchange Server 2013)
- Hygiene Management (new in Exchange Server 2013)

As with previous Exchange Server versions, Exchange Server 2013 contains a default set of groups that you can use to assign permissions in the Exchange organization. Mention that for most organizations, the default set of role groups provides all required flexibility. Only organizations with very specific permission-delegation requirements need to use custom management role groups and management roles.

Avoid describing all of the built-in role groups in detail. Instead, highlight a few, and point out the table in the student notes that provides details about all the roles. Mention the two new role groups in Exchange Server 2013, Compliance Management and Hygiene Management.

7 Demonstration: Managing Permissions Using the Built-In Role Groups
In this demonstration, you will see how to:
- Add role holders to a role group
- Verify the permissions assigned to the built-in role groups

Stress that for most small and medium-sized organizations that do not have complicated permission-assignment scenarios, the easiest way to manage Exchange Server permissions is to add users or security groups to the built-in Exchange Server security groups in AD DS. These groups are assigned the management role automatically.

Ask the students which of the built-in role groups they are using, if they already run Exchange Server 2013 or plan to use it in their organization. Answers will vary. Small or medium-sized organizations in which one set of administrators is the only group that performs any recipient management or Exchange Server management tasks may use only the Organization Management role group. Organizations with decentralized administrative processes are much more likely to use other management roles to delegate permissions.

After completing the demonstration, leave the virtual machines running for the next demonstration.

Preparation Steps
Ensure that the 20341B-LON-DC1, 20341B-LON-MBX1, and 20341B-LON-CAS1 virtual machines are running. Start each machine and sign in to it before starting the next virtual machine.
Sign in to 20341B-LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
Sign in to 20341B-LON-CAS1 as Adatum\Tony using the password Pa$$w0rd.
Important: Ensure that you start your virtual machines at least ten minutes prior to conducting the demonstration.

Demonstration Steps
1. On LON-DC1, in the taskbar, click Server Manager, click Tools, and then click Active Directory Users and Computers.
2. Expand Adatum.com, click Microsoft Exchange Security Groups, and then in the right pane, double-click Recipient Management.
3. In the Recipient Management Properties dialog box, click the Members tab.
(More notes on the next slide)
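The demonstration above uses Active Directory Users and Computers; the same "add a role holder, then verify what the role group can do" check can be made from the Exchange Management Shell. The following is an added example, not one of the course's demonstration steps; it assumes the course's Adatum lab and uses "Tony Smith" as a stand-in user.

```powershell
# Added example (not part of the course materials): inspect and use a built-in
# role group from the Exchange Management Shell. "Tony Smith" is an assumed user
# in the course's Adatum lab domain.

# WHO: add a role holder to a built-in role group (the demo does the same thing
# through the "Microsoft Exchange Security Groups" container in AD DS).
Add-RoleGroupMember -Identity "Recipient Management" -Member "Tony Smith"

# Confirm the membership.
Get-RoleGroupMember -Identity "Recipient Management"

# WHAT and WHERE: the management roles assigned to the group, and the recipient
# and configuration write scopes of each assignment.
Get-ManagementRoleAssignment -RoleAssignee "Recipient Management" |
    Format-Table Role, RecipientWriteScope, ConfigWriteScope -AutoSize

# Drill into one role to see its role entries (cmdlet + parameters).
Get-ManagementRoleEntry "Mail Recipients\*" |
    Format-Table Name, Parameters -AutoSize

# Reverse lookup: which management roles grant a given cmdlet at all?
Get-ManagementRole -Cmdlet Set-Mailbox | Format-Table Name

# Least-privilege check for one user: does any role assignment that reaches
# Tony Smith include New-Mailbox? An empty result means he cannot create mailboxes.
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq "Tony Smith" } |
    ForEach-Object {
        Get-ManagementRoleEntry "$($_.Role)\New-Mailbox" -ErrorAction SilentlyContinue
    } |
    Format-Table Identity, Role -AutoSize
```

The last pipeline is the useful verification step: membership tells you who is in a group, but only walking the effective role assignments down to role entries shows which cmdlets a specific person actually ends up with.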

8 Process for Configuring Custom Role Groups
1. Identify the role groups and the role group members
2. Identify the management roles to assign the group
3. Identify the management scope
4. Create the role group using the Exchange Administration Center or the Exchange Management Shell

Mention that this topic provides a process overview about creating new custom management roles. The following demonstration will provide more details about how to perform the steps.

As you describe this process, consider using an example scenario in which users might want to use a custom role. Following is an example: they may be configuring a role group that enables human resources (HR) administrators to configure the organization and personal settings for each user. You will need to create the appropriate group, and identify which users will be group members. Because this group will work with recipients, you will need to identify the management roles that relate to recipient management. In this scenario, you might not need to limit the scope for the role group. If they need to be able to manage recipients in the entire organization, do not limit the scope. If you want to limit which recipients the HR administrators can manage, you could limit the scope to specific recipients. Run the cmdlet to create the role group.

9 Demonstration: Configuring Custom Role Groups
In this demonstration, you will see how to create a custom role group.

Discuss the scenarios in which organizations might choose to create a new custom role group. The slide and notes below describe one possible scenario for doing this. Encourage the students to provide other suggestions, and then describe the components required to implement the custom role group.

Question: Will you implement custom management roles in your organization? If so, how will you configure the management roles?
Answers: Answers will vary. Most organizations probably do not need custom management roles. Large organizations that have complicated administrative processes may require several custom management roles.

When the demonstration is complete, please leave the virtual machines running for the next demonstration.

Preparation Steps
Ensure that the 20341B-LON-DC1, 20341B-LON-MBX1, and 20341B-LON-CAS1 virtual machines are still running.
Sign in to 20341B-LON-CAS1 and 20341B-LON-MBX1 as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps
1. On LON-CAS1, sign in as Adatum\Administrator.
2. Open Internet Explorer, connect to the Exchange Administration Center, and then sign in as Adatum\Administrator using the password Pa$$w0rd.
3. In the EAC, in the feature pane, click permissions.
4. On the tabs, click admin roles, and then click New.
5. In the new role group dialog box, fill in the following information, and then click save:
   Name: MarketingAdmins
   Write scope: click Organizational Unit, and then type adatum.com/Marketing
   Roles: add Mail Recipients and Mail Recipient Creation
   Members: add Brad Sutton
(More notes on the next slide)
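The demonstration creates the role group in the EAC. As an added example (not one of the course's demonstration steps), the same four-step process from the previous topic can be carried out in the Exchange Management Shell, which also makes the resulting scope easy to verify. It assumes the course lab names (adatum.com/Marketing, Brad Sutton) and, for the filter-based scope, an assumed Department attribute value of "Marketing".

```powershell
# Added example (not part of the course materials): the Exchange Management Shell
# equivalent of the EAC demonstration, plus a verification pass. OU, user and
# department values are assumed from the course lab.

# Step 4 of the process: create the role group with its roles, members and scope.
# -RecipientOrganizationalUnitScope limits the WHERE to recipients in one OU.
New-RoleGroup -Name "MarketingAdmins" `
    -Roles "Mail Recipients", "Mail Recipient Creation" `
    -Members "Brad Sutton" `
    -RecipientOrganizationalUnitScope "adatum.com/Marketing" `
    -Description "Recipient management for the Marketing OU only"

# Verify WHAT and WHERE: every assignment created for the group should carry the
# OU as its recipient write scope.
Get-ManagementRoleAssignment -RoleAssignee "MarketingAdmins" |
    Format-Table Role, RecipientWriteScope, RecipientOrganizationalUnitScope -AutoSize

# Alternative WHERE: a custom scope built from a recipient filter, for cases where
# the delegation boundary is not an OU boundary (Department value is assumed).
New-ManagementScope -Name "Marketing Department" `
    -RecipientRestrictionFilter { Department -eq "Marketing" }

# Attach one more role to the group using the filter-based scope instead of the OU.
New-ManagementRoleAssignment -Name "Distribution Groups-MarketingAdmins" `
    -Role "Distribution Groups" -SecurityGroup "MarketingAdmins" `
    -CustomRecipientWriteScope "Marketing Department"

# When the delegation is no longer needed: -WhatIf shows what would be removed
# (the group and all of its role assignments) without removing anything.
Remove-RoleGroup -Identity "MarketingAdmins" -WhatIf
```

Checking the role assignments after creation is the step that is easy to skip in the EAC: a role group whose assignments show an empty recipient write scope grants its roles across the whole organization, which is exactly what the Marketing OU scope was meant to prevent.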

10 What Are Management Role Assignment Policies?
Management role-assignment policies assign permissions to users to manage their own mailboxes or distribution groups.

Component: Explanation
- Mailbox: Each mailbox is assigned one role-assignment policy
- Management role assignment policy: Object for associating management roles with mailboxes
- Management role: Container for grouping other RBAC components
- Management role assignment: Associates management roles with management role assignment policies
- Management role entry: Defines which Exchange cmdlets the user can run on their mailboxes or groups

Highlight the similarities between management role assignment policies and role groups. In both cases, management roles assign all of the permissions, and each role contains a set of management role entries. The primary difference between management role assignment policies and role groups is that you can use role assignment policies to configure permissions for the objects that users own. Because of this, you cannot configure a scope for management role assignment policies.

Question: How will you configure role assignment policies in your organization?
Answer: Answers will vary, but for most organizations, the default configuration should suffice. Organizations normally change the default configuration only when there is a specific requirement to change how users interact with their mailboxes.

11 What Are Exchange Server Split Permissions?
Split permissions separate the creation of security principals in AD DS, such as users and security groups, from the subsequent configuration of those objects through Exchange Server 2013 tools.

With Exchange Server split permissions you can:
- Separate the ability to create or delete security principals from Exchange administration
- Choose between two models: RBAC split permissions, or Active Directory split permissions

Available since Exchange Server 2010 SP1.

Explain split permissions. Emphasize that this feature is not appropriate for all organizations, but only for those that actually split administration of the Exchange Server infrastructure and AD DS infrastructure, and have different IT teams for these services. Explain the differences between RBAC split permissions and Active Directory split permissions, and note that Microsoft recommends using RBAC split permissions. Also identify the scenarios in which RBAC and Active Directory split permissions are appropriate. Be sure to tell the students that Exchange Server 2013, by default, does not use either of these permissions models. Like Exchange Server 2003 and Exchange Server 2007, it uses the shared-permissions model by default.

12 Configuring RBAC Split Permissions
You must manually configure RBAC split permissions as follows:
1. Verify that Active Directory split permissions have not been enabled
2. Create a new role group for AD DS administrators
3. Create regular and delegating role assignments for the new role group for the appropriate roles
4. Remove regular and delegating management role assignments between the Mail Recipient Creation role, and both the Organization Management and Recipient Management role groups
5. Remove the regular and delegating role assignments between the Security Group Creation and Membership role and the Organization Management role group

RBAC split permission results: only members of the new role group that you create can create security principals, such as mailboxes.

Explain that the RBAC split-permissions model is not configured automatically. If you want to use it, you must configure it manually with the Exchange Management Shell. Explain the configuration process at a high level, and tell the students that they will perform the procedure in the lab. Emphasize that, besides creating a new role group, you also must remove permissions to create AD DS security principals from existing built-in groups. Mention that steps 2 and 3 are optional and are required only if you want specific groups of Exchange Server administrators to still be able to create security principals.
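The five steps above, written out as Exchange Management Shell commands. This is an added example, not the course's lab procedure; the role group name "AD DS Administrators" is an assumption, while the role and built-in role group names are the ones the slide refers to. The step 1 check is also an assumption, derived from the slide on Active Directory split permissions (under that model the Exchange tools can no longer create security principals, so the built-in groups no longer hold the Mail Recipient Creation role).

```powershell
# Added example (not part of the course materials): RBAC split permissions in the
# Exchange Management Shell. "AD DS Administrators" is an assumed role group name.

# Step 1: verify that Active Directory split permissions are not enabled. The
# check assumed here: with AD split permissions on, Organization Management no
# longer holds the Mail Recipient Creation role, so an empty result means stop.
$adSplitCheck = Get-ManagementRoleAssignment -Role "Mail Recipient Creation" `
    -RoleAssignee "Organization Management" -ErrorAction SilentlyContinue
if (-not $adSplitCheck) {
    throw "Active Directory split permissions appear to be enabled; RBAC split permissions do not apply."
}

# Step 2: create the role group for AD DS administrators. New-RoleGroup creates a
# regular role assignment for each role it is given.
New-RoleGroup -Name "AD DS Administrators" `
    -Roles "Mail Recipient Creation", "Security Group Creation and Membership"

# Step 3: add delegating assignments so the new group can also assign these roles
# to others.
New-ManagementRoleAssignment -Name "Mail Recipient Creation_AD DS Administrators" `
    -Role "Mail Recipient Creation" -SecurityGroup "AD DS Administrators" -Delegating
New-ManagementRoleAssignment -Name "Security Group Creation and Membership_AD DS Administrators" `
    -Role "Security Group Creation and Membership" -SecurityGroup "AD DS Administrators" -Delegating

# Step 4: remove the regular and delegating Mail Recipient Creation assignments
# from Organization Management and Recipient Management. Add -WhatIf to
# Remove-ManagementRoleAssignment for a dry run first.
foreach ($group in "Organization Management", "Recipient Management") {
    Get-ManagementRoleAssignment -Role "Mail Recipient Creation" -RoleAssignee $group |
        Remove-ManagementRoleAssignment -Confirm:$false
}

# Step 5: remove the Security Group Creation and Membership assignments from
# Organization Management.
Get-ManagementRoleAssignment -Role "Security Group Creation and Membership" `
    -RoleAssignee "Organization Management" |
    Remove-ManagementRoleAssignment -Confirm:$false

# Result check: only the new role group should now hold either role, as regular
# and delegating assignments.
foreach ($role in "Mail Recipient Creation", "Security Group Creation and Membership") {
    Get-ManagementRoleAssignment -Role $role |
        Format-Table Role, RoleAssigneeName, RoleAssignmentDelegationType -AutoSize
}
```

The final loop is worth running before leaving the shell: if Organization Management still appears for either role, the split has not actually taken effect and its members can still create security principals.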

13 Configuring Active Directory Split Permissions
Active Directory split permissions are configured automatically during Setup, or when you run the following command:

setup.com /PrepareAD /ActiveDirectorySplitPermissions:true

Active Directory split-permissions results:
- Cannot create security principals with Exchange Server management tools
- Cannot manage distribution group members with Exchange Server management tools
- Exchange Trusted Subsystem and Exchange servers cannot create security principals
- Exchange servers and Exchange management tools can only modify Exchange attributes of existing Active Directory security principals

Tell the students that they can configure Active Directory split permissions during Exchange Server setup, or later, by executing setup.com with the /PrepareAD parameter. Be sure that the students fully understand the consequences of deploying Active Directory split permissions.

14 Lesson 2: Configuring Audit Logging
Topics in this lesson:
- What Is Administrator Audit Logging?
- What Is Mailbox Audit Logging?
- Demonstration: Configuring Audit Logging

Explain the importance of logging, and tell the students that Exchange Server 2013 provides tools and technologies for logging administrative tasks and user mailbox activity.

15 What Is Administrator Audit Logging?
Administrator audit logging enables you to track changes made to the Exchange environment by administrators.

Administrator audit logging:
- Is enabled by default in Exchange Server 2013
- Is configured with the Set-AdminAuditLogConfig cmdlet
- Logs all cmdlets and parameters by default, except for Test-, Get-, and Search- cmdlets
- Supports searches using the Exchange Management Shell and the Exchange Administration Center
- Supports detailed log searches with the Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets

Define administrator audit logging. Explain why it is important to have audit logging available. Mention that administrator audit logging is enabled by default in Exchange Server 2013; you do not need to configure anything. Explain why the Test-, Get-, and Search- cmdlets are not logged automatically. Also explain that you can use the EAC for simple log searches, and the Exchange Management Shell for detailed log searches. Refer to the student handbook to explain the parameters that are available for configuring administrator audit logging.

16 What Is Mailbox Audit Logging?
Mailbox audit logging is used to track mailbox access by mailbox owners, delegates, and administrators.

Mailbox audit logging:
- Must be enabled on a per-mailbox basis using the Set-Mailbox cmdlet
- Does not automatically log owner access unless specified to do so
- Supports non-owner access reports through the Exchange Administration Center
- Supports detailed log searches with the Search-MailboxAuditLog and New-MailboxAuditLogSearch cmdlets

Start this topic by asking the students about scenarios in which they might need to, or have the right to, access other mailboxes. Also discuss potential misuse of this process, and then define mailbox audit logging. Be sure to explain the differences between administrator audit logging and mailbox audit logging. Also discuss owner-access logging.

17 Demonstration: Configuring Audit Logging
In this demonstration, you will see how to enable audit logging and search audit logs.

Revert all virtual machines.

Preparation Steps
Ensure that the 20341B-LON-DC1, 20341B-LON-MBX1, and 20341B-LON-CAS1 virtual machines are running.
Sign in to all virtual machines as Adatum\Administrator using the password Pa$$w0rd.

Demonstration Steps
1. On LON-CAS1, go to the Start screen and then open the Exchange Management Shell.
2. In the Exchange Management Shell window, type Get-AdminAuditLogConfig, and then press Enter.
3. In the results list, ensure that AdminAuditLogEnabled has the value True. Note that TestCmdletLoggingEnabled is False, and that all cmdlets are being logged with all parameters. Note the parameter values for TestCmdletLoggingEnabled, AdminAuditLogCmdlets, and AdminAuditLogParameters.
4. Open Internet Explorer, type the EAC address, and press Enter. In the EAC, sign in as Adatum\Administrator with the password Pa$$w0rd.
5. In the EAC, in the feature pane, click recipients.
6. In the list view, double-click Anil Elson.
7. In the User Mailbox window, in the left pane, click mailbox delegation.
8. In the right pane, under Send As, click Add.
9. In the Select Send-As window, click Allie Bellew, click add, and then click ok.
10. In the User Mailbox window, click Save.
11. Switch to the Exchange Management Shell, type the following command, and then press Enter:
    Search-AdminAuditLog -Cmdlets Add-ADPermission
12. Review the results, and ensure that the change made to Anil's mailbox is logged. Also mention that you can run Search-AdminAuditLog without any parameters to list all log entries.
(More notes on the next slide)
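The two audit logging topics in this lesson and the demonstration above come together in the following added example (not part of the course's demonstration steps). It shows the administrator audit log search from the demo narrowed to a date range, then enables mailbox audit logging on a shared mailbox and searches it for non-owner access, which is also what Lab Exercise 2 asks for. The shared mailbox name "ITInfo" and the auditors' address are assumptions; Anil Elson and Allie Bellew are the demo's lab users.

```powershell
# Added example (not part of the course materials): administrator and mailbox
# audit logging from the Exchange Management Shell. "ITInfo" and
# auditors@adatum.com are assumed names for the course lab.

# Administrator audit logging is on by default; confirm the settings the demo notes.
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, TestCmdletLoggingEnabled,
                AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogAgeLimit

# Who granted Send As on a mailbox in the last 7 days? Same search as the demo,
# restricted by date and with the cmdlet parameters flattened for reading.
Search-AdminAuditLog -Cmdlets Add-ADPermission `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified, Succeeded,
        @{Name = "Parameters"; Expression = {
            ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; " }} |
    Format-Table -AutoSize

# Mailbox audit logging is per mailbox and off by default. Enable it on the shared
# mailbox: record delegate Send As / Send On Behalf and changes, and admin access.
Set-Mailbox -Identity "ITInfo" -AuditEnabled $true `
    -AuditDelegate SendAs, SendOnBehalf, Update, SoftDelete, HardDelete `
    -AuditAdmin Update, Copy, Move, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
    -AuditLogAgeLimit 180.00:00:00

# Confirm the mailbox's audit configuration (AuditOwner stays empty: owner access
# is not logged unless explicitly requested).
Get-Mailbox -Identity "ITInfo" |
    Format-List AuditEnabled, AuditDelegate, AuditAdmin, AuditOwner, AuditLogAgeLimit

# Synchronous search: non-owner actions on the shared mailbox since yesterday.
Search-MailboxAuditLog -Identity "ITInfo" -LogonTypes Delegate, Admin -ShowDetails `
    -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Format-Table LastAccessed, LogonUserDisplayName, LogonType, Operation, ItemSubject -AutoSize

# Asynchronous search: results are e-mailed as an XML attachment to the auditors,
# which is how the lab scenario's "available for inspection by company auditors"
# requirement can be met without giving auditors shell access.
New-MailboxAuditLogSearch -Name "ITInfo non-owner access, last 30 days" `
    -Mailboxes "ITInfo" -LogonTypes Delegate, Admin -ShowDetails `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -StatusMailRecipients "auditors@adatum.com"
```

Two points the commands make concrete: the Send As grant in the demo shows up in the administrator audit log (who changed the permission), while the delegate's later use of Send As shows up only in the mailbox audit log, and only if that was enabled on the mailbox beforehand; entries are not created retroactively.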

18 Lab: Configuring Administrative Security and Auditing
Exercise 1: Configuring Exchange Server Permissions
A. Datum Corporation has completed the Exchange Server 2013 deployment, and is working on integrating Exchange Server and recipient management with its current management practices. To meet the management requirements, you need to ensure that:
- Members of the IT administrators group can administer individual Exchange Server 2013 servers, but cannot modify any of the Exchange organization settings. Tony Smith is a member of the IT group.
- Members of the HelpDeskAdmins group must be able to manage mail recipients throughout the entire organization. They should not be able to manage distribution groups, and should not be able to create new mailboxes.
- Members of the SupportDesk group should be able to manage mailboxes and distribution groups for users in the organization. They also should be able to create new mailboxes.

Exercise 2: Configuring Audit Logging
You now need to configure audit logging on the shared mailbox. This mailbox is used by the IT group to send out information to everyone in the organization.

Exercise 3: Configuring RBAC Split Permissions on Exchange Server 2013
You want to separate those who can create security principals in the AD DS domain partition from those who administer the Exchange organization data in the AD DS configuration partition. Only the HRAdmins group should be allowed to create objects in the AD DS domain partition. You decide to implement the RBAC split permissions model in your organization.

Logon Information
Virtual Machines: 20341B-LON-DC1, 20341B-LON-CAS1, 20341B-LON-MBX1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 60 minutes

19 Lab Scenario
A. Datum Corporation has deployed Exchange Server 2013. The company security officer has provided you a set of requirements to ensure that the Exchange Server 2013 deployment is as secure as possible. The requirements' specific concerns include:
- Exchange Server administrators should have minimal permissions. This means that whenever possible, you should delegate Exchange Server management permissions.
- Any configuration changes made to the Exchange Server environment should be audited. The audit logs must be available for inspection by company auditors.
- The organization must have the option of auditing all non-owner access to user mailboxes. The audit logs must be available for inspection by company auditors.
- AD DS object creation should be done only by the HRAdmins group. Nobody else should create AD DS objects such as user accounts in Exchange.

20 Lab Review
Question: You have a shared mailbox that requires logging any activity in which other users send on behalf of this mailbox. What do you need to do?
Answer: You need to enable mailbox audit logging for that specific mailbox.

Question: Your compliance office requires permission to configure and manage compliance settings in your Exchange organization. You want to make sure that the compliance officer has the least amount of permissions necessary for doing his or her job. What built-in management role group would you use?
Answer: You would use the Compliance Management role group.

21 Module Review and Takeaways
Common Issues and Troubleshooting Tips

Review Questions
Question: In which scenario should you implement AD split permissions in your Exchange Server 2013 organization?
Answer: You should implement AD split permissions in your Exchange Server 2013 organization if you want to split creation of AD DS security principals and mailbox objects from Exchange Server management tools.

Question: You need to enable members of the Human Resources department to configure user mailboxes for the entire organization. What should you do?
Answer: In most cases, you can accomplish this by simply adding the members of the Human Resources department to the Recipient Management role group in AD DS. If the Recipient Management role group has more permissions than necessary, you may need to create a custom role group.

Question: How can you identify whether someone was accessing another user's mailbox?
Answer: You can identify whether someone was accessing another user's mailbox by enabling mailbox audit logging.

Best Practice
Supplement or modify the following best practices for your own work situations:
- When you configure permissions in the Exchange organization, make sure that the users have the minimal permissions required for them to perform their tasks.
- Add only highly trusted users to the Organization Management role group, because this group has full control of the entire organization.
- Do not enable RBAC or Active Directory split permissions if you do not have a usage scenario to support these permissions models.
- Enable administrative audit logging on shared mailboxes.
- Whenever possible, use the built-in role groups to assign permissions in the Exchange organization. Creating custom role groups with customized permissions is more complicated, and it may lead to users having too many, or too few, permissions.
(More notes on the next slide)

