
Active Mail Tools: Exchange Security Risk Auditor (ESRA)

How does it work?

ESRA audits and updates mailbox and public folder permissions in Exchange. As staff move departments or roles, and system configurations change over time, errors or omissions can creep into email permissions. Inappropriate access to mailboxes or public folders can lead to intentional or unintentional breaches of confidential information, or even the accidental deletion of public folders, wiping out a department’s work.

ESRA enforces access policy and rights and prevents security breaches by automating otherwise time-consuming and regularly required housekeeping tasks.

ESRA can be used by the Exchange Administrator or Security Officer.

Features

  • List permissions associated with a user.

  • Find deleted and anonymous users.

  • Mass updates.

  • Ability to deselect actions from mass update process.

  • Ability to search by User.

  • Ability to search by Permission.

  • Ability to search by Location.

  • Ability to search by users, distribution lists or folders across multiple servers.

  • Search all or parts of the Information Store.

  • Change permissions only on types of folders (e.g. calendars).

  • Export output for further analysis.

  • Simple and intuitive interface.

  • Identify and remove ‘Zombies’.

  • Prepare for migration.

 
Benefits

  • Exchange Security Risk Auditor (ESRA) provides an easy-to-use application for finding, auditing and changing folder and mailbox permissions.

  • The objective of ESRA is to enhance the security of your Exchange system by giving your Administrator the ability to review and change permissions quickly and accurately.

  • ESRA enables an automated audit of all permissions associated with an Exchange mailbox or public folder, and performs relevant changes.

Regain Control

ESRA should be used for both:

  • Routine systems maintenance, e.g. when a user leaves the organisation, all their permissions are changed.

  • Regular security audits.

 

Technical / FAQs

Exchange Security Risk Auditor (ESRA) allows the monitoring and controlling of Exchange permissions for mailboxes and public folders. It is virtually impossible to ensure manually that all permissions are correct and up to date; automation ensures the appropriate level of security is reached.

Three permissions areas are checked by ESRA:

  • Mailbox Access Permissions - Checks which Exchange users have access to which mailboxes. Incorrectly set mailbox Access Permissions can lead to users being able to read mail of other users.

  • Send On Behalf Of Permissions - Shows which user can send mail on behalf of another. Send On Behalf Of (SOBO) rights are dangerous, as messages appearing to come from one user can have huge consequences for corporations.

  • NT rights associated with mailboxes - Illustrates which users have NT rights allowing them to enter the mailbox of another user and assume that Exchange user's identity and security rights.


ESRA makes it easy to find all objects over which a user has rights across the whole Exchange system.

The information store can be searched for specific permissions or roles, or for all the roles that are assigned to specific users or groups of users. This makes ESRA the ideal tool for an Exchange security audit. Who has access to the board of directors' email accounts? Are the secure public folders as secure as we need them to be? The application has been designed to be operated by professionals concerned with the security of corporate email.

Permission Maintenance

Not only is ESRA an ideal tool for the security audit, it is also an invaluable tool for day-to-day permissions maintenance. For example, cleaning up the rights and permissions of deleted users is no longer a problem. With ESRA, the deleted user can be described and located anywhere in the Exchange public or private information stores.

Other tasks, such as reassigning rights, are easy, as you do not need to know where the original user had rights, only that the new users will have the same ones.


Once a permission is located it can be changed in a simple fashion.

If you have chosen to alter permissions in any way then ESRA will highlight the changes before any update is performed, meaning that you are always in control of permissions updates. You will also be able to export the results of a permissions search directly to Excel.

Deployment and support

ESRA is a standalone application (not requiring a service) that is controlled using a standard MMC Snap-in. It runs on NT, 2000, XP and 2003 operating systems and supports Exchange 5.5, 2000 and 2003.

C2C Systems suggests that the application be installed on a desktop machine as opposed to being installed on the same machine as the Exchange Server.

ESRA uses Windows messaging (minimum Outlook 98 required on the ESRA machine) to access the Exchange server, and the user installing and operating ESRA will need sufficient permissions. The specific permissions that are needed are outlined in the ESRA manual.