Exchange server uses a security permission model called RBAC (Roles Based Access Control). This model allows the implementation of specific security permissions for Exchange administration. In my experiences, RBAC is seldom utilized. Administrators are just added to the Organization Management group and it’s left at that. It’s rare that every admin needs full access to Exchange. It is much more likely that a few people need full admin rights and everyone else should have smaller more specialize roles of administration. For example, you may have a help desk staffed with admins that you only want to be able to create new contacts and user mailboxes. RBAC can be used to provide ONLY those specific permissions to those users. This helps limit the risk of issues occurring because people have to much access.
Exchange is shipped with a set of pre-defined permissions that are intended for common Exchange administrative tasks. We can look at these setting to better understand what makes up RBAC and how we can use it to protect ourselves. When we look in AD, we can see the first part that makes up RBAC, the management role groups. You should be familiar with some of these groups as they are the security groups located in the Microsoft Exchange Security Groups OU. We can also view them by running the PowerShell cmdlet:
The results of the above command show us that each role group has a list of assigned roles. These are the management roles. The roles are made up of management role entries which are the specific tasks that an assigned user will be allowed to perform. To get a better understanding, we will look at the Server Management role group. We can get a brief description of the permissions provided by a role group by running the following command:
[PS] C:\>Get-RoleGroup "Server Management" | fl Description
To get a list of Management Roles associated with the role group we can run the following:
[PS] C:\>Get-RoleGroup "Server Management" | fl Roles
We can look a little deeper at the specific management roles assigned to the role group. Just like before, we can get a brief description of the individual roles by running the following command against one of the listed management roles:
[PS] C:\>Get-ManagementRole "Exchange Virtual Directories" | fl Description
Each management role contains a list of management role entries. These are the specific cmdlets included with the permissions. To list the management role entries included with the management role, we can run the following:
[PS] C:\>Get-ManagementRoleEntry "Exchange Virtual Directories\*" | Select Name
We can use the above commands to completely understand the permissions that are applied to user accounts. In part 2, we look at creating custom role groups to limit administrative permissions to a few specialized tasks.