Exchange & Outlook UPDATE, Exchange Edition--Watching the Watchers--April 12, 2007

-------| Exchange & Outlook UPDATE |-------

*Commentary: Watching the Watchers
*Windows IT Pro 2007 Community Choice Awards!
*Exchanging Ideas: Windows Connections and Microsoft Exchange Connections
*New and Improved: SIP Connectivity with Exchange 2007 UM





Sponsor: Rackspace

Managed Microsoft Exchange from Rackspace
Managed Exchange is more than a technology solution. It's a service solution, too—designed to be as simple and as flexible as possible. With a Rackspace hosting solution, you can easily get the full functionality of Microsoft Exchange 2003, without the worry of having to constantly support it. All you have to do is tell us how many mailboxes you want, and then simply manage your accounts, domains and users through an intuitive Web-based portal. We literally take care of everything else. And that means you'll never again have to deal with the monitoring, filtering, patching, updating, troubleshooting and backing up of data. It's all been taken care of by us. Click here to learn more about Managed Exchange and to receive special pricing!


***COMMENTARY: Watching the Watchers
by Paul Robichaux, Exchange Editor, [email protected]

Even if your Latin skills are weak, you might recognize a few well-known phrases such as ipso facto and quod erat demonstrandum (Q.E.D.). Another key phrase you might know is quis custodiet ipsos custodes? It means something close to "who watches the watchers?" That's a question that might be on your mind even if you don't recognize it in the original Latin. Who watches your watchers? Who monitors the activities of your users and administrators, and who watches the ones doing the monitoring?

I thought about this recently when I read a Wall Street Journal article about Bruce Gabbard, a former security engineer for Wal-Mart ("Wal-Mart's Firing Of a Security Aide Bites the Firm Back," April 9, 2007). Gabbard was responsible for counter-surveillance and had nearly unlimited access to some of Wal-Mart's most sensitive data, and now Wal-Mart is suing him because the company thinks he's misappropriated some of that information. The suit raises some interesting questions about whether Wal-Mart knew the full extent of Gabbard's access. The matter will undoubtedly work its way through the courts with a lot of sound and fury; no matter how it's resolved, the case gives cause for thinking about similar issues in your own organization.

Administrators, of course, have a broad array of privileges. However, Exchange Server administrators don't have to have administrator privileges to Windows and Active Directory (AD), and vice versa. Specific Exchange tasks, such as installing service packs or adding or removing Exchange servers, do require Windows administrative privileges. In addition, user management tasks, such as adding or removing user accounts or distribution groups, require AD permissions.

Exchange and Windows allow delegation of administration so that you can delegate access rights for specific operations to only the groups that should have them. Here's a security tip: Don't assign delegated permissions to individual users. Instead, assign them to groups and put users in the groups. This method reduces the risk that you'll end up with orphaned permissions on an object or that you'll forget to remove an account when the user no longer needs access.

One of the most common questions related to administrator access is how you can tell if administrators are reading other people's mail when they shouldn't be. This is a tough nut to crack because if you look at the event log you'll see that Exchange logs an event ID 1016 whenever one user attempts to access another user's mailbox. Sounds good—except that the event is logged for legitimate access, too, not just failed attempts. You can check the mailbox databases and mailboxes to see whether administrators have Send As and Receive As privileges on mailboxes they don't own, but that's not a complete solution either; administrators can always grant the permission, read the mail, then remove the permission—making it much more difficult to catch.
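The grant, read, remove sequence described above can be looked for by correlating non-owner mailbox access (the event ID 1016 records) with permission changes, rather than by reading either source alone. The following is an added example, not part of the original newsletter or any Microsoft tool; the record layout, the `grant`/`revoke` record kinds, the account names, and the one-hour window are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real Exchange output). "access" stands for an
# event ID 1016 entry; "grant"/"revoke" are assumed to come from whatever
# permission-change auditing is available. Columns: time, kind, actor, mailbox, trustee.
SAMPLE = [
    ("2007-04-10 09:00", "access", "assistant1", "ceo", None),    # standing delegate
    ("2007-04-10 22:01", "grant",  "admin7", "cfo", "admin7"),
    ("2007-04-10 22:03", "access", "admin7", "cfo", None),
    ("2007-04-10 22:09", "access", "admin7", "cfo", None),
    ("2007-04-10 22:15", "revoke", "admin7", "cfo", "admin7"),
    ("2007-04-11 08:00", "grant",  "admin2", "sales", "tempuser"),  # never revoked
]

def parse(rows):
    """Turn raw tuples into dicts sorted by time."""
    out = []
    for ts, kind, actor, mailbox, trustee in rows:
        out.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                    "kind": kind, "actor": actor,
                    "mailbox": mailbox, "trustee": trustee})
    return sorted(out, key=lambda e: e["time"])

def find_grant_read_revoke(events, window=timedelta(hours=1)):
    """Flag grant -> access -> revoke on one mailbox completed within `window`."""
    open_grants = {}  # (trustee, mailbox) -> grant time, granting admin, access count
    findings = []
    for e in events:
        if e["kind"] == "grant":
            open_grants[(e["trustee"], e["mailbox"])] = {
                "granted": e["time"], "by": e["actor"], "hits": 0}
        elif e["kind"] == "access":
            g = open_grants.get((e["actor"], e["mailbox"]))
            if g:  # access by an account whose right was only just granted
                g["hits"] += 1
        elif e["kind"] == "revoke":
            g = open_grants.pop((e["trustee"], e["mailbox"]), None)
            if g and g["hits"] and e["time"] - g["granted"] <= window:
                findings.append({"trustee": e["trustee"], "mailbox": e["mailbox"],
                                 "granted_by": g["by"], "accesses": g["hits"],
                                 "open_for": e["time"] - g["granted"]})
    return findings

if __name__ == "__main__":
    for f in find_grant_read_revoke(parse(SAMPLE)):
        print(f)
```

Long-standing delegate access and grants that are never removed are deliberately not flagged here; those remain a job for the static review of Send As and Receive As permissions mentioned above.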

I once taught a security workshop for Microsoft field engineers. We had a lively discussion about what the ultimate defense is against an untrustworthy administrator. We discussed various security measures, but for everything I proposed, the engineers came up with a clever workaround. Finally I described the ultimate security measure: Get the sheriff to arrest the evildoer after you catch him. But this method sounds fairly unsatisfying. After all, you like to think of security measures as proactive steps that will either block attackers from succeeding or help you catch them in the act. However, it's a time-tested rule of computer security that administrators can do anything they want; having that level of access is what makes an administrator.

The bottom line: Hire trustworthy administrators, and if you have reason to think that someone is no longer trustworthy, consider removing that person's administrator access.

Editor's Note: TechX Interoperability Web Site and UPDATE Email Newsletter:
Do you work in a mixed environment? Visit TechX World for information about Windows interoperability. The TechX World community gives you access to interoperability articles that aren't available anywhere else; news, tips, and tricks from interop experts and other users; and forums and blog posts by other community members.

Join the TechX World community and sign up for the TechX Interoperability UPDATE email newsletter.


Sponsor: NetIQ

Free White Paper: What's Missing from SEM?
"What's Missing from SEM" examines what is required for a comprehensive and integrated solution to meet all your security management needs. This paper reveals the 12 critical questions to ask of your security management system, and explains why it's time to move beyond simple event management.


***Windows IT Pro 2007 Community Choice Awards!

We Need Your Help Picking the Best Products
Vote for your favorite products from the Buyer's Guides we published in Windows IT Pro over the past 12 months. The first six categories are now open for voting on the Windows IT Pro forums, but only for a limited time. To see the list of products in each category and place your vote, follow the links below.

The following categories are now open for voting:

Host-Based Intrusion Prevention Systems

KVM over IP Switches

Ultra-Portable Laptops

iSCSI Storage Arrays

UPS Products

Two-Factor Authentication Products



Focus: Windows Connections and Microsoft Exchange Connections

Technical IT conferences provide an opportunity to connect with contributing editors, readers, and the Windows IT vendor community
Windows IT Pro executive editor Amy Eisenberg shares her thoughts on the spring 2007 Connections conference in Orlando, Florida. Included is Tony Redmond's report card on Exchange Server 2007.

Tell Us About the Products You Love!
What products are you using that save you time or make your workload a little lighter? What hot product discoveries have you made that other IT pros need to know about? Let the world know about your experiences in Windows IT Pro's monthly What's Hot department. If we publish your story in What's Hot, we'll send you a Best Buy gift card! Send information about your favorite product and how it has helped you to [email protected]

Have a question? Got answers? Join your peers in the Exchange discussion forums:

Here are some current threads that your colleagues hope you can help answer:

Deleted Items cleanup policy
Outlook clients in cached mode still see old items in the folder, even though the folder appears cleaned up through OWA.

Edge Transport Anti-Spam - any good?
Just wondering if folk think there is now no need for a 3rd party service?

Reporting Tools
Does anyone know of any Exchange tools that will give statistics of user mail, public mail, etc.?

Don't forget to sound off in our Instant Poll. This month's question is "Is managing Exchange getting too complicated for your IT staff?"

~~~~ Hot Spot: ~~~~

Cut Costs with On-Demand CRM & ERP Solutions
On-demand applications significantly reduce cost vs. licensed applications. See how to reduce the total cost of ownership by switching to these CRM & accounting/ERP applications. Get the White Paper!


by Blake Eno, [email protected]

SIP Connectivity with Exchange 2007 UM
pbxnsip, a provider of Session Initiation Protocol (SIP)-based IP-PBX software, announced that they have successfully demonstrated direct SIP connection with the Exchange 2007 Unified Messaging (UM) platform. pbxnsip provides the ability to interface with Exchange without the need for gateways, giving you a SIP solution that lowers the cost of ownership and management between your PBX and email platform. To learn more about pbxnsip, visit them on the Web or call 978-746-2777.



These Windows-related events, papers, and resources will help you keep your knowledge and skills up to date and help you deploy, secure, and maintain the latest Exchange- and Windows-related technologies. For more Exchange related resources, visit

Windows + UNIX/Linux = You Need TechX World!
If you work in an environment that includes both Windows and UNIX or Linux, TechX World is the place to go for practical strategies and resources to add to your toolkit. This one-day technical training event will teach you how to make the most of open-source tools on Windows and how to manage and sync multiple directories. Register today!

Get Ready for the Windows Server Longhorn Roadshow!
Seize control of your Windows infrastructure with Microsoft's biggest server release since Windows 2003. Get a live, under-the-hood look at Longhorn virtualization, deployment, Web services, and breakthroughs in core reliability. This one-day event is filled with demonstrations and in-depth discussions designed for IT pros who want a deep understanding of Windows Server Longhorn.

Deploy Exchange Server 2007 Without a Hitch!
This one-day technical training event teaches you how to preempt pitfalls and avoid corrupting your email infrastructure. Learn how to effectively install, manage, and secure Exchange Server 2007 in a 64-bit environment. You'll also get a peek into the integration of Outlook, SharePoint Server 2007, and Exchange Server 2007. Register today!



Do you want to block unwanted or undesirable email? Download this free white paper to learn how to manage the content of messages traversing your network.



Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!

Grab Your Share of the Spotlight!
Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter—we're accepting June nominations now, but only for a limited time! Submit your nomination today:

~~~~ Contact Us ~~~~

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]


This email newsletter is brought to you by Exchange & Outlook Pro VIP, the leading source of information for IT professionals managing, securing, optimizing, and migrating Exchange and Outlook. Subscribe today!

View the Windows IT Pro Privacy policy at

Windows IT Pro, a division of Penton Media Inc.
221 East 29th Street, Loveland, CO 80538,
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All Rights Reserved.
