
Microsoft Official Course

Module 10: Planning and Configuring Administrative Security and Auditing

Module Overview

• Configuring Role-Based Access Control
• Configuring Audit Logging
Lesson 1: Configuring Role-Based Access Control

• What Is Role-Based Access Control?
• What Are Management Role Groups?
• Built-In Management Role Groups
• Demonstration: Managing Permissions Using the Built-In Role Groups
• Process for Configuring Custom Role Groups
• Demonstration: Configuring Custom Role Groups
• What Are Management Role Assignment Policies?
• What Are Exchange Server Split Permissions?
• Configuring RBAC Split Permissions
What Is Role-Based Access Control?

• RBAC defines all Exchange Server 2013 permissions, and is applied by all Exchange Server management tools
• RBAC defines which cmdlets the user can run:
  • Who: Can modify objects
  • What: Objects and attributes that can be modified
  • Where: Scope or context of objects that can be modified
• RBAC options include:
  • Management role groups
  • Management role-assignment policies
  • Direct policy assignment (avoid using)
What Are Management Role Groups?

[Diagram: role holders "Maria", "Ian" and "Pat" are members of the "Help Desk" role group (WHO); a management role assignment binds that group to management roles such as "User Options" and "View-Only Recipients", each with a configuration read/write scope and a recipient read/write scope (WHERE); a management role entry such as "Get-Mailbox" names the cmdlet and parameters the role permits (WHAT).]

Role Holder: Mailboxes or universal security groups or distribution groups
Role Group: Higher-level users or job function or role groups
Role Assignment: Binding layer
Management Role: Task-based permissions
Role Entry: Cmdlet + parameters
Built-In Management Role Groups

Management role groups include:


• Organization Management
• View-Only Organization Management
• Recipient Management
• Unified Messaging Management
• Discovery Management
• Records Management
• Server Management
• Help Desk
• Public Folder Management
• Delegated Setup
• Compliance Management (new in Exchange Server 2013)
• Hygiene Management (new in Exchange Server 2013)
Demonstration: Managing Permissions Using the Built-In Role Groups

In this demonstration, you will see how to:
• Add role holders to a role group
• Verify the permissions assigned to the built-in role groups
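The two demonstration steps in the Exchange Management Shell, as an added example that is not the course's demonstration script; the user "Maria" is a constructed name and the Help Desk role group is the built-in one.

```powershell
# Added example (not from the course materials): add a role holder to a
# built-in role group, then verify what that group can actually run.
# Assumes an Exchange 2013 organization with a user named Maria (constructed).

# WHO: add Maria to the Help Desk role group
Add-RoleGroupMember -Identity "Help Desk" -Member "Maria"

# WHERE: which management roles are bound to the group, and with what scopes
Get-ManagementRoleAssignment -RoleAssignee "Help Desk" |
    Format-Table Name, Role, RecipientWriteScope, ConfigWriteScope -AutoSize

# WHAT: the cmdlets and parameters each of those roles permits
Get-ManagementRoleAssignment -RoleAssignee "Help Desk" |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Format-Table Role, Name, Parameters -AutoSize

# Reverse check for least privilege: which roles grant Set-Mailbox at all,
# and does Maria now hold one of them through any group? Running this
# before handing out a built-in group shows exactly what it would add.
Get-ManagementRole -Cmdlet Set-Mailbox | Format-Table Name

Get-ManagementRoleAssignment -Role "Mail Recipients" -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq "Maria" } |
    Format-Table Name, RoleAssigneeName, EffectiveUserName -AutoSize
```

The last query returns nothing for a Help Desk member, which is the expected result: Help Desk holds only the User Options and View-Only Recipients roles.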
Process for Configuring Custom Role Groups

• Identify the role groups and the role group members
• Identify the management roles to assign to the group
• Identify the management scope
• Create the role group using the Exchange Administration Center or the Exchange Management Shell
Demonstration: Configuring Custom Role Groups

In this demonstration, you will see how to create a custom role group
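The four-step process carried out in the Exchange Management Shell, as an added example rather than the course's own demonstration; the Sales OU, the SalesAdmins security group and the role group name are constructed, and the script also shows the filter-based alternative to an OU scope.

```powershell
# Added example (not from the course materials): a custom role group whose
# write scope is limited to one OU, so its members cannot touch recipients
# elsewhere in the organization. Names below are constructed.

# Steps 1 and 2: members and management roles; step 3: the scope (an OU)
$groupName = "Sales Recipient Admins"
New-RoleGroup -Name $groupName `
    -Roles "Mail Recipients", "Distribution Groups" `
    -RecipientOrganizationalUnitScope "adatum.com/Sales" `
    -Members "SalesAdmins" `
    -Description "Manages mailboxes and DLs in the Sales OU only"

# Step 4 (verify): every assignment created for the group must carry the
# OU write scope; an organization-wide write scope here would be a finding.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $groupName
$assignments | Format-Table Name, Role, RecipientWriteScope, RecipientReadScope -AutoSize

$unscoped = $assignments | Where-Object { $_.RecipientWriteScope -ne "OU" }
if ($unscoped) {
    Write-Warning "Assignments without an OU write scope:"
    $unscoped | Format-Table Name, RecipientWriteScope -AutoSize
}

# Alternative scope when the boundary is an attribute rather than an OU:
# a custom management scope built from a recipient filter.
New-ManagementScope -Name "Sales Department Users" `
    -RecipientRestrictionFilter { Department -eq "Sales" }

New-RoleGroup -Name "Sales Department Admins" `
    -Roles "Mail Recipients" `
    -CustomRecipientWriteScope "Sales Department Users" `
    -Members "SalesAdmins"
```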
What Are Management Role Assignment Policies?

Management role-assignment policies assign permissions to users to manage their mailboxes or distribution groups

Component / Explanation
Mailbox: Each mailbox is assigned one role-assignment policy
Management role assignment policy: Object for associating management roles with mailboxes
Management role: Container for grouping other RBAC components
Management role assignment: Associates management roles with management role assignment policies
Management role entry: Defines which Exchange cmdlets the user can run on their mailboxes or groups
What Are Exchange Server Split Permissions?

• Split permissions separate creation of security principals in AD DS, such as users and security groups, from the subsequent configuration of those objects through Exchange Server 2013 tools
• With Exchange Server split permissions you can:
  • Separate the ability to create or delete security principals from Exchange administration
  • Choose between two models:
    • RBAC split permissions
    • Active Directory split permissions
• Available since Exchange Server 2010 SP1
Configuring RBAC Split Permissions

You must manually configure RBAC split permissions as follows:
1. Verify that Active Directory split permissions have not been enabled
2. Create a new role group for AD DS administrators
3. Create regular and delegating role assignments for the new role group for appropriate roles
4. Remove regular and delegating management role assignments between the Mail Recipient Creation role, and both the Organization Management and Recipient Management role groups
5. Remove the regular and delegating role assignments between the Security Group Creation and Membership role and the Organization Management role group

RBAC split permission results:
• Only members of the new role group that you create can create security principals, such as mailboxes
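The five steps above as one Exchange Management Shell script, added here as an example and not taken from the course; it assumes HRAdmins (the group named in the lab scenario) already exists as a universal security group, the role group name is constructed, and the step 1 check relies on the documented behaviour that enabling Active Directory split permissions removes the creation roles' assignments from Organization Management.

```powershell
# Added example (not from the course materials): configure RBAC split
# permissions. Assumes HRAdmins is an existing universal security group.
$adminGroup = "AD DS Administrators"     # constructed name
$roles      = "Mail Recipient Creation", "Security Group Creation and Membership"

# Step 1: Active Directory split permissions must NOT be enabled. Enabling
# it strips these roles from Organization Management, so a missing
# assignment is the indicator (assumption based on documented behaviour).
$existing = Get-ManagementRoleAssignment -Role "Mail Recipient Creation" `
                -RoleAssignee "Organization Management"
if (-not $existing) {
    throw "No Mail Recipient Creation assignment found; AD split permissions may already be enabled."
}

# Step 2: role group for the AD DS administrators (creates regular assignments)
New-RoleGroup -Name $adminGroup -Roles $roles -Members "HRAdmins"

# Step 3: add the delegating assignments so the group can delegate the roles
foreach ($role in $roles) {
    New-ManagementRoleAssignment -Role $role -SecurityGroup $adminGroup -Delegating
}

# Steps 4 and 5: remove regular AND delegating assignments of the creation
# roles from the built-in groups. Get- returns both kinds, so one pipeline
# per pair covers both.
$removals = @(
    @{ Role = "Mail Recipient Creation";                Assignee = "Organization Management" },
    @{ Role = "Mail Recipient Creation";                Assignee = "Recipient Management" },
    @{ Role = "Security Group Creation and Membership"; Assignee = "Organization Management" }
)
foreach ($r in $removals) {
    Get-ManagementRoleAssignment -Role $r.Role -RoleAssignee $r.Assignee |
        Remove-ManagementRoleAssignment -Confirm:$false
}

# Result check: only the new role group should hold the creation roles now
foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role |
        Format-Table Name, RoleAssigneeName, Delegating -AutoSize
}
```

Members of Organization Management can still add themselves to the new role group, so membership of that group is what the auditors need to watch.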
Configuring Active Directory Split Permissions

• Active Directory split permissions is configured automatically during Setup, or when you run the following command:
  setup.com /PrepareAD /ActiveDirectorySplitPermissions:true
• Active Directory split-permissions results:
  • Cannot create security principals with Exchange Server management tools
  • Cannot manage distribution group members with Exchange Server management tools
  • Exchange Trusted Subsystem and Exchange servers cannot create security principals
  • Exchange servers and Exchange management tools can only modify Exchange attributes of existing Active Directory security principals
Lesson 2: Configuring Audit Logging

• What Is Administrator Audit Logging?
• What Is Mailbox Audit Logging?
• Demonstration: Configuring Audit Logging
What Is Administrator Audit Logging?

• Administrator audit logging enables you to track changes made to the Exchange environment by administrators
• Administrator audit logging:
  • Is enabled by default in Exchange Server 2013
  • Is configured with the Set-AdminAuditLogConfig cmdlet, and by default logs all cmdlets and parameters except for Test-, Get-, and Search- cmdlets
  • Supports searches using the Exchange Management Shell and the Exchange Administration Center
• Perform detailed log searches with the Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets
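Checking the configuration and running both kinds of search, as an added example that is not part of the course; the seven-day window and the auditors' mailbox address are constructed.

```powershell
# Added example (not from the course materials): confirm what the
# administrator audit log captures, then search it interactively and
# asynchronously. Date range and recipient address are constructed.
$since = (Get-Date).AddDays(-7)
$now   = Get-Date

# Is logging on, which cmdlets/parameters are recorded, how long are entries kept?
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters,
                AdminAuditLogExcludedCmdlets, AdminAuditLogAgeLimit

# Interactive search: who changed mailboxes or RBAC assignments this week?
# Each entry records the caller, the cmdlet, its parameters and the object
# it modified; add -IsSuccess $false to see only attempts that failed.
Search-AdminAuditLog -StartDate $since -EndDate $now `
    -Cmdlets Set-Mailbox, New-ManagementRoleAssignment, Add-RoleGroupMember |
    Select-Object RunDate, Caller, CmdletName, ObjectModified,
        @{ n = "Parameters"
           e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; " } } |
    Format-Table -AutoSize

# Asynchronous search: the results are mailed as an attachment to the
# auditors, which is how the log is made available for their inspection.
New-AdminAuditLogSearch -Name "Weekly admin changes" `
    -StartDate $since -EndDate $now `
    -StatusMailRecipients "auditors@adatum.com"
```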
What Is Mailbox Audit Logging?

• Mailbox audit logging is used to track mailbox access by mailbox owners, delegates, and administrators
• Mailbox audit logging:
  • Must be enabled on a per-mailbox basis using the Set-Mailbox cmdlet
  • Does not automatically log owner access unless specified to do so
  • Supports non-owner access reports through the Exchange Administration Center
• Perform detailed log searches with the Search-MailboxAuditLog and New-MailboxAuditLogSearch cmdlets
Demonstration: Configuring Audit Logging

In this demonstration, you will see how to enable audit logging and search audit logs
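Enabling mailbox audit logging on a shared mailbox and searching for non-owner activity, as an added example rather than the course's demonstration script; the mailbox name, the 30-day window and the auditors' address are constructed.

```powershell
# Added example (not from the course materials): record delegate and admin
# actions on a shared mailbox, including Send As and Send On Behalf, then
# search the log. Mailbox name, dates and recipient address are constructed.
$mbx   = "SalesShared"
$since = (Get-Date).AddDays(-30)
$now   = Get-Date

# Logging is off per mailbox by default. Turn it on and list the delegate
# and admin actions to record; owner actions stay unlogged unless
# -AuditOwner is set explicitly, which is usually left alone for volume.
Set-Mailbox -Identity $mbx -AuditEnabled $true `
    -AuditDelegate Update, SoftDelete, HardDelete, SendAs, SendOnBehalf, Create `
    -AuditAdmin Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create `
    -AuditLogAgeLimit "180.00:00:00"

Get-Mailbox -Identity $mbx |
    Format-List AuditEnabled, AuditDelegate, AuditAdmin, AuditOwner, AuditLogAgeLimit

# Non-owner sends in the last 30 days, one line per logged operation
Search-MailboxAuditLog -Identity $mbx -LogonTypes Delegate, Admin `
    -StartDate $since -EndDate $now -ShowDetails |
    Where-Object { $_.Operation -match '^Send(As|OnBehalf)$' } |
    Format-Table LastAccessed, LogonUserDisplayName, LogonType, Operation,
                 OperationResult, ClientIPAddress -AutoSize

# The same non-owner report delivered to the auditors as an attachment
New-MailboxAuditLogSearch -Name "SalesShared non-owner access" `
    -Mailboxes $mbx -LogonTypes Delegate, Admin `
    -StartDate $since -EndDate $now `
    -StatusMailRecipients "auditors@adatum.com"
```

Entries only exist for activity after AuditEnabled was set, so enable logging before the reporting period you intend to audit.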
Lab: Configuring Administrative Security and Auditing

• Exercise 1: Configuring Exchange Server Permissions
• Exercise 2: Configuring Audit Logging
• Exercise 3: Configuring RBAC Split Permissions on Exchange Server 2013
Logon Information
Virtual Machines: 20341B-LON-DC1, 20341B-LON-CAS1, 20341B-LON-MBX1
User name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 60 minutes


Lab Scenario

A. Datum Corporation has deployed Exchange Server 2013. The company security officer has provided you a set of requirements to ensure that the Exchange Server 2013 deployment is as secure as possible. The requirements' specific concerns include:
• Exchange Server administrators should have minimal permissions. This means that whenever possible, you should delegate Exchange Server management permissions.
• Any configuration changes made to the Exchange Server environment should be audited. The audit logs must be available for inspection by company auditors.
• The organization must have the option of auditing all non-owner access to user mailboxes. The audit logs must be available for inspection by company auditors.
• AD DS object creation should be done by only the HRAdmins group. Nobody else should create AD DS objects such as user accounts in Exchange.
Lab Review

• You have a shared mailbox that requires logging any activity in which other users send on behalf of this mailbox. What do you need to do?
• Your compliance office requires permission to configure and manage compliance settings in your Exchange organization. You want to make sure that the compliance officer has the least amount of permissions necessary for doing his or her job. What built-in management role group would you use?
Module Review and Takeaways

• Review Questions
• Best Practice
• Common Issues and Troubleshooting Tips
