Taming Exchange Security
Configuring permissions with ESRA 2.0.
While I am by no means an expert on Microsoft Exchange Server, I do administer
a few Exchange servers for local organizations. One of the things I’ve
noticed is that managing mailbox and public folder permissions can be
a royal pain. C2C’s Exchange Security Risk Auditor 2.0 attempts
to simplify Exchange security for you.
ESRA 2.0 provides the ability to set up complex permissions. For example,
if you want to grant an Administrative Assistant Reviewer permission to
all of the calendars for the people in the Marketing department, ESRA
can do it.
C2C’s Web site lists “simple and intuitive interface”
among the product’s features. It’s easy to understand, if
that’s what they mean, but I don’t think this is going to
win any design awards anytime soon. ESRA appears as an MMC snap-in, so
any Exchange administrator should be familiar with that part. The second
level of the snap-in includes two nodes: “Public folder search”
and “Mailbox search.” Beyond that, each node includes five
child nodes: “Where to search,” “What to search for,”
“Folder searching filter,” “What changes to make,”
and “[Public folder/Mailbox] search results.” The “What
to search for” node contains three more child nodes for the Mailbox
search. Each node must be configured separately. That’s a lot of
clicking for our carpal-tunnel-plagued world, and keyboard shortcuts are
few or non-existent in this product.
Exchange administrators are used to a multiple-tabbed properties dialog
box for configuring users, and just about everything else in Exchange.
This interface could be vastly improved by sticking with that standard.
I want to just click on the search type node (public folder or mailbox)
to display the results. I’m okay with having to right-click to run
the query and configure it, but this really only needs one configuration
I'd also like to see the ability to save my settings (such as the Administrative
Assistant example), and run these pre-defined searches later on. Better
yet, I’d like to schedule queries and tasks to run without me having
to even think about it.
Reporting could also be better. Right now, you’re limited to exporting
the query results via the MMC 1.2 (or newer) “Export list”
ESRA does include a couple of other features worth mentioning. First,
the mailbox search will display Send On Behalf Of (SOBO) permissions,
though I don’t see that the tool will allow you to set or change
The one extremely useful feature is the ability to identify and remove
Zombies (i.e., those permissions that no longer resolve to a valid account
because someone deleted the user and forgot to tell you about it). Just
identifying those in a large enterprise can be a full-time job.
[Figure: The ESRA 2.0 Microsoft Management Console interface]
So, while I don’t like the interface, ESRA has the potential to
save you a lot of headache in administering permissions in your Exchange
organization. Overall, however, I think if you have a skilled VBScript
developer in-house, you may be able to build ASP pages that provide you
with repeatable tasks, more palatable reporting, and a more robust interface,
at a comparable cost.
Joe Crawford, MCSE, works as a support engineer for HP, supporting Microsoft networking technologies. He specializes in Microsoft Systems Management Server and scripting.