Product Reviews

Taming Exchange Security

Configuring permissions with ESRA 2.0.

While I am by no means an expert on Microsoft Exchange Server, I do administer a few Exchange servers for local organizations. One of the things I’ve noticed is that managing mailbox and public folder permissions can be a royal pain. C2C’s Exchange Security Risk Auditor 2.0 attempts to simplify Exchange security for you.

ESRA 2.0 provides the ability to set up complex permissions. For example, if you want to grant an Administrative Assistant Reviewer permission to all of the calendars for the people in the Marketing department, ESRA can do it.

C2C’s Web site lists “simple and intuitive interface” among the product’s features. It’s easy to understand, if that’s what they mean, but I don’t think this is going to win any design awards anytime soon. ESRA appears as an MMC snap-in, so any Exchange administrator should be familiar with that part. The second level of the snap-in includes two nodes: “Public folder search” and “Mailbox search.” Beyond that, each node includes five child nodes: “Where to search,” “What to search for,” “Folder searching filter,” “What changes to make,” and “[Public folder/Mailbox] search results." The “What to search for” node contains three more child nodes for the Mailbox search. Each node must be configured separately. That’s a lot of clicking for our carpal-tunnel-plagued world and keyboard shortcuts are few or non-existent in this product.

Exchange administrators are used to a multiple-tabbed properties dialog box for configuring users, and just about everything else in Exchange. This interface could be vastly improved by sticking with that standard. I want to just click on the search type node (public folder or mailbox) to display the results. I’m okay with having to right-click to run the query and configure it, but this really only needs one configuration dialog.

I'd also like to see the ability to save my settings (such as the Administrative Assistant example), and run these pre-defined searches later on. Better yet, I’d like to schedule queries and tasks to run without me having to even think about it.

Reporting could also be better. Right now, you’re limited to exporting the query results via the MMC 1.2 (or newer) “Export list” functionality.

ESRA does include a couple of other features worth mentioning. First, the mailbox search will display Send On Behalf Of (SOBO) permissions, though I don’t see that the tool will allow you to set or change them.

The one extremely useful feature is the ability to identify and remove Zombies (i.e., those permissions that no longer resolve to a valid account because someone deleted the user and forgot to tell you about it). Just identifying those in a large enterprise can be a full time job.

ESRA 2.0
The ESRA 2.0 Microsoft Management Console interface

So, while I don’t like the interface, ESRA has the potential to save you a lot of headache in administering permissions in your Exchange organization. Overall, however, I think if you have a skilled VBScript developer in-house, you may be able to build ASP pages that provide you with repeatable tasks, more palatable reporting, and a more robust interface, at a comparable cost.

About the Author

Joe Crawford, MCSE, works as a support engineer for HP, supporting Microsoft networking technologies. He specializes in Microsoft Systems Management Server and scripting.


  • Vendors Issue Patches for Linux Container Runtime Flaw Enabling Host Attacks

    This week, the National Institute of Standards and Technology (NIST) described a high-risk security vulnerability (CVE-2019-5736) for organizations using containers that could lead to compromised host systems.

  • Windows 10 Version 1809 Users May Get Visual Studio Crashes

    Microsoft on Friday issued an advisory for Windows 10 version 1809 users about possible Visual Studio crashes.

  • Standardizing the Look of Outlook's Outbound Messages

    Microsoft typically gives users a blank canvas to compose new e-mails in Outlook. In some corporate environments, however, a blank canvas isn't a good thing.

  • Windows 10 'Semiannual Channel Targeted' Goes Away This Spring

    Microsoft plans to slightly alter its Windows servicing lingo and management behavior with its next Windows 10 operating system feature update release, coming this spring.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.