Product Reviews

Taming Exchange Security

Configuring permissions with ESRA 2.0.

While I am by no means an expert on Microsoft Exchange Server, I do administer a few Exchange servers for local organizations. One of the things I’ve noticed is that managing mailbox and public folder permissions can be a royal pain. C2C’s Exchange Security Risk Auditor 2.0 attempts to simplify Exchange security for you.

ESRA 2.0 provides the ability to set up complex permissions. For example, if you want to grant an Administrative Assistant Reviewer permission to all of the calendars for the people in the Marketing department, ESRA can do it.

C2C’s Web site lists “simple and intuitive interface” among the product’s features. It’s easy to understand, if that’s what they mean, but I don’t think this is going to win any design awards anytime soon. ESRA appears as an MMC snap-in, so any Exchange administrator should be familiar with that part. The second level of the snap-in includes two nodes: “Public folder search” and “Mailbox search.” Beyond that, each node includes five child nodes: “Where to search,” “What to search for,” “Folder searching filter,” “What changes to make,” and “[Public folder/Mailbox] search results.” The “What to search for” node contains three more child nodes for the Mailbox search. Each node must be configured separately. That’s a lot of clicking for our carpal-tunnel-plagued world, and keyboard shortcuts are few or non-existent in this product.

Exchange administrators are used to a multiple-tabbed properties dialog box for configuring users, and just about everything else in Exchange. This interface could be vastly improved by sticking with that standard. I want to just click on the search type node (public folder or mailbox) to display the results. I’m okay with having to right-click to run the query and configure it, but this really only needs one configuration dialog.

I'd also like to see the ability to save my settings (such as the Administrative Assistant example), and run these pre-defined searches later on. Better yet, I’d like to schedule queries and tasks to run without me having to even think about it.

Reporting could also be better. Right now, you’re limited to exporting the query results via the MMC 1.2 (or newer) “Export list” functionality.

ESRA does include a couple of other features worth mentioning. First, the mailbox search will display Send On Behalf Of (SOBO) permissions, though I don’t see that the tool will allow you to set or change them.

The one extremely useful feature is the ability to identify and remove Zombies (i.e., those permissions that no longer resolve to a valid account because someone deleted the user and forgot to tell you about it). Just identifying those in a large enterprise can be a full-time job.

Figure: The ESRA 2.0 Microsoft Management Console interface

So, while I don’t like the interface, ESRA has the potential to save you a lot of headaches in administering permissions in your Exchange organization. Overall, however, I think if you have a skilled VBScript developer in-house, you may be able to build ASP pages that provide you with repeatable tasks, more palatable reporting, and a more robust interface, at a comparable cost.

About the Author

Joe Crawford, MCSE, works as a support engineer for HP, supporting Microsoft networking technologies. He specializes in Microsoft Systems Management Server and scripting.

