Exchange Deployment Planning Services Exchange 2010 Management Tools and RBAC

Post on 23-Dec-2015


Page 1: Exchange Deployment Planning Services Exchange 2010 Management Tools and RBAC

Exchange Deployment Planning Services

Exchange 2010 Management Tools and RBAC

Page 2

Page 3

Exchange 2010 Management Tools and RBAC

The Exchange 2010 Management Tools and RBAC module has the following goals:

• Review of Exchange Server 2010 Management toolset functionalities
• Overview of Exchange Server 2010 access control
• Overview of Exchange Server 2010 RBAC fundamentals

Page 4

Exchange 2010 Management Tools and RBAC

Ideal audience for this workshop:

• Messaging SME
• Network SME
• Security SME

Page 5

Exchange 2010 Management Tools and RBAC

During this session, focus on the following:

• How will we leverage this functionality in our organization?
• What management requirements do we have around our messaging solution?

Page 6

Agenda

• Microsoft® Exchange management history and challenges
• Exchange 2010 Management GUIs
− EMC
− ECP
• RBAC
• Remote PowerShell
• Auditing

Page 7

Exchange Management History and Challenges

The annual cost of helpdesk support staff for e-mail systems with 7,500 mailboxes is approximately $20/mailbox. This cost goes up the smaller the organization. (“Email Support Staff Requirements and Costs: A Survey of 136 Organizations”, Ferris Research, June 2008).

Page 8

Exchange Management History: Exchange Server 2003

• Exchange System Manager and Active Directory Users and Computers required to access all mail related attributes
• Management tools rely on permissions granted on recipient or configuration objects in Active Directory
• Management groups assigned on Organization/AG level
• 3 Management Groups available
− Exchange Full Administrator
− Exchange Administrator
− Exchange View-Only Administrator

Page 9

Exchange Management History: Exchange Server 2007

• Exchange Server 2007 introduced new tools for richer management
− EMS
− Exchange Management Console and Management Shell introduced richer management capabilities
• Management tools rely on permissions granted on recipient or configuration objects in AD
• 5 Management Groups available
− Exchange Organization Administrator
− Exchange Recipient Administrator
− Exchange View Only Administrator
− Exchange Public Folder Administrator
− Exchange Server Administrator

Page 10

Challenges

• Current management role implementation is limited
• Access control management is complex
• Permissions are focused on objects and not tasks
• Excessive privileges required for some Exchange operations
• Object access auditing and delegated permissions reporting is difficult
• There is no support for self-service management

Page 11

Exchange 2010 Management: What's New?

• New EMC features
• ECP
− New and simplified web based management console
− Targeted for end users, hosted tenants, and specialists
• RBAC
− New authorization model
− Easy to delegate and customize
− All Exchange management clients (EMS, EMC, ECP) use RBAC
• Remote PowerShell
− Manage Exchange remotely using PowerShell v2.0
− Note: No more local PowerShell, it's all remote in Exchange 2010
• Auditing and Logging

Page 12

Exchange 2010 Management: Supported OS Platforms

• All of Exchange 2010 is 64-bit only
• Supported platforms for installing Exchange management tools
− Vista x64 Service Pack 2
− Windows 2008 x64 SP2
− Windows 7 x64 Client and Windows 2008 R2 x64
• Remote PowerShell management
− Does not require Exchange management tools on client
− Supported client OS platforms
  − Vista (x86 or x64)
  − Windows 2008 SP2 (x86 or x64)
  − Windows 2008 R2 (x86 or x64)
  − Windows 7 (x86 or x64)
  − Windows 2003 (x86 or x64)
  − Windows XP (x86 or x64)

Page 13

Management GUIs

EMC
• Primarily for on-premise IT pros
• Requires client side installation

ECP
• Primarily for
− Tenant Administrators
− Specialists (helpdesk, discovery, etc.)
− End Users (message tracking, DGs, OWA options, etc.)
• Web Browser based administration

Page 14

Exchange Management Console

• Built on Remote PowerShell
• Multiple Forest Support
• RBAC Aware UI
• Notable new features
− Recipient Bulk Edit
− PowerShell Command Logging
− Links from ECP

Page 15

Exchange Control Panel Architecture Overview

• High-level view
− AJAX-based
− Shares some code with OWA, but two separate applications
− Deployed on CAS
− ECP stack: ASP.Net, RBAC, PowerShell
− Authentication: Windows Integrated, Basic, Forms Based
− Browser support: same as OWA

[Architecture diagram: Web Browser (ECP Client Library, AJAX) talking to the Client Access Server, which hosts HTTP.SYS (IIS), LiveId/FBA Auth, the ECP Server Library, RBAC, PowerShell and the Exchange Cmdlets]

Page 16

Exchange Control Panel

• Administrator logon
− RBAC aware: checks user permissions to interface components
− Example: the Management dropdown. If you are an administrator, you will have access to the dropdown
• Client logon

Page 17

Role Based Access Control

Page 18

Role Based Access Control: Advantages

• Simplified access control model based on defined management roles
• Customized roles can be created to meet specific needs of an organization
• Access can be scoped to specific objects in Domain and Configuration naming contexts
• Enforcement of access control is maintained organization wide through all management interfaces
• Granular control of tasks at cmdlet/parameter level
• Reporting available for determining level of access control that is in place

Page 19

Role Based Access Control

• RBAC creates a new object called a role
• Assign users to a role
• Roles are mapped to application permissions

Page 20

Basic RBAC Model

• Role Assignment: “Glue”
• User/USG: “Who”
• Scope: “Where”
• Role: “What”

Page 21

RBAC Components

• The parts of RBAC that do all the work can be divided into two sections:
− Definition and Creation
  − Directory objects that define RBAC configuration
  − Exchange Tools used to create the RBAC configuration
− Enforcement
  − Exchange Administrative tools use RBAC to determine the access control granted to a user

Page 22

Configuration Objects

• Management role
• Management role entries
• Management scope
• Management role assignment
• Role assignment policy
• Role group

Page 23

Management Role

• A management role is a configuration object that defines which tasks are available for users who are assigned the role
• There are two types of management roles:
− Built-in management roles are pre-defined roles provided by Exchange
− Custom management roles are copies of built-in roles that can be customized to meet the needs of an organization
− Custom management roles are child objects of the built-in management roles and inherit all the attributes of the parent

Page 24

Management Role Entries

• Management role entries are a list of Exchange tasks (cmdlets/parameters)
• When a management role is assigned, the assignee has access to all the tasks in the list
• Built-in roles are read-only and cannot be edited to remove role entries
• Custom management roles can be edited to remove cmdlets and/or parameters that shouldn’t be available to the role assignee
− Entries that do not exist on a parent role cannot be added to a child role

Page 25

Management Scopes

• Management scopes define the extent of control for a management role assignment

• When you assign a management role, a scope is used to determine what objects the assignee can access and act upon

• Management scopes apply to recipient or configuration objects

• Scopes can be defined using objects like Exchange servers, OUs, filterable properties on Exchange server, Recipient objects, etc. (SP1 adds database scope)

Page 26

Management Scopes: Types

• Two types of scopes: implicit and explicit
− Implicit scopes are pre-defined on default management roles and apply to objects appropriate to the role
− Range from broad (organization) to narrow (self)
− Custom roles inherit the implicit scope from their parent role
− Explicit scopes are administrator defined and can be:
  − A management scope configuration object defined in advance by the administrator
  − A custom scope defined at the time of role assignment
• If an explicit scope is not used during role assignment, the implicit scope of the management role is always used

Page 27

Management Role Assignment

• A management role assignment is a configuration object that links a management role to an assignee
• Assignment can be made:
− Directly to a specific user
− Directly to a USG
  − Adding users or other USGs as members in effect extends the role assignment to the members
− Indirectly to a mailbox user through a role assignment policy

Page 28

Exchange Administrative Tools

• All Exchange 2010 tools use Remote PowerShell:
− EMS
− EMC
− ECP
• Using Remote PowerShell ensures all tasks pass through RBAC code

Page 29

Managing RBAC

• RBAC managed using EMS:
− *-ManagementRole
− *-ManagementRoleEntry
− *-ManagementScope
− *-ManagementRoleAssignment
− *-RoleAssignmentPolicy
− *-RoleGroup
− *-RoleGroupMember
• Role groups and role assignment policies can be administered via ECP
− Role group members can be added/removed
− Roles assigned by role assignment policy can be enabled/disabled

Page 30

Example 1: Removing Recipient Creation Right

• Simplest method
• Change affects all members
• Assignments can be additive or subtractive
− Add/Remove-ManagementRoleAssignment

Page 31

Example 2: Enable Users to Change Personal Contact Information

• Some limited customization supported through ECP
• Change affects entire user segment
• Assignments can be additive or subtractive
− Add/Remove-ManagementRoleAssignment
− Only applies to end user roles

Page 32

Management Task Security Context

• Tasks run under the context of the Exchange server that is providing the PowerShell session
• Exchange servers are members of the Exchange Trusted Subsystem USG
• The Exchange Trusted Subsystem USG has the permissions needed to carry out all Exchange tasks

Page 33

RBAC Reporting

• Effective User Reporting
• Writable Object Reporting
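The role, role entry, scope and assignment objects from Pages 23 to 27, the two worked examples on Pages 30 and 31, and the two reporting views on Page 33, carried through in EMS as an added example (not slides from the deck). The role group "Helpdesk Tier 2", the OU contoso.com/Sales, the recipient alice@contoso.com and the custom names "Sales Helpdesk" and "Sales OU" are assumptions; Recipient Management, Mail Recipient Creation, Mail Recipients, MyContactInformation and Default Role Assignment Policy are Exchange 2010's own built-in names.

```powershell
# Added example, not from the deck. Hypothetical: role group 'Helpdesk Tier 2',
# OU contoso.com/Sales, custom role 'Sales Helpdesk', scope 'Sales OU', alice@contoso.com.

# --- Example 1 (Page 30): subtractive change through the role assignment ---
# Removing the assignment takes the right away from every member of the role group.
Get-ManagementRoleAssignment -RoleAssignee 'Recipient Management' -Role 'Mail Recipient Creation' |
    Remove-ManagementRoleAssignment -Confirm:$false

# --- Finer grain (Pages 23-27): child role, trimmed entries, explicit scope ---
# A custom role is a child of a built-in role and starts with all of its entries.
New-ManagementRole -Name 'Sales Helpdesk' -Parent 'Mail Recipients'

# Entries can only be removed from a child, never added beyond the parent.
# Drop whole cmdlets (any *-MailboxPermission entry the parent carried)...
Get-ManagementRoleEntry 'Sales Helpdesk\*-MailboxPermission' |
    Remove-ManagementRoleEntry -Confirm:$false
# ...and just the two forwarding parameters of Set-Mailbox, keeping the rest.
Set-ManagementRoleEntry 'Sales Helpdesk\Set-Mailbox' `
    -Parameters ForwardingAddress, DeliverToMailboxAndForward -RemoveParameter

# Explicit scope (Pages 25-26): user mailboxes under the Sales OU only.
New-ManagementScope -Name 'Sales OU' -RecipientRoot 'contoso.com/Sales' `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

# The assignment is the glue between role ("what"), USG ("who") and scope ("where").
New-ManagementRoleAssignment -Name 'Sales Helpdesk-Helpdesk Tier 2' `
    -Role 'Sales Helpdesk' -SecurityGroup 'Helpdesk Tier 2' `
    -CustomRecipientWriteScope 'Sales OU'

# --- Example 2 (Page 31): end-user role enabled through the assignment policy ---
New-ManagementRoleAssignment -Role 'MyContactInformation' `
    -Policy 'Default Role Assignment Policy'

# --- Reporting (Page 33) ---
# Effective users: who, through any group nesting, actually holds the custom role.
Get-ManagementRoleAssignment -Role 'Sales Helpdesk' -GetEffectiveUsers |
    Format-Table EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope -AutoSize

# Writable object: which assignments, and therefore which users, can modify one mailbox.
Get-ManagementRoleAssignment -WritableRecipient 'alice@contoso.com' -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role, RoleAssigneeType -AutoSize
```

Run the two reporting queries before and after a change: the difference is the delegated-permissions report Page 10 says the older model could not produce.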

Page 34

Remote PowerShell

Page 35

Remote PowerShell: New management architecture for PowerShell in Exchange 2010

• Allows RBAC model
− Restricted PSSession allows RBAC to hide cmdlets and parameters
• Client/Server separation
− Remote PowerShell is always used to connect “remotely” to localhost
− Enables firewall and cross-forest scenarios (standard protocol: http(s))
• “No Binaries” scenarios
− Exchange management from a client machine which does not have Exchange Management Tools installed

Page 36

Remote PowerShell: How Does It Work?

[Diagram: The PSv2 client runspace (user Evan) initially has only one cmdlet available: New-PSSession. Evan runs `New-PSSession –URI https://server.fqdn.com/PowerShell/`. On the Exchange server, IIS authenticates him against Active Directory and the WSMan + RBAC stack (Authorization) builds a PSv2 RBAC server runspace. Evan's role assignment grants New-Mailbox -Name, Get-Mailbox and Set-Mailbox -Name, so only those remote cmdlets become available in the client runspace. Evan runs `New-Mailbox –Name Bob` and the Bob mailbox object is returned in the pipeline.]

Page 37

Remote PowerShell

1. Client opens PowerShell (no Exchange Management Tools installed)

Page 38

Remote PowerShell

2. Client adds his credentials to a variable (client side runspace)

Page 39

Remote PowerShell

3. Adding all information for the Remote PowerShell session (endpoint, credentials)

Page 40

Remote PowerShell

4. Client connects to endpoint and creates server side runspace

Page 41

Remote PowerShell

5. Client now successfully runs Get-Mailbox
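The five screenshot steps on Pages 37 to 41, written out as an added example (not the deck's own screenshots) for a client with no Exchange Management Tools installed. It assumes the endpoint URI from Page 36, Kerberos enabled on the CAS PowerShell virtual directory (the Exchange 2010 default) and a hypothetical account CONTOSO\evan.

```powershell
# Added example, not from the deck. Assumes https://server.fqdn.com/PowerShell/
# (the URI on Page 36), Kerberos on the PowerShell virtual directory and the
# hypothetical account CONTOSO\evan.

# Step 2: credentials stay in a client-side variable; nothing is sent yet.
$cred = Get-Credential 'CONTOSO\evan'

# Step 3: everything the session needs, gathered in one table for splatting.
$sessionParams = @{
    ConfigurationName = 'Microsoft.Exchange'    # Exchange's own session configuration
    ConnectionUri     = 'https://server.fqdn.com/PowerShell/'
    Credential        = $cred
    Authentication    = 'Kerberos'
}

# Step 4: IIS authenticates, RBAC builds the restricted server-side runspace.
$session = New-PSSession @sessionParams

# Proxy functions for the cmdlets RBAC exposed are generated into the local
# runspace; no Exchange binaries exist on this client.
$exchange = Import-PSSession $session -DisableNameChecking

# What RBAC let through: the cmdlet list, and which Forwarding* parameters of
# Set-Mailbox survived the role entries (none if they were removed from the role).
Get-Command -Module $exchange.Name | Sort-Object Name | Select-Object -First 20
Get-Command Set-Mailbox -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Parameters.Keys | Where-Object { $_ -like 'Forwarding*' } }

# A cmdlet outside the user's role entries simply does not exist in this runspace.
if (-not (Get-Command New-Mailbox -ErrorAction SilentlyContinue)) {
    'New-Mailbox is not in this user''s role entries'
}

# Step 5: the cmdlet executes server-side under the Exchange server's context
# (Page 32) and within the assignment's scope; the client receives deserialized objects.
Get-Mailbox -ResultSize 10 | Format-Table Name, Alias, Database -AutoSize

# Tear the server-side runspace down when finished.
Remove-PSSession $session
```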

Page 42

Auditing

Page 43

Auditing

• Exchange 2010 allows auditing for any executed cmdlet
− by any user or administrator
− via EMC, ECP, or Management Shell
• Managed via *-AdminAuditLogConfig
− List of cmdlets/parameter usage to audit (default is ALL)
− Mailbox used to store logging information
• Additional points
− “Get” cmdlets are not logged
− Settings are global and stored in AD DS
− Events are discoverable via Search
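The *-AdminAuditLogConfig configuration and the search described above, as an added example (not from the deck). It assumes an Exchange 2010 SP1 organization, since Search-AdminAuditLog arrived with SP1 (on RTM the audit mailbox is searched directly), and an account holding the Audit Logs role; the seven-day window and the cmdlet filters are constructed for illustration.

```powershell
# Added example, not from the deck. Assumes Exchange 2010 SP1 (Search-AdminAuditLog
# is an SP1 cmdlet) and an account that holds the Audit Logs role.

# Current settings: is logging on, and which cmdlets/parameters are captured?
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters

# The deck's default: every cmdlet and every parameter.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets '*' -AdminAuditLogParameters '*'

# A narrower, review-oriented filter: only privilege- and policy-changing cmdlets.
# Get-* cmdlets are never logged, whatever is listed here.
Set-AdminAuditLogConfig -AdminAuditLogCmdlets '*-ManagementRole*', '*-RoleGroup*', `
    '*-AdminAuditLogConfig', 'Set-Mailbox', 'Add-MailboxPermission', 'New-Mailbox'

# Settings live in AD DS, so they apply organization-wide and the change above is
# itself logged. Pull the last seven days of RBAC changes and flatten the parameters.
Search-AdminAuditLog `
    -Cmdlets New-ManagementRoleAssignment, Remove-ManagementRoleAssignment, Add-RoleGroupMember `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
        @{ Name = 'Parameters'
           Expression = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } } |
    Sort-Object RunDate -Descending | Format-Table -AutoSize
```

Caller, ObjectModified and the flattened parameters together answer the Page 10 complaint that delegated-permission changes were hard to audit: each entry records who changed which role assignment, and to what.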

Page 44

Auditing

Page 45

End of Exchange 2007 Management Tools and RBAC module

Page 46

For More Information

• Exchange Server Tech Center: http://technet.microsoft.com/en-us/exchange/default.aspx
• Planning services: http://technet.microsoft.com/en-us/library/cc261834.aspx
• Microsoft IT Showcase Webcasts: http://www.microsoft.com/howmicrosoftdoesitwebcasts
• Microsoft TechNet: http://www.microsoft.com/technet/itshowcase

Page 47

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.