Secure Exchange mailboxes

We have an Exchange server which has 50 mailboxes on it.

The senior directors of the company (about 5 mailboxes) want their mailboxes to be ultra secure and therefore do not want the administrator to be able to take control of their mailboxes to view any emails etc.

Any ideas how we could do this?


Solution 1:

I don't know if you can lock out the administrator. How would you repair the mailbox if there's corruption?

Sysadmins are sysadmins in part because there's a layer of implicit trust for the high-ranking system administrator. Sysadmins can read any data on the server, read emails, sniff traffic, reset passwords... essentially they are gods within the network and servers.

If you don't trust the system administrator, you have an issue.

This is an HR and policy issue, not a technology issue. You need clearly spelled out policies that dictate what can and can't be tolerated. Otherwise, they would need to know that even if the mailboxes are secured, sysadmins could use packet sniffing, screen capture, etc., and if you managed to somehow lock out the administrator, good luck retrieving mails, diagnosing issues on those machines, and finding out if someone else installed malware on those workstations and is reading those messages!

Solution 2:

As has been said, it isn't really possible.

What can be done, of course, is that events on those mailboxes can be audited and the event logs on the Exchange servers can be secured. As Erik points out, even this won't help if a sysadmin takes a backup tape home and restores it.

At the end of the day though, if the directors don't trust the sysadmins then the business either needs less paranoid directors or more trustworthy sysadmins, depending on whether or not the directors are right to be worried.
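The auditing this answer mentions is something a defender can actually switch on. As an added example (not code from the answer's author), the Exchange Management Shell script below enables mailbox audit logging on the director mailboxes, checks that no audit bypass has been granted to the admin account, and pulls the entries recorded for administrator logons. The mailbox aliases, the admin account name and the date range are placeholders.

```powershell
# Added example: mailbox audit logging for a handful of sensitive mailboxes.
# Assumes an Exchange 2010 SP1 or later on-premises environment and the
# Exchange Management Shell. Aliases below are placeholders, not real users.
$DirectorMailboxes = @("director1", "director2", "director3", "director4", "director5")
$AdminAccount      = "CONTOSO\exchadmin"   # placeholder admin account to check

foreach ($mbx in $DirectorMailboxes) {
    # Record what admins, delegates and the owner do in the mailbox.
    # FolderBind/MessageBind are the operations that show "someone opened this".
    Set-Mailbox -Identity $mbx -AuditEnabled $true `
        -AuditAdmin    FolderBind,MessageBind,SendAs,SendOnBehalf,Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,Create,Copy `
        -AuditDelegate FolderBind,SendAs,SendOnBehalf,Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,Create `
        -AuditOwner    HardDelete,SoftDelete,MoveToDeletedItems `
        -AuditLogAgeLimit 365   # keep audit entries for a year

    # Confirm the settings took effect.
    Get-Mailbox -Identity $mbx | Format-List Name, AuditEnabled, AuditAdmin, AuditDelegate, AuditOwner, AuditLogAgeLimit
}

# An account with an audit bypass association leaves no trail at all, which is
# exactly the gap this thread is worried about. It should be $false for admins.
Get-MailboxAuditBypassAssociation -Identity $AdminAccount | Format-List Identity, AuditBypassEnabled

# Pull everything recorded for admin and delegate logons in the last 30 days.
$Start = (Get-Date).AddDays(-30)
$End   = Get-Date
foreach ($mbx in $DirectorMailboxes) {
    Search-MailboxAuditLog -Identity $mbx -LogonTypes Admin,Delegate `
        -StartDate $Start -EndDate $End -ShowDetails |
        Select-Object MailboxResolvedOwnerName, LastAccessed, LogonType, LogonUserDisplayName,
                      Operation, FolderPathName, ClientInfoString, SourceItemSubjectsList |
        Sort-Object LastAccessed |
        Format-Table -AutoSize
}
```

The audit entries live in the Audits subfolder of each mailbox's Recoverable Items, so an admin with enough rights can still disable auditing or clear them; that is why the thread keeps coming back to trust and policy rather than a purely technical lock-out.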

Solution 3:

The only way this is possible is to not keep the emails in Exchange, which in turn exempts them from any email archiving system in place. Depending on what kind of regulatory environment you live in, that can be a very, very bad idea.

But ultimately it comes down to the trust issue. If they can't trust their own highest-level administrators not to poke their nose into areas they haven't been invited into (perhaps they've read a bit too many BOFH stories), then that admin doesn't need to work there. It's called professional ethics, and one of the top ones for sysadmins is to not go info-hunting out of curiosity. This is why I got a solid background check for this and my last sysadmin job.

That said, I have seen examples where the top-level users had their own single IT person just for them. They maintained separate email environments, and that person also handled desktop IT for the C-suite. The rest of the hoi polloi IT had to work through that one person. It can really work when that one person is a nice guy and is willing to work with the rest of the company. It can be downright evil when that one person lets the power go to their head and they start going their own way just to go their own way.