
Microsoft Certified Solutions Master ®

MCSM: Messaging

Role Based Access Control in Exchange 2013

Bhargav Shukla

©2013 Microsoft Corporation. All rights reserved. MCSM NDA Confidential. Do not distribute. For individual readiness purposes only.
©2012 MCSM: Messaging Version 1.0, Updated 4/16/2013
Instructor Intro [with photo]

• Contact Info
• Blog – http://www.bhargavs.com
• Twitter - @bhargavs
• Email – contactme@bhargavs.com

• Bio
• Exchange & Lync MCM
• Director – Product Research &
Innovation @ KEMP Technologies
• Flight Sim Enthusiast
• Avid Model Airplane Crasher

Module Overview

• Session Objectives
• Understand Role Based Access Control
• Administering Role Based Access Control

• Takeaways
• Effective RBAC planning and implementation

Understanding RBAC

Lab

Lab1

• Export mailbox “KenMyer” to PST


• Do you have access to appropriate cmdlets?

• Run “Delete MIE Role.ps1” on Fabrikam DC


• Don’t forget to elevate PowerShell

• If needed, Assign yourself permissions to


appropriate cmdlets
• How can you assign permissions if you don’t have them?
• How can you prevent administrators from assigning
themselves permissions?

Lab1 (Continued…)

• Were you able to assign permissions?


• Is there any indication of the issue?
• Where would you look for hints?
• How can you fix it?

Introduction

• Simplifies access control administration


• Provides better manageability in enterprise
environments
• To implement, you create a role and assign users
to that role
• Roles are mapped to application permissions
• Since Exchange 2010, admins don't deal with ACLs
• Not in AD
• Not in Exchange

Exchange 2013 Administrative Tools

• All Exchange 2013 tools are based on Remote


PowerShell
• Exchange Management Shell
• Exchange Administration Center

• All tools leverage


• PowerShell v3.0
• Windows Remote Management (WinRM)
• Remote PowerShell through IIS
• RBAC incorporated into the IIS Remote PowerShell
implementation
• This is why even local EMS goes through IIS!

Question

• If WinRM is leveraged, why does "winrm enumerate winrm/config/Listener" not return any listener on Exchange 2013 servers by default?
• How do you connect to Exchange remotely using
plain PowerShell?
• $Session = New-PSSession -ConfigurationName
Microsoft.Exchange -ConnectionUri http://<FQDN of
Exchange server>/PowerShell/
• Import-PSSession $Session

Better than ACLs?

• RBAC provides much more granular model


• Exchange 2003 had 3 management groups
• Exchange Full Administrator
• Exchange Administrator
• Exchange View-Only Administrator
• Exchange 2007 had 5 management groups
• Exchange Organization Administrator
• Exchange Recipient Administrator
• Exchange View-Only Administrator
• Exchange Public Folder Administrator
• Exchange Server Administrator

Split Permissions

• Exchange Trusted Subsystem has full authority in AD
• Create / Delete computer accounts
• Create / Delete OUs
• Create / Delete user objects, groups, contacts, etc..

• Use Setup to switch to the Active Directory split permissions model
• Setup.exe /PrepareAD /ActiveDirectorySplitPermissions:true /IAcceptExchangeServerLicenseTerms

• RBAC permissions can achieve split permissions too
• More on split permissions later

RBAC Components

[Diagram: the RBAC model]
• Who? – Users and Administrators. Users receive roles through a Role Assignment Policy, administrators through a Role Group.
• What? – Management Role, made up of Role Entries (Cmdlet: Parameters).
• Where? – Management Scope: Recipient Read Scope, Configuration Read Scope, Recipient Write Scope, Configuration Write Scope.
• Role Assignment – the glue that connects Who, What and Where.
RBAC Components

• What – Roles/Cmdlets/Parameters
• Management Roles
• Group of cmdlets and parameters
• Defines a job role
• X pre-defined roles in Exchange 2013 CU1
• List all management roles
• Get-ManagementRole
• List end-user roles
• Get-ManagementRole | Where {$_.IsEndUserRole -eq $true}
• List admin roles
• Get-ManagementRole | Where {$_.IsEndUserRole -eq $false}

RBAC Components

• What – Roles/Cmdlets/Parameters
• Management Role Entries
• Represents an individual cmdlet and its parameters
• List Role Entries for a role
• Get-ManagementRoleEntry “RoleName\*”
• Filter by entry type with -Type (Cmdlet, Script, ApplicationPermission) or by parameter with -Parameters

RBAC Components

• What – Roles/Cmdlets/Parameters
• Creating new management roles
• Parent-Child hierarchy
• Built-In roles serve as a parent
• Existing custom roles can also be used to create new roles
• New “child” roles can be modified
• Can remove entries
• Can’t add entries parent role doesn’t have
• In general, every new role must be created from existing role
• There are always exceptions
• More on that later

RBAC Components

• What – Roles/Cmdlets/Parameters
• Creating new management roles (Continued…)
• An example
• New-ManagementRole -Name "Custom Role" -Parent "Recipient Policies"
• Get-ManagementRoleEntry "Custom Role\*"
• Get-ManagementRoleEntry "Custom Role\*" | Where {$_.Name -ne "Get-CASMailbox"} | Remove-ManagementRoleEntry
• Get-ManagementRoleEntry "Custom Role\*"
• Add-ManagementRoleEntry "Custom Role\Get-ActiveSyncDevice"
• Get-ManagementRoleEntry "Custom Role\*"
• Add-ManagementRoleEntry "Custom Role\Get-Mailbox"
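Worked example, added here and not part of the original deck: the slide above removes whole cmdlets, but least privilege usually means trimming a cmdlet down to a handful of parameters. The role, role group, OU and AD group names below are assumptions.

```powershell
# Added example, not from the original deck. Names are assumptions:
#   role "Helpdesk Password Reset", role group "Helpdesk L1 - Password Reset",
#   OU fabrikam.com/Users, AD group "helpdesk-l1".

# 1. Derive the child role. It starts as a copy of the parent and can never
#    hold a cmdlet or parameter the parent does not have.
New-ManagementRole -Name "Helpdesk Password Reset" -Parent "Mail Recipients"

# 2. Remove every entry except the two cmdlets the helpdesk actually needs.
Get-ManagementRoleEntry "Helpdesk Password Reset\*" |
    Where-Object { $_.Name -ne "Get-Mailbox" -and $_.Name -ne "Set-Mailbox" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Trim Set-Mailbox to the parameters that matter. Without -AddParameter or
#    -RemoveParameter, -Parameters replaces the whole parameter list.
Set-ManagementRoleEntry "Helpdesk Password Reset\Set-Mailbox" `
    -Parameters Identity, Password, ResetPasswordOnNextLogon -Confirm:$false

# 4. Verify the result before handing it out.
Get-ManagementRoleEntry "Helpdesk Password Reset\*" | Format-List Name, Parameters

# 5. Assign through a role group, never directly to a user, and confine writes
#    to one OU so the role cannot touch admin or service accounts elsewhere.
New-RoleGroup -Name "Helpdesk L1 - Password Reset" `
    -Roles "Helpdesk Password Reset" `
    -RecipientOrganizationalUnitScope "fabrikam.com/Users" `
    -Members "helpdesk-l1"

# 6. Confirm the effective write scope of the new assignment.
Get-ManagementRoleAssignment -RoleAssignee "Helpdesk L1 - Password Reset" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope
```

Role group membership is evaluated when the remote PowerShell session is created, so members need a fresh EMS or EAC session before the assignment takes effect.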

RBAC Components

• What – Roles/Cmdlets/Parameters
• Creating new management roles (Continued…)
• The exception - “Unscoped Top Level” role
• As the name implies:
• No scope can be assigned
• No parent can be assigned
• Creates an empty role container
• Must be member of “Unscoped Role Management” role to
create one
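Worked example, added here and not part of the original deck, of the exception just described (and one shape of the Lab 2 exercise): an unscoped top-level role that publishes a single provisioning script. The script name, its parameters, the database, the group name and the role name are assumptions.

```powershell
# Added example, not from the original deck. Script name, parameter set,
# database, group and role names are assumptions. Creating the role and the
# assignment requires the "Unscoped Role Management" role.

# 1. The script. It must live in <ExchangeInstallPath>\RemoteScripts on every
#    server that can host the caller's session. Everything the operator must
#    not choose (target database, initial password) is fixed inside it.
$scriptBody = @'
param(
    [Parameter(Mandatory = $true)][string]$Name,
    [Parameter(Mandatory = $true)][string]$UserPrincipalName
)
# Random one-time password from a CSPRNG; the user must change it at logon.
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$initial = [Convert]::ToBase64String($bytes)
$secure  = ConvertTo-SecureString $initial -AsPlainText -Force
New-Mailbox -Name $Name -UserPrincipalName $UserPrincipalName `
    -Database "MBX-TOKYO-01" -Password $secure -ResetPasswordOnNextLogon $true | Out-Null
[pscustomobject]@{ UserPrincipalName = $UserPrincipalName; InitialPassword = $initial }
'@
$scriptPath = Join-Path $env:ExchangeInstallPath "RemoteScripts\New-ProvisionedMailbox.ps1"
Set-Content -Path $scriptPath -Value $scriptBody -Encoding ASCII

# 2. Empty unscoped top-level role: no parent, no scope.
New-ManagementRole -Name "Mailbox Provisioning Scripts" -UnScopedTopLevel

# 3. Publish the script, exposing only the two parameters the operator may set.
Add-ManagementRoleEntry "Mailbox Provisioning Scripts\New-ProvisionedMailbox.ps1" `
    -Parameters Name, UserPrincipalName -Type Script -UnScopedTopLevel

# 4. Assign to a role group. Members get this script and nothing else. The
#    New-Mailbox inside it runs under the Exchange server's identity with no
#    scope applied, so the script body is the only control on what they can do.
New-RoleGroup -Name "Provisioning Operators" -Members "provisioning-team"
New-ManagementRoleAssignment -Name "Provisioning Scripts-Provisioning Operators" `
    -Role "Mailbox Provisioning Scripts" -SecurityGroup "Provisioning Operators" -UnScopedTopLevel
```

Treat the script file like a privileged binary: whoever can edit it in RemoteScripts can change what every operator does as Exchange Trusted Subsystem, so lock down the folder ACL and review changes to it.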

Lab

Lab2

• Create a script to create new mailbox


• Specify the database the mailbox must be created in
• Specify a password

• Create Unscoped Top Level role and assign the


script to it

RBAC Components

• Where – Self/OU/Scope
• Defined by RBAC management scope
• Inherited from parent if none specified
• Can be defined during role assignment
• Can be created using New-ManagementScope cmdlet
• OPATH filters (RecipientRestrictionFilter / ServerRestrictionFilter) define recipient or server restrictions
• Use ServerList to define server scopes by name
• Use RecipientRoot to define an OU scope
• Use Exclusive to make the matching objects writable only by assignments that name this scope; all other assignments lose write access to them

RBAC Components

• Where – Self/OU/Scope
• What is the expected result of the following cmdlets?
Why?
• New-ManagementScope -Name "Test" -RecipientRoot "fabrikam.com/Users" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
• New-RoleGroup "Test-Helpdesk" -Roles "View-Only Recipients" -CustomRecipientWriteScope "Test"
• Can’t assign a scope outside of implicit scope
boundaries
• Implicit scope for “View-Only Recipients” does not allow any
modifications
• Custom scope is allowing modifications
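Worked example, added here and not part of the original deck: the three scope types from the previous slides (recipient, exclusive, configuration), the working assignment, the failing one from the question above, and how an exclusive scope is actually attached. OU, server, group and scope names are assumptions.

```powershell
# Added example, not from the original deck. OU, server, group and scope names
# are assumptions.

# Recipient write scope: user mailboxes under one OU.
New-ManagementScope -Name "Tokyo Mailboxes" -RecipientRoot "fabrikam.com/Tokyo" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# Exclusive scope: from the moment it exists, only assignments that name it
# can write to the matching recipients; every other assignment loses them.
New-ManagementScope -Name "Executive Mailboxes" `
    -RecipientRestrictionFilter { MemberOfGroup -eq "CN=Executives,OU=Groups,DC=fabrikam,DC=com" } `
    -Exclusive

# Configuration write scope: a fixed list of servers.
New-ManagementScope -Name "Tokyo Servers" -ServerList "TYO-EX01", "TYO-EX02"

# Works: "Mail Recipients" has an Organization-wide implicit recipient write
# scope, so a narrower custom scope sits inside that boundary.
New-RoleGroup -Name "Tokyo Helpdesk" -Roles "Mail Recipients" `
    -CustomRecipientWriteScope "Tokyo Mailboxes" -Members "tokyo-helpdesk"

# Fails: "View-Only Recipients" has an implicit write scope of None, and a
# custom scope can only narrow the implicit scope, never widen it.
try {
    New-RoleGroup -Name "Test-Helpdesk" -Roles "View-Only Recipients" `
        -CustomRecipientWriteScope "Tokyo Mailboxes" -ErrorAction Stop
} catch {
    Write-Warning "Expected failure: $($_.Exception.Message)"
}

# Exclusive scopes go on the assignment through the Exclusive* parameters,
# not through CustomRecipientWriteScope.
New-RoleGroup -Name "Executive Support" -Members "exec-support"
New-ManagementRoleAssignment -Name "Mail Recipients-Executive Support" `
    -Role "Mail Recipients" -SecurityGroup "Executive Support" `
    -ExclusiveRecipientWriteScope "Executive Mailboxes"

# Server-scoped configuration role.
New-RoleGroup -Name "Tokyo Server Admins" -Roles "Exchange Servers" `
    -CustomConfigWriteScope "Tokyo Servers" -Members "tokyo-ops"

# Verify what each assignment can actually write to.
"Tokyo Helpdesk", "Executive Support", "Tokyo Server Admins" | ForEach-Object {
    Get-ManagementRoleAssignment -RoleAssignee $_
} | Format-Table Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope, `
    ConfigWriteScope, CustomConfigWriteScope -AutoSize
```

After the exclusive scope exists, the Tokyo Helpdesk group can still read executives' mailboxes (read scope is untouched) but any Set-* against them fails with an out-of-scope error; that is the behaviour to test with a non-administrator account before relying on it.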

RBAC Components

• Who – Admins/Users
• Role Assignees
• Can be direct assignment to a user
• Commonly assignments are created for a group
• Role Assignments for Administrators
• Role Assignment Policies for End Users

RBAC Components

• Who – Admins/Users
• Role Group Members
• Role groups located within “Microsoft Exchange Security
Groups” OU in AD
• New-RoleGroup cmdlet creates a new USG in the OU
• *-RoleGroupMember cmdlets allow manipulation of Role Group
memberships
• Use BypassSecurityGroupManagerCheck parameter to override
owner as admin or to manage Security Distribution Groups

Question

• Is it possible to move “Microsoft Exchange


Security Groups” OU to a different domain in the
forest?
• The otherWellKnownObjects attribute of the Exchange organization object is updated if the OU is moved
• How about moving groups to different OU?
• Only moving all groups is supported, moving only few
groups is not. Will it work?
• Where will it create new Role Groups?

RBAC Components

• Role assignment
• Glue to connect Who/Where/What
• New-ManagementRoleAssignment
• Role and one assignee (SecurityGroup, User or Policy) are required
• Scope is optional
• If no scope defined, assignment inherits scope from role

Question

• If I run the following cmdlet, what else do I need to do to


make permissions effective?
• New-RoleGroup -Name "Exchange Mailbox Import Export" -Roles "Mailbox Import Export" -Members "fabrikam\domain admins" -DisplayName "Exchange Mailbox Import Export"

Lab

Lab 3

• RBAC Planning Exercise


• Discuss a possible scenario for existing lab environment
• Ensure you have at least one configuration scope, one
exclusive scope and one user policy
• Implement and test it, Don’t use administrator account
for testing

RBAC Under the covers

• All tasks run under the security context of the


Exchange server providing the PowerShell session
• The Exchange servers are members of the Exchange Trusted Subsystem USG
• The Exchange Trusted Subsystem USG has the permissions to carry out all Exchange tasks
• Exchange has the permissions, RBAC determines
the level of access given to the user through the
Exchange management tools

Question

• What do you see in Active Directory audits when


an object is created or changed?
• How do you report details to auditors?
• Active Directory modifications are made by
Exchange Trusted Subsystem, Exchange Audit logs
must be used for details of actions performed by
admins
• What if cmdlet throws an error?
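Worked example, added here and not part of the original deck: because AD only ever records Exchange Trusted Subsystem as the actor, the Exchange admin audit log is where the admin's identity lives. This pulls the RBAC-affecting cmdlets out of it and flags anyone who added themselves to a role group (the Lab 1 question). The cmdlet list and look-back window are assumptions; the self-assignment match is a heuristic.

```powershell
# Added example, not from the original deck. Cmdlet list and look-back window
# are assumptions.

# Confirm the log is actually collecting before trusting anything below.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.AdminAuditLogEnabled) {
    Write-Warning "Admin audit logging is disabled; the results below are incomplete"
}

# Cmdlets that change who can do what. Every one of these deserves review.
$rbacCmdlets = @(
    "New-ManagementRole", "Add-ManagementRoleEntry", "Set-ManagementRoleEntry",
    "New-ManagementRoleAssignment", "Set-ManagementRoleAssignment",
    "New-ManagementScope", "Set-ManagementScope",
    "New-RoleGroup", "Add-RoleGroupMember", "Update-RoleGroupMember",
    "Set-AdminAuditLogConfig"
)

$entries = Search-AdminAuditLog -Cmdlets $rbacCmdlets `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 5000

# One line per change: who, what, on which object, and whether it succeeded.
$entries | Sort-Object RunDate -Descending |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded, Error,
        @{ n = "Parameters"; e = { ($_.CmdletParameters | ForEach-Object { "-$($_.Name) $($_.Value)" }) -join " " } } |
    Format-Table -AutoSize

# Self-assignment check: the caller put their own account into a role group.
# Caller is a canonical name (domain/OU/.../Name); the Member value is
# whatever the admin typed, so compare the trailing name only (heuristic).
$entries | Where-Object { $_.CmdletName -eq "Add-RoleGroupMember" } | ForEach-Object {
    $member     = ($_.CmdletParameters | Where-Object { $_.Name -eq "Member" }).Value
    $callerLeaf = ($_.Caller -split "/")[-1]
    $memberLeaf = ($member -split "[\\/]")[-1]
    if ($memberLeaf -and $callerLeaf -eq $memberLeaf) {
        Write-Warning "$($_.Caller) added themselves to $($_.ObjectModified) at $($_.RunDate)"
    }
}
```

Read-only cmdlets (Get-*, Search-*, Test-*) are not written to the admin audit log, so a Get-* against a sensitive object never appears here; the Succeeded and Error fields are what answer "what if the cmdlet threw an error?" for the cmdlets that are logged.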

Lab

Lab 4

• Open new PowerShell window


• Navigate to Exchange Bin folder
• Load ExShell.psc1

• Try to move a mailbox that is out of scope. Use the -Verbose parameter
• Did you get expected “out of scope” error?
• Why not?
• Will it show up in Audit logs?

• Now you know why not to use ExShell.psc1 to


schedule scripts (contrary to what you may find on
Google… err Bing)

Split Permissions

• Shared Permissions model vs Split Permissions


model
• Shared Permissions model is default
• Active Directory split permissions are implemented with Setup.exe; RBAC split permissions are a manual change to role assignments

• Shared Permissions model


• Doesn’t separate management of Exchange and AD
objects
• The Mail Recipient Creation role and the Security Group Creation and Membership role are assigned by default and allow creation of security principals in AD

Split Permissions
Shared Permission Model

• Doesn’t separate management of Exchange and


AD objects
• Organization Management and Recipient
Management Role Groups can create security
principals
• Mail Recipient Creation and Security Group
Creation and Membership Roles make it possible
• How can you check current assignments?

Split Permissions
RBAC Split Permissions vs Active Directory Split Permissions

• RBAC split permissions
• Separate who can create security principals from those who administer Exchange configuration
• Simplified process while maintaining separation
• Can use Exchange management tools
• Allow Exchange Servers and services to create security principals

• Active Directory split permissions
• Separation of roles as well as tools
• Several changes are made to permissions granted to Exchange Trusted Subsystem (ETS) and Exchange Servers
• Can't use Exchange management tools to create security principals
• Can't manage DG membership from Exchange management tools
Split Permissions

• RBAC Split Permissions


• Permissions to create security principals controlled by
RBAC
• Only Exchange servers, services and members of
appropriate groups can create security principals
• Switching to RBAC Split Permissions is a manual process
• To implement - http://bit.ly/17yvC5i
• To Remove - http://bit.ly/16TgQGZ

Split Permissions

• Active Directory Split Permissions


• Setup.exe /PrepareAD /ActiveDirectorySplitPermissions:true implements it during or after install
• Microsoft Exchange Protected Groups OU is created
• Exchange Windows Permissions (EWP) group is created or moved to that OU
• Exchange Trusted Subsystem (ETS) isn't added to the EWP group
• ACEs aren't added to AD domain object for EWP group
• Non-Delegating assignments are not created for Mail
Recipient Creation and Security Group Creation and
Membership
• More details - http://bit.ly/16Thp3w

Troubleshooting RBAC

Troubleshooting

• Get-* cmdlets are your friend


• Get-ManagementScope
• Get-ManagementRole
• Get-ManagementRoleEntry
• Get-RoleGroup
• Get-RoleGroupMember
• Get-RoleAssignmentPolicy
• Get-ManagementRoleAssignment

Troubleshooting

• Handy one-liners
• Get-ManagementRoleAssignment -Role "Organization Configuration" -GetEffectiveUsers -Delegating $False | FL Name, RoleAssigneeName, EffectiveUserName, AssignmentChain

• Get-ManagementRoleAssignment -WritableRecipient Administrator -GetEffectiveUsers
• WritableRecipient is the object in question
• EffectiveUsers are the ones who are able to modify the object based on their role assignments

Troubleshooting

• More useful one-liners


• Can user x modify object y?
• Get-ManagementRoleAssignment -WritableRecipient "object y" -GetEffectiveUsers | ?{$_.EffectiveUserName -eq "user x"}

• Who is assigned to a Management Role?


• Get-ManagementRoleAssignment -Role 'Legal Hold' -GetEffectiveUsers -Delegating:$false | select EffectiveUserName -Unique
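Worked example, added here and not part of the original deck: the one-liners above start from a role or a recipient; during an investigation the question is usually "who can run this cmdlet, with this parameter?" This walks role entries back to effective users and answers the Lab 1 question about mailbox export. The function name is an assumption.

```powershell
# Added example, not from the original deck. Function name is an assumption.
function Get-CmdletEffectiveUsers {
    param(
        [Parameter(Mandatory = $true)][string]$Cmdlet,
        [string]$Parameter
    )
    # Every role whose entries include the cmdlet (and, if given, the parameter).
    # Get-ManagementRoleEntry accepts a wildcard role name and a -Parameters filter.
    $entries = if ($Parameter) {
        Get-ManagementRoleEntry "*\$Cmdlet" -Parameters $Parameter -ErrorAction SilentlyContinue
    } else {
        Get-ManagementRoleEntry "*\$Cmdlet" -ErrorAction SilentlyContinue
    }
    foreach ($entry in $entries) {
        # Delegating assignments only let someone hand the role out, not run
        # it, so they are excluded here.
        Get-ManagementRoleAssignment -Role $entry.Role -GetEffectiveUsers -Delegating:$false |
            Select-Object @{ n = "Role"; e = { $entry.Role } },
                          EffectiveUserName, RoleAssigneeName, RoleAssigneeType,
                          RecipientWriteScope, CustomRecipientWriteScope, ConfigWriteScope
    }
}

# Who can start a PST export today, and through which role and scope?
Get-CmdletEffectiveUsers -Cmdlet New-MailboxExportRequest |
    Sort-Object EffectiveUserName, Role -Unique | Format-Table -AutoSize

# Who can set another user's password via Set-Mailbox?
Get-CmdletEffectiveUsers -Cmdlet Set-Mailbox -Parameter Password |
    Sort-Object EffectiveUserName -Unique | Format-Table -AutoSize
```

An empty result for New-MailboxExportRequest is the out-of-the-box state: the cmdlet exists only in the Mailbox Import Export role, which has no default assignment. A non-empty result is the list of people to check against the audit log.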

Lab

Lab 5

• Do not assign roles directly to users in this lab


• Admin Roles Lab
• Create administrative users – at least one each for Tokyo,
Redmond and London
• Create two server administrator roles (based on the
“Exchange Servers” role)
• One role to administer the Tokyo server
• One role to administer the London server
• Use server restriction filter for one (and only one) of these roles

Lab 5 (Continued…)

• User Roles Lab


• Create a default user role policy such that all users can
change their Home Phone and Mobile Phone, but no
other contact information
• Ensure that this role is applied to all existing users
• Ensure that this role is automatically applied to all new
users
• Create at least one new user after applying the policy and ensure the policy is applied as expected
• Ensure that EAC/ECP reflects the changes that you made
with this policy

Lab 6

• Implement AD Split Permissions


• Go ahead, feel the pain! 

Summary

Role Based Access Control

• Allows granular access to application management


• Exchange along with other Microsoft products
such as Lync deploys RBAC for permissions
management
• Exchange 2013 allows for custom role creation
and addition/removal of cmdlets and parameters
• Consider permissions delegation and custom roles
during planning phase to deploy “least privilege”
permissions model

Q&A

