Visitor
essexboy
Posts: 1
Registered: 10-01-2008
My Device: Not Specified

Domain Admins Cannot Send Emails

Hi

I have a couple of users that are part of some of the built-in groups, including Domain Admins.

How can I enable them to send email from the BlackBerry?

Thanks

Forums Veteran I
BBsingh
Posts: 1,546
Registered: 04-01-2008
My Device: 8120, Storm, 8200

Re: Domain Admins Cannot Send Emails

Check the solution on this thread: http://supportforums.blackberry.com/rim/board/message?board.id=BlackBerryDesktopSoftware&message.id=...

*****************************************************************************
Click on KUDOS to appreciate our efforts and mark the thread RESOLVED if your issue is resolved.
Forums Veteran II
AndyDufresne
Posts: 2,744
Registered: 04-01-2008
My Device: Bold

Re: Domain Admins Cannot Send Emails

Admin accounts shouldn't be used at a user level ... AdminSDHolder / principle of least privilege

------------------------------
If you've found a solution through a post; please mark it as a solution.
If someone's was particularly helpful, give them kudo's!.


Get busy living, or get busy dying.

http://blog.port3101.org/hdawg/
New Contributor
MMMM
Posts: 8
Registered: 09-30-2008
My Device: Not Specified

Re: Domain Admins Cannot Send Emails

And you should never use an application that requires a "user" account to access mailboxes. This is to prevent malicious use of the account, so that no one can log in as the application's user account and read other people's email ... oh, wait! You can do that with BES.

Oh well, same reason permissions on administrator accounts cannot be used for BB.

Forums Veteran II
AndyDufresne
Posts: 2,744
Registered: 04-01-2008
My Device: Bold

Re: Domain Admins Cannot Send Emails


MMMM wrote:

And you should never use an application that requires a "user" account to access mailboxes. This is to prevent malicious use of the account, so that no one can log in as the application's user account and read other people's email ... oh, wait! You can do that with BES.

Oh well, same reason permissions on administrator accounts cannot be used for BB.

Why shouldn't you use an application that requires a "user" account? I'm glad you put user in quotes, as while it is a user account, it can be secured so that it cannot log in interactively, that it can only log in from specific workstations, and with proper auditing in place you've effectively mitigated any supposed security risk. ... All things that any security professional would recommend you do anyway.

New Contributor
MMMM
Posts: 8
Registered: 09-30-2008
My Device: Not Specified

Re: Domain Admins Cannot Send Emails

You should not use an application that requires a "user" account for many reasons; most deal with password policies and auditing. You would only do it if you had no other way to do it. It is bad form.

In the case of BES it is very insecure. Yes, you can set the account not to log in interactively, and if you want, make it so you can log in from specific workstations. I say go for it. That would prevent a person from logging into a system. However, you do not need to log into a system to view email. The only thing that will let you know something is going on would be the audit trail. However, those things do not even come close to effectively mitigating the security risk.

Any security professional who will claim that title will point out that none of your suggestions will stop another user from using the BES "user" account to read other people's email. Both Telnet and OWA are the easiest ways to work around your recommendations. It is the nature of what the BES account does that makes it so difficult to secure.

So how would you mitigate the security risk? For starters, how do you stop a user from going to http://exchange/OWA/UserAccount and just logging in with the BES account?


Forums Veteran II
AndyDufresne
Posts: 2,744
Registered: 04-01-2008
My Device: Bold

Re: Domain Admins Cannot Send Emails


MMMM wrote:

So how would you mitigate the security risk? For starters, how do you stop a user from going to http://exchange/OWA/UserAccount and just logging in with the BES account?

I'd disable OWA logon for that user.

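As an added example (not from any poster in this thread, nor from RIM), here is how the controls AndyDufresne describes in his two replies above, logon restricted to the BES host, OWA disabled for the service account, plus a posture check and a logon-audit query, could be applied with the ActiveDirectory module (Windows Server 2008 R2 or later) and the Exchange Management Shell (Exchange 2007 or later). The account name 'svc-bes' and host name 'BES01' are placeholders.

```powershell
# Added example, not from the thread: lock down a BES-style Exchange service
# account along the lines of the posts above. Assumes the ActiveDirectory
# module (Server 2008 R2+) and the Exchange Management Shell (2007+).
# 'svc-bes' and 'BES01' are placeholders for the real account and BES host.
Import-Module ActiveDirectory

$Account = 'svc-bes'   # placeholder: the BES service account
$BesHost = 'BES01'     # placeholder: the only host that should use it

# 1. The account may authenticate only from the BES server (userWorkstations
#    attribute). Interactive logon on that host is denied separately via GPO
#    (User Rights Assignment, "Deny log on locally"), which is not shown here.
Set-ADUser -Identity $Account -LogonWorkstations $BesHost `
           -PasswordNeverExpires $true -CannotChangePassword $true

# 2. Close the front doors the service does not need. BES talks MAPI to the
#    Exchange server, so MAPI stays enabled; OWA, ActiveSync, POP and IMAP
#    are the client paths the thread worries about and are switched off.
Set-CASMailbox -Identity $Account -OWAEnabled $false -ActiveSyncEnabled $false `
               -PopEnabled $false -ImapEnabled $false

# 3. Verify the posture, so an audit (or an admin quietly turning OWA back on)
#    shows up as a failed check rather than going unnoticed.
function Test-ServiceAccountPosture {
    param([string]$Identity, [string]$AllowedHost)
    $ad  = Get-ADUser -Identity $Identity -Properties LogonWorkstations, PasswordNeverExpires
    $cas = Get-CASMailbox -Identity $Identity
    [pscustomobject]@{
        LogonRestricted      = ($ad.LogonWorkstations -eq $AllowedHost)
        PasswordNeverExpires = $ad.PasswordNeverExpires
        OWADisabled          = -not $cas.OWAEnabled
        ActiveSyncDisabled   = -not $cas.ActiveSyncEnabled
        PopImapDisabled      = (-not $cas.PopEnabled) -and (-not $cas.ImapEnabled)
    }
}
Test-ServiceAccountPosture -Identity $Account -AllowedHost $BesHost

# 4. Detection: a successful logon (event 4624) for the account from any
#    workstation other than the BES server is the "someone else knows the
#    password" case MMMM raises. Run against the DC or Exchange security log.
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624} -MaxEvents 5000 |
    Where-Object {
        $_.Properties[5].Value -eq $Account -and     # TargetUserName
        $_.Properties[11].Value -ne $BesHost         # WorkstationName
    } |
    Select-Object TimeCreated,
                  @{n = 'LogonType';   e = { $_.Properties[8].Value } },
                  @{n = 'Workstation'; e = { $_.Properties[11].Value } },
                  @{n = 'SourceIP';    e = { $_.Properties[18].Value } }
```

Network logons sometimes carry an empty WorkstationName, so the detection query will surface those too; treat them as worth a look rather than noise, since a service account should have a very predictable logon pattern.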
New Contributor
MMMM
Posts: 8
Registered: 09-30-2008
My Device: Not Specified

Re: Domain Admins Cannot Send Emails

And your rogue administrator goes in, turns it off, looks into someone’s email and then turns it back on. The point is the "account" should not be able to do OWA in the first place. So how do you get BES to work without a user account, so that it would pass a medium security audit? You would think someone at BlackBerry would be working on this huge security hole?

Forums Veteran II
AndyDufresne
Posts: 2,744
Registered: 04-01-2008
My Device: Bold

Re: Domain Admins Cannot Send Emails


MMMM wrote:

And your rogue administrator goes in, turns it off, looks into someone’s email and then turns it back on. The point is the "account" should not be able to do OWA in the first place. So how do you get BES to work without a user account, so that it would pass a medium security audit? You would think someone at BlackBerry would be working on this huge security hole?

Ok, so just as your administrator could do that, they could just as easily create a new temporary account, assign the permissions to that account, perform the action, and then delete the account.

This isn't a huge security hole; you're not looking at this from the big picture. If someone is so concerned with this account, auditing will be turned on, and notifications will occur if/when some action that shouldn't happen occurs.

BES is good enough for the US Government security audits, along with the thousands of independent security audits that happen in the US annually.

New Contributor
MMMM
Posts: 8
Registered: 09-30-2008
My Device: Not Specified

Re: Domain Admins Cannot Send Emails

It is not just the administrator; it is anyone who knows the BES account's password. They can log in to any system, or just do a Telnet as the BES account, and they can get to anyone's email. Of course it will show up in the logs, but you would need to monitor a lot and set a lot of triggers.

The default security permissions that Microsoft has placed on Administrator accounts, specifically to prevent the abuse of reading other users' mail, would not work for the BES account because it will break BES? And you know of no way to configure BES as a true service.

BTW, from my recollection the US government security audits do not test the BES account's access; the account is seen more as a service account than a user account. But I will need to check this on the next audit.