Streamlining your Exchange Server permissions to prevent bad actors from gaining unauthorized access to your organization’s email

Your data is very important! Email servers are a gold mine for hackers…

Modern-day cyber security threats are constantly evolving, making it increasingly difficult for organizations to protect their networks and data from unauthorized access. Some of the most common threats include:

  • Phishing: This is a method of tricking users into providing sensitive information, such as login credentials, by disguising a malicious link or email as a legitimate one.
  • Ransomware: This is a type of malware that encrypts the victim’s files and demands a ransom payment in exchange for the decryption key.
  • Advanced Persistent Threats (APT): These are highly targeted attacks that are usually carried out by nation-state actors or other sophisticated groups. They are designed to steal sensitive information or disrupt operations over a prolonged period of time.
  • Cloud attacks: As more organizations are moving their data and infrastructure to the cloud, they become vulnerable to attacks on these cloud-based systems.

To combat these threats, organizations must implement robust security measures, such as firewalls, intrusion detection and prevention systems, and regular security training for employees.

Streamlining your Exchange Server permissions is an important step to prevent bad actors from gaining unauthorized access to your organization’s email and communication infrastructure:

Exchange Server is a popular email and calendar service used by businesses and organizations of all sizes. One of the key features of Exchange Server is its ability to use a split permissions model, which allows administrators to delegate control over certain aspects of the service while maintaining a high level of security.

Exchange Server offers three permissions models:

  1. Shared Permissions (Default)
  2. RBAC Split Permissions
  3. Active Directory Split Permissions

The shared permissions model is the default model for Exchange. You don’t need to change anything if this is the permissions model you want to use. This model doesn’t separate the management of Exchange and Active Directory objects from within the Exchange management tools. It allows administrators using the Exchange management tools to create security principals in Active Directory.

The following illustration shows Bob managing the entire infrastructure, so once Bob is compromised, the entire organization is at risk!

Shared permissions (Default)

RBAC Permissions (Role Based Access Control) Recommended

The RBAC permissions model in Exchange Server allows administrators to assign different levels of access to different users or groups of users. For example, an administrator may want to give a group of users the ability to create and manage email distribution lists, while another group of users may only be allowed to send and receive email.

Permissions to create security principals in the Active Directory domain partition are controlled by RBAC. Only Exchange servers, services, and those who are members of the appropriate role groups can create security principals.

Always consider segregating roles.

Role Based Access Control
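
To check that the roles which create security principals are actually segregated, the sketch below lists every user who effectively holds them and the role group that grants them. It is an added example, not code from the original post: the function name `Find-PrincipalCreator`, the role group `AD Principal Creators` and the sample rows are assumptions made for illustration.

```powershell
# Added example. Exchange management roles that allow creating security principals in AD.
$CreationRoles = 'Mail Recipient Creation', 'Security Group Creation and Membership'

function Find-PrincipalCreator {
    param(
        # Rows shaped like the output of Get-ManagementRoleAssignment -GetEffectiveUsers
        [Parameter(Mandatory)] [object[]] $Assignment,
        # Role groups approved to hold the creation roles
        [string[]] $AllowedGroup = @()
    )
    $Assignment |
        Where-Object {
            "$($_.Role)" -in $CreationRoles -and
            $_.RoleAssignmentDelegationType -eq 'Regular' -and    # skip delegating-only assignments
            $_.EffectiveUserName -ne 'All Group Members'          # skip the row for the group itself
        } |
        Group-Object EffectiveUserName |
        ForEach-Object {
            $via        = @($_.Group.RoleAssigneeName | Sort-Object -Unique)
            $unapproved = @($via | Where-Object { $_ -notin $AllowedGroup })
            [pscustomobject]@{
                User       = $_.Name
                Roles      = @($_.Group.Role | Sort-Object -Unique) -join '; '
                GrantedVia = $via -join '; '
                Finding    = if ($unapproved) { "unapproved path: $($unapproved -join '; ')" } else { 'ok' }
            }
        }
}

# Constructed sample rows, not real output. 'AD Principal Creators' is a hypothetical role group.
$sample = @(
    [pscustomobject]@{ Role = 'Mail Recipient Creation'; RoleAssigneeName = 'Organization Management'
                       RoleAssignmentDelegationType = 'Regular'; EffectiveUserName = 'bob' }
    [pscustomobject]@{ Role = 'Security Group Creation and Membership'; RoleAssigneeName = 'Organization Management'
                       RoleAssignmentDelegationType = 'Regular'; EffectiveUserName = 'bob' }
    [pscustomobject]@{ Role = 'Mail Recipient Creation'; RoleAssigneeName = 'AD Principal Creators'
                       RoleAssignmentDelegationType = 'Regular'; EffectiveUserName = 'alice' }
    [pscustomobject]@{ Role = 'Mail Recipient Creation'; RoleAssigneeName = 'Organization Management'
                       RoleAssignmentDelegationType = 'Delegating'; EffectiveUserName = 'carol' }
)

Find-PrincipalCreator -Assignment $sample -AllowedGroup 'AD Principal Creators' | Format-Table -AutoSize

# Against a live organization, run in the Exchange Management Shell and feed real data instead:
# $live = $CreationRoles | ForEach-Object { Get-ManagementRoleAssignment -Role $_ -GetEffectiveUsers }
# Find-PrincipalCreator -Assignment $live -AllowedGroup 'AD Principal Creators'
```

With the sample rows, `bob` is flagged because he reaches both creation roles through Organization Management, `alice` is reported as `ok`, and `carol` is omitted because her assignment is delegating only.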

Active Directory Split Permissions (Very Restrictive)

With Active Directory split permissions, the creation of security principals in the Active Directory domain partition, such as mailboxes and distribution groups, must be performed using Active Directory management tools. Several changes are made to the permissions granted to the Exchange Trusted Subsystem and Exchange servers to limit what Exchange administrators and servers can do.


Overall, the split permissions model in Exchange Server is a powerful tool that allows administrators to delegate control while maintaining security and compliance. It is an essential component of an effective Exchange Server environment and can help organizations to better manage their email and calendar services.
