If you tell enough stories, perhaps the moral will show up.

2009-06-15

Ouch!

As Fail goes, this one is a) personal and b) embarrassing.
Four years ago, just as I was starting this position, I met a recent contractor leaver on the train. In our conversation it emerged that he was getting email from his work account. I asked him how and he wouldn't tell me. Playful, but definite, refusal. I think he wanted to impress me with his skills. I checked -- with some difficulty, our logging is better now -- and his account was definitely disabled, the VPN accesses made sense, and I had a hundred other holes to fix, so I let it go. He was an honest man, so I was annoyed rather than fearful.
Now one of the things we fixed, as four years roll by, is the leaver process. Accounts are disabled on departure and deleted after three months and we have two independent cross checks to confirm that. Home drives and mailboxes are kept for three months for reference, archived, and deleted with the account.
So now, in 2009, we're looking at data leakage. I wrote a report to identify top correspondents to specific mail addresses -- looking for a John Smith sending two hundred mails a week to johnsmith8209@yahoo.com. To cut a long story short, I found what I was looking for, but I also found, way up that list, a leaver: left a couple of months ago. She shouldn't have been sending anything, but there it was -- all off to personal accounts -- several of them, apparently.
And this is my problem. We disable the accounts and log off or rebuild the workstations, but that doesn't -- contrary to all the assumptions of auditors and provisioning experts -- stop leavers from running code. You can't disable an Exchange mailbox, and so any server-side rules -- and yes, that includes forwarding rules -- will continue to run.
I don't quite know what to do about this.

  • It's quite laborious to set things up to remove rules from someone else's mailbox, as Outlook only displays rules from the primary mailbox.
  • The MAPI Editor lets you remove rules if you attach the box to your profile, but it's a complex tool with a huge capacity for mischief or misfortune, and anyway I'd really rather disable them.
  • There are some gateway options, but they're very global, and I don't want a global ban (I might go for it though, if it's all I can do.)
  • We could do the box early in the leavers process, but not instantly, and that's when I want the rules to stop.
It seems like there should be a utility -- point it at a mailbox and it unchecks the "enable" on every rule that forwards mail -- ideally, every rule that forwards mail to a non-local address. I can find documentation for Exchange 2K10 which has Get-InboxRule and Disable-InboxRule. But twenty minutes with MAPI Editor shows me it may not be that easy...
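For the record, here is roughly what that "point it at a mailbox" utility looks like on Exchange 2010, written against the Get-InboxRule / Disable-InboxRule cmdlets mentioned above. This is an added example, not code from the original post or from Microsoft; the mailbox identity, the list of internal domains, and the helper function names are assumptions. It disables (rather than deletes) every enabled rule whose forward, forward-as-attachment or redirect target resolves to an address outside the listed domains, so the rule is preserved as evidence of what the leaver set up.

```powershell
# Added example (not the post's own code): disable every server-side inbox rule on a
# leaver's mailbox that forwards or redirects mail to an address outside our domains.
# Assumes an Exchange 2010 Management Shell session where Get-InboxRule and
# Disable-InboxRule are available. The mailbox identity, the internal domain list and
# the two helper function names are assumptions for illustration.

param(
    [Parameter(Mandatory = $true)]
    [string]$Mailbox,                                  # e.g. leaver@example.com (assumed)
    [string[]]$InternalDomains = @('example.com'),     # assumed: our own accepted domains
    [switch]$WhatIf                                    # dry run: report, don't disable
)

# Pull the SMTP address out of a recipient string as Exchange renders it, e.g.
#   "Jane Smith" [SMTP:janesmith8209@yahoo.com]
# or a bare address. Returns $null when no SMTP address can be found.
function Get-SmtpAddress([string]$Recipient) {
    if ($Recipient -match '\[SMTP:([^\]]+)\]') { return $Matches[1].ToLower() }
    if ($Recipient -match '^[^@\s"]+@[^@\s"]+$') { return $Recipient.ToLower() }
    return $null
}

# An address is external when its domain part is not one of ours.
function Test-ExternalAddress([string]$Address, [string[]]$Domains) {
    if (-not $Address) { return $false }
    $domain = ($Address -split '@')[-1]
    return -not ($Domains -contains $domain)
}

$rules = Get-InboxRule -Mailbox $Mailbox
foreach ($rule in $rules) {
    if (-not $rule.Enabled) { continue }

    # ForwardTo, ForwardAsAttachmentTo and RedirectTo all push a copy off the server;
    # a rule can carry more than one target in each.
    $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
    $external = $targets |
        ForEach-Object { Get-SmtpAddress ([string]$_) } |
        Where-Object { Test-ExternalAddress $_ $InternalDomains }

    if ($external) {
        Write-Host ("{0}: rule '{1}' sends mail to {2}" -f $Mailbox, $rule.Name, ($external -join ', '))
        # Disable, don't delete: the rule itself is the evidence of what was set up.
        Disable-InboxRule -Identity $rule.Identity -Confirm:$false -WhatIf:$WhatIf
    }
}
```

Run it with -WhatIf first to see what it would touch. One caveat worth knowing before pointing it at a live mailbox: Exchange warns that modifying inbox rules from PowerShell (or OWA) discards any client-only rules Outlook stored in the mailbox, which is harmless on a leaver's box but not something to do to a current user without telling them. Rules that forward to an internal address are deliberately left alone here, since those are the ones you may still want running to a manager or successor.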
