Managing groups with groups in Exchange 2013 CU1

Exchange 2013 CU1 brings back the feature that allows groups to manage other groups - very good news! But you have to take care because it's possible to add some very special groups to the ownership of other groups and that might just be a security problem.


One of the small but very welcome changes made in Exchange 2013 CU1 is the reintroduction of support for “groups managing groups”. This feature was supported in previous versions of Exchange but was removed in Exchange 2010. Microsoft published some workarounds to help companies migrating to Exchange 2010 cope with the problem. The net effect was a real mess.

With Exchange 2013 CU1 you can now edit the ownership properties of groups and add other groups to the ownership list. The groups that you use for this purpose must be security-enabled groups; you can’t use “normal” groups or dynamic distribution groups because neither type is a security principal. Without the ability to be authenticated to Windows, normal groups and dynamic distribution groups cannot be used for management purposes. This should not come as a surprise because the same restriction exists in previous versions of Exchange.

Everything works as you’d expect and I think that the return of this feature will be welcomed by administrators. However, I do want to point out one concern that I have with the implementation that I have reported as a bug (in my opinion, anyway) to Microsoft.

The picker used by the Exchange Administration Center (EAC) to present the list of valid mailboxes and groups that can be selected as group owners selects these objects from Active Directory. However, I think a better filter could have been used to build the list. If you look at the screen shot below, you can see that it includes some highly privileged “special” security groups such as Exchange Trusted Subsystem and Exchange Servers. And yes, you can go ahead and add these groups to the ownership list for a group.

There’s no way in the world that I would ever recommend that you should add these groups to the ownership of another group. In fact, I bet those who look after system security would think that even exposing these groups in EAC’s picker represents a potential security vulnerability simply because these groups are so highly permissioned.

You can also add these special groups to the ownership of other groups with EMS, which might be considered a separate bug. For example:

Set-DistributionGroup -Identity 'My Group' -ManagedBy 'Exchange Trusted Subsystem'

It’s possible that I am being a tad critical here but I don’t think so. In my mind, highly permissioned objects should be hidden out of sight and never exposed unless absolutely necessary. Listing them alongside more prosaic security groups and mailboxes does not come into the “absolutely necessary” category. I hope that Microsoft uses a better filter in future, but for now you have been warned.
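As an added example (not code from the original post), the following Exchange Management Shell script does two things a defender would want after reading the above: it audits every distribution group for owners drawn from the privileged system groups the post names, and it wraps Set-DistributionGroup in a check that refuses those groups and insists that any group owner is security-enabled. The function names and the $PrivilegedOwnerNames list are this example's own; the list holds only the two groups the post mentions and is meant to be extended for your environment.

```powershell
# Added example, not from the original post. Run from the Exchange Management
# Shell (EMS). Function names and $PrivilegedOwnerNames are this example's own.

# Groups the post calls out as never belonging on an ownership list.
$PrivilegedOwnerNames = @(
    'Exchange Trusted Subsystem',
    'Exchange Servers'
)

function Get-RiskyGroupOwnership {
    <#
      Returns one object per (group, owner) pair where the owner is one of the
      privileged system groups listed above. No output means nothing was found.
    #>
    [CmdletBinding()]
    param()

    Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
        $group = $_
        foreach ($owner in $group.ManagedBy) {
            # ManagedBy holds ADObjectId values; compare on the object's Name.
            if ($PrivilegedOwnerNames -contains $owner.Name) {
                [PSCustomObject]@{
                    Group = $group.Name
                    Owner = $owner.Name
                }
            }
        }
    }
}

function Add-GroupOwnerChecked {
    <#
      Adds $Owner to $Group's ManagedBy list only if it is (a) not one of the
      privileged system groups and (b) when it is a group, security-enabled,
      which is the group type Exchange requires for ownership. Existing
      owners are preserved. Supports -WhatIf via ShouldProcess.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $Owner
    )

    # Resolve the candidate owner (mailbox or group) to a single recipient.
    $recipient = Get-Recipient -Identity $Owner -ErrorAction Stop

    if ($PrivilegedOwnerNames -contains $recipient.Name) {
        throw "Refusing to make privileged group '$($recipient.Name)' an owner of '$Group'."
    }

    # Groups must be security principals; reject distribution-only and
    # dynamic groups, which Exchange would not accept as managers anyway.
    if ($recipient.RecipientType -match 'Group') {
        $g = Get-Group -Identity $recipient.DistinguishedName -ErrorAction Stop
        if ($g.GroupType -notmatch 'SecurityEnabled') {
            throw "'$($recipient.Name)' is not a security-enabled group and cannot manage '$Group'."
        }
    }

    $current = Get-DistributionGroup -Identity $Group -ErrorAction Stop
    # Rebuild the owner list by distinguished name and append the new owner.
    $owners = @($current.ManagedBy | ForEach-Object { $_.DistinguishedName })
    if ($owners -notcontains $recipient.DistinguishedName) {
        $owners += $recipient.DistinguishedName
    }

    if ($PSCmdlet.ShouldProcess($Group, "Set ManagedBy to: $($owners -join '; ')")) {
        Set-DistributionGroup -Identity $Group -ManagedBy $owners
    }
}

# Usage:
#   Get-RiskyGroupOwnership | Format-Table -AutoSize
#   Add-GroupOwnerChecked -Group 'My Group' -Owner 'Sales Admins' -WhatIf
```

The audit function is the one to schedule: the EAC picker will go on offering the special groups until the filter changes, so periodically listing any group whose ManagedBy already contains them is the practical control. The wrapper only guards changes made through it; it does not stop an administrator from running Set-DistributionGroup directly.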

Follow Tony @12Knocksinna



Tony Redmond

Tony Redmond is a senior contributing editor for Windows IT Pro and the author of Microsoft Exchange Server 2010 Inside Out (Microsoft Press) and Microsoft Exchange Server 2013 Inside Out: Mailbox...