Secure Outlook OST

Our company have finally taken the hint from MS and decided to start using cached mode for Outlook.

Performance on test machines etc much better which is great.

However, security folks are getting a bit touchy on it as it leaves the OST sitting on the disk which, in theory, can be cracked open by someone else within the company.
They're not that interested in external folk getting them so I don't think they're looking at encrypting the drive. It's more internal where encryption wouldn't help.

I thought this would be nice and simple as most users are not local admin and therefore can't get into the c:\users folder of another. However, they're looking for ways of preventing local admins doing so too (basically most of IT).

Thinking of shifting the OST to a different location and scripting permissions on the folder but can't get around the fact that at the end of the day if they're local admin they can just take ownership and change permissions to let themselves in? Could get the script to look at those permissions at login/out and shoot an email if it's different to what it expects but that's getting pretty messy.

Anyone have any ideas?!
 
Agreed, I think best case might be able to pick up where someone has changed the rights to a folder they shouldn't.
Even then if they know to stick it back afterwards a script would miss that.

...unless I set the owner of the folder to the user, only way to change permissions would be to change ownership to local admin group or yourself where you wouldn't be able to set back to the rightful owner afterward.
Bah, messy.
 
I thought this would be nice and simple as most users are not local admin and therefore can't get into the c:\users folder of another. However, they're looking for ways of preventing local admins doing so too (basically most of IT).

What you request could be very tricky. Local IT will need to be able to access the local Outlook data files to do their job when Outlook isn't working locally. Typically repairing, deleting, renaming, copying etc.

I suggest you need to look at the problem another way: detect and report the access happening. You can do this by setting up auditing. Not one of my specialisms, I'm afraid, but I know it can be done. You'll need some central management tools as well so you can monitor all the audit logs.

That said, you could take the opportunity to review and segment which staff have admin rights and which subset of admin rights they have. IT staff should never have admin rights on their own credentials, but have separate admin logins. Staff who only install and remove apps don't need admin rights over c:\users etc.
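
The auditing approach suggested in the reply above, as an added example that is not part of the original thread: it puts an audit entry (SACL) on the OST folder for permission and ownership changes, then lists the matching Security log events, so a change that is later reverted still leaves a record. The `$OstFolder` parameter, the elevated session, and the English subcategory name passed to `auditpol` are assumptions.

```powershell
# Added example: audit permission/ownership changes on an Outlook OST folder.
# Assumptions: run from an elevated session on the workstation; $OstFolder is
# supplied by the caller; auditpol subcategory name is the English one.
param(
    [Parameter(Mandatory)]
    [string] $OstFolder   # e.g. C:\Users\<user>\AppData\Local\Microsoft\Outlook
)

# 1. Enable the "File System" audit subcategory so SACL hits reach the Security log.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit rule: log any account (Everyone, S-1-1-0) that changes
#    permissions or takes ownership of the folder or anything inside it.
#    ReadData could be added too, at the cost of logging the owner's own Outlook.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $OstFolder -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $OstFolder -AclObject $acl

# 3. Report object-access (4663) and permission-change (4670) events under the folder.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670 } `
                     -ErrorAction SilentlyContinue
foreach ($evt in $hits) {
    # Read the event's named data fields instead of relying on their position.
    $data = @{}
    foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    $object = [string]$data['ObjectName']
    if ($object.StartsWith($OstFolder, [System.StringComparison]::OrdinalIgnoreCase)) {
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            EventId = $evt.Id
            Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = $object
            Process = $data['ProcessName']
        }
    }
}
```

The report only reads the local Security log; for the central monitoring the reply mentions, the same two event IDs are the ones to forward.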
 
...unless I set the owner of the folder to the user, only way to change permissions would be to change ownership to local admin group or yourself where you wouldn't be able to set back to the rightful owner afterward.

I believe there are tools to change ownership to any user.
 
If it was my company and I was that concerned then a terminal services/remote access situation would be set up for mail access with special admin rights only for the trustworthy. After all this kind of thing is part of the reason companies use thin clients.

I'd have a server set up just for mail access with Terminal services licenses for all mail users...of course this becomes less practical for lots of mail users
 
Terminal Servers and Cached mode Outlook do not mix well.

Nate

Depends where the profile is stored - I've seen many a terminal server with local profiles and OST files.

By default only the user will have access to the OST. To gain access requires elevated privileges. If the security people are not happy with that then the people who have the elevated rights are the ones they need to look at rather than the OST because, typically, the people who have the elevated rights can already gain access to someone's mailbox by just giving them full control on that person's account in Exchange.

Normally the people with elevated rights are admins.



M.
 