Administrators often forget that managing email is not simply a question of who can send or receive messages, or of what they contain. Once a message arrives it sits in a mailbox folder, and the real question is who has permission to access that folder, or any of the others.
With high staff turnover increasingly common, a stressed administrator can easily lose track of individual permissions. For example, many companies keep a set of freelance or contract email accounts that are assigned to temporary staff. The permissions one contractor needed may be far more extensive than those the next one requires, yet the successor inherits them on arrival. And human nature being what it is, inquiring minds will almost certainly take advantage of this, whether innocently or maliciously.
C2C Systems has been looking at all aspects of email security for 10 years, and has evolved a comprehensive email lifecycle strategy. Part of that strategy is Exchange Security Risk Auditor (ESRA), a standalone application that analyzes all folders on an Exchange server and lists all permissions.
The product is installed on a machine running Windows 2000, Exchange and Outlook. The only proviso is that the user installing ESRA must already hold permissions up to and including those they wish to see and change. Given that the most valuable, and potentially most dangerous, permissions are the highest-level ones, this means that employee must be an extremely trusted member of the company.
Installation is straightforward, and configuration is just as easy. Starting with the question "who has rights over my mailbox?", the product orientates itself and is then ready to analyze the permissions of other users and groups in the network. It also works the other way round, telling you which users hold which permissions.
ESRA looks for three types of permission: Exchange, NT, and Send on Behalf of (delegate). Once it has detected either users or permissions, it asks whether you want to change them and what to change them to (NT rights, however, cannot be changed). Assuming you have the necessary authority, confirm the change and run the application; it really is as simple as that.
Although this is a specialized product, it does address a potentially disastrous loophole. It is extremely simple to use, and provides a complete audit which is useful not just from a technical point of view, but also from a legal one if disaster has already struck.