
BlueWolf's Howl


May 16, 2005

I read your email...

Between urban legend and fear of the unknown, email paranoia has thrived. Everyone is a little nervous about getting personal notes at their 'work' email address. You worry about some admin reading it and initiating a round of rumor-mongering or bringing it to the attention of those who can fire you.


Most admins wouldn't have the time to read it, even if they had the inclination. And most don't have the inclination. Ever since email was invented, the administrator has had the ability to read your mail. This not only means your work administrator, but also the administrator at your ISP. This is necessary. It is not an evil plot by the digital dweebs to rule the universe. That's what MUDs are for. (MUDs = Multiple User Dungeons)

There are reasons why admins have so much power and control over YOUR data. We back it up for you. If the server goes 'a little bit ca-ca' or you mistakenly delete something you really didn't mean to... we restore it for you. And, if by some chance you lock yourself out of your own files, we have the ability to take ownership of the files and then return the permissions back to you.

In previous versions of email server software, the email admin had total control. I have used this privilege to troubleshoot many email problems. It was easy to just "Open Additional Mailbox" and see what the problem was. That was how I fixed quite a few problems. I remember it being quite a blessing during a particular virus outbreak. I happened to get in early that morning and noticed a few suspicious emails in my inbox. The virus definitions for that particular virus had not yet been posted. I opened everyone's mailbox and deleted the similar messages. I sent out a warning message and somehow filtered the messages so that no more would arrive. By then the new virus definitions were posted. I updated everyone's anti-virus software. Whew! Not only were we one of the few sites that did not go down during that outbreak, but we also did not send out any messages to spread the virus further. It was a blessing to have that ability already built-in. And no one complained about 'invasion of privacy.' They knew I did them a favor. I saved them from being the jerk who sent so-and-so a virus.

I knew my users. They would have opened the virus and *then* opened the warning message and said..."ooops - what do I do now?" No, I'm not bashing users here. One of the users at that site actually clicked on a virus attachment and PRINTED the file to take it to me. "What is this? I got it from so-and-so." [Luckily in that instance, the anti-virus software had definitions for that virus and mitigated any further problems. But, like I said...I knew my users.]

The reason I started thinking about this relates to something I read in Mastering Exchange Server 2003 by Barry Gerber. Apparently Microsoft doesn't think it's necessary for admins to have that ability anymore (I think it might have disappeared in Exchange 2000). When you install Exchange Server 2003 and delegate "Full Administrator" control to an account, that account has permissions to fully administer the mailbox, but not to access the messages in it.

Pretty interesting, isn't it? For those who have admins that barely know what they're doing - they will never be able to read your mail. Since "IT doesn't matter" and most companies are trying to cut IT costs by hiring the lowest-cost resource to run the server (who might just be someone who's 'good with computers'), chances are that everything has been left at the default.

But there are so many admin accounts on a network. If you are the admin and you need this ability, you can create an account just for that purpose. You may need it someday. Create the account and do NOT give it Full Exchange Admin rights (this puts an explicit deny in the permissions). Give the account 'custom' permissions. If you know how to do this and you know which permissions to give the account and where to find them, then you're the type of experienced admin that has earned this privilege. You already know how to use your power for Good not Evil. Hide that loaded gun and protect it with the safety of a STRONG password.

Yes, I can still read your email...

[Note: Any Domain Administrator can change the password on your user account and log in AS YOU and accomplish the same thing. It's just more noticeable to the user (unless they have already been canned).]

Posted by BlueWolf on May 16, 2005 04:25 PM