[Feature Request] check for excessive permissions assigned in AD to Exchange groups using HealthChecker #2276
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Is your request related to a problem? Please describe.
A clear and concise description of what the problem is and the results it had on the environment.
Exchange is an application that has historically been granted an excessive amount of permissions at the Active Directory level
The split permissions models can reduce some of these, but its probably worth having some checks built into HealthChecker that scan for excessive permissions assigned to the Exchange related groups (perhaps these were added manually) or still existing even after a switch to a split permissions model
Describe The Request
A clear and concise description of the feature to add to a current tool or a new tool with what we all want to be checking with examples.
the goal of these checks would be to make the risks of these low level permissions visible to Exchange and domain admins in order to better isolate a compromise in Exchange to just that application and not have it immediately become a domain wide compromise to the entire directory
Additional context
Add any other context or screenshots about the feature request here.
article below has references to several resources on the topic
reference: https://www.hub.trimarcsecurity.com/post/mitigating-exchange-permission-paths-to-domain-admins-in-active-directory
The text was updated successfully, but these errors were encountered: