Looking for information on how to secure data from the administrators of Enterprise Vault. Is there a way to prevent evault administrators from searching specific mail? Is their a way to encrypt data with a key? Is there a way to put certain mail in an archive and prevent access to this? Using an older version of Evault but willing to upgrade if its supported in newer versions.

So couple things for you. First, here is an article about RBA to help you out with the roles bit. https://www-secure.symantec.com/connect/articles/roles-based-administration-enterprise-vault-8 For the permissions on the archives, it would be something like this technote, only using DenyAccess: How to give permissions to an archive using Enterprise Vault Policy Manager (EVPM) Article:TECH69114 | Created: 2009-01-25 | Updated: 2011-05-09 | Article URL http://www.symantec.com/docs/TECH69114 So your script would look like this: [Directory] DirectoryComputerName = evdirectory SiteName = evsite [ArchivePermissions] ArchiveName = ALL_MAILBOX DenyAccess = read write, domain\adminusergroup No one caveat, if your admin account is the same as your user account you will be blocked from your own archive so you will need to log in as the VSA and manually remove the Deny from the properties of the archives.

How to Secure data from SysAdmins?

15 Replies

LCT
Level 6
13 years ago
Have a look at Roll Base Administration and also specify archive permissions to deny certain persions or groups acces to archives. You can do this via EVPM.
TonySterling
Moderator
13 years ago
Further to what LCT said, neither Power Admins or the Vault Service Account automatically have permission to search archives other than their own. They either need permission granted on the archives or have permission inherited from the mailbox.
Jeff_Shotton
Level 6
13 years ago
You might also want to look at switching auditing on, so an admin could not give themselves access, then search, and then remove that access.

http://www.symantec.com/docs/TECH49054

Also, there are ways that searches can be logged via webapp.ini

http://www.symantec.com/docs/TECH66548

see page 142 of the EV8 base admin guide (this still works in 9, but is not documented)

You would obviously have to stop the admin altering the logfiles created, and the webapp.ini file.

Regards,

Jeff
dmc123
Level 4
13 years ago
We are setup for journal archiving vs specific mailbox. So its one general archive that all messages are in. Although I know you can do roles, I'm asking about a way to guarantee an Admin can't assign them selves access. The audit process allows for a check mechanism, but ideal is to prevent access vs report on unauthorized.
TonySterling
Moderator
13 years ago
You would have to secure the Vault Service Account and then set up a custom role in RBA that can't manage archive permissions.

You could then manually deny permission on the journal archives for the Admins. A manual deny will override an automatically set permission.
Rob_Wilcox1
Level 6
13 years ago
As a matter of interest, how are you securing the Exchange side of things? I mean, a regular Exchange Admin *could* open a users mailbox, and read/edit/delete data.
John_Santana
Level 6
13 years ago
Yes, this is what my CIO told my manager just recently, I overheard them :-\

so yes how can I do this in EV 8.0 SP4 ?
TonySterling
Moderator
13 years ago
So couple things for you.

First, here is an article about RBA to help you out with the roles bit.

https://www-secure.symantec.com/connect/articles/roles-based-administration-enterprise-vault-8

For the permissions on the archives, it would be something like this technote, only using DenyAccess:

How to give permissions to an archive using Enterprise Vault Policy Manager (EVPM)

Article:TECH69114 | Created: 2009-01-25 | Updated: 2011-05-09 | Article URL http://www.symantec.com/docs/TECH69114

So your script would look like this:

[Directory]
DirectoryComputerName = evdirectory
SiteName = evsite

[ArchivePermissions]
ArchiveName = ALL_MAILBOX
DenyAccess = read write, domain\adminusergroup

No one caveat, if your admin account is the same as your user account you will be blocked from your own archive so you will need to log in as the VSA and manually remove the Deny from the properties of the archives.
John_Santana
Level 6
13 years ago
Wow that does make sense Tony.

Many thanks for the quick reply !
Rob_Wilcox1
Level 6
13 years ago
I second Tonys comment. In addition auditing, so admins can't change the perms without it being recorded. Then again they could maybe delete the audit records.. So you would need to prevent that in SQL too. Like I asked though how are you securing Excange?