Forum Discussion

AndrewB
Moderator
16 years ago
Solved

Separate Service Account for Exchange Archiving and FSA

Looking for anybody to share their experience and expertise on how to utilize a separate service account for Exchange Archiving and for FSA. We have been handed down a security requirement to do this over concerns about a single process account having too much access.
(The point is not to battle with the security folks, just need to determine if it's something that is supported configuration in EV and how to do it.)

We are currently on EV 2007 SP5 running on Win2k3 SP2, archiving from Exchange 2007 SP1 running on Win2k8 and FSA from NetApp filers. Planning to upgrade within the next few months to V8 SP1. The Exchange archiving and FSA tasks are on separate servers.

All input is greatly appreciated.
  • Also, it is pretty easy to set the Exchange task to run under different accounts.
    If you look on the properties of the Task you will see the Log on tab

    Exchange Mailbox Task Properties: Log On
    Select the account that this task will run under. If required, you can run different tasks under different accounts. This may be useful if you have different Exchange Server environments:

    Use the Vault Service Account. Select this to use the Vault Service Account.

    Use this account. If you do not want this task to log on as the Vault Service Account, select Use this account and then click Browse to pick from the list of accounts. Enter the account's password and confirm it.

    The account you pick must have appropriate permissions; see Creating the Vault Service account for details.

    Additionally, the account that you pick must have the following permissions:

    Act as part of the operating system

    Log on locally

    Log on as a service

    Also, the Vault Service account must have the permission "Replace a process level token".

    If the accounts do not already have these permissions, add them as follows:

    On the Windows Start menu, click All Programs > Administrative Tools > Local Security Policy.

    In the left pane of the Local Security Settings window, expand Local Policies and click User Rights Assignment.

    Add your preferred account to Act as part of the operating system, Log on locally, and Log on as a service.

    Add the Vault Service account to Replace a process level token.

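The user rights listed in the post can be verified rather than trusted. The following is an added example (not from this thread or from Enterprise Vault) that exports the local User Rights Assignment with secedit and reports whether the task account and the Vault Service Account hold each right; the two account names are placeholders, and the script assumes it is run in an elevated session on the EV server.

```powershell
# Added example: audit User Rights Assignment for the EV task and service accounts.
# Account names are placeholders; substitute your own.
$TaskAccount = 'CONTOSO\svc-ev-exchtask'   # placeholder: account the Exchange task runs under
$VsaAccount  = 'CONTOSO\svc-ev-vsa'        # placeholder: Vault Service Account

# Friendly names from the post mapped to the constant names secedit uses.
$Required = @{}
$Required[$TaskAccount] = @('SeTcbPrivilege',           # Act as part of the operating system
                            'SeInteractiveLogonRight',  # Log on locally
                            'SeServiceLogonRight')      # Log on as a service
$Required[$VsaAccount]  = @('SeAssignPrimaryTokenPrivilege')  # Replace a process level token

# Export only the user-rights area of the local policy to a temporary file.
$cfg = Join-Path $env:TEMP 'ev-user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# Parse lines under [Privilege Rights], which look like: SeXxx = *S-1-5-...,DOMAIN\name
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @(($matches[2] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# secedit writes SIDs, so translate each account name and compare either form.
function Get-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

foreach ($account in $Required.Keys) {
    $sid = Get-Sid $account
    foreach ($right in $Required[$account]) {
        $holders = $rights[$right]
        $has = ($holders -contains $sid) -or ($holders -contains $account)
        '{0,-8} {1,-30} {2}' -f ($(if ($has) { 'OK' } else { 'MISSING' }), $right, $account)
    }
}
```

A MISSING line for the task account corresponds to one of the three rights the post says to add under Local Policies > User Rights Assignment; a MISSING line for the Vault Service Account means "Replace a process level token" has not been granted.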
  • Is this something that could be resolved by using Roles Based Administration and limiting the number of folks that use the VSA account?  There is an article in the Articles section about RBA. 
  • I don't think RBA will do. Your suggestion for changing the account that the mailbox archiving tasks run under seems like the best option. Thanks for pointing it out. If I create a new account with the proper Exchange permissions and update the EV tasks, do you foresee any complications regarding the previously archived data or anything else?
  • In my experience roles based admin as Tony suggested was mainly why this was designed. Yep you can run the tasks under another account but never forget the service account is god in EV world. For example take the PST migrator task, you can run this under another account. However this will then hand over during processing to a process called migrator server which in turn is spawned by the storage service which hey presto runs using the service account. Lose the service account and no matter what is running utilizing other accounts EV will stop working. This at low level I would believe can never be truly split. Only other thing I can think of is to completely separate file and mailbox archiving in two separate installs with separate directory databases and the works.
  • I understand what you're saying about RBA but I think the point our security team is trying to push is this:
    Need two separate accounts in order to limit one to only exchange access and the other to only Netapp Filer access. Once the data is in EV it doesn't matter to them anymore.
  • Unfortunately the only way forward would be two different installs. One for mail one for fsa I believe.
  • You can separate the Account for Exchange, as Tony mentioned, however, I'm not sure if you can do the same with FSA.
    So basically, you can have an account for Exchange which has no permission to FSA/Fileserver, but not vice-versa, I think.

    Cheers
  • We tried to have separate accounts and were told by Symantec that is a bad idea and that we should not configure it that way. We were told that having two sites, one for FSA and another for MBX and PF, would be the only way to get this done, but splitting into two sites also causes more problems. Users would have to perform two searches, more hardware, etc.