In the modern world, the main threat to an enterprise's information security is its own employees. Cyberattacks carried out through so-called insiders, who abuse their official position to harm the enterprise for mercenary or other motives, have become a real disaster for medium and large companies. Industrial espionage, gathering compromising material on management, and plain old theft of money can all become reality at any time if an enterprise has an insider with enough authority.

Since almost all business correspondence in enterprises is now conducted electronically, the mail server and the collaboration platform are always a tasty morsel for any insider. Let's see what tools Zimbra can offer to protect against attacks from the inside.
The main source of potential danger is, of course, the Zimbra server administrator. The free Zimbra Open-Source Edition lets you create any number of administrator accounts with the following command:
zmprov ca admin@domain.com qwerty zimbraIsAdminAccount TRUE
This command creates an administrator account in the domain.com domain with the password qwerty. You can also turn an existing user into an administrator with a similar command:
zmprov ma user@domain.com zimbraIsAdminAccount TRUE
As you can see, creating an administrator account in Zimbra is very easy. There is one catch, however: all of these accounts have full privileges, and there are no built-in tools for separating powers between them. This is especially inconvenient for SaaS providers running Zimbra in a multi-tenant setup and for companies with large IT departments. Trusting junior employees with full powers is rather reckless: even if they are not insiders, they can break everything through sheer inexperience.
That is why, for Zimbra users who need several administrator accounts on the server along with a clear separation of powers, Zextras developed the Zextras Admin zimlet, part of the Zextras Suite. It adds an advanced administrator account management system to Zimbra, which lets you flexibly customize the range of administrator privileges available to particular users.
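Because every account with zimbraIsAdminAccount set to TRUE is a full administrator, it is worth checking the live list against an approved one on a schedule. The script below is an added example, not part of the original article or of Zimbra or Zextras; it assumes `zmprov gaaa` (getAllAdminAccounts) prints one address per line, and the approved-list file and all sample addresses are constructed.

```bash
#!/bin/sh
# Flag Zimbra global-admin accounts that are not on an approved list.
# Live usage (as the zimbra user): zmprov gaaa | unexpected_admins approved.txt

# One address per line: strip CR and surrounding whitespace, lowercase,
# drop blank lines and '#' comments, sort and de-duplicate.
normalize() {
    tr -d '\r' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]' | grep -v -e '^$' -e '^#' | LC_ALL=C sort -u
}

# unexpected_admins APPROVED_FILE
# Reads the current admin list on stdin and prints accounts absent from
# APPROVED_FILE. Returns 0 (no drift), 1 (unexpected admins), 2 (usage error).
unexpected_admins() {
    approved=$1
    [ -r "$approved" ] || { echo "cannot read approved list: $approved" >&2; return 2; }
    tmp=$(mktemp) || return 2
    normalize < "$approved" > "$tmp"
    # comm -23 keeps lines that appear only in the first (current) list.
    extra=$(normalize | LC_ALL=C comm -23 - "$tmp")
    rm -f "$tmp"
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Constructed sample standing in for `zmprov gaaa` output.
sample_admins() {
    printf '%s\n' 'admin@domain.com' 'Helpdesk@domain.com ' 'newhire@domain.com'
}

# Demo on constructed data: newhire@domain.com is not approved and is reported.
demo_list=$(mktemp)
printf '%s\n' '# approved global admins' 'admin@domain.com' 'helpdesk@domain.com' > "$demo_list"
sample_admins | unexpected_admins "$demo_list" || echo "review the accounts listed above" >&2
```

A non-zero exit status makes the check easy to wire into cron or a monitoring agent so that a new full administrator raises an alert.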

All configuration is done in the Zimbra administration console or on the command line. In the graphical interface, installing Zextras Admin adds a corresponding item to the console, where you can conveniently delegate administrative authority to other users and manage the list of administrator accounts. On the command line, run the zxsuite admin doAddDelegationSettings command with the necessary parameters, including:
- account - account name
- domain - the name of the domain
- viewMail - ability to view mail contents
- adminQuota - the ability to configure quotas for mailboxes
The final command might look like this:
zxsuite admin doAddDelegationSettings newadmin zimbra.server.com viewMail false adminQuota 0
You can also revoke a user's administrator privileges with one command:
zxsuite admin doRemoveDelegationSettings newadmin zimbra.server.com
It works like this: with Zextras Admin, every user with administrative privileges has access to the administration console, just like a full administrator, but the range of their privileges can be reduced. The global administrator of the Zimbra server decides what that range will be. In particular, you can flatly prohibit administrator accounts from viewing the contents of employees' mail and from changing the global server settings.

In addition to restricting rights, Zextras Admin adds the ability to log the actions of users with administrator rights. This allows you to track any suspicious activity and take preventive measures to identify potential threats. Zextras Admin also has a kind of Reset button, which lets you revoke all rights from users with administrator privileges at any time.
However, Zextras Admin may be of interest not only to SaaS providers and enterprises with large IT departments, but also to companies looking for ways to improve the efficiency of their IT infrastructure. The Zextras zimlet lets you fine-tune various user categories, quotas and user restrictions on domains. This gives you full control over your Zimbra servers and, as a result, significantly improves the efficiency and security of the entire infrastructure.