Removing mail access immediately
PHILIP STORRY - DEC 1, 2008 (12:15:29 PM)
I read Paul Robichaux's description of how to immediately disable access to an Exchange mailbox which got me thinking.
A brief summary for those who didn't follow the link - if you have someone who's leaving very quickly - being escorted off site by security, one presumes - then to remove their access to their mail on an Exchange Server you'll need to do the following:
- Disable the mailbox
- Set the send quota for the user to 0
- Move the mailbox to a new information store
If you don't do these steps and someone still has Outlook open, then they may still have access for up to two hours after you disable them.
(Note that two hours is probably a worst case timescale, but still worth remembering.)
So, what do we do to remove access for a Domino user?
- Add the user to a Deny Access Group (which will prevent them accessing their mailbox and sending email)
- On the user's home server (and cluster servers if used), check for connections and drop them
- Remove access for webmail/applications as appropriate.
Total delay? Probably about an hour, depending on the environment.
And note that we're talking about removing access, not restricting - the difference (in this context) is that we want to drop active connections too, rather than just change the access allowed for future connections.
So why the difference between the two products?
Well, Exchange Server is using tokens from a central directory, whereas Domino Server creates its access tokens using a local directory. (Yes, you could use a Configuration Only directory in Domino. But I've never seen one on a live production mail server...)
This is why Exchange Server may preserve access for up to two hours - the security tokens from Active Directory have an expiry date which is designed to make sure that the Active Directory server isn't overwhelmed with requests for new tokens, but at the same time security isn't too lax.
Domino's method of distributing the Directory means that whilst it likely also uses tokens internally, they're easier to update as any query stays on the same machine. Plus both the Notes client and Domino Server cache such information, which is why you need to drop (destroy) the user's connection.
So even if you edit the deny access group on a central hub server rather than their home mail server, you're a replication and a drop user command away from it taking effect within minutes.
It's worth noting that Domino has, for a long time, allowed you to see who has a connected Notes client and drop them - and this is what allows Domino to be faster in removing access.
By contrast, the Exchange Server evidently has a token for access at the Information Store level, which can only be cleared by moving the mailbox to a new information store (database). That's their closest equivalent of "drop user", which will clear the cached token.
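To make the caching argument concrete, here is a small added model (not code from the original post, and not from either product) of the two designs just described: a store that honours a cached directory token until it expires, and a server that tracks live sessions and can drop them. The user name, the one-minute gap before disabling, the two-hour token lifetime and the clock are all constructed for illustration; the behaviour it mimics is what the post describes, not anything measured against real Exchange or Domino servers.

```python
from dataclasses import dataclass, field

TOKEN_TTL = 2 * 60 * 60  # the two-hour worst case the post quotes for Exchange


@dataclass
class CachedTokenStore:
    """Exchange-like store (constructed model): access rides on a token from a
    central directory, and a cached token is honoured until it expires."""
    now: int = 0
    disabled: set = field(default_factory=set)  # what the directory says now
    tokens: dict = field(default_factory=dict)  # user -> token expiry time

    def login(self, user):
        if user in self.disabled:
            return False
        self.tokens[user] = self.now + TOKEN_TTL
        return True

    def can_access(self, user):
        expiry = self.tokens.get(user)
        if expiry is not None and self.now < expiry:
            return True  # cached token honoured; the directory is not consulted
        self.tokens.pop(user, None)
        return self.login(user)  # token expired, so go back to the directory

    def disable(self, user):
        self.disabled.add(user)  # changes the directory only, not the cache

    def drop(self, user):
        # The post's closest Exchange equivalent of "drop user" is moving the
        # mailbox to another store, which invalidates the cached token.
        self.tokens.pop(user, None)


@dataclass
class SessionTrackingServer:
    """Domino-like server (constructed model): it knows which clients are
    connected and can drop them; the deny group only governs new connections."""
    now: int = 0
    deny_group: set = field(default_factory=set)
    sessions: set = field(default_factory=set)

    def login(self, user):
        if user in self.deny_group:
            return False
        self.sessions.add(user)
        return True

    def can_access(self, user):
        return user in self.sessions  # an open session works until dropped

    def disable(self, user):
        self.deny_group.add(user)  # like editing the Deny Access group

    def drop(self, user):
        self.sessions.discard(user)  # like the console "drop user" action


def residual_access_seconds(server, user, clear_session=False, horizon=TOKEN_TTL):
    """Log `user` in at t=0, disable them at t=60 and optionally clear their
    session, then count the seconds of access they keep within `horizon`.
    A result equal to `horizon` means the access never ended in the window."""
    server.now = 0
    if not server.login(user):
        raise RuntimeError("user could not log in before being disabled")
    server.now = 60
    server.disable(user)
    if clear_session:
        server.drop(user)
    seconds = 0
    for t in range(60, 60 + horizon):
        server.now = t
        if not server.can_access(user):
            break
        seconds += 1
    return seconds


if __name__ == "__main__":
    for label, factory in (("cached token", CachedTokenStore),
                           ("session tracking", SessionTrackingServer)):
        for clear in (False, True):
            kept = residual_access_seconds(factory(), "jdoe", clear_session=clear)
            print(f"{label:17s} clear_session={clear!s:5s} -> {kept} s of residual access")
```

Run as a script it prints four rows. In both designs the directory change on its own leaves the existing session or token working (the cached-token store for the rest of the token's lifetime, the session server until someone acts), and only the session-clearing step ends access at once; the difference the post is getting at is how direct and visible that step is.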
But the advantage of the Exchange "centralise everything" design is that once access to their mailbox is gone, you're done - other services such as webmail, Windows Mobile devices etc. should also stop their access because they're effectively just proxies for access to that one store of information.
Whereas Domino's distributed design means that you'll need to make sure that the change occurs where it's needed. If you need to remove access on a webmail server, then that Deny Access Group change needs to be replicated before it'll happen. And the same applies to sessions on application servers, and systems like Quickr/SameTime/Domino.Doc. Users can access many different stores, some of which are just replicas of each other, so stopping all access in a large environment can require a little more work.
(For both Exchange and Domino, third party access products like BlackBerries have their own arrangements to disable accounts and devices, so I'm skipping those.)
To my mind, the advantage to Domino's distributed design is that in this case it's more intuitive. Unless you're thinking about tokens, it's easy to assume that denying access to a mailbox does just that, immediately. The other advantage is that you have fewer single points of failure, so your systems are more resilient. If someone accidentally deletes something in the Directory or a database somewhere, then if you act quickly you may find a replica elsewhere you can use rather than have to go back to your backups...
The more I think about this scenario of denying a user access immediately, the more interesting it becomes as it reveals the differences between Domino and Exchange. But it also makes me wonder about other systems - how many other applications using Active Directory or other centralised LDAP systems are going to behave this way?
How easy is it for someone in a position of power to remove valuable data even after the business believes they have had their access disabled, due to this kind of caching?
How many businesses are aware of these issues, and have the procedures - or staff with the wherewithal - to deal with them?
And when Domino gets LDAP Directory Integration in Release 9 or Release 10, will we still be able to list and drop those users like normal Domino/Notes users?
So many questions...
And you'd have thought removing someone's access should be just a tick in a box, that took immediate effect!


Comments: 6
COMMENT: PETER SMITH
DEC 1, 2008 - 05:05:05 PM
So pessimistic, Phil. This will be in the 8.5 codestream, surely.
COMMENT: PHILIP STORRY
DEC 2, 2008 - 06:57:31
We're not going to run it here for a while anyway, so I've not yet made time to have a look...
COMMENT: DAVID KILLINGSWORTH
DEC 2, 2008 - 07:02:06 AM
Realistically, if it's such an urgent matter that you are going through a manual process, you will also go through a manual process of replicating the Domino directory across the domain, and replicating their mailboxes between any Domino mail servers and any Domino Web Access servers (if different) as well.
COMMENT: PHILIP STORRY
DEC 2, 2008 - 09:01:25
I purposefully left off the "amend ACL" strategy, partly because it only addresses one DB (and only one instance until it's replicated!), and partly because I wanted to take a wider view about how directory services affected the process.
But at my workplace, if you come to me and say that you want someone to not access their mail, then within five minutes they'll have no access on their home server. And within ten, no access anywhere!
But I wanted what I said about Domino to be realistic, even pessimistic. I wanted to give Exchange a fair report, as otherwise I'll lose sight of my wider points and just rip into Exchange's deficiencies...
(Which would make the blog entry seven times longer, for starters!)
I'm trying to be as fair as possible at this point, and if that means under-representing Domino/Notes then so be it. I'm at a stage where I'd rather be "corrected" by the community as they show how much better Domino/Notes is than compromise my own attempts at impartiality...
But you've made good points there about how to cut down the times for removing access - you're doing much what I'd do, and I'll probably use your points as a springboard into a follow-up entry today.
Thanks!
COMMENT: NATHAN T. FREEMAN
DEC 2, 2008 - 06:53:13 PM
Not in 8.5.0. The schedule slipped (because the problem is extremely difficult)
@Philip,
You didn't mention my favorite way to disable access, which is on the Administration tab of the Person document. You can change Check password to "Lockout ID" in addition to adding the person to a Deny Access group. I *think* that takes effect a little quicker than the group membership, but I'm not 100% sure.
COMMENT: PHILIP STORRY
DEC 3, 2008 - 12:41:45
The Administration tab is a very useful way - it's my preferred one in most environments.
I've been in environments where servers check both certificates and ID file passwords, and there the preferred way was to replace both of the appropriate fields with "Elvis has left the building".
Crude, but effective.