August 27, 2018 at 12:57Separation of administrative powers in Zimbra
In the modern world, the main threat to the information security of an enterprise is its employees. The scale of cyberattacks using so-called insiders who, out of mercenary or any other motive, use their official position to harm the enterprise, has become a real disaster for medium and large companies. Industrial espionage, gathering incriminating evidence for leadership, as well as the good old theft of money: all this can become a reality at any time if an insider is wound up in the enterprise and has enough authority.
Since almost all business correspondence in enterprises is now electronic, the mail server and collaboration platform is always a tidbit for any insider. Let's see what tools Zimbra can offer to protect against internal attacks.
The main source of potential danger, of course, is the Zimbra server administrator. Free Zimbra Open-Source Edition allows you to create any number of administrator accounts. To do this, use the following command:
This command will create an administrator account on domain.com with the qwerty password. Also, using the command, you can make the administrator of an existing user:
As you can see, creating an administrator account in Zimbra is very simple. But there is a slight nuance. All these administrator accounts will have a full set of privileges. There are no built-in tools for the separation of powers between them. This feature is especially inconvenient for SaaS providers using Zimbra under multi-tenancy conditions, as well as for companies with large IT departments. Agree that it’s pretty reckless to trust junior employees with full authority. Even if they do not turn out to be insiders, they can break everything simply because of inexperience.
That is why for those Zimbra users who need to have several administrator accounts on the server, but also need the opportunity for a clear separation of powers, Zextras has developed the Zextras Admin winterlet, which is part of the Zextras Suite. He adds to Zimbra an advanced system of managing administrator accounts, which allows you to flexibly configure the range of administrator privileges available to certain users.
All configuration is done in the Zimbra administration console, or on the command line. In the case of the graphical interface, after installing Zextras Admin on the web, a corresponding item appears there, upon transition to which you can conveniently delegate administrator privileges to other users and manage the list of administrator accounts. In the case of the command line, you need to register the command zxsuite admin doAddDelegationSettings and add the necessary parameters to it, including:
The final command may look, for example, like this:
zxsuite admin doAddDelegationSettings newadmin zimbra.server.com viewMail false adminQuota 0
You can also deprive the user of administrator privileges with one command:
zxsuite admin doRemoveDelegationSettings newadmin zimbra.server.com
It works like this: when using Zextras Admin, all users with administrator privileges will have access to the administration console, as well as full administrators, however, the range of their powers can be reduced. What this range of authority will be is decided by the global server administrator with Zimbra. In particular, you can easily and unconditionally prohibit administrator accounts from viewing the mail content of company employees, as well as prohibit making changes to the global server settings.
In addition to restricting rights, Zextras Admin adds the ability to log user actions with administrator rights. This allows you to track any suspicious activity and take preventive measures to identify potential threats. In addition, Zextras Admin has a kind of Reset button, which allows you to revoke all rights from users with administrator privileges at any time.
However, Zextras Admin may be of interest not only to SaaS providers and enterprises with a large IT department, but also to those companies that are looking for ways to increase the effectiveness of their IT infrastructure. Zextras Zimlet allows you to fine-tune various categories of users, quotas and user restrictions on domains. Thanks to this, you can achieve full control over your servers with Zimbra and, as a result, significantly increase the efficiency and security of the entire infrastructure.
For all questions related to the Zextras Suite, you can contact the representative of Zextras Katerina Triandafilidi by e-mail katerina@zextras.com
Since almost all business correspondence in enterprises is now electronic, the mail server and collaboration platform is always a tidbit for any insider. Let's see what tools Zimbra can offer to protect against internal attacks.
The main source of potential danger, of course, is the Zimbra server administrator. Free Zimbra Open-Source Edition allows you to create any number of administrator accounts. To do this, use the following command:
zmprov ca admin@domain.com qwerty zimbraIsAdminAccount TRUE
This command will create an administrator account on domain.com with the qwerty password. Also, using the command, you can make the administrator of an existing user:
zmprov ma user@domain.com zimbraIsAdminAccount TRUE
As you can see, creating an administrator account in Zimbra is very simple. But there is a slight nuance. All these administrator accounts will have a full set of privileges. There are no built-in tools for the separation of powers between them. This feature is especially inconvenient for SaaS providers using Zimbra under multi-tenancy conditions, as well as for companies with large IT departments. Agree that it’s pretty reckless to trust junior employees with full authority. Even if they do not turn out to be insiders, they can break everything simply because of inexperience.
That is why for those Zimbra users who need to have several administrator accounts on the server, but also need the opportunity for a clear separation of powers, Zextras has developed the Zextras Admin winterlet, which is part of the Zextras Suite. He adds to Zimbra an advanced system of managing administrator accounts, which allows you to flexibly configure the range of administrator privileges available to certain users.
All configuration is done in the Zimbra administration console, or on the command line. In the case of the graphical interface, after installing Zextras Admin on the web, a corresponding item appears there, upon transition to which you can conveniently delegate administrator privileges to other users and manage the list of administrator accounts. In the case of the command line, you need to register the command zxsuite admin doAddDelegationSettings and add the necessary parameters to it, including:
- account - account name
- domain - domain name
- viewMail - the ability to view mail content
- adminQuota - the ability to configure quotas for mailboxes
The final command may look, for example, like this:
zxsuite admin doAddDelegationSettings newadmin zimbra.server.com viewMail false adminQuota 0
You can also deprive the user of administrator privileges with one command:
zxsuite admin doRemoveDelegationSettings newadmin zimbra.server.com
It works like this: when using Zextras Admin, all users with administrator privileges will have access to the administration console, as well as full administrators, however, the range of their powers can be reduced. What this range of authority will be is decided by the global server administrator with Zimbra. In particular, you can easily and unconditionally prohibit administrator accounts from viewing the mail content of company employees, as well as prohibit making changes to the global server settings.
In addition to restricting rights, Zextras Admin adds the ability to log user actions with administrator rights. This allows you to track any suspicious activity and take preventive measures to identify potential threats. In addition, Zextras Admin has a kind of Reset button, which allows you to revoke all rights from users with administrator privileges at any time.
However, Zextras Admin may be of interest not only to SaaS providers and enterprises with a large IT department, but also to those companies that are looking for ways to increase the effectiveness of their IT infrastructure. Zextras Zimlet allows you to fine-tune various categories of users, quotas and user restrictions on domains. Thanks to this, you can achieve full control over your servers with Zimbra and, as a result, significantly increase the efficiency and security of the entire infrastructure.
For all questions related to the Zextras Suite, you can contact the representative of Zextras Katerina Triandafilidi by e-mail katerina@zextras.com