Wednesday, September 23, 2009

Update on Exchange 2010 and AdminSDHolder

The Microsoft Exchange Team recently blogged on the ACEs being applied by Exchange 2010, that I discussed previously.

“[A]s some have correctly pointed out, that enables an elevation of privilege scenario that is unacceptable in any environment.  Microsoft agrees with this assessment and concurs that Exchange 2010 cannot ship with the permissions assigned to the AdminSDHolder role that allow for Active Directory forest privilege elevation.”

It’s great to see, especially this close to the planned release, that Microsoft realized what a critical controls issue this would have been, and is correcting the problem.


No comments:

Post a Comment