3ntranced
Posted in Exchange 2003 group as well .... Hope someone can help me =)

I'm a system administrator for a moderate sized restaurant chain (about 88 stores). We're currently going through the process of migrating from outsourced POP3 to Exchange 2003. In addition to upgrading our stores to Exchange, I'm also to add a password protected account for the general managers so they can receive information only they are privy to (in a separate e-mail profile).

For consistency's sake and to accommodate broadband out in the field that varies from 56k frame relay to T1, I've made the decision to utilize Exchange Cached mode. Naturally, I'm having an issue securing the additional GM account due to the inability to secure an OST. I'm trying to find the best solution considering the fact that I have to consider the lowest common denominator in the process (a lot of managers are used to doing it the old way and not very technically savvy).

I've made the following considerations, but defeated each for various reasons.

1. Run the GM account in full online mode -- due to bandwidth constraints mentioned above and the relative instability of broadband at various sites, this is not logical because even if DSL/frame goes down, the GM still needs to be able to access old e-mail.

2. Deploy the GM account as OWA only. Despite the improved look and feel of OWA in 2k3, I've ruled against this for the same reasons mentioned in (1) and, in addition, the more limited nature of the GAL would be troublesome for the "lowest common denominators".

3. Use a local password-protected PST and have managers move e-mail to this location once read -- this poses several problems as it means that A) all mail will be stored locally and so no fault tolerance is available should the local hard drive crash and burn, B) managers will be forced to authenticate twice: once to access new e-mail and once to access "archived" e-mail, and because of (B) many managers will choose to be lazy and simply choose to not move e-mail to the PST, thus making it ineffective in its purpose of securing the manager e-mail.

4. Create a separate local login for managers and create a separate e-mail profile there. If it were corporate users, I would deem this to be the best approach. However, given the fact that the office PC is also the server for the point of sale, this is another idea defeated by the lowest common denominators. The process of logging off and back on is so foreign to them that I'm certain a multitude of managers would end up shutting off/rebooting the PC while trying to log off and back on, thus bringing the POS system down. I've considered setting up security policies to prevent this from occurring, but the nature of the POS requires users to retain full administrator access. In addition, since managers are often pulled out of the office to deal with issues on the floor (as they should be), I'm sure a great deal of them would end up leaving the machine logged into the manager account, thus compromising security. In addition, even if this method were deployed, we are also on the brink of deploying a custom shell to run instead of Explorer which utilizes POS login security on top of Windows security, which essentially means the ability to log off and back onto Windows is out of the question.

Hopefully, given all the problems I've found solutions to on the internet, I'm pretty sure I'm not the first to deal with this sort of situation. Sorry for the huge novel, but I wanted to thoroughly explain my situation. That being said, any help or advice is greatly appreciated!

Thanks,
Dennis Pang