Investigating Someone You Can’t Name
We’d like you to grant one of our investigators access to an account.
Sure. What’s the name?
We can’t tell you that.
Oh, they knew the name. But, they couldn’t share it with me. I was the team manager for the email team at a major non-profit. Actually, I was the manager for the email and SharePoint teams. But, the SharePoint guys never really got much love. Everyone wanted to talk about email.
We had just migrated from Novell GroupWise email to Microsoft Exchange. Exchange had a pretty powerful “big brother” feature. Actually, it was a suite of features. With Microsoft Exchange, the company had access to anything and everything in the system. And we could access those features without the user ever knowing about it.
The problem was that to get into a mailbox, you had to know which mailbox you needed access to. The investigators knew this, of course.
You know I have to know what mailbox to grant access to, in order to give you access, right?
Of course, but we can’t tell you the name.
Why not?
Well, someone was walking past the office of one of our senior executives. . .you would know him if we said his name. . .and they thought they might have seen something on his computer. We want to check it out.
Without causing suspicion if it turns out to be nothing?
Exactly.
So, we had a problem. My team had the skills to grant access. They were good at their jobs. Just as the investigators were good at theirs. But, the investigators couldn’t grant access. . .and my team couldn’t know the name of the suspect.
The solution was to break some of our security protocols. Is it still a problem if you break the security protocols with the security officers?
In any case, it was the only solution I could think of.
The process was pretty simple. My engineer met with the security officer alone in an office with a laptop.
Even though you’re with security, as you know, our policy of least privilege means you don’t have access to the email access control lists.
Right.
If you’ll look at my screen I’ll show you how to grant access to Rodney’s mailbox from the list of users. Then, I’ll leave the room and you can find the person you want to investigate and grant yourself access to that mailbox.
And when we’re done?
I’ll show you how to remove your access from Rodney’s mailbox and you can then do it for the other one.
I guess I might have been concerned that security was technically investigating my mailbox too, but I wasn’t worried. As with most investigations, security was extremely close-lipped. We never found out if the person had been doing something unethical or illegal.
But, I was just happy that we’d found a way to investigate someone without actually knowing their name.
Rodney M Bliss is an author, columnist and IT Consultant. His blog updates every weekday. He lives in Pleasant Grove, UT with his lovely wife, thirteen children and grandchildren.
Follow him on
Twitter (@rodneymbliss)
Facebook (www.facebook.com/rbliss)
LinkedIn (www.LinkedIn.com/in/rbliss)
or email him at rbliss at msn dot com
(c) 2018 Rodney M Bliss, all rights reserved