ME020184 - INF: What are the IME_ADMIN and IME_USER accounts?


SUMMARY

This article describes the accounts that are created when MailEnable is installed and their associated privileges.

DETAIL

The MailEnable installation creates the IME_ADMIN and IME_USER accounts. MailEnable requires these accounts in order to provide web mail and web administration functionality.

The purpose of each account is outlined below:

IME_USER: This account is used as the proxy account for MailEnable IIS Web Applications. This account is granted read access to the BIN\WEBMAIL and BIN\WEBADMIN directories to allow them to be published via IIS. This account is required because using a dedicated account is a more secure approach than relying on other accounts as IIS proxy accounts.

IME_ADMIN: This account is used to provide the security context of COM+ applications used by MailEnable's web mail and web admin. The MailEnable COM libraries registered under COM+ run with the identity of the IME_ADMIN account (again, for security purposes).

The IME_ADMIN account needs to have full control over all MailEnable directories (and subdirectories). As mentioned above, both web mail and web admin use the IME_ADMIN account as a proxy account for the respective COM+ packages. Therefore, when you change the password for the IME_ADMIN account, both the web admin and web mail COM+ packages need to be updated to use the same password (because the same underlying Windows account is used for the COM+ identity). There are no (or only minor) security issues associated with these accounts, so long as the password is long enough not to be guessed.

These accounts are system service accounts only. The password is not communicated to any other server, and as such a 'hacker' would need to compromise the security database in order to obtain the passwords for these accounts. Furthermore, the file system permissions for these accounts are set explicitly against the directories under the MailEnable directories and are very specific. In summary, IME_USER only has read access to directories containing IIS Web Pages. Because it only has read access to specific directories, the exposure is very low. The IME_ADMIN account has write access to the MailEnable repository (i.e. where messages are stored) as well as the Queues directory. It has read access to all other MailEnable directories (including the BIN directory).
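
An added example, not MailEnable's own code: a PowerShell audit that lists access-control entries for IME_USER and IME_ADMIN that go beyond the access summarized above (read-only on BIN\WEBMAIL and BIN\WEBADMIN for IME_USER; write only on the repository and Queues for IME_ADMIN). The install root, the repository path and the location of Queues under the root are assumptions supplied as parameters.

```powershell
# Added example, not MailEnable code: compare the ACEs held by IME_USER and
# IME_ADMIN with the access this article describes.
param(
    [Parameter(Mandatory)][string]$InstallRoot,    # assumption: MailEnable install directory
    [Parameter(Mandatory)][string]$RepositoryDir,  # assumption: directory where messages are stored
    [string]$QueuesDir = (Join-Path $InstallRoot 'Queues')  # assumption: Queues sits under the root
)

# Rights that allow modification, plus GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000), which Get-Acl can return as unmapped values.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

# True when $Path is one of $Roots or lies beneath one of them.
function Test-Under([string]$Path, [string[]]$Roots) {
    $p = $Path.TrimEnd('\') + '\'
    foreach ($r in $Roots) {
        if ($p.StartsWith($r.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$webDirs   = 'BIN\WEBMAIL', 'BIN\WEBADMIN' | ForEach-Object { Join-Path $InstallRoot $_ }
$writeDirs = $RepositoryDir, $QueuesDir

$dirs = @(Get-Item -LiteralPath $InstallRoot) + @(Get-ChildItem -LiteralPath $InstallRoot -Directory -Recurse)
foreach ($dir in $dirs) {
    foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name     = ($ace.IdentityReference.Value -split '\\')[-1]   # strip MACHINE\ or DOMAIN\ prefix
        $canWrite = ([int]$ace.FileSystemRights -band $writeBits) -ne 0
        $issue = switch ($name) {
            'IME_USER' {
                if ($canWrite) { 'IME_USER has write access' }
                elseif (-not (Test-Under $dir.FullName $webDirs)) { 'IME_USER access outside BIN\WEBMAIL and BIN\WEBADMIN' }
            }
            'IME_ADMIN' {
                if ($canWrite -and -not (Test-Under $dir.FullName $writeDirs)) { 'IME_ADMIN write access outside repository and Queues' }
            }
        }
        if ($issue) {
            [pscustomobject]@{ Path = $dir.FullName; Account = $name; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited; Issue = $issue }
        }
    }
}
```

An installation that follows the earlier statement that IME_ADMIN has full control over all MailEnable directories will report those entries, so treat the output as a list to review rather than a pass/fail result.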

MORE INFORMATION

Using the MailEnable MEInstaller.exe utility: Article ME020314



Product: MailEnable (All Versions)
Module: General
Keywords: IME_ADMIN IME_USER users accounts
Class: INF: Product Information
Revised: Wednesday, May 4, 2016
Author:
Publisher: MailEnable