Per-User Exemption/Block Settings Override Global, Per-Domain Policies

security sender policies Global Per-User Settings

4 replies to this topic

#1 Jake Frerichs

Jake Frerichs
  • Members
  • 3 posts

Posted 13 November 2019 - 04:27 PM

As my title describes, a user can override an admin's global/per-domain sender policy rule, allowing potentially admin-unwanted emails through to the recipient. https://campus.barra...GiArq2ViCF&so=1 Per support, this is a setting unique to ESS; the hardware equivalent, ESG, allows admin policies to take precedence over user-created ones. A sender that was marked as a spam account and blocked by the admin in the global sender policies was allowed through to the user because, for whatever reason, the user had an exemption for that account. This is a blatant security risk and I don't understand the rationale behind allowing this practice.



#2 adminadrian

adminadrian
  • Members
  • 4 posts

Posted 19 November 2019 - 02:35 PM

We recently deployed BESS, and prior to its selection I specifically asked this question and was told global policy took precedence over user policy. Apparently not. I agree with you that the global policy should take precedence over the user policy. Allowing the user to circumvent the security policies of the admins is a recipe for disaster.

 

Adrian



#3 Jake Frerichs

Jake Frerichs
  • Members
  • 3 posts

Posted 19 November 2019 - 03:03 PM

I feel your pain; I too was told the same thing during product selection/implementation. Now I'm told that this is only a feature of the hardware appliance. Has me considering other options, honestly. Hopefully this is seen and upvoted, as it needs to be addressed NOW.



#4 adminadrian

adminadrian
  • Members
  • 4 posts

Posted 19 November 2019 - 04:05 PM

For right now we have the option to allow users to exempt senders turned off. I'm not sure if that's an option for you, but it might help. If users want to exempt a sender, they have to bring that request to IT.



#5 Jake Frerichs

Jake Frerichs
  • Members
  • 3 posts

Posted 19 November 2019 - 05:34 PM

We may have to do that, but that's not ideal. As you said, it then requires IT to service whitelists/blacklists for quarantines, and I would guess it makes the global policy area quite messy over time or with a large number of users, and it makes extra work for an already busy IT department. These tools are purchased with email security in mind, and having policies like this can negate everything we put in place; putting the security of the company even more in the hands of end users is scary. I have asked for a rationale for the current hierarchy, and the support rep couldn't give me one and agrees that this isn't right.
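
An added example, not part of the thread and not Barracuda code: an offline audit that lists every per-user exemption overlapping an admin global or per-domain block, which are the entries that win when user settings take precedence as described above. The input dictionaries, the sample addresses and the matching rule (a bare domain entry also covers its subdomains) are assumptions made for illustration.

```python
def _domain(entry):
    return entry.rsplit("@", 1)[-1]

def _under(child, parent):
    # True when child is parent itself or one of its subdomains (assumed rule).
    return child == parent or child.endswith("." + parent)

def overlaps(a, b):
    """True if entries a and b (full address or bare domain) can match the same sender."""
    a, b = a.lower(), b.lower()
    if "@" in a and "@" in b:
        return a == b
    da, db = _domain(a), _domain(b)
    if "@" in a:                      # a is an address, b is a domain
        return _under(da, db)
    if "@" in b:                      # a is a domain, b is an address
        return _under(db, da)
    return _under(da, db) or _under(db, da)

def shadowed_blocks(global_blocks, domain_blocks, user_exempts):
    """Return (user, exempt_entry, scope, block_entry) for each overlap found."""
    findings = []
    for user, exempts in sorted(user_exempts.items()):
        # Admin rules that apply to this user: all global ones plus the
        # per-domain rules of the user's own recipient domain.
        admin = [("global", b) for b in global_blocks]
        admin += [("domain", b) for b in domain_blocks.get(_domain(user).lower(), [])]
        for ex in exempts:
            for scope, blk in admin:
                if overlaps(ex, blk):
                    findings.append((user, ex, scope, blk))
    return findings

# Constructed sample data (hypothetical policy export, not a real format).
GLOBAL_BLOCKS = ["spammer@bad.example", "bulkmail.example"]
DOMAIN_BLOCKS = {"corp.example": ["promo@vendor.example"]}
USER_EXEMPTS = {
    "alice@corp.example": ["spammer@bad.example", "friend@ok.example"],
    "bob@corp.example": ["news@lists.bulkmail.example", "vendor.example"],
    "carol@other.example": ["promo@vendor.example"],
}

if __name__ == "__main__":
    for row in shadowed_blocks(GLOBAL_BLOCKS, DOMAIN_BLOCKS, USER_EXEMPTS):
        print("%s: exemption %s shadows %s block %s" % row)
```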