Solved

OWA Restricting Access

Posted on 2002-03-22
10
425 Views
Last Modified: 2013-12-17
Hi,
We've set up Exchange 2000 and OWA is running nicely. The problem is that users can access anyones e-mail by simply changing the mail box name in the address bar.

How do I restrict access so that users can access only there own mailbox?

Cheers
CJ Windsor
0
Comment
Question by:cjwinks
  • 2
  • 2
  • 2
  • +1
10 Comments
 
LVL 15

Expert Comment

by:samri
Comment Utility
Im' not quite familiar with OWA.  Perhaps there should be some kind of security option where each users must be authenticated before the can open a mailbox.  Check the OWA (I hope OWA is some kind of web based email system), documentation on how to enable such authentication.

just a thought.
0
 
LVL 5

Accepted Solution

by:
markt9 earned 25 total points
Comment Utility
Outlook Web Access (OWA)

Have you read the Planning and Deploying Outlook Web Access 5.5 from Microsoft?  try http://www.microsoft.com/exchange/techinfo/planning/55/OutlookWebaccess.asp

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q236811
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q263236
http://www.swynk.com/friends/janssen/OWA_Security.asp
http://www.slipstick.com/exs/owa.htm

of course you should consider installing Linux, sendmail, and neomail instead....
0
 

Author Comment

by:cjwinks
Comment Utility

Ta for the advice.
However,
I've set the Exchange directory security to basic level authentication. This prompts for a log on, but once a user is logged on he/she can still access anyones mail box by just changing the URL.

For example...
  -log on to "servername/Exchange", Enter name & password
  -This gets them into there own inbox
  -They can however just change the URL to "servername/Exchange/userx" (where userx is name another user). This lets em read userx's mail.

How can I restrict this sort of access?



0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:cjwinks
Comment Utility

Ta for the advice.
However,
I've set the Exchange directory security to basic level authentication. This prompts for a log on, but once a user is logged on he/she can still access anyones mail box by just changing the URL.

For example...
  -log on to "servername/Exchange", Enter name & password
  -This gets them into there own inbox
  -They can however just change the URL to "servername/Exchange/userx" (where userx is name another user). This lets em read userx's mail.

How can I restrict this sort of access?



0
 
LVL 5

Expert Comment

by:markt9
Comment Utility
hehe....tell you users not to change the url to someone elses name....hehe.  Being the open source fan of Sendmail and linux in general, it is kind of humerous to hear how to defeat a OWL server.....but i'm sure it was your higherups that decided on exchange server....

Are you running OWA on a seperate machine from the exchange server?  Maybe you need to check both machines for permissions.

If you added a new user on just one machine does that automaticly give you access to the other?  Don't add that user to any groups to start your test and find the minimum permissions to get just the mail.

Did you modify the OWA program?  Did you mess up the global.asa in the process.

Did you pay for support from Microsoft when you went with Exchange?
0
 
LVL 24

Assisted Solution

by:SunBow
SunBow earned 25 total points
Comment Utility
Secure it up while you are at it

a) Upgrade each and every MS component
b) run https (not http) to url
c) install root CA certificate to browser

noting -
> -They can however just change the URL to "servername/Exchange/userx"

If I am logged in to it, using my ID in place of userx yields the 404: "The page cannot be found"

user browse mode should be disabled
0
 
LVL 24

Expert Comment

by:SunBow
Comment Utility
(revision, error should be HTTP/1.1 401 Unauthorized where userx is internet EM ID, not Exchange/MS ID)
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Microsoft has released various new features which are capable of handling various tasks. One of these tasks is ‘Migration from pop3 to Exchange Server’. Pop3 data stores various data along mailboxes like contacts, tasks, etc. So, it becomes the need…
Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now