Solved

OWA Restricting Access

Posted on 2002-03-22
10
426 Views
Last Modified: 2013-12-17
Hi,
We've set up Exchange 2000 and OWA is running nicely. The problem is that users can access anyones e-mail by simply changing the mail box name in the address bar.

How do I restrict access so that users can access only there own mailbox?

Cheers
CJ Windsor
0
Comment
Question by:cjwinks
  • 2
  • 2
  • 2
  • +1
10 Comments
 
LVL 15

Expert Comment

by:samri
ID: 6892077
Im' not quite familiar with OWA.  Perhaps there should be some kind of security option where each users must be authenticated before the can open a mailbox.  Check the OWA (I hope OWA is some kind of web based email system), documentation on how to enable such authentication.

just a thought.
0
 
LVL 5

Accepted Solution

by:
markt9 earned 25 total points
ID: 6895622
Outlook Web Access (OWA)

Have you read the Planning and Deploying Outlook Web Access 5.5 from Microsoft?  try http://www.microsoft.com/exchange/techinfo/planning/55/OutlookWebaccess.asp

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q236811
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q263236
http://www.swynk.com/friends/janssen/OWA_Security.asp
http://www.slipstick.com/exs/owa.htm

of course you should consider installing Linux, sendmail, and neomail instead....
0
 

Author Comment

by:cjwinks
ID: 6896352

Ta for the advice.
However,
I've set the Exchange directory security to basic level authentication. This prompts for a log on, but once a user is logged on he/she can still access anyones mail box by just changing the URL.

For example...
  -log on to "servername/Exchange", Enter name & password
  -This gets them into there own inbox
  -They can however just change the URL to "servername/Exchange/userx" (where userx is name another user). This lets em read userx's mail.

How can I restrict this sort of access?



0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:cjwinks
ID: 6896355

Ta for the advice.
However,
I've set the Exchange directory security to basic level authentication. This prompts for a log on, but once a user is logged on he/she can still access anyones mail box by just changing the URL.

For example...
  -log on to "servername/Exchange", Enter name & password
  -This gets them into there own inbox
  -They can however just change the URL to "servername/Exchange/userx" (where userx is name another user). This lets em read userx's mail.

How can I restrict this sort of access?



0
 
LVL 5

Expert Comment

by:markt9
ID: 6898058
hehe....tell you users not to change the url to someone elses name....hehe.  Being the open source fan of Sendmail and linux in general, it is kind of humerous to hear how to defeat a OWL server.....but i'm sure it was your higherups that decided on exchange server....

Are you running OWA on a seperate machine from the exchange server?  Maybe you need to check both machines for permissions.

If you added a new user on just one machine does that automaticly give you access to the other?  Don't add that user to any groups to start your test and find the minimum permissions to get just the mail.

Did you modify the OWA program?  Did you mess up the global.asa in the process.

Did you pay for support from Microsoft when you went with Exchange?
0
 
LVL 24

Assisted Solution

by:SunBow
SunBow earned 25 total points
ID: 6949233
Secure it up while you are at it

a) Upgrade each and every MS component
b) run https (not http) to url
c) install root CA certificate to browser

noting -
> -They can however just change the URL to "servername/Exchange/userx"

If I am logged in to it, using my ID in place of userx yields the 404: "The page cannot be found"

user browse mode should be disabled
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6949238
(revision, error should be HTTP/1.1 401 Unauthorized where userx is internet EM ID, not Exchange/MS ID)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now