?
Solved

OWA Restricting Access

Posted on 2002-03-22
10
Medium Priority
?
444 Views
Last Modified: 2013-12-17
Hi,
We've set up Exchange 2000 and OWA is running nicely. The problem is that users can access anyones e-mail by simply changing the mail box name in the address bar.

How do I restrict access so that users can access only there own mailbox?

Cheers
CJ Windsor
0
Comment
Question by:cjwinks
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 15

Expert Comment

by:samri
ID: 6892077
Im' not quite familiar with OWA.  Perhaps there should be some kind of security option where each users must be authenticated before the can open a mailbox.  Check the OWA (I hope OWA is some kind of web based email system), documentation on how to enable such authentication.

just a thought.
0
 
LVL 5

Accepted Solution

by:
markt9 earned 100 total points
ID: 6895622
Outlook Web Access (OWA)

Have you read the Planning and Deploying Outlook Web Access 5.5 from Microsoft?  try http://www.microsoft.com/exchange/techinfo/planning/55/OutlookWebaccess.asp

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q236811
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q263236
http://www.swynk.com/friends/janssen/OWA_Security.asp
http://www.slipstick.com/exs/owa.htm

of course you should consider installing Linux, sendmail, and neomail instead....
0
 

Author Comment

by:cjwinks
ID: 6896352

Ta for the advice.
However,
I've set the Exchange directory security to basic level authentication. This prompts for a log on, but once a user is logged on he/she can still access anyones mail box by just changing the URL.

For example...
  -log on to "servername/Exchange", Enter name & password
  -This gets them into there own inbox
  -They can however just change the URL to "servername/Exchange/userx" (where userx is name another user). This lets em read userx's mail.

How can I restrict this sort of access?



0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:cjwinks
ID: 6896355

Ta for the advice.
However,
I've set the Exchange directory security to basic level authentication. This prompts for a log on, but once a user is logged on he/she can still access anyones mail box by just changing the URL.

For example...
  -log on to "servername/Exchange", Enter name & password
  -This gets them into there own inbox
  -They can however just change the URL to "servername/Exchange/userx" (where userx is name another user). This lets em read userx's mail.

How can I restrict this sort of access?



0
 
LVL 5

Expert Comment

by:markt9
ID: 6898058
hehe....tell you users not to change the url to someone elses name....hehe.  Being the open source fan of Sendmail and linux in general, it is kind of humerous to hear how to defeat a OWL server.....but i'm sure it was your higherups that decided on exchange server....

Are you running OWA on a seperate machine from the exchange server?  Maybe you need to check both machines for permissions.

If you added a new user on just one machine does that automaticly give you access to the other?  Don't add that user to any groups to start your test and find the minimum permissions to get just the mail.

Did you modify the OWA program?  Did you mess up the global.asa in the process.

Did you pay for support from Microsoft when you went with Exchange?
0
 
LVL 24

Assisted Solution

by:SunBow
SunBow earned 100 total points
ID: 6949233
Secure it up while you are at it

a) Upgrade each and every MS component
b) run https (not http) to url
c) install root CA certificate to browser

noting -
> -They can however just change the URL to "servername/Exchange/userx"

If I am logged in to it, using my ID in place of userx yields the 404: "The page cannot be found"

user browse mode should be disabled
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6949238
(revision, error should be HTTP/1.1 401 Unauthorized where userx is internet EM ID, not Exchange/MS ID)
0

Featured Post

Restore individual SQL databases with ease

Veeam Explorer for Microsoft SQL Server delivers an easy-to-use, wizard-driven interface for restoring your databases from a backup. No expert SQL background required. Web interface provides a complete view of all available SQL databases to simplify the recovery of lost database

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question