OWA Restricting Access

Hi,
We've set up Exchange 2000 and OWA is running nicely. The problem is that users can access anyones e-mail by simply changing the mail box name in the address bar.

How do I restrict access so that users can access only there own mailbox?

Cheers
CJ Windsor
cjwinksAsked:
Who is Participating?
 
markt9Connect With a Mentor Commented:
Outlook Web Access (OWA)

Have you read the Planning and Deploying Outlook Web Access 5.5 from Microsoft?  try http://www.microsoft.com/exchange/techinfo/planning/55/OutlookWebaccess.asp

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q236811
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q263236
http://www.swynk.com/friends/janssen/OWA_Security.asp
http://www.slipstick.com/exs/owa.htm

of course you should consider installing Linux, sendmail, and neomail instead....
0
 
samriCommented:
Im' not quite familiar with OWA.  Perhaps there should be some kind of security option where each users must be authenticated before the can open a mailbox.  Check the OWA (I hope OWA is some kind of web based email system), documentation on how to enable such authentication.

just a thought.
0
 
cjwinksAuthor Commented:

Ta for the advice.
However,
I've set the Exchange directory security to basic level authentication. This prompts for a log on, but once a user is logged on he/she can still access anyones mail box by just changing the URL.

For example...
  -log on to "servername/Exchange", Enter name & password
  -This gets them into there own inbox
  -They can however just change the URL to "servername/Exchange/userx" (where userx is name another user). This lets em read userx's mail.

How can I restrict this sort of access?



0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
cjwinksAuthor Commented:

Ta for the advice.
However,
I've set the Exchange directory security to basic level authentication. This prompts for a log on, but once a user is logged on he/she can still access anyones mail box by just changing the URL.

For example...
  -log on to "servername/Exchange", Enter name & password
  -This gets them into there own inbox
  -They can however just change the URL to "servername/Exchange/userx" (where userx is name another user). This lets em read userx's mail.

How can I restrict this sort of access?



0
 
markt9Commented:
hehe....tell you users not to change the url to someone elses name....hehe.  Being the open source fan of Sendmail and linux in general, it is kind of humerous to hear how to defeat a OWL server.....but i'm sure it was your higherups that decided on exchange server....

Are you running OWA on a seperate machine from the exchange server?  Maybe you need to check both machines for permissions.

If you added a new user on just one machine does that automaticly give you access to the other?  Don't add that user to any groups to start your test and find the minimum permissions to get just the mail.

Did you modify the OWA program?  Did you mess up the global.asa in the process.

Did you pay for support from Microsoft when you went with Exchange?
0
 
SunBowConnect With a Mentor Commented:
Secure it up while you are at it

a) Upgrade each and every MS component
b) run https (not http) to url
c) install root CA certificate to browser

noting -
> -They can however just change the URL to "servername/Exchange/userx"

If I am logged in to it, using my ID in place of userx yields the 404: "The page cannot be found"

user browse mode should be disabled
0
 
SunBowCommented:
(revision, error should be HTTP/1.1 401 Unauthorized where userx is internet EM ID, not Exchange/MS ID)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.