Exchange 2000 Server & OWA - Insecure?


I'm running a win2kAS (SP4) with Exchange 2k (SP2).

I've just noticed (after running OWA over HTTPS for many months) that if I log into our server as me, ie:

and then authenticate with the server, once in I can then change /me to /anyone else and I have access to all users' mailboxes!!

I thought it might just be because I'm admin; so I asked a user for their password, logged in as them from a separate machine to ensure there was no cache at work, authenticated, then tried to access my own mailbox - it worked (!!!!) without asking for my pw.

Needless to say, I've now disabled OWA until I can sort this, and I'm likely overlooking something obvious.

Any help is appreciated.


That is almost certainly caused by a permissions change. Something has been altered to allow all users access to all mailboxes - it certainly isn't by design - if it was I think we would have heard about it by now.

This article explains how to do it:
That may give you an idea on what to look for.

You should also look at authentication on your OWA server.
Has something happened to IIS that may have changed things from the default? Take a look at this article:

Finally, verify that authentication is set correctly on the Exchange virtual folders using IIS manager.


They should be basic and integrated ONLY, with /exchweb also having anonymous access.
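The check described in the answer above can be scripted. This is an added example, not part of the original answer or of any Microsoft tooling: it decodes the IIS `AuthFlags` bitmask for each virtual directory and reports deviations from the stated policy. The directory names other than /exchweb are assumed defaults for an Exchange 2000 install, and the sample values are constructed.

```python
# Added example: audit IIS AuthFlags values against the policy stated in the answer.
# Bit values of the IIS metabase AuthFlags property.
AUTH_BITS = {1: "anonymous", 2: "basic", 4: "integrated", 16: "digest", 64: "passport"}

# Expected methods per virtual directory. /exchweb comes from the answer; the
# other directory names are assumed defaults for an Exchange 2000 install.
EXPECTED = {
    "/exchange": {"basic", "integrated"},
    "/public": {"basic", "integrated"},
    "/exchweb": {"anonymous", "basic", "integrated"},
}

def decode_auth_flags(flags):
    """Return the set of authentication methods enabled in an AuthFlags bitmask."""
    methods = {name for bit, name in AUTH_BITS.items() if flags & bit}
    unknown = flags & ~sum(AUTH_BITS)  # bits this script does not recognise
    if unknown:
        methods.add(f"unknown(0x{unknown:x})")
    return methods

def audit(observed):
    """Compare observed {vdir: AuthFlags} with EXPECTED; return a list of findings."""
    findings = []
    for vdir, expected in sorted(EXPECTED.items()):
        if vdir not in observed:
            findings.append((vdir, "missing", "no AuthFlags value supplied"))
            continue
        enabled = decode_auth_flags(observed[vdir])
        extra, absent = enabled - expected, expected - enabled
        if extra:
            findings.append((vdir, "unexpected", ", ".join(sorted(extra))))
        if absent:
            findings.append((vdir, "disabled", ", ".join(sorted(absent))))
    return findings

# Constructed sample values, as read from each directory's AuthFlags property.
SAMPLE = {"/exchange": 7, "/public": 6, "/exchweb": 6}

if __name__ == "__main__":
    for vdir, kind, detail in audit(SAMPLE):
        print(f"{vdir}: {kind}: {detail}")
```

An empty result means every listed directory matches the policy; an "unexpected: anonymous" finding on a mailbox directory is the one to fix first.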


shandscomb (Author) commented:

I've checked all that you say; the only thing that was differing was the /exchweb but that has now been rectified.

It's certainly permissions based, that's for sure.

I shall continue to work on this, but any further comments are ever-so welcome :)


shandscomb (Author) commented:

After about an hour, the permissions reset or somesuch, and now the PW prompt comes up if you attempt to log into someone else's mail.

Strangely, as admin, I can *still* view other people's mail once I've authenticated, despite the KB's.

This I can work on over time, as I'm not bothered by that - I don't have enough time to read my own mail, let alone a load of other insignificants ;-)

Many thanks for the speedy response.

Best wishes


Question has a verified solution.
