Solved

Exchange 2000 Server & OWA - Insecure ?

Posted on 2004-11-09
Last Modified: 2010-05-18
Hi,

I'm running a win2kAS (SP4) with Exchange 2k (SP2).

I've just noticed (after running OWA over HTTPS for many months) that if I log into our server as me, ie:

https://url.to.my.server/exchange/me

and then authenticate with the server, once in I can then change /me to /anyone else and I have access to all users' mailboxes!!

I thought it might just be because I'm admin; so I asked a user for their password, logged in as them from a separate machine to ensure there was no cache at work, authenticated, then tried to access my own mailbox - it worked (!!!!) without asking for my pw.

Needless to say, I've now disabled OWA until I can sort this, and I'm likely overlooking something obvious.

Any help is appreciated.

Steve
Question by: shandscomb

Accepted Solution by: Sembee (ID: 12536168)
That is almost certainly caused by a permissions change. Something has been altered to allow all users access to all mailboxes - it certainly isn't by design - if it was I think we would have heard about it by now.

This article explains how to do it:
http://support.microsoft.com/?kbid=262054
That may give you an idea on what to look for.

You should also look at authentication on your OWA server.
Has something happened to IIS that may have changed things from the default? Take a look at this article:
http://support.microsoft.com/?kbid=290341

Finally, verify that authentication is set correctly on the Exchange virtual folders using IIS manager.

/exchange
/exadmin
/public
/exchweb

They should be basic and integrated ONLY, with /exchweb also having anonymous access.

Simon.
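The accepted answer's last step is a checklist: the four Exchange virtual directories should carry Basic and Integrated authentication only, with Anonymous added on /exchweb alone. The script below is an added example (not code from the thread or from Microsoft) that turns that checklist into an audit. It reads a captured dump of `cscript adsutil.vbs GET W3SVC/1/Root/<vdir>/AuthFlags` output and reports every directory whose AuthFlags bitmask deviates from the stated policy. The AuthFlags bit values (1 Anonymous, 2 Basic, 4 Integrated/NTLM, 16 Digest, 64 Passport) are the documented IIS metabase values; the assumption is that the admin echoed each metabase path before its adsutil call, that the default web site is instance 1, and the sample dump itself is constructed to mirror the asker's report that only /exchweb differed.

```python
"""Audit IIS metabase AuthFlags for the Exchange 2000 OWA virtual directories.

Added example, not from the thread. The policy encoded in EXPECTED is the one
the accepted answer states: Basic + Integrated only, plus Anonymous on /exchweb.
"""
import re

# IIS metabase AuthFlags bit values (IIS 5/6).
AUTH_ANONYMOUS = 1
AUTH_BASIC = 2
AUTH_NTLM = 4       # shown as "Integrated Windows authentication" in IIS Manager
AUTH_MD5 = 16       # Digest
AUTH_PASSPORT = 64

FLAG_NAMES = {
    AUTH_ANONYMOUS: "Anonymous",
    AUTH_BASIC: "Basic",
    AUTH_NTLM: "Integrated",
    AUTH_MD5: "Digest",
    AUTH_PASSPORT: "Passport",
}

# Expected flags per virtual directory, taken from the accepted answer.
EXPECTED = {
    "/exchange": AUTH_BASIC | AUTH_NTLM,
    "/exadmin": AUTH_BASIC | AUTH_NTLM,
    "/public": AUTH_BASIC | AUTH_NTLM,
    "/exchweb": AUTH_ANONYMOUS | AUTH_BASIC | AUTH_NTLM,
}

# Constructed sample dump (assumption): the admin echoed the metabase path,
# then ran "cscript adsutil.vbs GET <path>/AuthFlags" for each directory.
# It mirrors the asker's report that only /exchweb was off the default.
SAMPLE_DUMP = """\
W3SVC/1/Root/exchange
AuthFlags                       : (INTEGER) 6
W3SVC/1/Root/exadmin
AuthFlags                       : (INTEGER) 6
W3SVC/1/Root/public
AuthFlags                       : (INTEGER) 6
W3SVC/1/Root/exchweb
AuthFlags                       : (INTEGER) 6
"""

PATH_RE = re.compile(r"^W3SVC/\d+/Root/(\w+)\s*$", re.IGNORECASE)
FLAGS_RE = re.compile(r"^AuthFlags\s*:\s*\(INTEGER\)\s*(\d+)\s*$")


def parse_adsutil_dump(text):
    """Return {"/vdir": authflags_int} from an echoed-path + adsutil GET dump."""
    flags = {}
    current = None
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            current = "/" + m.group(1).lower()
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1))
            current = None
    return flags


def decode_flags(value):
    """Human-readable names for the bits set in an AuthFlags value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def audit(flags_by_vdir, expected=EXPECTED):
    """Return (vdir, problem) pairs for every deviation from the expected policy."""
    findings = []
    for vdir, want in expected.items():
        if vdir not in flags_by_vdir:
            findings.append((vdir, "missing from dump"))
            continue
        have = flags_by_vdir[vdir]
        missing = want & ~have   # required methods that are switched off
        extra = have & ~want     # methods enabled that the policy does not allow
        if missing:
            findings.append((vdir, "missing " + ", ".join(decode_flags(missing))))
        if extra:
            findings.append((vdir, "unexpected " + ", ".join(decode_flags(extra))))
    return findings


if __name__ == "__main__":
    results = audit(parse_adsutil_dump(SAMPLE_DUMP)) or [("all", "as expected")]
    for vdir, problem in results:
        print(f"{vdir}: {problem}")
```

The check that matters most for the symptom in this thread is an "unexpected Anonymous" finding on /exchange, /exadmin or /public: with anonymous access on a mailbox directory IIS has no reason to challenge the browser for credentials, which is why the answer confines it to /exchweb. As the accepted answer also says, a clean IIS result means the cause lies in mailbox permissions (KB 262054), not in IIS.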
 
LVL 1

Author Comment

by:shandscomb
ID: 12536635
Hi,

I've checked all that you say; the only thing that was different was the /exchweb, but that has now been rectified.

It's certainly permissions based, that's for sure.

I shall continue to work on this, but any further comments are ever-so welcome :)

Regards

Steve
Author Comment by: shandscomb (ID: 12542104)
After about an hour, the permissions reset or some such, and now the PW prompt comes up if you attempt to log into someone else's mail.

Strangely, as admin, I can *still* view other people's mail once I've authenticated, despite the KBs.

This I can work on over time, as I'm not bothered by that - I don't have enough time to read my own mail, let alone a load of other insignificants ;-)

Many thanks for the speedy response.

Best wishes

Steve