Exchange 2000 Server & OWA - Insecure?

Posted on 2004-11-09
Last Modified: 2010-05-18

I'm running a win2kAS (SP4) with Exchange 2k (SP2).

I've just noticed (after running OWA over HTTPS for many months) that if I log into our server as me, i.e.:

and then authenticate with the server, once in I can then change /me to /anyone else and I have access to all users' mailboxes!!

I thought it might just be because I'm admin; so I asked a user for their password, logged in as them from a separate machine to ensure there was no cache at work, authenticated, then tried to access my own mailbox - it worked (!!!!) without asking for my pw.

Needless to say, I've now disabled OWA until I can sort this, and I'm likely overlooking something obvious.

Any help is appreciated.

Question by:shandscomb

    Accepted Solution

    That is almost certainly caused by a permissions change. Something has been altered to allow all users access to all mailboxes - it certainly isn't by design - if it was I think we would have heard about it by now.

    This article explains how to do it:
    That may give you an idea on what to look for.

    You should also look at authentication on your OWA server.
    Has something happened to IIS that may have changed things from the default? Take a look at this article:

    Finally, verify that authentication is set correctly on the Exchange virtual folders using IIS manager.


    They should be basic and integrated ONLY, with /exchweb also having anonymous access.
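
An added example (not part of the original thread, and not the answerer's own code): a Python check of the authentication policy stated in the answer above against IIS `AuthFlags` bitmask values. The `/exchange` and `/public` names and every flag value in the sample are constructed assumptions; only `/exchweb` is named on the page.

```python
# IIS metabase AuthFlags bits (standard IIS values).
AUTH_BITS = {
    0x01: "anonymous",
    0x02: "basic",
    0x04: "integrated",  # NTLM / Integrated Windows authentication
    0x10: "digest",
}

# Policy from the answer: basic and integrated only ...
BASELINE = {"basic", "integrated"}
# ... with /exchweb also having anonymous access.
EXTRA = {"/exchweb": {"anonymous"}}


def decode_auth_flags(flags):
    """Return the set of scheme names enabled in an AuthFlags value."""
    schemes = {name for bit, name in AUTH_BITS.items() if flags & bit}
    unknown = flags & ~sum(AUTH_BITS)  # bits this script does not recognise
    if unknown:
        schemes.add("unknown(0x%x)" % unknown)
    return schemes


def audit(vdir_flags):
    """Compare each virtual directory against the expected schemes.

    Returns {vdir: {"missing": [...], "unexpected": [...]}}, deviations only.
    """
    findings = {}
    for vdir, flags in vdir_flags.items():
        key = vdir.lower().rstrip("/")
        expected = BASELINE | EXTRA.get(key, set())
        enabled = decode_auth_flags(flags)
        missing = sorted(expected - enabled)
        unexpected = sorted(enabled - expected)
        if missing or unexpected:
            findings[vdir] = {"missing": missing, "unexpected": unexpected}
    return findings


# Constructed sample: AuthFlags values as they might be read from the metabase.
SAMPLE = {
    "/exchange": 0x07,  # anonymous enabled where it should not be
    "/public": 0x06,    # matches the policy
    "/exchweb": 0x06,   # anonymous missing
}

if __name__ == "__main__":
    for vdir, finding in sorted(audit(SAMPLE).items()):
        print(vdir, finding)
```

An empty result means every listed virtual directory matches the policy; it says nothing about mailbox permissions, which the answer treats as the more likely cause.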


    Author Comment


    I've checked all that you say; the only thing that was differing was the /exchweb but that has now been rectified.

    It's certainly permissions based, that's for sure.

    I shall continue to work on this, but any further comments are ever-so welcome :)



    Author Comment

    After about an hour, the permissions reset or somesuch, and now the PW prompt comes up if you attempt to log into someone else's mail.

    Strangely, as admin, I can *still* view other people's mail once I've authenticated, despite the KBs.

    This I can work on over time, as I'm not bothered by that - I don't have enough time to read my own mail, let alone a load of other insignificants ;-)

    Many thanks for the speedy response.

    Best wishes

