OWA Security

I need help with OWA. I'm running Exchange 2000 on Windows 2000 Server. I need help with security, or a way to disable OWA until I can figure out how to fix it. The problem is a user can pull up other people's email by logging in as themselves, and this is not acceptable in our organization. Is there a way to limit security so that a user can only log into their own email and is required to enter a username and password each time? The current security is set to basic authentication and integrated Windows. If there is no way to fix this, how do I disable OWA temporarily? Thanks!
AdminBWC asked:
mikeleebrla commented:
Usually NO group would have full access to anyone's individual mailbox. In your case the domain admins have full rights, which means that anyone in the Domain Admins group could read anyone's mail (not good; I doubt execs know about this). The only "person", i.e. user, that should have full mailbox access is the person whose mailbox it is (the SELF group will also). Is it possible that every user is in the Domain Admins group?? That would explain why they could read the mail.
BBG-BBGM commented:
I have not heard of an issue where a user can access other users' email via OWA. Is OWA running on the main mail server, or do you have a Front-End / Back-End server configuration? Have you ensured that ALL Exchange service packs and security roll-ups are installed?
BBG-BBGM commented:
In addition to my previous post, if you have not already, you may also want to take a look at "How To Configure IIS 5.0 Web Site Authentication in Windows 2000" from TechNet.
http://support.microsoft.com/default.aspx?scid=kb;en-us;q310344&sd=tech

If after the service packs and rollups you still have the same issue, the problem might be in your Exchange server's security configuration but we can get to that once I know you have already taken care of these steps.
mikeleebrla commented:
I believe the problem isn't with OWA, but rather with security in general on your Exchange server. The problem has just been exposed via OWA, but I'm willing to bet that users can set up any Outlook client to view others' mailboxes as well. I'm assuming that when users go to mail.domain.com\username they can simply put in another's username and open their mail? If so, this is a system-wide problem and not just in OWA. What you need to do is open Active Directory Users and Computers for a user and go to the "Exchange Advanced" tab; on that you will need to press "Mailbox Rights" and check to see which groups have read or full mailbox rights. Apparently someone has messed with the security rights and given everyone the rights to everyone's mailboxes. This security problem has just been found by users using OWA, but it can be used no matter what client method is used to check email.

FYI, you will have to have the Exchange management tools installed on the machine you do this on AND enable viewing of "Advanced Features" in ADUC in order to see the Exchange Advanced tab.
mikeleebrla commented:
correction:

mail.domain.com\username  should be mail.domain.com/exchange/username in the above post.
AdminBWC (author) commented:
OK, when I look at the mailbox rights for a user in AD, Everyone has Read access, not full rights. We are experiencing the problem you mentioned above. A user can enter server/exchange/username and is asked to enter their username and password; it doesn't matter what username they enter: if they authenticate on the server, they are allowed access. Now, they can read the mail, but are not allowed to reply, forward, etc.; that is another issue I am working on as well. My main priority is to fix the security hole first. Should I remove the Everyone group since there is one listed as SELF?

Thanks for your help!
mikeleebrla commented:
Do you mean that the Everyone group has "Read Permissions"? That is OK and is the default; just as the name implies, it just gives everyone the right to read the permissions, not to read email. Everyone should ONLY have the "Read Permissions" right. SELF should have "Read Permissions" and "Full Mailbox Access". Are you sure there's not another group in there? I've seen this exact same problem before, but it was 2 years ago so I don't remember which exact permission was incorrect.
AdminBWC (author) commented:
Below are the mailbox permissions:

Administrator - Full Access
Domain Admins - Full Access
Enterprise Admins - Deny Full Access
Everyone - Read Permissions
Exchange Domain Servers - Full Access
Servername$ - Full Access
SELF - Full Mailbox Access, Read Permissions

Do any of these seem out of place?

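The check mikeleebrla describes (look at each user's Mailbox Rights and find anyone other than SELF holding Full Mailbox Access), applied to the permission list AdminBWC posted, written up as an added example; it is not code from this thread or from Microsoft. It assumes the mailbox rights have been exported as an SDDL string from the user's msExchMailboxSecurityDescriptor attribute, that the access-mask bit values given in the comments are the documented Exchange mailbox-rights bits (verify against your SDK before relying on them), and the domain SID, the RIDs for the server account and Exchange Domain Servers, and the sample user RIDs are all constructed. Two-letter rights tokens and SID aliases (CC, RC, WD, PS, DA, EA, LA) are standard SDDL encoding.

```python
import re

# Mailbox-rights access-mask bits. Assumption: these are the documented bit
# values for msExchMailboxSecurityDescriptor on Exchange 2000/2003 users.
FULL_MAILBOX_ACCESS = 0x1
ASSOCIATED_EXTERNAL_ACCOUNT = 0x4
DELETE_MAILBOX_STORAGE = 0x10000
READ_PERMISSIONS = 0x20000
CHANGE_PERMISSIONS = 0x40000
TAKE_OWNERSHIP = 0x80000

# Standard two-letter SDDL rights tokens (SDDL encoding, not Exchange-specific).
SDDL_RIGHT_TOKENS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
}
# Well-known SDDL SID aliases used below; domain-relative aliases get the
# domain SID prepended (EA is really forest-root relative; same thing here).
WELL_KNOWN_SIDS = {"WD": "S-1-1-0", "PS": "S-1-5-10"}
DOMAIN_RELATIVE_RIDS = {"LA": 500, "DA": 512, "EA": 519}

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_rights(token):
    """'0x20001' or 'CCRC' -> access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= SDDL_RIGHT_TOKENS[token[i:i + 2]]
    return mask

def normalise_sid(trustee, domain_sid):
    if trustee in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[trustee]
    if trustee in DOMAIN_RELATIVE_RIDS:
        return f"{domain_sid}-{DOMAIN_RELATIVE_RIDS[trustee]}"
    return trustee  # already a literal S-1-... string

def parse_dacl(sddl, domain_sid):
    """Return the DACL as an ordered list of (ace_type, mask, sid)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, _flags, rights, _obj, _inherit_obj, trustee = fields
        aces.append((ace_type, parse_rights(rights), normalise_sid(trustee, domain_sid)))
    return aces

def effective_rights(aces, token_sids):
    """Mask of mailbox rights a principal holds, given the SIDs in its token.
    Windows walks the DACL in order; with explicit denies first (canonical
    order) a matching deny wins, which is what this approximation does."""
    allowed = denied = 0
    for ace_type, mask, sid in aces:
        if sid not in token_sids:
            continue
        if ace_type == "D":
            denied |= mask
        elif ace_type == "A":
            allowed |= mask
    return allowed & ~denied

def audit_mailbox_rights(aces, trusted_full_access=frozenset()):
    """Flag allow ACEs beyond the baseline the thread settles on: SELF has Full
    Mailbox Access + Read Permissions, Everyone has only Read Permissions, and
    nobody else has Full Mailbox Access except trusted service accounts."""
    findings = []
    for ace_type, mask, sid in aces:
        if ace_type != "A":
            continue  # a deny ACE never widens access
        if sid == WELL_KNOWN_SIDS["WD"]:
            if mask & ~READ_PERMISSIONS:
                findings.append((sid, "Everyone holds more than Read Permissions"))
        elif sid != WELL_KNOWN_SIDS["PS"] and sid not in trusted_full_access \
                and mask & FULL_MAILBOX_ACCESS:
            findings.append((sid, "Full Mailbox Access granted"))
    return findings

# Constructed sample mirroring the list AdminBWC posted; the domain SID and
# the RIDs for Servername$ and Exchange Domain Servers are made up.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
EXCH_DOMAIN_SERVERS = f"{DOMAIN_SID}-1106"
SERVER_ACCOUNT = f"{DOMAIN_SID}-1105"
SAMPLE_SDDL = (
    "O:PSG:PSD:(A;;0x1;;;LA)(A;;0x1;;;DA)(D;;0x1;;;EA)(A;;RC;;;WD)"
    f"(A;;0x1;;;{EXCH_DOMAIN_SERVERS})(A;;0x1;;;{SERVER_ACCOUNT})(A;;CCRC;;;PS)"
)

if __name__ == "__main__":
    aces = parse_dacl(SAMPLE_SDDL, DOMAIN_SID)
    for sid, msg in audit_mailbox_rights(aces, {EXCH_DOMAIN_SERVERS, SERVER_ACCOUNT}):
        print(f"{msg}: {sid}")
    it_admin = {f"{DOMAIN_SID}-1120", f"{DOMAIN_SID}-512", "S-1-1-0"}  # constructed user in Domain Admins
    print("IT admin can open this mailbox:", bool(effective_rights(aces, it_admin) & FULL_MAILBOX_ACCESS))
```

On the sample, the audit flags the Administrator and Domain Admins allow ACEs and nothing else: Everyone holds only Read Permissions (the default, as mikeleebrla says), the deny on Enterprise Admins is skipped because a deny never widens access, and the two server accounts are passed in as trusted. effective_rights then shows why the two IT staff could open any mailbox while ordinary users could not: a token that carries the Domain Admins SID picks up Full Mailbox Access from that ACE even though the person logged in as themselves, a plain user's token matches only the Everyone ACE, and a token that also carries Enterprise Admins loses the right again because the deny wins. The "S-1-5-10" (SELF) SID is only present in the token when the principal is the mailbox owner, so the caller adds it for that case.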
AdminBWC (author) commented:
Mystery Solved!!  Thank you so much mikeleebrla!  I am a domain user as well as the other IT user able to access other's mailboxes.  I tried logging onto my mailbox as another user and it was denied.  Sheww!! Thanks again for your help!
Question has a verified solution.