Solved

OWA Security

Posted on 2005-05-10
Last Modified: 2010-04-10
I need help with OWA. I'm running Exchange 2000 on Windows 2000 Server. I need help with security or a way to disable OWA until I can figure out how to fix it. The problem is that a user can pull up other people's email by logging in as themselves, and this is not acceptable in our organization. Is there a way to limit security so that a user can only log into their own email and is required to enter a username and password each time? The current security is set to basic authentication and integrated Windows. If there is no way to fix this, how do I disable OWA temporarily? Thanks!
Question by: AdminBWC
9 Comments
Expert Comment by: BBG-BBGM (LVL 1)
ID: 13969286
I have not heard of an issue where a user can access other users' email via OWA. Is OWA running on the main mail server, or do you have a Front-End / Back-End server configuration? Have you ensured that ALL Exchange service packs and security roll-ups are installed?
Expert Comment by: BBG-BBGM (LVL 1)
ID: 13969443
In addition to my previous post, if you have not already, you may also want to take a look at "How To Configure IIS 5.0 Web Site Authentication in Windows 2000" from TechNet.
http://support.microsoft.com/default.aspx?scid=kb;en-us;q310344&sd=tech

If, after the service packs and rollups, you still have the same issue, the problem might be in your Exchange server's security configuration, but we can get to that once I know you have already taken care of these steps.
Expert Comment by: mikeleebrla (LVL 25)
ID: 13969698
I believe the problem isn't with OWA, but rather with security in general on your Exchange server. The problem has just been exposed via OWA, but I'm willing to bet that users can set up any Outlook client to view others' mailboxes as well. I'm assuming that when users go to mail.domain.com\username they can simply put in another's username and open their mail? If so, this is a system-wide problem and not just in OWA. What you need to do is open Active Directory Users and Computers for a user and go to the "Exchange Advanced" tab; on that you will need to press "Mailbox Rights" and check to see which groups have read / full mailbox rights. Apparently someone has messed with the security rights and given everyone the rights to everyone's mailboxes. This security problem has just been found by users using OWA, but it can be used no matter what client method is used to check email.

FYI, you will have to have the Exchange management tools installed on the machine you do this on AND enable viewing of the "Advanced Features" in ADUC in order to see the Exchange Advanced tab.
Expert Comment by: mikeleebrla (LVL 25)
ID: 13969716
correction:

mail.domain.com\username should be mail.domain.com/exchange/username in the above post.
Author Comment by: AdminBWC
ID: 13970009
OK, when I look at the mailbox rights for a user in AD, Everyone has Read access, not full rights. We are experiencing the problem you mentioned above. A user can enter server/exchange/username and is asked to enter their username and password; it doesn't matter what username they enter, if they authenticate on the server, they are allowed access. Now, they can read the mail, but are not allowed to reply, forward, etc. That is another issue I am working on as well. My main priority is to fix the security hole first. Should I remove the Everyone group since there is one listed as SELF?

Thanks for your help!
Expert Comment by: mikeleebrla (LVL 25)
ID: 13970621
Do you mean that the Everyone group has "read permissions"? That is OK and is the default; just as the name implies, it only gives everyone the right to read permissions, not read email. Everyone should ONLY have the "read permissions" right. SELF should have "read permissions" and "full mailbox access". Are you sure there's not another group in there? I've seen this exact same problem before, but it was 2 years ago so I don't remember which exact permission was incorrect.
Author Comment by: AdminBWC
ID: 13970729
Below are the mailbox permissions:

Administrator - Full Access
Domain Admins - Full Access
Enterprise Admins - Deny Full Access
Everyone - Read Permissions
Exchange Domain Servers - Full Access
Servername$ - Full Access
SELF - Full Mailbox Access - Read Permissions

Do any of these seem out of place?

Accepted Solution by: mikeleebrla (LVL 25), earned 500 total points
ID: 13971132
Usually NO group would have full access to anyone's individual mailbox. In your case the Domain Admins have full rights, which means that anyone in the Domain Admins group could read anyone's mail (not good; I doubt execs know about this). The only "person", i.e. user, that should have full mailbox access is the person whose mailbox it is (the SELF group will also). Is it possible that every user is in the Domain Admins group?? That would explain why they could read the mail.
Author Comment by: AdminBWC
ID: 13971502
Mystery solved!! Thank you so much mikeleebrla! I am a domain user, as well as the other IT user able to access others' mailboxes. I tried logging onto my mailbox as another user and it was denied. Sheww!! Thanks again for your help!
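The thread's diagnosis is that a group entry in a mailbox's rights list (here "Domain Admins - Full Access") grants the right to every member of that group, so the people reading other mailboxes were not attacking OWA at all; they simply belonged to a group with Full Mailbox Access. The following Python is an added example, not Exchange code and not posted by anyone in the thread. It models the mailbox rights list exactly as AdminBWC posted it, adds a constructed directory of group memberships (the user names and the nested "IT Staff" group are hypothetical), and answers two questions an administrator would ask: who effectively has Full Mailbox Access to a given mailbox, and which entries grant Full Mailbox Access to anyone other than SELF. It goes slightly beyond the thread in two ways that are standard Windows ACL behaviour: group membership is resolved transitively through nested groups, and a Deny entry (the "Enterprise Admins - Deny Full Access" line) overrides an Allow.

```python
"""Model of Exchange mailbox-rights evaluation (constructed example).

Not Exchange's own logic: it reproduces the reasoning in the thread that a
group ACE grants its right to every member of the group, plus two standard
Windows ACL rules (transitive group membership, Deny beats Allow).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

FULL = "Full Mailbox Access"
READ_PERMS = "Read Permissions"


@dataclass(frozen=True)
class Ace:
    """One line of the ADUC 'Mailbox Rights' dialog."""
    principal: str
    right: str
    allow: bool = True


# Constructed from the permission list AdminBWC posted in the thread.
MAILBOX_RIGHTS: List[Ace] = [
    Ace("Administrator", FULL),
    Ace("Domain Admins", FULL),
    Ace("Enterprise Admins", FULL, allow=False),   # "Deny Full Access"
    Ace("Everyone", READ_PERMS),
    Ace("Exchange Domain Servers", FULL),
    Ace("Servername$", FULL),
    Ace("SELF", FULL),
    Ace("SELF", READ_PERMS),
]

# Hypothetical group membership; "IT Staff" nested in Domain Admins is
# constructed to show transitive resolution. Everyone and SELF are
# implicit tokens, not directory groups.
GROUPS: Dict[str, Set[str]] = {
    "Domain Admins": {"Administrator", "AdminBWC", "IT Staff"},
    "IT Staff": {"it-user2"},
    "Enterprise Admins": {"Administrator"},
}


def resolve_principals(user: str, owner: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Security tokens a user carries against a given mailbox owner:
    the user itself, Everyone, SELF when the user owns the mailbox, and
    every group reached transitively through membership."""
    tokens = {user, "Everyone"}
    if user == owner:
        tokens.add("SELF")
    changed = True
    while changed:  # iterate until no new (nested) group is discovered
        changed = False
        for group, members in groups.items():
            if group not in tokens and members & tokens:
                tokens.add(group)
                changed = True
    return tokens


def has_right(user: str, owner: str, right: str,
              aces: Iterable[Ace], groups: Dict[str, Set[str]]) -> bool:
    """True if the user effectively holds `right` on owner's mailbox.
    Any matching Deny entry wins over any matching Allow entry."""
    tokens = resolve_principals(user, owner, groups)
    relevant = [a for a in aces if a.right == right and a.principal in tokens]
    if any(not a.allow for a in relevant):
        return False
    return any(a.allow for a in relevant)


def users_with_full_access(users: Iterable[str], owner: str,
                           aces: Iterable[Ace], groups: Dict[str, Set[str]]) -> Set[str]:
    """Everyone in `users` who can open owner's mailbox in full."""
    return {u for u in users if has_right(u, owner, FULL, aces, groups)}


def non_self_full_access(aces: Iterable[Ace]) -> Set[str]:
    """Principals other than SELF that are granted Full Mailbox Access:
    the entries the accepted answer says to question."""
    return {a.principal for a in aces
            if a.right == FULL and a.allow and a.principal != "SELF"}


if __name__ == "__main__":
    users = ["jdoe", "bob", "AdminBWC", "it-user2", "Administrator"]
    print("Full access to jdoe's mailbox:",
          sorted(users_with_full_access(users, "jdoe", MAILBOX_RIGHTS, GROUPS)))
    print("Non-SELF full-access entries:", sorted(non_self_full_access(MAILBOX_RIGHTS)))
```

Run against the constructed directory, the audit reports that AdminBWC and it-user2 (via the nested IT Staff group) can open jdoe's mailbox through the Domain Admins entry, bob cannot, and Administrator cannot because the Enterprise Admins Deny entry overrides the Allow entries that also match. The second report lists every non-SELF Full Mailbox Access grant so that the machine and Exchange service principals can be reviewed separately from human-membership groups such as Domain Admins.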