I have a situation with mailbox rights that I cannot figure out. I installed Exchange 2003 on Windows 2003 standard with all the defaults. I have never changed permissions on anything. For some reason, if you login via OWA using one persons account, you can then shortcut to another mailbox by typing in the address of the box! No password prompt, just straight-in to another persons account. For example:
has full access to: http://www.domainname/exchange/user2
simply by typing in "user2" at the end of the url. This is a serious security risk needless to say.
I have looked over the permissions and read other articles on EE and support.microsoft.com dealing with mailbox store permissions but am confused as to what the appropriate defaults should be. It seems that the individual Active Directory accounts are inheriting their mailbox rights from the store. They also have entries such as "Everyone" for read permissions and "authenticated users" for full access.
If I take these away by putting in Deny permissions, people can't login to their box at all. I also have reviewed the permissions of a completely different Exchange server for another company, and they have these same permissions but nobody can access eachother's mailbox. What am I missing? Does anybody have a list of the true defaults for the mailbox store and/or individual account? Thanks in advance.