netsmithcentral (United States) asked:

Mailbox permissions using OWA

I have a situation with mailbox rights that I cannot figure out.  I installed Exchange 2003 on Windows 2003 Standard with all the defaults.  I have never changed permissions on anything.  For some reason, if you log in via OWA using one person's account, you can then shortcut to another mailbox by typing in the address of the box!  No password prompt, just straight in to another person's account.  For example:

http://www.domainname/exchange/user1

has full access to:  http://www.domainname/exchange/user2 simply by typing in "user2" at the end of the url.  This is a serious security risk needless to say.

I have looked over the permissions and read other articles on EE and support.microsoft.com dealing with mailbox store permissions but am confused as to what the appropriate defaults should be.  It seems that the individual Active Directory accounts are inheriting their mailbox rights from the store.  They also have entries such as "Everyone" for read permissions and "authenticated users" for full access.

If I take these away by putting in Deny permissions, people can't log in to their box at all.  I also have reviewed the permissions of a completely different Exchange server for another company, and they have these same permissions but nobody can access each other's mailbox.  What am I missing?  Does anybody have a list of the true defaults for the mailbox store and/or individual account?  Thanks in advance.
LeeDerbyshire (United Kingdom) replied:

Are you sure that /anyone/ can access another mailbox?  It may be just you this happens to, and that would not be so surprising.

This might help:

http://support.microsoft.com/kb/q262054/

Check the membership of your Exchange Enterprise Servers, Exchange Domain Servers, and Exchange Services groups in Active Directory Users And Computers.
AdamHolmes replied:

I was not able to reproduce this on my OWA server. Do you require the users to use SSL? If not, regardless of this situation you will want them to and that may in the end, solve your problem.
netsmithcentral (asker) replied:

Does using the ssl option require me to purchase a certificate from an authority?  I am familiar with the process and installing them for website use, but do not currently have one for this particular exchange server.
No, you can set up your own on your local domain controller. Start -> Control Panel -> Add/Remove Programs -> Windows Components -> Certificates (or something like that). You'll set this up as your enterprise root CA and it will be able to give your IIS/OWA server a certificate to use with SSL.

They will have to then type https:// instead of http:// unless you figure out the way to make it automatically redirect http to https.
BTW, it doesn't HAVE to be a domain controller, but in smaller organizations it normally is. It does HAVE to be a Windows Server though.
While putting an SSL certificate on to the site will increase its security, it will not help one bit with resolving this problem. All SSL does is secure the authentication details and the traffic between the server and the client. It doesn't actually change the authentication issues themselves.
If you are going to use SSL, at least do it properly and purchase a certificate. Someone like RapidSSL will do fine. Using your own certificate authority or SelfSSL doesn't really achieve anything. It generates certificate prompts which I personally think look unprofessional and make the process a waste of time.

Therefore you need to check what Lee suggested above - does this happen for all users? Create a new account to test with if you want to check - give it the same permissions and settings as a regular user - not an administrator and see whether the problem is there.

Simon.
I'm not so sure I need SSL in this case.  I tried Lee's suggestions to no avail.  The only member of the Exchange Enterprise Servers and Exchange Domain Servers groups is the MAIL server itself.  I've checked permissions across the board and don't see anything that should be allowing this...

Anyone have other suggestions?
ASKER CERTIFIED SOLUTION (LeeDerbyshire, United Kingdom):

Yes, /anyone/ can open anyone's mailbox.  I didn't try for every user, but I picked a couple of random people on the network, logged in as them, then accessed other mailboxes.
Have a look at the properties of your Mailbox Store in ESM.  Click on the security tab, and review the permissions.  Is there an entry that gives the Everyone group full control, or Domain Users, or anything like that?  Look for any group that might contain all your users.
Already checked them.  The following people have total control: "Enterprise Admins", "Domain Admins", "MAIL" (our server name), "Exchange Domain Servers", and "Administrator".  The only member of any of those groups is Administrator.  "Authenticated Users" also has total control, but I don't entirely know how that works.

Everyone and Anonymous User have Create Named.... and Special Permissions.

No one else has explicit permissions on the store.
It is the Authenticated Users - Full Control that is the problem.  It means that all your Users have Full Control throughout the Mailbox Store.  Do you know how it got in there?  Maybe to solve a problem some time in the past?
The permission is being inherited from the MAIL object above the Mailbox Store.  I never set it like that; it was just the default as far as I know (although it's possible one of the prior admins set it up?).  I'll remove the permission, wait for the security to refresh, and see if it works.  If it does, I'm going to wait a bit before accepting the answer in case I discover why that permission was placed there to begin with.

Thanks for the help!
Sure.  Make sure that everything to do with Exchange is still working, like Mailbox Access, Backups, Anti-Virus, Administration Tools, and any third-party Exchange apps you have.
Sorry, I did not check thoroughly enough.  It turns out it was not the Authenticated Users permission setting on the mailbox store, but rather Authenticated Users had full permissions on a specific user that I was testing with.  I did not try enough other accounts to test if the problem was universal.  The problem was only with a specific user.  I removed Authenticated users permissions on that person's specific mailbox in AD and the problem was solved.  Thanks for the help!
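The thread's two lessons are that a broad principal such as Authenticated Users with Full Control can arrive either by inheritance from a parent object (the MAIL server object above the store) or as an explicit entry on a single mailbox, and that checking one test account is not enough. The following is an added example, not code from the thread or from Exchange: a small Python model of that inheritance chain with a constructed hierarchy, which walks every object and reports where each over-broad Full Control entry originates.

```python
"""Toy audit of a constructed Exchange-style permission hierarchy (not real ESM data)."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Principals that effectively mean "every logged-on user" on the domain.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
FULL_CONTROL = "Full Control"


@dataclass
class Ace:
    principal: str
    right: str
    inheritable: bool = True  # whether child objects inherit this entry


@dataclass
class Node:
    name: str
    aces: List[Ace] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


def audit(node: Node, inherited=()) -> List[Tuple[str, str, str]]:
    """Return (object, principal, origin) for every broad principal holding
    Full Control on any object; origin is where the ACE is explicitly set."""
    findings = []
    effective = [(a, node.name) for a in node.aces] + list(inherited)
    for ace, origin in effective:
        if ace.principal in BROAD_PRINCIPALS and ace.right == FULL_CONTROL:
            findings.append((node.name, ace.principal, origin))
    passed_down = [(a, o) for a, o in effective if a.inheritable]
    for child in node.children:
        findings.extend(audit(child, passed_down))
    return findings


def build_sample(broad_on_server: bool = False) -> Node:
    """Constructed hierarchy: server object MAIL -> Mailbox Store -> mailboxes.
    user3 mirrors the thread's outcome: an explicit broad ACE on one mailbox."""
    user2 = Node("Mailbox user2", [Ace("user2", FULL_CONTROL)])
    user3 = Node("Mailbox user3", [Ace("user3", FULL_CONTROL),
                                   Ace("Authenticated Users", FULL_CONTROL)])
    store = Node("Mailbox Store", [Ace("Enterprise Admins", FULL_CONTROL)], [user2, user3])
    server_aces = [Ace("Domain Admins", FULL_CONTROL)]
    if broad_on_server:  # the store-level scenario first suspected in the thread
        server_aces.append(Ace("Authenticated Users", FULL_CONTROL))
    return Node("MAIL", server_aces, [store])


if __name__ == "__main__":
    for finding in audit(build_sample()):
        print("%s: %s has Full Control (set on %s)" % finding)
```

Running the per-mailbox scenario flags only user3, while `build_sample(broad_on_server=True)` flags every object in the tree with origin MAIL, which is the difference the asker had to tell apart.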