Outlook Webmail Security Exploit

Posted on 2009-04-01
Last Modified: 2012-05-06
John goes to http://webmail.domain.com
John then authenticates with username and password (User Name: JohnD)
John is then redirected to http://webmail.domain.com/exchange
John has a crush on his coworker, Jane
John found out that he can type http://webmail.domain.com/exchange/JaneD to access Jane's Exchange mailbox on OWA.
John hates his boss, Walter
John found out that he can also type http://webmail.domain.com/exchange/WalterC to access Walter's Exchange mailbox on OWA too.
As John is in charge of the Exchange/OWA webmail, this is a great concern for him.
John is afraid of a lawsuit and would like the help of E-E.
John puts 500 points down and steps back waiting for an answer.

Exchange Server 2003 hosted on own domain controller.  Server OS is Windows Server 2003 Std.

More can be provided!

Thanks in advance.
Question by:MrMintanet
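Added example, not code from the thread: a small Python script that scans constructed IIS W3C log lines for the exact pattern John describes (a user authenticated as one alias requesting /exchange/<another alias>) and reports which account could open which mailbox; the log layout, account names and the optional set of intended delegations are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample of an IIS 6 W3C log as the OWA virtual server would write it (assumed layout).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2009-04-01 09:12:03 GET /exchange/JohnD/Inbox/ DOMAIN\\JohnD 10.0.0.15 200
2009-04-01 09:14:21 GET /exchange/JaneD/Inbox/ DOMAIN\\JohnD 10.0.0.15 200
2009-04-01 09:15:02 GET /exchange/WalterC/Calendar/ DOMAIN\\JohnD 10.0.0.15 200
2009-04-01 09:16:40 GET /exchange/WalterC/Inbox/ DOMAIN\\WalterC 10.0.0.22 200
2009-04-01 09:17:05 GET /exchange/JaneD/Inbox/ DOMAIN\\JohnD 10.0.0.15 401
2009-04-01 09:18:11 GET /exchweb/img/logo.gif - 10.0.0.15 200
"""

# First path segment after /exchange/ is the mailbox alias being opened.
MAILBOX_RE = re.compile(r"^/exchange/([^/]+)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def cross_mailbox_access(text, expected=frozenset(), success_only=True):
    """Return (user, mailbox) pairs where an authenticated user opened a mailbox
    other than their own. `expected` holds lower-cased (user, mailbox) pairs for
    delegation that is intended (e.g. shared calendars) and should not be flagged.
    With success_only=True only 2xx responses count, i.e. the store allowed it."""
    hits = []
    for rec in parse_w3c(text):
        m = MAILBOX_RE.match(unquote(rec.get("cs-uri-stem", "")))
        user = rec.get("cs-username", "-")
        if not m or user == "-":
            continue                      # anonymous hit or not a mailbox URL
        if success_only and not rec.get("sc-status", "").startswith("2"):
            continue                      # 401/403 means the store refused it
        alias, box = user.split("\\")[-1], m.group(1)
        if alias.lower() != box.lower() and (alias.lower(), box.lower()) not in expected:
            hits.append((alias, box))
    return hits


if __name__ == "__main__":
    for user, box in cross_mailbox_access(SAMPLE_LOG):
        print(f"{user} opened {box}'s mailbox")
```

A 2xx on such a request confirms that a permission grant is in effect for that pair, while a 401 shows the store refusing it; the list is a starting point for the mailbox-rights review, since intended delegation also appears in it.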
8 Comments
Expert Comment by: nskurs (LVL 3)
Normally by default no one except SELF can access their own mailbox.  

If John could access all the mailboxes just by typing the alias then his account must have Full Mailbox Access over the store, or they are a member of a custom group which has these permissions.

As I say, if you still can't do this with a generic administrative account, then there will be some permissions set up somewhere which will be allowing/denying this.

- Cheers!

Expert Comment by: LinkNJ (LVL 5)
I am more of a Small Business Server guy, but your scenario above is the same at a client's where the mailbox rights give the boss's username full mailbox access.  So if I log in as the boss, I can then change mailboxes right in the URL exchange/user.  I have tested this on standard installations and it does not happen, so I really think it is something to do with Mailbox rights.
Domain admins have full mailbox access so are you a member of the domain admins group?  If so, I think that is your answer.  If not, check the mailbox rights for your users and figure out what group you are a member of that has Full mailbox access allowed.
Good luck, Rob.
Expert Comment by: Mestha (LVL 65)
The behaviour you are seeing above is not normal.
The response above about domain admins having access to all mailboxes is also incorrect. By default Administrators and Domain Admins are blocked from having full mailbox access.
Therefore you need to find out how the permission is being granted.
There are two ways.

Full Mailbox Access
A combination of Send As/Receive As.

You will need to look at the permissions of a user to see what group has been granted those permissions. Send As/Receive As is set on the Security tab. If you cannot see the Security tab in ADUC then choose View, Advanced Options and then look again.
If the permission is greyed out, then it is being inherited somewhere.

What usually happens is that the permission is granted to a group for some reason, and then that group is added to another group. It can also be done because people want to share calendars and do not realise the full implications of the permission setting.

Simon.
Expert Comment by: LinkNJ (LVL 5)
Mestha/MrMintanet, my apologies for the poor wording (it was late here and I was ready for bed) in my example about domain admins but my answer remains the same, it is a user rights issue you need to hunt down.  It should have read "For instance, If Domain Admins..." as I have found some admins have changed this or some other groups permissions in the past, I do not.
By default, the deny column is ticked for enterprise admins as well as administrator and domain admins on a SBS install.  So my answer is still the same, as I believe Mestha reiterated in not so few words, it is a mailbox rights issue as I recreated your exact scenario by providing a user with full mailbox access in the mailbox rights.  Good luck, Rob.
Author Comment by: MrMintanet (LVL 8)
Link, thanks for clarifying.  I think I should clarify too.

All users have the ability to alter the URL to gain access to another user's acct.  Is it possible that simple mailbox folder permissions could be causing this to happen?

Mestha, I think you're definitely on the right track, but the instructions are a tad cryptic for me.  Could you perhaps rephrase, if you don't mind?  Sorry about that.

Thanks to you both for the help.  The situation still remains a mystery.  The main concern that I have is that with my present problem with the in-house spamming that I've posted in another question.  Thanks for the help!
Expert Comment by: Mestha (LVL 65)
OWA is no different to Outlook. If you can open the mailbox in OWA then you should be able to open it in Outlook as well. (If you cannot, then the IIS configuration has been played around with in a way that I would recommend getting Microsoft or an experienced Exchange consultant involved in).

You need to find how the permission is being granted. I don't know what more I can say other than what I have posted above.

Simon.
Accepted Solution by: LinkNJ (LVL 5), earned 500 total points
If you are looking for more specific instructions on how to change mailbox rights, perhaps the following article will help:
http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm
I hate providing links to outside sites but this one has some great screen shots, etc. that should help you along.  Good luck, Rob.
Author Closing Comment by: MrMintanet (LVL 8)
The link was the answer.  Thank you.