Solved

Outlook Webmail Security Exploit

Posted on 2009-04-01
8
1,111 Views
Last Modified: 2012-05-06
John goes to http://webmail.domain.com
John then authenticates with username and password (User Name: JohnD)
John is then redirected to http://webmail.domain.com/exchange
John has a crush on his coworker, Jane
John found out that he can type http://webmail.domain.com/exchange/JaneD to access Jane's Exchange mailbox on OWA.
John hates his boss, Walter
John found out that he can also type http://webmail.domain.com/exchange/WalterC to access Walter's Exchange mailbox on OWA too.
Being John is incharge of the Exchange/OWA webmail, this is a great concern for him.
John is afraid of a lawsuit and would like the help of E-E.
John puts 500 points down and steps back waiting for an answer.

Exchange Server 2003 hosted on own domain controller.  Server OS is Windows Server 2003 Std.

More can be provided!

Thanks in advance.
0
Comment
Question by:MrMintanet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 3

Expert Comment

by:nskurs
ID: 24046619
Normally by default no one except SELF can access their own mailbox.  

If John could access all the mailboxes just by typing the alias then his account must have Full Mailbox Access over the store, or they are a member of a custom group which has these permissions.

As I say, if you still can't do this with a generic administrative account, then there will be some permissions set up somewhere which will be allowing/denying this.

- Cheers!

0
 
LVL 5

Expert Comment

by:LinkNJ
ID: 24046803
I am more of a Small Business Server guy, but your scenario above is the same at a clients where the mailbox rights give the boss's username full mailbox access.  So if I log in as the boss, I can then change mailboxs right in the url exchange/user.  I have tested this on standard installations and it does not happen so I really think it is something do to with Mailbox rights.
Domain admins have full mailbox access so are you a member of the domain admins group?  If so, I think that is your answer.  If not, check the mailbox rights for your users and figure out what group you are a member of that has Full mailbox access allowed.
Good luck, Rob.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24048884
The behaviour you are seeing above is not normal.
The response above about domain admins having access to all mailboxes is also incorrect. By default Administrators and Domain Admins are blocked from having full mailbox access.
Therefore you need to find out how the permission is being granted.
There are two ways.

Full Mailbox Access
A combination of Send As/Receive As.

You will need to look a the permissions of a user to see what group has been granted those permissions. Send As/Receive As is set on the Security tab. If you cannot see the security tab in ADUC then choose View, Advanced Options and then look again.
If the permission is greyed out, then it is being inherited somewhere.

What usually happens is that the permission is granted to a group for some reason, and then that group is added to another group. It can also be done because people want to share calendars and do not realise the full implications of the permission setting.

Simon.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 5

Expert Comment

by:LinkNJ
ID: 24049529
Mestha/MrMintanet, my apologies for the poor wording (it was late here and I was ready for bed) in my example about domain admins but my answer remains the same, it is a user rights issue you need to hunt down.  It should have read "For instance, If Domain Admins..." as I have found some admins have changed this or some other groups permissions in the past, I do not.
By default, the deny column is ticked for enterprise admins as well as administrator and domain admins on a SBS install.  So my answer is still the same, as I believe Mestha reiterated in not so few words, it is a mailbox rights issue as I recreated your exact scenario by providing a user with full mailbox access in the mailbox rights.  Good luck, Rob.
0
 
LVL 8

Author Comment

by:MrMintanet
ID: 24049920
Link, thanks for clarifying.  I think I should clarify too.

All users have the ability to alter the URL to gain access to another user's acct.  Is it possible that simple mailbox folder permissions could be causing this to happen?

Mestha, I think you're definately on the right track, but the instructions are a tad cryptic for me.  Could you perhaps rephrase, if you don't mind?  Sorry about that.

Thanks to you both for the help.  The situation still remains a mystrey.  The main concern that I have is that with my present problem with the in-house spamming that I've posted in another question.  Thanks for the help!
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24052254
OWA is no different to Outlook. If you can open the mailbox in OWA then you should be able to open it in Outlook as well. (If you cannot, then the IIS configuration has been played around with in a way that I would recommend getting Microsoft or an experienced Exchange consultant involved in).

You need to find how the permission is being granted. I don't know what more I can say other than what I have posted above.

Simon.
0
 
LVL 5

Accepted Solution

by:
LinkNJ earned 500 total points
ID: 24052597
If you are looking for more specific instructions on how to change mailbox rights, perhaps the following article will help:
http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm
I hate providing links to outside sites but this one has some great screen shots, etc. that should help you along.  Good luck, Rob.
0
 
LVL 8

Author Closing Comment

by:MrMintanet
ID: 31565644
The link was the answer.  Thank you.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Large Outlook files lead to various unwanted errors and corruption issues. Furthermore, large outlook files can also make Outlook take longer to start-up, search, navigate, and shut-down. So, In this article, i will discuss a method to make your Out…
In this step by step procedure, you will come to know the details of creating an Outlook meeting in 2007, 2010, 2013 & 2016.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question