Outlook Webmail Security Exploit

Posted on 2009-04-01
Last Modified: 2012-05-06
John goes to http://webmail.domain.com
John then authenticates with username and password (User Name: JohnD)
John is then redirected to http://webmail.domain.com/exchange
John has a crush on his coworker, Jane
John found out that he can type http://webmail.domain.com/exchange/JaneD to access Jane's Exchange mailbox on OWA.
John hates his boss, Walter
John found out that he can also type http://webmail.domain.com/exchange/WalterC to access Walter's Exchange mailbox on OWA too.
Since John is in charge of the Exchange/OWA webmail, this is a great concern for him.
John is afraid of a lawsuit and would like the help of E-E.
John puts 500 points down and steps back waiting for an answer.

Exchange Server 2003 hosted on own domain controller.  Server OS is Windows Server 2003 Std.

More can be provided!

Thanks in advance.
Question by:MrMintanet

Expert Comment

by:nskurs
ID: 24046619
Normally by default no one except SELF can access their own mailbox.  

If John could access all the mailboxes just by typing the alias then his account must have Full Mailbox Access over the store, or they are a member of a custom group which has these permissions.

As I say, if you still can't do this with a generic administrative account, then there will be some permissions set up somewhere which will be allowing/denying this.

- Cheers!

Expert Comment

by:LinkNJ
ID: 24046803
I am more of a Small Business Server guy, but your scenario above is the same at a client's where the mailbox rights give the boss's username full mailbox access.  So if I log in as the boss, I can then change mailboxes right in the URL exchange/user.  I have tested this on standard installations and it does not happen, so I really think it is something to do with mailbox rights.
Domain admins have full mailbox access so are you a member of the domain admins group?  If so, I think that is your answer.  If not, check the mailbox rights for your users and figure out what group you are a member of that has Full mailbox access allowed.
Good luck, Rob.
Expert Comment

by:Mestha
ID: 24048884
The behaviour you are seeing above is not normal.
The response above about domain admins having access to all mailboxes is also incorrect. By default Administrators and Domain Admins are blocked from having full mailbox access.
Therefore you need to find out how the permission is being granted.
There are two ways.

Full Mailbox Access
A combination of Send As/Receive As.

You will need to look at the permissions of a user to see what group has been granted those permissions. Send As/Receive As is set on the Security tab. If you cannot see the Security tab in ADUC then choose View, Advanced Options and then look again.
If the permission is greyed out, then it is being inherited somewhere.

What usually happens is that the permission is granted to a group for some reason, and then that group is added to another group. It can also be done because people want to share calendars and do not realise the full implications of the permission setting.

Simon.
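
An added audit script (not from the thread or the linked article) that lists who holds Send-As or Receive-As on each mailbox-enabled user and on each mailbox store, the two places Simon says to look, and flags whether each entry is inherited (the greyed-out case). It assumes PowerShell 2.0 on the Windows Server 2003 domain with Exchange 2003, run as a user who can read the objects' security descriptors; Full Mailbox Access (the Mailbox Rights dialog in ADUC) is not covered here and stays a manual check.

```powershell
# Added audit script, not code from the thread. Assumes PowerShell 2.0 on a Windows
# Server 2003 domain with Exchange 2003, run as a user who can read security descriptors.
# The two GUIDs are the published Active Directory extended rights Send-As and Receive-As.
$SendAs    = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$ReceiveAs = [Guid]'ab721a56-1e2f-11d0-9819-00aa0040529b'
$rootDse   = [ADSI]'LDAP://RootDSE'

function Get-ExchangeAccessAces {
    param([string]$SearchBase, [string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $SearchBase)
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500
    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        # ObjectSecurity is the object's AD security descriptor; inherited ACEs are included
        # because an inherited ACE is exactly the "greyed out" case described above.
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if     ($ace.ObjectType -eq $SendAs)    { $right = 'Send-As' }
            elseif ($ace.ObjectType -eq $ReceiveAs) { $right = 'Receive-As' }
            else   { continue }
            # Resolve the SID to DOMAIN\name where possible; orphaned SIDs stay as SIDs.
            $trustee = $ace.IdentityReference
            try { $trustee = $trustee.Translate([System.Security.Principal.NTAccount]) } catch { }
            New-Object PSObject -Property @{
                Object    = $entry.psbase.Properties['distinguishedName'][0]
                Trustee   = $trustee.Value
                Right     = $right
                Type      = $ace.AccessControlType   # Allow or Deny
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 1. Mailbox-enabled users: an Allow Receive-As here opens that one mailbox.
$users  = Get-ExchangeAccessAces -SearchBase $rootDse.defaultNamingContext `
              -Filter '(&(objectCategory=person)(objectClass=user)(homeMDB=*))'
# 2. Mailbox stores (Configuration partition): an Allow Receive-As here opens every mailbox in the store.
$stores = Get-ExchangeAccessAces -SearchBase $rootDse.configurationNamingContext `
              -Filter '(objectClass=msExchPrivateMDB)'

# The default Deny entries for Domain Admins / Enterprise Admins are expected; any other
# trustee with an Allow, especially an inherited one or one on a store, is the lead to chase.
@($users) + @($stores) | Where-Object { $_.Type -eq 'Allow' } |
    Sort-Object Object, Trustee | Format-Table Object, Trustee, Right, Inherited -AutoSize
```
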
Expert Comment

by:LinkNJ
ID: 24049529
Mestha/MrMintanet, my apologies for the poor wording (it was late here and I was ready for bed) in my example about domain admins but my answer remains the same, it is a user rights issue you need to hunt down.  It should have read "For instance, If Domain Admins..." as I have found some admins have changed this or some other groups permissions in the past, I do not.
By default, the deny column is ticked for enterprise admins as well as administrator and domain admins on a SBS install.  So my answer is still the same, as I believe Mestha reiterated in not so few words, it is a mailbox rights issue as I recreated your exact scenario by providing a user with full mailbox access in the mailbox rights.  Good luck, Rob.
Author Comment

by:MrMintanet
ID: 24049920
Link, thanks for clarifying.  I think I should clarify too.

All users have the ability to alter the URL to gain access to another user's acct.  Is it possible that simple mailbox folder permissions could be causing this to happen?

Mestha, I think you're definitely on the right track, but the instructions are a tad cryptic for me.  Could you perhaps rephrase, if you don't mind?  Sorry about that.

Thanks to you both for the help.  The situation still remains a mystery.  The main concern that I have is that with my present problem with the in-house spamming that I've posted in another question.  Thanks for the help!
Expert Comment

by:Mestha
ID: 24052254
OWA is no different to Outlook. If you can open the mailbox in OWA then you should be able to open it in Outlook as well. (If you cannot, then the IIS configuration has been played around with in a way that I would recommend getting Microsoft or an experienced Exchange consultant involved in).

You need to find how the permission is being granted. I don't know what more I can say other than what I have posted above.

Simon.
Accepted Solution

by:LinkNJ (earned 500 total points)
ID: 24052597
If you are looking for more specific instructions on how to change mailbox rights, perhaps the following article will help:
http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm
I hate providing links to outside sites but this one has some great screen shots, etc. that should help you along.  Good luck, Rob.
Author Closing Comment

by:MrMintanet
ID: 31565644
The link was the answer.  Thank you.