• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1152
  • Last Modified:

Outlook Webmail Security Exploit

John goes to http://webmail.domain.com
John then authenticates with username and password (User Name: JohnD)
John is then redirected to http://webmail.domain.com/exchange
John has a crush on his coworker, Jane
John found out that he can type http://webmail.domain.com/exchange/JaneD to access Jane's Exchange mailbox on OWA.
John hates his boss, Walter
John found out that he can also type http://webmail.domain.com/exchange/WalterC to access Walter's Exchange mailbox on OWA too.
Being John is incharge of the Exchange/OWA webmail, this is a great concern for him.
John is afraid of a lawsuit and would like the help of E-E.
John puts 500 points down and steps back waiting for an answer.

Exchange Server 2003 hosted on own domain controller.  Server OS is Windows Server 2003 Std.

More can be provided!

Thanks in advance.
0
MrMintanet
Asked:
MrMintanet
  • 3
  • 2
  • 2
  • +1
1 Solution
 
nskursCommented:
Normally by default no one except SELF can access their own mailbox.  

If John could access all the mailboxes just by typing the alias then his account must have Full Mailbox Access over the store, or they are a member of a custom group which has these permissions.

As I say, if you still can't do this with a generic administrative account, then there will be some permissions set up somewhere which will be allowing/denying this.

- Cheers!

0
 
LinkNJCommented:
I am more of a Small Business Server guy, but your scenario above is the same at a clients where the mailbox rights give the boss's username full mailbox access.  So if I log in as the boss, I can then change mailboxs right in the url exchange/user.  I have tested this on standard installations and it does not happen so I really think it is something do to with Mailbox rights.
Domain admins have full mailbox access so are you a member of the domain admins group?  If so, I think that is your answer.  If not, check the mailbox rights for your users and figure out what group you are a member of that has Full mailbox access allowed.
Good luck, Rob.
0
 
MesthaCommented:
The behaviour you are seeing above is not normal.
The response above about domain admins having access to all mailboxes is also incorrect. By default Administrators and Domain Admins are blocked from having full mailbox access.
Therefore you need to find out how the permission is being granted.
There are two ways.

Full Mailbox Access
A combination of Send As/Receive As.

You will need to look a the permissions of a user to see what group has been granted those permissions. Send As/Receive As is set on the Security tab. If you cannot see the security tab in ADUC then choose View, Advanced Options and then look again.
If the permission is greyed out, then it is being inherited somewhere.

What usually happens is that the permission is granted to a group for some reason, and then that group is added to another group. It can also be done because people want to share calendars and do not realise the full implications of the permission setting.

Simon.
0
Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

 
LinkNJCommented:
Mestha/MrMintanet, my apologies for the poor wording (it was late here and I was ready for bed) in my example about domain admins but my answer remains the same, it is a user rights issue you need to hunt down.  It should have read "For instance, If Domain Admins..." as I have found some admins have changed this or some other groups permissions in the past, I do not.
By default, the deny column is ticked for enterprise admins as well as administrator and domain admins on a SBS install.  So my answer is still the same, as I believe Mestha reiterated in not so few words, it is a mailbox rights issue as I recreated your exact scenario by providing a user with full mailbox access in the mailbox rights.  Good luck, Rob.
0
 
MrMintanetAuthor Commented:
Link, thanks for clarifying.  I think I should clarify too.

All users have the ability to alter the URL to gain access to another user's acct.  Is it possible that simple mailbox folder permissions could be causing this to happen?

Mestha, I think you're definately on the right track, but the instructions are a tad cryptic for me.  Could you perhaps rephrase, if you don't mind?  Sorry about that.

Thanks to you both for the help.  The situation still remains a mystrey.  The main concern that I have is that with my present problem with the in-house spamming that I've posted in another question.  Thanks for the help!
0
 
MesthaCommented:
OWA is no different to Outlook. If you can open the mailbox in OWA then you should be able to open it in Outlook as well. (If you cannot, then the IIS configuration has been played around with in a way that I would recommend getting Microsoft or an experienced Exchange consultant involved in).

You need to find how the permission is being granted. I don't know what more I can say other than what I have posted above.

Simon.
0
 
LinkNJCommented:
If you are looking for more specific instructions on how to change mailbox rights, perhaps the following article will help:
http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm
I hate providing links to outside sites but this one has some great screen shots, etc. that should help you along.  Good luck, Rob.
0
 
MrMintanetAuthor Commented:
The link was the answer.  Thank you.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now