Outlook Webmail Security Exploit

John goes to http://webmail.domain.com
John then authenticates with username and password (User Name: JohnD)
John is then redirected to http://webmail.domain.com/exchange
John has a crush on his coworker, Jane
John found out that he can type http://webmail.domain.com/exchange/JaneD to access Jane's Exchange mailbox on OWA.
John hates his boss, Walter
John found out that he can also type http://webmail.domain.com/exchange/WalterC to access Walter's Exchange mailbox on OWA too.
Being John is incharge of the Exchange/OWA webmail, this is a great concern for him.
John is afraid of a lawsuit and would like the help of E-E.
John puts 500 points down and steps back waiting for an answer.

Exchange Server 2003 hosted on own domain controller.  Server OS is Windows Server 2003 Std.

More can be provided!

Thanks in advance.
LVL 8
MrMintanetAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
LinkNJConnect With a Mentor Commented:
If you are looking for more specific instructions on how to change mailbox rights, perhaps the following article will help:
http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm
I hate providing links to outside sites but this one has some great screen shots, etc. that should help you along.  Good luck, Rob.
0
 
nskursCommented:
Normally by default no one except SELF can access their own mailbox.  

If John could access all the mailboxes just by typing the alias then his account must have Full Mailbox Access over the store, or they are a member of a custom group which has these permissions.

As I say, if you still can't do this with a generic administrative account, then there will be some permissions set up somewhere which will be allowing/denying this.

- Cheers!

0
 
LinkNJCommented:
I am more of a Small Business Server guy, but your scenario above is the same at a clients where the mailbox rights give the boss's username full mailbox access.  So if I log in as the boss, I can then change mailboxs right in the url exchange/user.  I have tested this on standard installations and it does not happen so I really think it is something do to with Mailbox rights.
Domain admins have full mailbox access so are you a member of the domain admins group?  If so, I think that is your answer.  If not, check the mailbox rights for your users and figure out what group you are a member of that has Full mailbox access allowed.
Good luck, Rob.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
MesthaCommented:
The behaviour you are seeing above is not normal.
The response above about domain admins having access to all mailboxes is also incorrect. By default Administrators and Domain Admins are blocked from having full mailbox access.
Therefore you need to find out how the permission is being granted.
There are two ways.

Full Mailbox Access
A combination of Send As/Receive As.

You will need to look a the permissions of a user to see what group has been granted those permissions. Send As/Receive As is set on the Security tab. If you cannot see the security tab in ADUC then choose View, Advanced Options and then look again.
If the permission is greyed out, then it is being inherited somewhere.

What usually happens is that the permission is granted to a group for some reason, and then that group is added to another group. It can also be done because people want to share calendars and do not realise the full implications of the permission setting.

Simon.
0
 
LinkNJCommented:
Mestha/MrMintanet, my apologies for the poor wording (it was late here and I was ready for bed) in my example about domain admins but my answer remains the same, it is a user rights issue you need to hunt down.  It should have read "For instance, If Domain Admins..." as I have found some admins have changed this or some other groups permissions in the past, I do not.
By default, the deny column is ticked for enterprise admins as well as administrator and domain admins on a SBS install.  So my answer is still the same, as I believe Mestha reiterated in not so few words, it is a mailbox rights issue as I recreated your exact scenario by providing a user with full mailbox access in the mailbox rights.  Good luck, Rob.
0
 
MrMintanetAuthor Commented:
Link, thanks for clarifying.  I think I should clarify too.

All users have the ability to alter the URL to gain access to another user's acct.  Is it possible that simple mailbox folder permissions could be causing this to happen?

Mestha, I think you're definately on the right track, but the instructions are a tad cryptic for me.  Could you perhaps rephrase, if you don't mind?  Sorry about that.

Thanks to you both for the help.  The situation still remains a mystrey.  The main concern that I have is that with my present problem with the in-house spamming that I've posted in another question.  Thanks for the help!
0
 
MesthaCommented:
OWA is no different to Outlook. If you can open the mailbox in OWA then you should be able to open it in Outlook as well. (If you cannot, then the IIS configuration has been played around with in a way that I would recommend getting Microsoft or an experienced Exchange consultant involved in).

You need to find how the permission is being granted. I don't know what more I can say other than what I have posted above.

Simon.
0
 
MrMintanetAuthor Commented:
The link was the answer.  Thank you.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.