Exchange 2007 Permissions - All users can open anyone's mailbox in Outlook

Hello,

We are experiencing an issue at a client's site whereby any one user is able to open another user's mailbox using the Add mailbox option under account settings.

This obviously poses a bit of a security risk.

I'm pretty sure the issue is likely to be permissions related but I cannot for the life of me find a permission setting that is causing the issue. (I've used ADSIEDIT and gone through the organisation structure).

Any pointers welcome!
utilize asked:
Will Szymkowski, Senior Solution Architect, commented:
In Exchange Management Console is there a group like domain users associated with Full Mailbox Access?

From the domain root in the AD environment does "domain users" have Full Access / inheritance over the domain? It is most likely an inheritance issue. I would start there first.

Select a single user in Active Directory and check the Security tab > Advanced Security. From there click the Edit button and see what groups/users have been granted full access.

Once you have found this out go to the OU level of that user and see if it has been inherited. Then go to the root of the domain and check the settings again.

Will.
Simon Butler (Sembee), Consultant, commented:
There are only two permissions that grant this - Full Mailbox and Receive As.
Look for who has Full Mailbox as outlined above. You will need to look at Receive As through ADUC.
I expect it will be a group, probably a regular group, which has the permissions. Domain Admins would require a lot of permission undoing (not that it cannot be done).

Simon.
utilize (author) commented:
If I look at a user whose mailbox I can open, from a standard user, there are no non-standard permissions that I can see. The only groups with Full Access / Receive As are as follows:

FULL  & RECEIVE:
SYSTEM
DOMAIN ADMINS
ENTERPRISE ADMINS (INHERITED)
ACCOUNT OPERATORS

The account I'm logging into to open the mailbox is not a member of any of the above groups.

Full Mailbox Access is not set through EMC for the user. (This is done on an individual basis, right?)

Simon Butler (Sembee), Consultant, commented:
Full Mailbox is usually set on an individual basis, but on this version of Exchange it can also be set at a database and server level.
You have to look in various locations for the permissions.

For example, if you wanted to give an account Receive As, at the server level, you would run this command:

Get-MailboxServer | Add-ADPermission -User "Account" -AccessRights ExtendedRight -ExtendedRights Receive-As

Before you can remove the permission though you need to establish what group has it.

Simon.
utilize (author) commented:
I have run through a bunch of the commands found here:

http://blogs.msdn.com/b/deva/archive/2012/04/16/exchange-server-2007-2010-how-to-query-user-mailboxes-its-permissions-using-exchange-powershell.aspx

Against the mailbox database/server and individual users.

There are no groups out of the ordinary that have receive-as or fullaccess for a user whose mailbox can be opened by anyone.
Simon Butler (Sembee), Consultant, commented:
The two permissions I have outlined are the only way that the permission is granted, you just need to establish where and to what group.

It may mean that you have to take a user who can open any mailbox and start removing group membership until the problem goes away. The problem with doing that is that Exchange caches permissions for two hours, so a change isn't effective immediately.

The permission is there somewhere, and if it applies to all users then it has to be a group that everyone is a member of, or has been granted to Everyone or similar.

Don't just look at the mailbox for the permission, you also need to look at the databases and the server.

Simon.
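The three places Simon says to look (server, database, mailbox) can be swept in one pass from the Exchange 2007 Management Shell. The script below is an added example for this thread, not code posted by Simon or the asker: it lists every non-Deny Receive-As grant on the mailbox servers and databases and every Full Access grant on the mailboxes, then flags any grantee that is not one of the holders the asker already reported. The "expected" and "broad" group names are assumptions and should be adjusted to the domain in question; the script only reads, and the removal command is left commented out.

```powershell
# Added example (not from the thread). Audit Receive-As at server and database
# level and Full Access at mailbox level, reporting grantees that are not on the
# expected list. Grants to broad, everyone-style principals are flagged as BROAD,
# since those are the ones that would explain "every user can open every mailbox".
# Run in the Exchange 2007 Management Shell (Exchange View-Only Administrator or better).

# Assumed to be legitimate holders (the groups the asker saw plus the Exchange
# built-ins). Matched on the name after the backslash so the NetBIOS domain
# name does not matter. Edit to match your environment.
$expectedHolders = @('SELF', 'SYSTEM', 'Domain Admins', 'Enterprise Admins', 'Account Operators',
                     'Exchange Servers', 'Exchange Organization Administrators',
                     'Exchange Recipient Administrators', 'Exchange View-Only Administrators')

# Assumed broad principals: a grant to any of these is almost certainly the culprit.
$broadHolders = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

function Get-GranteeName ([string]$User) {
    # "CONTOSO\Domain Users" -> "Domain Users"; "NT AUTHORITY\SELF" -> "SELF"
    return ($User -split '\\')[-1]
}

function Get-GranteeClass ([string]$User) {
    $name = Get-GranteeName $User
    if ($broadHolders -contains $name)    { return 'BROAD' }
    if ($expectedHolders -contains $name) { return 'expected' }
    return 'unexpected'
}

function New-Finding ($Level, $Object, $Ace, $Right) {
    New-Object PSObject -Property @{
        Class     = Get-GranteeClass $Ace.User
        Level     = $Level
        Object    = $Object
        Grantee   = [string]$Ace.User
        Right     = $Right
        Inherited = $Ace.IsInherited
    }
}

$findings = @()

# 1. Server level: Receive-As here applies to every mailbox on the server.
foreach ($server in Get-MailboxServer) {
    Get-ADPermission -Identity $server.Identity |
        Where-Object { -not $_.Deny -and ([string]$_.ExtendedRights -match 'Receive-As') } |
        ForEach-Object { $findings += New-Finding 'Server' $server.Name $_ 'Receive-As' }
}

# 2. Database level: same right, scoped to every mailbox in the database.
foreach ($db in Get-MailboxDatabase) {
    Get-ADPermission -Identity $db.Identity |
        Where-Object { -not $_.Deny -and ([string]$_.ExtendedRights -match 'Receive-As') } |
        ForEach-Object { $findings += New-Finding 'Database' $db.Name $_ 'Receive-As' }
}

# 3. Mailbox level: Full Access (what EMC's "Manage Full Access Permission" sets).
#    Inherited entries here point back up to a database or server grant.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.Deny -and ([string]$_.AccessRights -match 'FullAccess') } |
        ForEach-Object { $findings += New-Finding 'Mailbox' $mbx.Alias $_ 'FullAccess' }
}

# BROAD first, then unexpected, then the expected holders for reference.
$order = @{ 'BROAD' = 0; 'unexpected' = 1; 'expected' = 2 }
$findings |
    Sort-Object @{ Expression = { $order[$_.Class] } }, Level, Object, Grantee |
    Format-Table Class, Level, Object, Grantee, Right, Inherited -AutoSize

# Once the offending grant is located, the mirror of Simon's Add-ADPermission
# one-liner removes a server-level Receive-As (uncomment and substitute the group):
#   Get-MailboxServer | Remove-ADPermission -User "DOMAIN\Group" -AccessRights ExtendedRight -ExtendedRights Receive-As
# Allow for the two-hour permission cache Simon mentions before re-testing in Outlook.
```

Read the output top-down: a BROAD row at Server or Database level with Inherited = False is the single entry to remove; a BROAD row that only appears at Mailbox level with Inherited = True means the grant lives on the parent database or server, not on the mailbox itself.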