Not an OWA thing I don't believe. Bet they can do the same from Outlook..file open other users folder. Somewhere along the line someone gave 'everyone' control over the mailboxes. Or a group with odd perms on all the mailboxes....Time to go into Exchange Manger and review mailbox/sever/store perms.
From: Ed Stahr [mailto:est...@pinksneakers.net] Sent: Tuesday, May 19, 2009 11:40 AM To: MS-Exchange Admin Issues Subject: OWA security config problem I have OWA running (Exchange 2003 on Server 2003R2) and everything seems to be working, but I have one big security hole that I am sure is caused by an incorrect setting on my part. Once users authenticate into their account, they can access any other account they wish by changing the URL. Example: You authenticate to this address for OWA: https://exch.mydomain.com/ You then go into your mailbox at: https://exch.mydomain.com/exchange if you add anyone elses username to the end of that URL, you can see their email account, example: https://exch.mydomain.com/exchange/bsmith would show you bsmith's account. I am sure this is something very basic I am missing. Thanks, Ed ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja ~