OWA security config problem

2009-05-19 Thread Ed Stahr
I have OWA running (Exchange 2003 on Server 2003R2) and everything seems
to be working, but I have one big security hole that I am sure is caused
by an incorrect setting on my part.

Once users authenticate into their account, they can access any other
account they wish by changing the URL.

Example:

You authenticate to this address for OWA:

https://exch.mydomain.com/

You then go into your mailbox at:

https://exch.mydomain.com/exchange

If you add anyone else's username to the end of that URL, you can see
their email account, example:

https://exch.mydomain.com/exchange/bsmith

would show you bsmith's account.

I am sure this is something very basic I am missing.

Thanks,

Ed


~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja~

RE: OWA security config problem

2009-05-19 Thread Kennedy, Jim
Not an OWA thing, I don't believe. Bet they can do the same from Outlook... File,
Open, Other User's Folder. Somewhere along the line someone gave 'everyone'
control over the mailboxes. Or a group with odd perms on all the
mailboxes. Time to go into Exchange Manager and review mailbox/server/store
perms.




RE: OWA security config problem

2009-05-19 Thread Ed Stahr
Are these the permissions in AdminGroup\Server\Servername and the
mailbox store?

Both show Authenticated Users have permissions to Read, Execute, Delete,
and Read Permissions.

Also, in AD, Authenticated Users are shown to have full mailbox access.

Any help in changing these settings would be greatly appreciated.

Thanks,
Ed

 

ED STAHR, INFRASTRUCTURE MANAGER
PINK SNEAKERS PRODUCTIONS
1000 COLOUR PLACE APOPKA FLORIDA 32703
P: 407.464.2088 F: 407.464.2081
www.pinksneakers.net
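
Added example, not part of the thread: while the mailbox permissions are being reviewed, the IIS W3C logs on the OWA server can show whether the `/exchange/<username>` path described above has already been used to open other people's mailboxes. The sketch below assumes that `cs-username` and `cs-uri-stem` are enabled in the log's `#Fields` line and that the mailbox name in the URL matches the logon name; the log lines and the `delegates` allow-list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed IIS 6 W3C sample (not from the thread); columns follow the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2009-05-19 15:40:01 GET /exchange/estahr/Inbox/ MYDOMAIN\\estahr 10.0.0.21 200
2009-05-19 15:40:09 GET /exchange/bsmith/Inbox/ MYDOMAIN\\estahr 10.0.0.21 200
2009-05-19 15:41:30 PROPFIND /exchange/BSmith/Calendar/ mydomain\\bsmith 10.0.0.35 207
2009-05-19 15:42:02 GET /exchange/jdoe/ MYDOMAIN\\estahr 10.0.0.21 401
2009-05-19 15:42:10 GET /exchange/jdoe/ - 10.0.0.50 401
2009-05-19 15:43:00 GET /exchweb/img/logo.gif MYDOMAIN\\estahr 10.0.0.21 200
"""

MAILBOX_RE = re.compile(r"^/exchange/([^/]+)", re.IGNORECASE)

def normalise(name):
    """Reduce DOMAIN\\user, user@domain or a bare alias to a lower-case short name."""
    name = name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()

def cross_mailbox_hits(log_text, delegates=None):
    """Return {user: sorted mailboxes of other users that were opened with a 2xx status}."""
    delegates = delegates or {}          # hypothetical allow-list: user -> approved mailboxes
    fields, hits = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):  # the column layout can change mid-file
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        match = MAILBOX_RE.match(row.get("cs-uri-stem", ""))
        user = row.get("cs-username", "-")
        if not match or user == "-":     # not a mailbox URL, or an anonymous request
            continue
        if not row.get("sc-status", "").startswith("2"):
            continue                     # denied or failed requests exposed nothing
        user, mailbox = normalise(user), normalise(match.group(1))
        if mailbox != user and mailbox not in delegates.get(user, ()):
            hits[user].add(mailbox)
    return {u: sorted(boxes) for u, boxes in hits.items()}

if __name__ == "__main__":
    for user, boxes in cross_mailbox_hits(SAMPLE_LOG).items():
        print(f"{user} opened other mailboxes: {', '.join(boxes)}")
```

Once Authenticated Users no longer has full mailbox access, the same requests should show up with a denied status instead of 200 or 207, so rerunning the check on newer logs confirms the fix.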

 
