Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

OWA access to everyones INBOX 2

Status
Not open for further replies.
achilleus

achilleus

IS-IT--Management
Oct 3, 2001
351
US
Hi all...Just discovered a HUGE hole in my OWA security...It seems that if you log into OWA as yourself, you can then change the name in the address field to some other user and view ALL of their email!...What am I missing that gives everyone access to this?...Is it Exchange or ISS permision?

Any help would be great!...This is a pretty serious security hole...

Thanks! AJ
SA
HS
 
Sort by date Sort by votes
Also, if it matters, I have a front-end server for OWA access...So maybe its something on there... AJ
SA
HS
 
Upvote 0 Downvote
Are you logging on as a normal 'domain user' account or as your account with elevated permissions? [smurf]
01101000011000010110010001110011
 
Upvote 0 Downvote
This was reported by a user with normal (ie non admin) rights...I had someone else with domain user rights test it also, and once he logged in to OWA as himself, he could change to any inbox...So its not a admin right issue...

I really need to figure this out before word gets around the office that you can see other peoples email... AJ
SA
HS
 
Upvote 0 Downvote
Sounds like the permissions are messed up. Go to system manager and find the server in question under Administrative Groups. Right click the server name and choose properties. Select the Security tab. What permissions are set for everyone? Also, are there any groups in there that might contain user objects? What permissions are set for them (if any). Also, are the permissions showing as inherited (ie grayed out).
 
Upvote 0 Downvote
Can any user open any other users mailbox through Outlook or any other mail client other than OWA?

ChrisP ---------------------------------------
If someone's post was helpful to you, please click the box "Click here to mark this post as a helpful or expert post".
 
Upvote 0 Downvote
Eeeep...Yep...Even from Outlook you can open anyones Inbox...My permissions must be way off...I'll take a look at the permissions in system manager... AJ
SA
HS
 
Upvote 0 Downvote
If the Security tab isn't showing in SM, take a look at this...


XADM: Security Tab Not Available on All Objects in System Manager (Q259221)


I would imagine that the Security tab is already showing because it sounds like somebody has already gotten to it...


ChrisP ---------------------------------------
If someone's post was helpful to you, please click the box "Click here to mark this post as a helpful or expert post".
 
Upvote 0 Downvote
Ok...Here are the permisssions under the Exchange server security tab in the system manager:

Authenticated users: None
Domain Admins: Everything but send and recieve as
Everyone: Create Named Properties in the IS

Ok...Wait...the company group has Full Control...Everyone is a member of that one!...What control should that have?...

Am I missing someone?...Like authenticated users?... AJ
SA
HS
 
Upvote 0 Downvote
What is the "company group"? Is that Domain Users? ---------------------------------------
If someone's post was helpful to you, please click the box "Click here to mark this post as a helpful or expert post".
 
Upvote 0 Downvote
Yep...Just a group I created with everyone in it...Guess that would be the Domain Users... AJ
SA
HS
 
Upvote 0 Downvote
Just remove the group from the ACL. You don't need to grant everybody any kind of access to the entire Exchange server, unless there is a special requirement for it. The default permissions are okay, so you can remove this group.

ChrisP ---------------------------------------
If someone's post was helpful to you, please click the box "Click here to mark this post as a helpful or expert post".
 
Upvote 0 Downvote
Do you think I need to restart the IS service after removing that group? AJ
SA
HS
 
Upvote 0 Downvote
No, you don't have to. Remove it and let me know if it works. Did you add this group yourself? ---------------------------------------
If someone's post was helpful to you, please click the box "Click here to mark this post as a helpful or expert post".
 
Upvote 0 Downvote
Wait, was this group added here or is it being inherited from somewhere higher up?
 
Upvote 0 Downvote
It let me remove it, so I assume it was added there specifically...I removed it....Seemed to do the trick...Now when you try to open another users inbox it says "Unable to display the folder, the Inbox could not be found"...Then if I try it in OWA, it asks for the user name and password...

So seems to be ok now...

THANK YOU SO MUCH!!!!!!! AJ
SA
HS
 
Upvote 0 Downvote
I have the same problem, but for only 1 user in my own IT group. It only occurs in OWA. if I try to get into her mailbox from Outlook 2002, it says access denied. Thanks!! Rlee@ncdoi.net
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

microsGuy16
  • Locked
  • Question
Global Address List Names not showing in Outlook OWA 365
Replies
0
Views
2K
microsGuy16
microsGuy16
T
  • Locked
  • Question
How to use third party mail security gateway to scan internal/inter-domain mails in Exchange On-Premise?
Replies
3
Views
1K
DrB0b
DrB0b
PatrickRoggers
  • Locked
  • Helpful tip
Safest Way to Import PST file into Exchange Online
Replies
0
Views
1K
PatrickRoggers
PatrickRoggers
Satishkumar007
  • Locked
  • Question
Help needed to recover after complete site failure
Replies
0
Views
1K
Satishkumar007
Satishkumar007
ComputersUnlimited
  • Locked
  • Question
Migrating to Exchange 2019
Replies
0
Views
1K
ComputersUnlimited
ComputersUnlimited

Part and Inventory Search

Sponsor

Back
Top