Wide open permissions on exchange 2003


AndyTC@community.nospam

Hello,

I have recently taken over an Exchange 2003 environment. There have been
some security concerns about who can access whose mailbox.

I ran the Exchange delegate wizard and removed all user accounts, and
then added Enterprise Admins at the root.

Now here is what I have found - ANY user, plain Jane user, can open up
ANYONE'S e-mail box from Outlook (going to Advanced, Add mailbox).
They are able to read the e-mail without any problems.

Where is this permission coming from???

I used the ADModify tool and did a permissions dump - these two
permissions stuck out at me:

LDAP://CN=Aaron Jones,OU=IE,DC=hq,DC=***,DC=com
NT AUTHORITY\ANONYMOUS LOGON ACE_MB_READ_PERMISSIONS|Allowed
NT AUTHORITY\SELF ACE_MB_FULL_ACCESS|Allowed ACE_MB_READ_PERMISSIONS|Allowed

LDAP://CN=Aaron Jones,OU=IE,DC=hq,DC=***,DC=com
Everyone ACE_MB_READ_PERMISSIONS|Allowed
NT AUTHORITY\SELF ACE_MB_FULL_ACCESS|Allowed ACE_MB_READ_PERMISSIONS|Allowed
 

Susan

Sounds like inappropriate permissions may have been granted to the
"Everyone" group...?

Susan Conkey [MVP]

<AndyTC@community.nospam> wrote in message
news:umq4rKVCKHA.4004@TK2MSFTNGP05.phx.gbl...
> Hello,
>
> I have recently taken over an Exchange 2003 environment. There have been
> some security concerns about who can access whose mailbox.
>
> I ran the Exchange delegate wizard and removed all user accounts, and then
> added Enterprise Admins at the root.
>
> Now here is what I have found - ANY user, plain Jane user, can open up
> ANYONE'S e-mail box from Outlook (going to Advanced, Add mailbox).
>
> They are able to read the e-mail without any problems.
>
> Where is this permission coming from???
>
> I used the ADModify tool and did a permissions dump - these two
> permissions stuck out at me:
>
> LDAP://CN=Aaron Jones,OU=IE,DC=hq,DC=***,DC=com NT AUTHORITY\ANONYMOUS
> LOGON ACE_MB_READ_PERMISSIONS|Allowed NT AUTHORITY\SELF
> ACE_MB_FULL_ACCESS|Allowed ACE_MB_READ_PERMISSIONS|Allowed
>
> LDAP://CN=Aaron Jones,OU=IE,DC=hq,DC=***,DC=com Everyone
> ACE_MB_READ_PERMISSIONS|Allowed NT AUTHORITY\SELF
> ACE_MB_FULL_ACCESS|Allowed ACE_MB_READ_PERMISSIONS|Allowed
 

AndyTC@community.nospam

Susan wrote:
> Sounds like inappropriate permissions may have been granted to the
> "Everyone" group...?
>

Where?

When I go to the security settings for the mail server, in the Exchange
System Manager, Everyone is shown there, but as inherited, so it will
not let me remove them. So where is it inheriting from?
 

Susan

You'll have to work your way up...try looking at permissions on the Exchange
Organization...

Susan Conkey [MVP]

<AndyTC@community.nospam> wrote in message
news:OAkxpeVCKHA.3708@TK2MSFTNGP02.phx.gbl...
> Susan wrote:
> > Sounds like inappropriate permissions may have been granted to the
> > "Everyone" group...?
> >
>
> Where?
>
> When I go to the security settings for the mail server, in the Exchange
> System Manager, Everyone is shown there, but as inherited, so it will not
> let me remove them. So where is it inheriting from?
 

AndyTC@community.nospam

Susan wrote:
> You'll have to work your way up...try looking at permissions on the Exchange
> Organization...
>

Thanks, I was able to resolve the Everyone group issue.

However, Domain Admins are still able to access anyone's e-mail box. I
thought this was denied by default with the Exchange 2003 setup.

Is there a way to set Domain Admins/Enterprise Admins back to default
permissions on the mail server?
 

Susan

That access is denied by default...not sure of a way to set it back to
default...you'll need to hunt for where they were applied...

Susan Conkey [MVP]

<AndyTC@community.nospam> wrote in message
news:OeGN%23IWCKHA.1336@TK2MSFTNGP05.phx.gbl...
> Susan wrote:
> > You'll have to work your way up...try looking at permissions on the
> > Exchange Organization...
> >
>
> Thanks, I was able to resolve the Everyone group issue.
>
> However, Domain Admins are still able to access anyone's e-mail box. I
> thought this was denied by default with the Exchange 2003 setup.
>
> Is there a way to set Domain Admins/Enterprise Admins back to default
> permissions on the mail server?
 

Mike Shen

Hi Andy,

Please understand that by default, the Domain & Enterprise Admins have
Send-As & Receive-As Deny permissions, inherited, at the Exchange organization
level to prevent members of the admin groups from accessing and spoofing
mailboxes in the forest.

Please check the permissions of the Exchange Organization object by using the
Adsiedit.msc tool. By default, the Administrator, Domain Admins and
Enterprise Admins have Send As and Receive As Deny permissions, inherited
to sub-objects.

Mike
 

AndyTC@community.nospam

Mike Shen (MSFT) wrote:
> Hi Andy,
>
> Please understand that by default, the Domain & Enterprise Admins have
> Send-As & Receive-As Deny permissions, inherited, at the Exchange organization
> level to prevent members of the admin groups from accessing and spoofing
> mailboxes in the forest.
>
> Please check the permissions of the Exchange Organization object by using the
> Adsiedit.msc tool. By default, the Administrator, Domain Admins and
> Enterprise Admins have Send As and Receive As Deny permissions, inherited
> to sub-objects.
>
> Mike
>

Thanks, big help.

Where is the actual Exchange organization object?
I see CN=Microsoft Exchange System Objects and OU=Exchange Security Groups.

It appears the Domain Admins and Enterprise Admins do have the default
permissions.

However, there is a group called "exchange admins" granted Full Control
over the mail server object.

Is this a built-in Exchange group? Or something that was created manually?
 

jamestechman

That is not a built-in group. Some admin probably built that group.

1. Go to Start, Run, and type adsiedit.msc.

2. Expand Configuration --> CN=Configuration,DC=yourdomain,DC=com --> CN=Services --> CN=Microsoft Exchange --> CN=yourexchangeorgname.

3. Right-click CN=yourexchangeorgname and select Properties, then the Security
tab.

4. Review who has Receive As rights. If they have this right, they can
open all mailboxes.

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL

On Jul 21, 9:16 am, "And...@community.nospam"
<And...@community.nospam> wrote:
> Mike Shen (MSFT) wrote:
> > Hi Andy,
> >
> > Please understand that by default, the Domain & Enterprise Admins have
> > Send-As & Receive-As Deny permissions, inherited, at the Exchange organization
> > level to prevent members of the admin groups from accessing and spoofing
> > mailboxes in the forest.
> >
> > Please check the permissions of the Exchange Organization object by using the
> > Adsiedit.msc tool. By default, the Administrator, Domain Admins and
> > Enterprise Admins have Send As and Receive As Deny permissions, inherited
> > to sub-objects.
> >
> > Mike
>
> Thanks, big help.
>
> Where is the actual Exchange organization object?
> I see CN=Microsoft Exchange System Objects and OU=Exchange Security Groups.
>
> It appears the Domain Admins and Enterprise Admins do have the default
> permissions.
> However, there is a group called "exchange admins" granted Full Control
> over the mail server object.
> Is this a built-in Exchange group? Or something that was created manually?