Permissions? What permissions?


Post by Mark Danne » Thu, 08 Jul 1999 04:00:00



Help!  I have Exchange 5.5 sp2 installed.  I just found out that any user
can open any other user's mail box!  I tested this and was quite surprised
that a login with only one group membership (nothing administrative) can
read the administrator's email!

The installation has not been tweaked.  Permissions have not been modified,
but obviously need to be.  Please point me to any white papers, KB articles,
etc.  I really want to get this resolved quickly.

No accounts have been delegated.

--
Mark Danner
Network Administrator
Mukogawa Fort Wright Institute
Spokane, WA

 
 
 


Post by Amiri Jon » Fri, 09 Jul 1999 04:00:00




>Help!  I have Exchange 5.5 sp2 installed.  I just found out that any
>user can open any other user's mail box!  I tested this and was quite
>surprised that a login with only one group membership (nothing
>administrative) can read the administrator's email!

>The installation has not been tweaked.  Permissions have not been
>modified, but obviously need to be.  Please point me to any white
>papers, KB articles, etc.  I really want to get this resolved quickly.

        Check the permissions on the Organization, Site, Configuration, and
Recipients containers.  The ONLY account that should be listed there with
Service Account Admin permissions is the service account.  NO ACCOUNT
should be listed on any of these containers (especially Recipients
containers) with User permissions.  Somewhere, somebody is logging onto
Exchange with an account that either has Service Account Admin or User
permissions on the Recipients container(s).  With either of these roles, a
user can open every mailbox in that container.

 
 
 


Post by Mark Danne » Fri, 09 Jul 1999 04:00:00


Bingo!  Thanks!  All containers were fine except the Recipients container.
It had Everyone/User set on the service account.  YIKES!

Mark




> >Help!  I have Exchange 5.5 sp2 installed.  I just found out that any
> >user can open any other user's mail box!  I tested this and was quite
> >surprised that a login with only one group membership (nothing
> >administrative) can read the administrator's email!

> >The installation has not been tweaked.  Permissions have not been
> >modified, but obviously need to be.  Please point me to any white
> >papers, KB articles, etc.  I really want to get this resolved quickly.

>     Check the permissions on the Organization, Site, Configuration, and
> Recipients containers.  The ONLY account that should be listed there with
> Service Account Admin permissions is the service account.  NO ACCOUNT
> should be listed on any of these containers (especially Recipients
> containers) with User permissions.  Somewhere, somebody is logging onto
> Exchange with an account that either has Service Account Admin or User
> permissions on the Recipients container(s).  With either of these roles, a
> user can open every mailbox in that container.

 
 
 


Post by Joseph Greenber » Fri, 09 Jul 1999 04:00:00


I don't understand... didn't people have passwords? How were they opening
the mailboxes, thru what client?
  Joe


> Help!  I have Exchange 5.5 sp2 installed.  I just found out that any user
> can open any other user's mail box!  I tested this and was quite surprised
> that a login with only one group membership (nothing administrative) can
> read the administrator's email!

> The installation has not been tweaked.  Permissions have not been modified,
> but obviously need to be.  Please point me to any white papers, KB articles,
> etc.  I really want to get this resolved quickly.

> No accounts have been delegated.

> --
> Mark Danner
> Network Administrator
> Mukogawa Fort Wright Institute
> Spokane, WA

 
 
 


Post by Amiri Jon » Sat, 10 Jul 1999 04:00:00




>Bingo!  Thanks!  All containers were fine except the Recipients
>container. It had Everyone/User set on the service account.  YIKES!

        YIKES indeed!  It's amazing what people do when they set up Exchange
servers... you aren't the first person to describe such a setup.
 
 
 


Post by Amiri Jon » Sat, 10 Jul 1999 04:00:00




>I don't understand... didn't people have passwords? How were they
>opening the mailboxes, thru what client?

        All accounts had been given User rights on the recipients container,
which gave them User rights, or the ability to open the mailbox, on all
mailboxes within that container.
 
 
 


Post by Mark Danne » Sat, 10 Jul 1999 04:00:00


Is this a 'default' for Exchange?  I really don't remember setting the
permissions like that?

Mark




> >Bingo!  Thanks!  All containers were fine except the Recipients
> >container. It had Everyone/User set on the service account.  YIKES!

>     YIKES indeed!  It's amazing what people do when they set up Exchange
> servers... you aren't the first person to describe such a setup.

 
 
 


Post by Amiri Jon » Sat, 10 Jul 1999 04:00:00




>Is this a 'default' for Exchange?  I really don't remember setting the
>permissions like that?

        No, it most certainly is not!  The only default permission in Exchange
right out of the box is that the service account has Service Account Admin
permissions on the Organization, Site, and Configuration containers.  When
you create a mailbox, the Primary NT Account will receive User permissions
on that mailbox, but that's it.  If any non-mailbox object has User
permissions on it, it's because somebody deliberately added them.
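
An added example, not part of any post in this thread: a small audit of the container check and the defaults described in the replies above, run over a permissions listing transcribed by hand from the admin tool. The listing format, the names `Grant`, `audit` and `who_can_open`, and every account and mailbox name are assumptions constructed for illustration.

```python
from collections import namedtuple

# One row per entry transcribed by hand from an object's Permissions tab.
# kind is "Organization", "Site", "Configuration", "Recipients" or "Mailbox".
Grant = namedtuple("Grant", "obj kind account role")

CONTAINER_KINDS = {"Organization", "Site", "Configuration", "Recipients"}
OPENS_MAILBOXES = {"User", "Service Account Admin"}  # roles named in the thread

# Only the inheritance stated in the thread is modelled: Site -> Recipients,
# and a container's roles applying to the mailboxes inside it.
PARENTS = {"Recipients": "Site",
           "Mailbox:Administrator": "Recipients",
           "Mailbox:jsmith": "Recipients"}

# Constructed sample: the defaults described above plus one stray grant.
SAMPLE = [
    Grant("Organization", "Organization", r"DOM\exchsvc", "Service Account Admin"),
    Grant("Site", "Site", r"DOM\exchsvc", "Service Account Admin"),
    Grant("Configuration", "Configuration", r"DOM\exchsvc", "Service Account Admin"),
    Grant("Recipients", "Recipients", "Everyone", "User"),
    Grant("Mailbox:Administrator", "Mailbox", r"DOM\Administrator", "User"),
    Grant("Mailbox:jsmith", "Mailbox", r"DOM\jsmith", "User"),
]


def audit(grants, service_account):
    """Return (grant, reason) pairs that break the rules given in the thread."""
    findings = []
    for g in grants:
        if g.kind not in CONTAINER_KINDS:
            continue  # User on a single mailbox is the normal owner grant
        if g.role == "User":
            findings.append((g, "User role on a container"))
        elif (g.role == "Service Account Admin"
              and g.account.lower() != service_account.lower()):
            findings.append((g, "Service Account Admin on a non-service account"))
    return findings


def who_can_open(mailbox, grants, parents=PARENTS):
    """Accounts holding a mailbox-opening role on the mailbox or its parents."""
    chain, node = [], mailbox
    while node:
        chain.append(node)
        node = parents.get(node)
    return sorted({g.account for g in grants
                   if g.obj in chain and g.role in OPENS_MAILBOXES})
```

On the sample, `audit` reports only the Everyone/User entry on Recipients, and `who_can_open` shows that entry reaching the Administrator mailbox alongside its owner and the service account.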
 
 
 


Post by Rich Matheis » Sun, 11 Jul 1999 04:00:00



>Is this a 'default' for Exchange?  I really don't remember setting the
>permissions like that?

No, it's not. The Recipients container inherits the permissions of the
site container. If there's anything in the "Windows NT accounts with
permissions" list it was placed there explicitly, after the
installation.

------------------
Rich Matheisen
MCSE, Exchange MVP

 
 
 


Post by Mark Danne » Wed, 14 Jul 1999 04:00:00


Now I remember, our server was configured by a consultant.  Me thinks I
better re-visit the configuration!

Mark



> >Is this a 'default' for Exchange?  I really don't remember setting the
> >permissions like that?

> No, it's not. The Recipients container inherits the permissions of the
> site container. If there's anything in the "Windows NT accounts with
> permissions" list it was placed there explicitly, after the
> installation.

> ------------------
> Rich Matheisen
> MCSE, Exchange MVP

 
 
 

1. Folder Permissions versus Attachment Permissions

We have a recurring problem in our Exchange Public Folders:

We have given users the rights to read and add emails to a particular Public
Folder, but not to delete or modify anything.

A user puts in a bunch of emails in said Public Folder, and they come back
later to find that they can not open the emails that have attachments.  It
appears that attachments may have different permissions than the folder /
email themselves.

Adding to the dilemma is that the problem appears to clear itself up over
time.

Has anyone else run into this?  What solutions have you found?

Thank you.

Johnmichael Monteith
Parker Smith & Feek, Inc.
