Hi,
We have discovered a security issue with our Exchange 2007 installation.
All our mailboxes have domain user and authenticated user in the security list with full access rights.
This allows anyone to view any mailbox contents. We have just discovered this and need it urgently fixed.
Adding a deny does not help as that locks the user out. Denying just read permissions is overridden by the allow full access setting.
All these rights are inherited, but we cannot find where from. This seems to be the problem: if we can stop the inheritance we can modify the security and fix the problem. ADSI Edit shows the AD rights on the information store and these are different. The problematic rights are just on the mailboxes, yet they say they are inherited.
The exchange 2003 admin tools show the same security settings on information stores as ADSIedit and ADUC mailbox rights show the same as get-mailboxpermissions in 2007 powershell.
How can we remove these inherited rights on the mailboxes?
Exchange 2007 was installed on a mixed domain that had been prepared for exch. 2003, but never installed. Mailboxes were migrated from 5.5 using the 2003 migration tool as it could read 5.5 & 2007 information stores.
The domain is now native 2003. At install, Exchange did not run correctly and users were given full rights at the exch. admin group level in the ADSI Edit configuration container to allow IMAP and OWA to function. If the security settings are reset to default for this container and its contents, OWA and IMAP break, but Outlook still works. The security is currently set to a safe and working level, but again this has no effect on the mailboxes themselves. I have tried removing and reassociating mailboxes to see if they would reset the 'inherited permissions', but this has failed. From what I can find on the web, the 'inherited rights' are a snapshot of those in AD at the creation of the mailbox.
Exchange is SP1, patched up to date, on 2003 R2 SP2 x64, dual Xeon, 4 GB RAM Dell server.
Operating System: Windows Server 2003.
Any help welcome
Cheers
Cammy
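An audit script for the situation described in the post, added here as an example and not part of the original thread. It runs in the Exchange 2007 Management Shell and lists every mailbox ACE that grants FullAccess to a broad principal (Authenticated Users, Everyone, Domain Users), together with whether Exchange reports the entry as inherited; the principal names are the English defaults and the CSV path is an assumption.

```powershell
# Added audit example (not from the original post): enumerate every mailbox
# and report access entries that grant FullAccess to broad security principals.
# Assumes the Exchange 2007 Management Shell (PowerShell 1.0 syntax only) and an
# account that can read mailbox permissions. Group names are the English defaults.

$broadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'Domain Users'    # matched as a suffix, because the domain prefix varies
)

function Test-BroadPrincipal {
    param([string]$User)
    foreach ($p in $broadPrincipals) {
        if ($User -eq $p -or $User -like "*\$p") { return $true }
    }
    return $false
}

# Walk all mailboxes; keep only Allow entries that contain FullAccess for a
# broad principal. IsInherited is recorded so the two kinds of ACE can be told
# apart (the post reports that the exposure comes from inherited entries).
$findings = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            ($_.AccessRights -contains 'FullAccess') -and
            (-not $_.Deny) -and
            (Test-BroadPrincipal $_.User.ToString())
        } |
        Select-Object @{n='Mailbox';      e={$mbx.Alias}},
                      @{n='User';         e={$_.User.ToString()}},
                      @{n='AccessRights'; e={[string]::Join(',', $_.AccessRights)}},
                      IsInherited,
                      Deny
}

$findings | Sort-Object Mailbox | Format-Table Mailbox, User, IsInherited, AccessRights -AutoSize
# Assumed output path; keep the CSV as the before/after record while remediating.
$findings | Export-Csv -Path .\broad-mailbox-access.csv -NoTypeInformation
$count = @($findings | Select-Object -Unique Mailbox).Count
"Mailboxes exposing FullAccess to a broad principal: $count"
```

Re-running the script after any permission change gives a direct check that the exposure is actually gone rather than hidden behind a Deny entry.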