SOBO Sending of Behalf Of

[clancyfan]

Hello, I recently discovered that any user on my current network can send on behalf of any other user. This is a big security risk and no such permissions have been set that I can find to allow this.

Running Exchange 2000 on Windows 2000 Server.

 

[billieT]

This may be a stupid question, but I hope your domain users are not members of the domain or exchange admins groups? I'd definitely check group membership

 

[clancyfan]

Good question, but no they are not members of the Domain or Exchange admins. I will review group membership. I wasn't the one who originally setup the server so there are probably some memberships or groups that I am not aware of yet.

 

[clancyfan]

Looks like the account in question was a member of the Domain Admins security group. I didn't realize, and still don't understand, how that was giving him permission to send on behalf of any user in the domain. I will have to do a bit more research to find out if that is the way 2K Server sets things up.

 

[billieT]

Exactly.

It's related to mailbox perms. In ADUC, User Properties, Exchange Advanced, you'll see Mailbox Rights. Domain Admins, by default, have Delete, Read, Change, Take Ownership, (Deny Full Mailbox Access).

Always a good reason to *strictly limit* membership of Domain Admins....

 

[clancyfan]

Great, thanks for the info billie T.

 

[clancyfan]

In my ADUC, user properties I don't have an exchange advanced. Only exchange general and exchange tasks.

??

 

[Zelandakh]

Under View, show advanced.

<signature sold subject to contract>

 

[clancyfan]

Got it, thanks again for the help.