RE: Exchange Security

From: Morrow, Jason (jmorrow@aegonusa.com)
Date: 02/21/02


From: "Morrow, Jason" <jmorrow@aegonusa.com>
To: "'Starks, Brad'" <BStarks@co.marin.ca.us>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Thu, 21 Feb 2002 14:31:17 -0600

Double check the permissions the distribution list is inheriting. The
'Everyone' group should not have any permission whatsoever to any object or
container within Exchange unless it is to be globally shared without
permission. Even then use something like 'Domain User'. Granting the Search
permission to the 'Everyone' group at, say, the Organization or Site level
would allow anyone to attach and view another person's Exchange folders.

The only inherited permissions the DLs should have are your service
accounts and Exchange administration accounts.

-----Original Message-----
From: Starks, Brad [mailto:BStarks@co.marin.ca.us]
Sent: Wednesday, February 20, 2002 6:47 PM
To: 'focus-ms@securityfocus.com'
Subject: Exchange Security

Hello everyone,

I'm semi-new to the list and semi-new to security. :)

I've got a question that hopefully someone can answer. The answer should
be easy, but nothing I try seems to work.

Here's the scenario:

I've got a global distribution list that I want to lock down. Right now,
anyone on the distribution list can add/remove other members to/from it.
This recently became a problem when it was reduced from 2000 members to
400 because someone was doing something they shouldn't be.

Obviously, only those people that we designate should have this power.
I've added the permissions tab to the list through Exchange Administrator,
and according to the permissions on the DL, no one other than those
listed should have any modification rights whatsoever to it. But, that
doesn't work. I've even added the Everyone group and removed all of their
rights except the ability to search, but they can still add and remove
members at will just by calling up the DL within their Outlook client.

So, is there another place to look to accomplish this task?

Thanks in advance,

Brad


