RE: Exchange Security

From: Starks, Brad (BStarks@co.marin.ca.us)
Date: 02/22/02


From: "Starks, Brad" <BStarks@co.marin.ca.us>
To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Thu, 21 Feb 2002 15:09:39 -0800

Yes, it is Exchange 5.5 on an NT 4.0 box.

I didn't have the Owner field cleared. Upon testing, I've changed the owner,
cleared the owner and made myself the owner. None of these actions has any
impact - people can still alter the DL at will.

Brad

-----Original Message-----
From: Kurt [mailto:kurtbuff@lightmail.com]
Sent: Thursday, February 21, 2002 2:07 PM
To: Starks, Brad; focus-ms@securityfocus.com
Subject: RE: Exchange Security

I'm assuming for the moment that you're using Exchange 5.5. I don't know
enough about Ex2k to tell you how to do this.

If indeed you're using Ex5.5, open the Exchange administrator, double-click
on the distlist in question, and make sure you have the 'General' tab
selected.

Underneath the fields for 'Display name' and 'Alias name' there is a field
for 'Owner', with a 'Modify' and a 'Clear' button. I'm going to guess that
the field is actually empty. Click on the 'Modify' button, and select the
single person in the GAL who should have the ability to make changes to the
distlist.

Once you 'OK' your way back to the Exchange Administrator program, you have
protected your distlist.

HTH,

Kurt

| -----Original Message-----
| From: Starks, Brad [mailto:BStarks@co.marin.ca.us]
| Sent: Wednesday, February 20, 2002 15:47
| To: 'focus-ms@securityfocus.com'
| Subject: Exchange Security
|
|
| Hello everyone,
|
| I'm semi-new to the list and semi-new to security. :)
|
| I've got a question that hopefully someone can answer. The answer should
| be easy, but nothing I try seems to work.
|
| Here's the scenario:
|
| I've got a global distribution list that I want to lock down. Right now,
| anyone on the distribution list can add/remove other members to/from it.
| This recently became a problem when it was reduced from 2000 members to
| 400 because someone was doing something they shouldn't be.
|
| Obviously, only those people that we designate should have this power.
| I've added the permissions tab to the list through Exchange administrator,
| and according to the permissions on the DL, no one other than those
| listed should have any modification rights whatsoever to it. But, that
| doesn't work. I've even added the everyone group and removed all of their
| rights except the ability to search, but they can still add and remove
| members at will just by calling up the DL within their Outlook client.
|
| So, is there another place to look to accomplish this task?
|
| Thanks in advance,
|
| Brad
|