RE: Exchange Security

From: Starks, Brad (BStarks@co.marin.ca.us)
Date: 02/22/02


From: "Starks, Brad" <BStarks@co.marin.ca.us>
To: "'Morrow, Jason'" <jmorrow@aegonusa.com>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Thu, 21 Feb 2002 16:12:32 -0800

The inherited permissions check out OK. I only added the Everyone group
as a test. It has since been removed since it did not provide me with
any additional info.

Still digging,
Brad

-----Original Message-----
From: Morrow, Jason [mailto:jmorrow@aegonusa.com]
Sent: Thursday, February 21, 2002 12:31 PM
To: Starks, Brad; 'focus-ms@securityfocus.com'
Subject: RE: Exchange Security

Double check the permissions the distribution list is inheriting. The
'Everyone' group should not have any permission whatsoever to any object or
container within Exchange unless it is to be globally shared without
permission. Even then use something like 'Domain User'. Granting the Search
permission to the 'Everyone' group at, say, the Organization or Site level
would allow anyone to attach and view another person's Exchange folders.

The only inherited permissions the DLs should have are your service
accounts and Exchange administration accounts.

-----Original Message-----
From: Starks, Brad [mailto:BStarks@co.marin.ca.us]
Sent: Wednesday, February 20, 2002 6:47 PM
To: 'focus-ms@securityfocus.com'
Subject: Exchange Security

Hello everyone,

I'm semi-new to the list and semi-new to security. :)

I've got a question that hopefully someone can answer. The answer should
be easy, but nothing I try seems to work.

Here's the scenario:

I've got a global distribution list that I want to lock down. Right now,
anyone on the distribution list can add/remove other members to/from it.
This recently became a problem when it was reduced from 2000 members to
400 because someone was doing something they shouldn't be.

Obviously, only those people that we designate should have this power.
I've added the permissions tab to the list through Exchange administrator,
and according to the permissions on the DL, no one other than those
listed should have any modification rights whatsoever to it. But, that
doesn't work. I've even added the everyone group and removed all of their
rights except the ability to search, but they can still add and remove
members at will just by calling up the DL within their Outlook client.

So, is there another place to look to accomplish this task?

Thanks in advance,

Brad


