RE: Exchange Security

From: Headley, Kevin (kevin.headley@csfb.com)
Date: 02/22/02 

From: "Headley, Kevin" <kevin.headley@csfb.com>
To: "'Starks, Brad'" <BStarks@co.marin.ca.us>, "'Morrow, Jason'" <jmorrow@aegonusa.com>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Fri, 22 Feb 2002 18:02:43 +0100

Do you have ordinary users as a part of your mail domain?
If they belong to an NT group that also has permissions in Exchange (or that affects any of your Directory Servers) then that's the problem....

-----Original Message-----
From: Starks, Brad [mailto:BStarks@co.marin.ca.us]
Sent: Thursday, February 21, 2002 7:13 PM
To: 'Morrow, Jason'; 'focus-ms@securityfocus.com'
Subject: RE: Exchange Security

The inherited permissions check out OK. I only added the Everyone group
as a test. It has since been removed since it did not provide me with
any additional info.

Still digging,
Brad

-----Original Message-----
From: Morrow, Jason [mailto:jmorrow@aegonusa.com]
Sent: Thursday, February 21, 2002 12:31 PM
To: Starks, Brad; 'focus-ms@securityfocus.com'
Subject: RE: Exchange Security

Double check the permissions the distribution lists is inheriting. The
'Everyone' should not have any permission whatsoever to any object or
container within Exchange unless it is to be globally shared without
permission. Even then use something like 'Domain User'. Granting the Search
permission to the 'Everyone' group at say the Organization or Site level
would allow anyone to attach and view another persons exchange folders.

The only inherited permissions the DL's should have are your service
accounts and exchange administration accounts.

-----Original Message-----
From: Starks, Brad [mailto:BStarks@co.marin.ca.us]
Sent: Wednesday, February 20, 2002 6:47 PM
To: 'focus-ms@securityfocus.com'
Subject: Exchange Security

Hello everyone,

I'm semi-new to the list and semi-new to security. :)

I've got a question that hopefully someone can answer. The answer should
be easy, but nothing I try seems to work.

Here's the scenario:

I've got a global distribution list that I want to lock down. Right now,
anyone
on the distribution list can add/remove other members to/from it. This
recently became a problem when it was reduced from 2000 members to
400 because someone was doing something they shouldn't be.

Obviously, only those people that we designate should have this power.
I've added the permissions tab to the list through Exchange administrator,
and according to the permissions on the DL, no one other than those
listed should have any modification rights whatsoever to it. But, that
doesn't
work. I've even added the everyone group and removed all of their rights
except the ability to search, but they can still add and remove members
at will just by calling up the DL within their Outlook client.

So, is there another place to look to accomplish this task?

Thanks in advance,

Brad

This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you are not the intended recipient, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. CREDIT SUISSE GROUP and each legal entity in the CREDIT SUISSE FIRST BOSTON or CREDIT SUISSE ASSET MANAGEMENT business units of CREDIT SUISSE FIRST BOSTON reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
Unless otherwise stated, any pricing information given in this message is indicative only, is subject to change and does not constitute an offer to deal at any price quoted. Any reference to the terms of executed transactions should be treated as preliminary only and subject to our formal written confirmation.

Relevant Pages

  • Re: distribution lists and exchange 2003
    ... That would affect you since distribution lists in exchange 5.5 that are used ... universal distribution groups which can't be used for this purpose. ... So in short you will loose all permissions assigned in exchange. ...
    (microsoft.public.exchange2000.setup.installation)
  • Re: Problems installing Exch 2003
    ... Normally when running forestprep you assign permissions for a user account ... to install Exchange 2003 servers. ... > Directory has not replicated all the necessary permissions for the deleted ... > modify Exchange components and that replication is complete before running ...
    (microsoft.public.exchange2000.setup.installation)
  • RE: Exchange Security
    ... Double check the permissions the distribution lists is inheriting. ... 'Everyone' should not have any permission whatsoever to any object or ... would allow anyone to attach and view another persons exchange folders. ...
    (Focus-Microsoft)
  • Re: Unable to add mailbox
    ... This is a regular exchange 2003 install, and no, I have not lately done a dr ... december, and another backup dc in Feb (which was the old mail server, but I ... Authenticated User has Read and Special Permissions, the under advanced, the ... make sure that box is checked on the user's account as well. ...
    (microsoft.public.exchange.admin)
  • RE: Access Denied on Exchange Message tracking center
    ... the error occurs when Exchange permissions are not ... Check the Anonymous Logon settings on Exchange. ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)