RE: Exchange Security
From: Starks, Brad (BStarks@co.marin.ca.us)
Date: 02/26/02
- Previous message: Ralph Los: "RE: browser redirection to forward.domainname.at"
- Maybe in reply to: Starks, Brad: "Exchange Security"
From: "Starks, Brad" <BStarks@co.marin.ca.us>
To: "'Headley, Kevin'" <kevin.headley@csfb.com>, "'Morrow, Jason'" <jmorrow@aegonusa.com>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Tue, 26 Feb 2002 10:41:04 -0800
Thanks to everyone for their insight and suggestions. As it turns out,
there was a group inside one of the inherited permissions groups
that shouldn't have been there. :)
Brad
-----Original Message-----
From: Headley, Kevin [mailto:kevin.headley@csfb.com]
Sent: Friday, February 22, 2002 9:03 AM
To: Starks, Brad; 'Morrow, Jason'; 'focus-ms@securityfocus.com'
Subject: RE: Exchange Security
Do you have ordinary users as a part of your mail domain?
If they belong to an NT group that also has permissions in Exchange (or that
affects any of your Directory Servers) then that's the problem....
-----Original Message-----
From: Starks, Brad [mailto:BStarks@co.marin.ca.us]
Sent: Thursday, February 21, 2002 7:13 PM
To: 'Morrow, Jason'; 'focus-ms@securityfocus.com'
Subject: RE: Exchange Security
The inherited permissions check out OK. I only added the Everyone group
as a test. It has since been removed since it did not provide me with
any additional info.
Still digging,
Brad
-----Original Message-----
From: Morrow, Jason [mailto:jmorrow@aegonusa.com]
Sent: Thursday, February 21, 2002 12:31 PM
To: Starks, Brad; 'focus-ms@securityfocus.com'
Subject: RE: Exchange Security
Double check the permissions the distribution list is inheriting. The
'Everyone' group should not have any permission whatsoever to any object or
container within Exchange unless it is to be globally shared without
permission. Even then use something like 'Domain User'. Granting the Search
permission to the 'Everyone' group at, say, the Organization or Site level
would allow anyone to attach and view another person's Exchange folders.
The only inherited permissions the DLs should have are your service
accounts and Exchange administration accounts.
-----Original Message-----
From: Starks, Brad [mailto:BStarks@co.marin.ca.us]
Sent: Wednesday, February 20, 2002 6:47 PM
To: 'focus-ms@securityfocus.com'
Subject: Exchange Security
Hello everyone,
I'm semi-new to the list and semi-new to security. :)
I've got a question that hopefully someone can answer. The answer should
be easy, but nothing I try seems to work.
Here's the scenario:
I've got a global distribution list that I want to lock down. Right now,
anyone on the distribution list can add/remove other members to/from it.
This recently became a problem when it was reduced from 2000 members to
400 because someone was doing something they shouldn't be.
Obviously, only those people that we designate should have this power.
I've added the permissions tab to the list through Exchange administrator,
and according to the permissions on the DL, no one other than those
listed should have any modification rights whatsoever to it. But, that
doesn't work. I've even added the everyone group and removed all of their
rights except the ability to search, but they can still add and remove
members at will just by calling up the DL within their Outlook client.
So, is there another place to look to accomplish this task?
Thanks in advance,
Brad
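The cause reported at the top of this thread (a group nested inside one of the inherited permissions groups) is not visible from the DL's own permissions tab. As an added example, not part of the original thread and not an Exchange API, the Python model below walks a DL's parent containers, expands nested groups, and reports who effectively holds a modify right and through which chain. All group, user, container and right names are constructed, and inheritance is assumed to be purely additive.

```python
# Constructed model: every name, right and container below is illustrative.
GROUPS = {
    "Exchange Admins": ["alice", "svc-exchange"],
    "Site Operators": ["bob", "Helpdesk"],   # contains a nested group
    "Helpdesk": ["carol", "All Staff"],      # "All Staff" is the group that should not be here
    "All Staff": ["dave", "erin"],
}
# child object -> parent container (permissions flow downward)
PARENT = {"DL: All Employees": "Recipients", "Recipients": "Site", "Site": "Organization"}
# permissions set directly on each object: (principal, rights)
ACL = {
    "Organization": [("svc-exchange", {"modify"})],
    "Site": [("Site Operators", {"modify"}), ("Exchange Admins", {"modify"})],
    "DL: All Employees": [("alice", {"modify"})],
}

def expand(principal, path=()):
    """Yield (user, membership_chain) for every user reachable through nested groups."""
    path = path + (principal,)
    if principal not in GROUPS:          # not a group, so treat it as a user
        yield principal, path
        return
    for member in GROUPS[principal]:
        if member not in path:           # guard against membership cycles
            yield from expand(member, path)

def effective_holders(obj, right):
    """Map each user holding `right` on obj to (granting container, membership chain)."""
    holders, node = {}, obj
    while node is not None:              # walk from the object up to the root
        for principal, rights in ACL.get(node, []):
            if right in rights:
                for user, path in expand(principal):
                    holders.setdefault(user, (node, path))  # keep the nearest grant
        node = PARENT.get(node)
    return holders

def unexpected(obj, right, approved):
    """Users who hold `right` on obj but are not on the approved list."""
    return {u: how for u, how in effective_holders(obj, right).items() if u not in approved}

if __name__ == "__main__":
    approved = {"alice", "bob", "svc-exchange"}
    for user, (where, chain) in sorted(unexpected("DL: All Employees", "modify", approved).items()):
        print(f"{user}: granted at {where} via {' > '.join(chain)}")
```

The printed chain names the container where the grant was made and each group on the way to the user, which is the information needed to find the one membership to remove.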