From: Starks, Brad (BStarksco.marin.ca.us)
Date: Thu Feb 21 2002 - 18:12:32 CST
The inherited permissions check out OK. I only added the Everyone group
as a test. It has since been removed since it did not provide me with
any additional info.
From: Morrow, Jason [mailto:jmorrowaegonusa.com]
Sent: Thursday, February 21, 2002 12:31 PM
To: Starks, Brad; 'focus-mssecurityfocus.com'
Subject: RE: Exchange Security
Double check the permissions the distribution list is inheriting. The
'Everyone' should not have any permission whatsoever to any object or
container within Exchange unless it is to be globally shared without
permission. Even then use something like 'Domain User'. Granting the Search
permission to the 'Everyone' group at, say, the Organization or Site level
would allow anyone to attach and view another person's Exchange folders.
The only inherited permissions the DLs should have are your service
accounts and Exchange administration accounts.
From: Starks, Brad [mailto:BStarksco.marin.ca.us]
Sent: Wednesday, February 20, 2002 6:47 PM
Subject: Exchange Security
I'm semi-new to the list and semi-new to security. :)
I've got a question that hopefully someone can answer. The answer should
be easy, but nothing I try seems to work.
Here's the scenario:
I've got a global distribution list that I want to lock down. Right now,
on the distribution list can add/remove other members to/from it. This
recently became a problem when it was reduced from 2000 members to
400 because someone was doing something they shouldn't be.
Obviously, only those people that we designate should have this power.
I've added the permissions tab to the list through Exchange administrator,
and according to the permissions on the DL, no one other than those
listed should have any modification rights whatsoever to it. But, that
work. I've even added the everyone group and removed all of their rights
except the ability to search, but they can still add and remove members
at will just by calling up the DL within their Outlook client.
So, is there another place to look to accomplish this task?
Thanks in advance,