From: Starks, Brad (BStarksco.marin.ca.us)
Date: Thu Feb 21 2002 - 18:12:32 CST

    The inherited permissions check out OK. I only added the Everyone group
    as a test. It has since been removed since it did not provide me with
    any additional info.

    Still digging,
    Brad

    -----Original Message-----
    From: Morrow, Jason [mailto:jmorrowaegonusa.com]
    Sent: Thursday, February 21, 2002 12:31 PM
    To: Starks, Brad; 'focus-mssecurityfocus.com'
    Subject: RE: Exchange Security

    Double check the permissions the distribution list is inheriting. The
    'Everyone' should not have any permission whatsoever to any object or
    container within Exchange unless it is to be globally shared without
    permission. Even then use something like 'Domain User'. Granting the Search
    permission to the 'Everyone' group at, say, the Organization or Site level
    would allow anyone to attach and view another person's Exchange folders.

    The only inherited permissions the DLs should have are your service
    accounts and Exchange administration accounts.

    -----Original Message-----
    From: Starks, Brad [mailto:BStarksco.marin.ca.us]
    Sent: Wednesday, February 20, 2002 6:47 PM
    To: 'focus-mssecurityfocus.com'
    Subject: Exchange Security

    Hello everyone,

    I'm semi-new to the list and semi-new to security. :)

    I've got a question that hopefully someone can answer. The answer should
    be easy, but nothing I try seems to work.

    Here's the scenario:

    I've got a global distribution list that I want to lock down. Right now,
    anyone on the distribution list can add/remove other members to/from it.
    This recently became a problem when it was reduced from 2000 members to
    400 because someone was doing something they shouldn't be.

    Obviously, only those people that we designate should have this power.
    I've added the permissions tab to the list through Exchange administrator,
    and according to the permissions on the DL, no one other than those
    listed should have any modification rights whatsoever to it. But that
    doesn't work. I've even added the Everyone group and removed all of their
    rights except the ability to search, but they can still add and remove
    members at will just by calling up the DL within their Outlook client.

    So, is there another place to look to accomplish this task?

    Thanks in advance,

    Brad