Forum: Asp.Net Forum > windows_hosting.microsoft_solution_for_hosted_exchange
Date Entered: 12/25/2006 3:21:43 PM   Replies: 3   Views: 62
"vav" <>
NewsGroup User
Security issue: mailbox users from different organizations of same reseller could see all info about each other
12/25/2006 3:21:43 PM
Hello!

I have a problem I could not explain, and I am afraid it is default HMC behaviour or I missed something during deployment.

Scenario:

  1. User1 from the hosted organization Company1 sends an email message to User2 from the hosted organization Company2 (both companies are from the same reseller).
  2. User2 opens the message in the Outlook client and double-clicks on the sender. In the Outlook window that opens, he can see all contact info of User1, the distribution lists User1 is included in, and so on.

When I started checking the permissions on the Hosting / Reseller / Customers OUs, I found that the MPS documentation and the actual MPS security settings do not match:

  1. In the "Delegated Administration" chapter of the HMC 3.5 documentation there is a contradiction in the section "ACEs for the AllCustomers@reseller Group". The text tells us about "deny List Object permissions ... for the reseller OU", but the table below tells us to "Allow".
  2. Moreover, the table says "This object only" in the "Apply to" column, but the actual permissions on a (newly created via MPS request) reseller are "This object and all child objects".

It looks like "Allow + This object only" is a better setting than the MPS-performed "Allow + This object and all child objects".

Could someone check such a scenario and its result? Or maybe somebody has had such an issue before?

P.S. I use HMC 3.5 FP1; List Object mode is On; all Deployment Tools steps were performed successfully.

P.P.S. (maybe it is important) User1 is a member of DistList1, User2 is a member of DistList2.
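The documentation-versus-reality mismatch described in the post above (Allow vs. Deny, "This object only" vs. "This object and all child objects") can be checked directly on the reseller OU. The following PowerShell is an added example written for this page; it is not code from the thread, from HMC or from MPS. It uses only System.DirectoryServices (ADSI), so it runs on any domain-joined machine with PowerShell and needs no HMC components. The OU distinguished name and the group name AllCustomers@Reseller1 are assumptions; substitute your own.

```powershell
# Added example (not code from the thread or from HMC/MPS): list the ACEs a
# given trustee holds on an OU and decode the inheritance flags into the
# "Apply to" wording used by the HMC documentation and the ACL editor.
# Uses System.DirectoryServices (ADSI) only. OU DN and group name are assumed.

function Get-OuAcesForTrustee {
    param(
        [Parameter(Mandatory=$true)][string]$DistinguishedName,   # OU to inspect
        [Parameter(Mandatory=$true)][string]$TrusteeName          # sAMAccountName of the group
    )
    $ou  = [ADSI]("LDAP://" + $DistinguishedName)
    $acl = $ou.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

    # Rules come back with NTAccount identities (DOMAIN\name); match on the name part.
    # $true,$true = include both explicit and inherited rules.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -like ("*\" + $TrusteeName) }

    foreach ($rule in $rules) {
        # InheritanceType is what the ACL editor shows in its "Apply to" column.
        switch ($rule.InheritanceType.ToString()) {
            "None"            { $applyTo = "This object only" }
            "All"             { $applyTo = "This object and all child objects" }
            "Descendents"     { $applyTo = "All child objects" }
            "SelfAndChildren" { $applyTo = "This object and one level of children" }
            "Children"        { $applyTo = "One level of children" }
            default           { $applyTo = $rule.InheritanceType.ToString() }
        }
        New-Object PSObject -Property @{
            Trustee   = $rule.IdentityReference.Value
            Type      = $rule.AccessControlType      # Allow or Deny
            Rights    = $rule.ActiveDirectoryRights  # e.g. ListObject, ListChildren
            ApplyTo   = $applyTo
            Inherited = $rule.IsInherited            # $true = came from a parent OU
        }
    }
}

# Assumed names; replace with your reseller OU and its AllCustomers group.
Get-OuAcesForTrustee -DistinguishedName "OU=Reseller1,OU=Hosting,DC=corp,DC=example" `
                     -TrusteeName "AllCustomers@Reseller1" |
    Format-Table Trustee, Type, Rights, ApplyTo, Inherited -AutoSize
```

Run it against the reseller OU and compare the Type and ApplyTo columns with the documentation table. The "List Object" right only has an effect when List Object mode is enabled in the forest (the original poster states it is), and an ACE with ApplyTo = "This object only" stops at the OU itself, whereas "This object and all child objects" is propagated to every customer OU, user and group beneath it, so the Inherited column on a child object is the quickest way to see which of the two is actually in force.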

"vganopa" <>
NewsGroup User
Re: Security issue: mailbox users from different organizations of same reseller could see all info about each other
12/26/2006 4:05:00 PM
vav,

Seems like these users and distribution lists were created outside HMC, i.e. without using the createUser and createGroup procedures from the Managed Active Directory namespace. These procedures perform RemoveAllAuthenticatedUsersACEs_ to remove the permissions granted by default to "Authenticated Users" on a newly created user or group.
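The reply above points at the default "Authenticated Users" ACEs that a newly created user or group object carries. The following PowerShell is an added example for this page, not the RemoveAllAuthenticatedUsersACEs_ procedure from HMC; it approximates that behaviour by listing, and only on request removing, every explicit ACE whose trustee is Authenticated Users (well-known SID S-1-5-11) on one object. The object DN is an assumption. Run it without -Commit first to see what would be removed.

```powershell
# Added example (not HMC/MPS code): audit and optionally strip explicit ACEs
# granted to "Authenticated Users" (S-1-5-11) on a user or group object.
# Without -Commit this is a dry run that only reports. The DN is an assumption.

function Remove-AuthenticatedUsersAces {
    param(
        [Parameter(Mandatory=$true)][string]$DistinguishedName,
        [switch]$Commit
    )
    $obj = [ADSI]("LDAP://" + $DistinguishedName)
    $acl = $obj.ObjectSecurity

    # Compare by SID rather than by display name so the check is locale-independent.
    $authUsers = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)

    # $true,$false = explicit rules only. Inherited ACEs cannot be removed here;
    # they have to be fixed on the OU where they originate.
    $rules = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $authUsers.Value })

    foreach ($rule in $rules) {
        "{0} {1} (ObjectType={2}, Inheritance={3}) on {4}" -f $rule.AccessControlType,
            $rule.ActiveDirectoryRights, $rule.ObjectType, $rule.InheritanceType, $DistinguishedName
        if ($Commit) { [void]$acl.RemoveAccessRule($rule) }
    }

    if ($Commit -and $rules.Count -gt 0) {
        $obj.CommitChanges()   # writes the modified nTSecurityDescriptor back
    }
    return $rules.Count        # number of matching ACEs found (and removed, with -Commit)
}

# Dry run against an assumed user object created outside HMC:
Remove-AuthenticatedUsersAces -DistinguishedName `
    "CN=User1,OU=Company1,OU=Reseller1,OU=Hosting,DC=corp,DC=example"
```

Test it on a lab object before using -Commit in a hosting forest: removing the default Authenticated Users ACEs also removes whatever legitimate read access Exchange, address-book generation or other services obtained through that group, which is why HMC does this as part of its own provisioning rather than as an ad-hoc cleanup.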

"DGaikovoi" <>
NewsGroup User
Re: Security issue: mailbox users from different organizations of same reseller could see all info about each other
12/28/2006 6:35:57 PM
Hello,

I can confirm that "actual permissions on (newly created via MPS request) reseller are 'This object and all child objects'." I will do more research today on this issue to see how serious it is.

Meanwhile, you should contact Microsoft PSS about this issue to get the official Microsoft opinion and probably a solution or workaround.

Thanks,

Dmitri Gaikovoi
"DGaikovoi" <>
NewsGroup User
Re: Security issue: mailbox users from different organizations of same reseller could see all info about each other
1/2/2007 11:24:41 PM
Greetings,

I did additional research on this issue and I would like to share what I found.

Two users from two different business organizations under the same reseller can't read AD attributes of each other. The security group AllCustomers@reseller has effective permissions "List Contents" and "List Object" on any user object under any business organization. These permissions do not allow reading any properties (phone numbers, business info, etc.) of users from different organizations. So, the "List Object" permissions do not create the described security issue.

Thanks,

Dmitri Gaikovoi
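The conclusion in the post above is a statement about effective permissions, which is easiest to confirm empirically: bind to the directory as a user from one organization and try to read another organization's user object. The following PowerShell is an added example for this page, not code from the thread or from HMC. The server name, DNs, account name and attribute list are assumptions.

```powershell
# Added example (not HMC/MPS code): bind as User2 (Company2) and attempt to
# read attributes of User1 (Company1). AD returns no value for attributes the
# bound identity is not permitted to read, so pick attributes you know are
# populated on the target. Server, DNs and account names are assumptions.

function Test-CrossOrgRead {
    param(
        [Parameter(Mandatory=$true)][string]$Server,      # DC or GC hostname
        [Parameter(Mandatory=$true)][string]$TargetDn,    # User1's object
        [Parameter(Mandatory=$true)][string]$AsUser,      # "DOMAIN\user2"
        [Parameter(Mandatory=$true)][string]$Password,
        [string[]]$Attributes = @("displayName", "telephoneNumber", "mail", "title", "memberOf")
    )
    $path  = "LDAP://$Server/$TargetDn"
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $path, $AsUser, $Password, [System.DirectoryServices.AuthenticationTypes]::Secure)

    $result = @{}
    try {
        # Explicit attribute list: only what the bound identity may read comes back.
        $entry.RefreshCache($Attributes)
        foreach ($a in $Attributes) {
            $v = $entry.Properties[$a]
            if ($v.Count -gt 0) {
                $result[$a] = (@($v) -join "; ")
            } else {
                $result[$a] = "<not readable or empty>"
            }
        }
    } catch {
        # A failed bind, or a missing List Object right on the target, lands here
        # rather than as empty attribute values.
        $result["error"] = $_.Exception.Message
    }
    return $result
}

$r = Test-CrossOrgRead -Server "dc01.corp.example" `
        -TargetDn "CN=User1,OU=Company1,OU=Reseller1,OU=Hosting,DC=corp,DC=example" `
        -AsUser "CORP\user2" -Password (Read-Host "Password for user2")
$r.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

If every attribute comes back as "<not readable or empty>" while an administrator bind returns values, the DACL is doing what the post above describes. This checks raw directory reads only; what Outlook shows in the address-book window also depends on address-list and GAL configuration, which this script does not examine.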
All Times Are GMT