Friday, October 23, 2020

Exchange Server access rights changes cause confusion for US system administrators

Security is a tricky issue. The system administrator must balance improved security against user convenience. A recent change Microsoft made to the mailbox access rights of Exchange Server 2003/2000 Server has highlighted this trade-off, because the change broke access to Exchange Server from BlackBerry mobile devices.

Let's take a closer look at how this change to Exchange Server 2003/2000 Server affected BlackBerry Enterprise Server (BES) for Exchange. (BES is not sold in Japan, so the BlackBerry-related trouble discussed in this article does not occur there. In Japan, Exchange can be used from NTT Docomo, KDDI, and Vodafone mobile phones through "Outlook Mobile Access".)

Earlier Exchange Server behavior left the door open to "spoofing"

First, understand that in Exchange 2000 and later, granting a user "Full Mailbox Access" to another user's mailbox made that user not only a "recipient" able to receive mail as the mailbox owner, but also a "sender" able to send mail as the owner (the "Send As" right). That is, if Alice has Full Mailbox Access to Bob's mailbox, Alice can not only read Bob's mail but also send mail as Bob (and the messages Alice sends this way land in Bob's "Sent Items" folder).

The reason for this behavior is that Exchange Server permissions are split between Exchange database (store) permissions and Active Directory (AD) permissions: "Full Mailbox Access" is an Exchange database permission, while "Send As" is an Active Directory permission. In the default configuration of Exchange Server 2003/2000 Server, if a user held "Full Mailbox Access", the "Send As" right was not checked at all. This may be reasonable for an administrator who wants to grant both permissions to the same user, but it is very hard to manage for an organization that administers Exchange permissions and Active Directory separately.

Mixing the two permissions in this way has two unwanted side effects. The most obvious is that it allows spoofing: an intruder who controls a service account can send mail from any mailbox on which that account holds "Full Mailbox Access". The other is that the recipient cannot distinguish a message from the mailbox's owner from a message sent by another user who holds only "Full Mailbox Access".

Hotfix adversely affects third-party programs

To resolve this issue, Microsoft released a hotfix for "store.exe", the core program of Exchange Server. It applies to store.exe version 7650.23 in Exchange 2003 Service Pack 2 (SP2) and to the earlier store.exe versions included in Exchange 2003 SP1 and Exchange 2000 SP3. The hotfix changes Exchange to explicitly check the "Send As" right before sending. This was a simple and sufficient change, and it worked as intended for many sites running Exchange.

However, companies and organizations using software such as BES and Good Technology's "GoodLink" were affected by this fix. Third-party applications such as BES and GoodLink assumed that both permissions were granted together. Users whose BES or GoodLink service account had been granted "Full Mailbox Access" to their mailbox, but not the "Send As" right, could no longer send email from their BlackBerry.

A script to find the accounts whose settings need to change

In this regard, Microsoft published the Knowledge Base article "On Exchange 2000 Server and Exchange Server 2003, users can't send e-mail messages from mobile devices or shared mailboxes." The article describes the cause and the remedy in detail, but it does not seem to have been clear to every reader. I was surprised to see a post on the Exchange team's blog last week explaining the fix in even more detail. After that, the Knowledge Base article was updated with a script that identifies accounts holding "Full Mailbox Access" but not the "Send As" right. The script writes the list of accounts to a tab-delimited text file; after editing that file, you can feed it to a second script that grants "Send As" to the accounts that need it.

Whether any further work is required depends on your situation. Sites using BES or GoodLink must change their permission settings, and should do so before applying the hotfix to avoid a service interruption. Even if you are not using BES or GoodLink, it is a good idea to run the script, because it lets you check for carelessly granted permissions. It is not uncommon for an administrator who has taken over an Exchange Server to be surprised and uncomfortable with the permissions granted by a predecessor.
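As an added example, not the script from Microsoft's Knowledge Base article, the following PowerShell performs the same audit and optional remediation: it lists accounts that hold "Full Mailbox Access" on a mailbox without holding the "Send As" right, writes the result as a tab-delimited file, and can grant the missing right. It assumes the Exchange Management Shell cmdlets (Exchange 2007 or later); the KB script for Exchange 2000/2003 used ADSI instead.

```powershell
# Added example, not the script from Microsoft's Knowledge Base article.
# Reports accounts that hold FullAccess on a mailbox (Exchange store
# permission) without the Send-As extended right (Active Directory
# permission), the exact mismatch the hotfix exposes. Assumes the Exchange
# Management Shell cmdlets (Exchange 2007 or later); the KB script for
# Exchange 2000/2003 used ADSI instead. Run it BEFORE installing the hotfix.
param(
    [string]$OutFile = '.\FullAccessWithoutSendAs.txt',
    [switch]$Fix   # also grant Send-As to each account found
)

# Built-in principals that appear on every mailbox ACL; not service accounts
$skip = 'NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM'

$rows = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Explicit, non-deny FullAccess entries on the mailbox store ACL
    $fullAccess = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       ($_.AccessRights -like '*FullAccess*') -and
                       ($skip -notcontains $_.User.ToString()) }
    if (-not $fullAccess) { continue }

    # Accounts holding Send-As on the mailbox's AD user object
    $sendAs = Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Send-As*') } |
        ForEach-Object { $_.User.ToString() }

    foreach ($ace in $fullAccess) {
        $user = $ace.User.ToString()
        if ($sendAs -notcontains $user) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress.ToString()
                Dn      = $mbx.DistinguishedName
                Account = $user
            }
        }
    }
}

# Same shape as the KB report: one tab-delimited line per affected account
$rows | ForEach-Object { "{0}`t{1}" -f $_.Mailbox, $_.Account } |
    Set-Content -Path $OutFile

if ($Fix) {
    foreach ($r in $rows) {
        Add-ADPermission -Identity $r.Dn -User $r.Account -ExtendedRights 'Send-As'
    }
}
```

Review the report first and remove any entry that should not be able to send as the owner; only then rerun with -Fix, since granting Send-As to every account in the list reinstates exactly the spoofing risk the hotfix closes.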
