pete11
Level 3
14 years ago
Solved

Private emails can be retrieved from vault

Hi folks,

Our customer has become aware of a potential security issue with the archive vault. If a user grants delegate rights of their mailbox to a user that has also been granted full mailbox access in Exchange, that person can search and retrieve emails from the vault that have been marked "Private".

They have an EV 8.0 SP4/Exchange 2007 infrastructure.

I cannot find any posts with users experiencing a similar problem. The post below is the reverse solution. I have confirmed that the following key is not in place:

DelegateCanSeePrivateItems=1

http://www.symantec.com/business/support/index?page=content&id=TECH57636&actp=search&viewlocale=en_US&searchid=1328864300695eople

Many thanks


  • Confirmed by Symantec support that it is a flaw with Exchange:


    "Microsoft Exchange uses the Exchange Management Console (EMC) to provide Full Mailbox Access (FMA). If FMA is assigned to specific users, and those users add a second user's mailbox through the account settings, private/sensitive items are by default not shown. However, if a separate profile for this user is created and the profile is loaded, then the users that have FMA will see the entire mailbox and have full functionality of that mailbox, including send as/receive as, archiving, private sensitive items etc.

    Enterprise Vault sees all users that are assigned FMA as separate users; permissions are therefore propagated down to the archive by default. The result is that any user who is assigned FMA will see all private items as well as having full access to all functions assigned to the user, including access to all items (including sensitive items), send as, receive as, and deleting and modifying. This is obviously a flaw within Exchange and how FMA assigns rights to the users. Great care and consideration should be given before a user is assigned FMA to another user's mailbox."
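
    Since the reply above makes the Exchange-side Full Mailbox Access grant the thing to watch, an inventory of those grants is the practical check. The script below is an added example written for this page; it is not code from the thread, from Symantec or from Microsoft. It assumes it is run in the Exchange Management Shell on an Exchange 2007 server, uses only the standard Get-Mailbox, Get-MailboxPermission and Export-Csv cmdlets, and the CSV path is an arbitrary choice. It reports only explicit, non-inherited Full Access entries; it does not look at Enterprise Vault itself, so it surfaces the grants that the thread identifies as the cause rather than verifying what the archive exposes.

    ```powershell
    # Added audit example (not from the original thread): list every explicit,
    # non-inherited Full Access grant on each mailbox so it can be reviewed.
    # Run in the Exchange Management Shell. The output path is an arbitrary choice.

    $grants = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                (($_.AccessRights -join ',') -match 'FullAccess') -and
                -not $_.IsInherited -and                              # explicit grants only, not database/org-level ACEs
                -not $_.Deny -and                                     # ignore explicit deny entries
                ($_.User.ToString() -ne 'NT AUTHORITY\SELF') -and     # the owner's own entry
                ($_.User.ToString() -notmatch '^S-1-5-')              # orphaned SIDs of deleted accounts
            } |
            Select-Object @{Name='Mailbox';         Expression={$mbx.PrimarySmtpAddress.ToString()}},
                          @{Name='GrantedTo';       Expression={$_.User.ToString()}},
                          @{Name='AccessRights';    Expression={$_.AccessRights -join ','}},
                          @{Name='InheritanceType'; Expression={$_.InheritanceType}}
    }

    # Review on screen, and keep a copy so the list can be compared on the next run.
    $grants | Sort-Object Mailbox, GrantedTo | Format-Table -AutoSize
    $grants | Export-Csv -Path 'C:\Temp\FullAccessGrants.csv' -NoTypeInformation
    ```

    Any entry that should not be there can be revoked with Remove-MailboxPermission (for example `Remove-MailboxPermission -Identity <mailbox> -User <user> -AccessRights FullAccess -InheritanceType All`), which matches the reproduction step in this thread where removing the Exchange right stopped the Private items appearing in the vault.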

  • Yes I can reproduce the issue, and once I remove full mailbox access rights on Exchange I can no longer see the Private mail in the vault.  I take it Symantec support is the next step?

  • Yes Pete that would be my suggestion.


    (FWIW I'm sure I've seen this in the past)

  • As a matter of interest..  How are you doing this?


    I just opened a secondary mailbox, which had an item marked as 'private' in the sent items folder.  I can't see that item in Outlook... whether it's archived or not.


    Further when I search for an item which is private, with a subject that I know, I get no hits.  (Using Integrated Search)


    Same for Archive Explorer.

  • If you give User A delegate rights to your mailbox, and User A adds your mailbox in Outlook, then yes, he cannot see your private mail in Outlook.

    However, if you then give User A Full Mailbox rights in Exchange (2007), then when User A searches the vault again your private items appear and can be opened.

  • pete11, have you been able to come to a conclusion for this issue with support?