Private emails can be retrieved from vault
Hi folks,
Our customer has become aware of a potential security issue with the archive vault. If a user grants delegate rights of their mailbox to a user that has also been granted full mailbox access in Exchange, that person can search and retrieve emails from the vault that have been marked "Private".
They have an EV 8.0 SP4/Exchange 2007 infrastructure.
I cannot find any posts with users experiencing a similar problem. The post below is the reverse solution. I have confirmed that the following key is not in place:
DelegateCanSeePrivateItems=1
Many thanks
Confirmed by Symantec support that it is a flaw with Exchange:
"Microsoft Exchange uses the Exchange Management Console (EMC) to provide Full Mailbox Access (FMA). If FMA is assigned to specific users, and those users add a second user's mailbox through their account settings, private sensitive items are not shown by default. However, if a separate profile for this user is created and that profile is loaded, then the users that have FMA will see the entire mailbox and have full functionality of that mailbox, including send as/receive as, archiving, private sensitive items, etc.

Enterprise Vault sees all users that are assigned FMA as separate users, thus permissions are propagated down to the archive by default. The result is that any user who is assigned FMA will see all private items and will have full access to all functions assigned to the user, including access to all items (sensitive items included), send as, receive as, and deleting and modifying. This is obviously a flaw within Exchange and how FMA assigns rights to users. Great care and consideration should be given before a user is assigned FMA to another user's mailbox."
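Since the support answer puts the onus on reviewing who holds FMA, here is an added example (not from the original thread, Symantec support, or the Enterprise Vault product) that lists every explicit Full Access grant from the Exchange Management Shell, so the trustees who would see "Private" items in the archive can be reviewed; the report path is an assumption.

```powershell
# Added example: enumerate explicit Full Access (FMA) grants on every mailbox.
# Run from the Exchange Management Shell (Exchange 2007 or later) with at least
# view-only Exchange rights. The CSV path below is an assumed location.
$reportPath = "C:\Temp\FullAccessGrants.csv"

$grants = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mailbox = $_
    Get-MailboxPermission -Identity $mailbox.Identity |
        Where-Object {
            ($_.AccessRights -contains "FullAccess") -and   # FMA specifically
            (-not $_.IsInherited) -and                      # explicit grants only
            (-not $_.Deny) -and                             # ignore deny ACEs
            ($_.User.ToString() -ne "NT AUTHORITY\SELF") -and
            ($_.User.ToString() -notlike "S-1-5-*")          # skip orphaned SIDs
        } |
        Select-Object @{Name="Mailbox";      Expression={$mailbox.PrimarySmtpAddress.ToString()}},
                      @{Name="Trustee";      Expression={$_.User.ToString()}},
                      @{Name="AccessRights"; Expression={[string]$_.AccessRights}}
}

# Each row is a trustee who can load the mailbox in a separate Outlook profile
# and, as the support answer describes, see the owner's private items in the vault.
$grants | Sort-Object Mailbox, Trustee | Format-Table -AutoSize
$grants | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host ("{0} explicit Full Access grant(s) found; report written to {1}" -f @($grants).Count, $reportPath)
```

Review each row against a business justification; an FMA grant that exists only so a delegate can manage a calendar or inbox is the case the support answer warns about, since a delegate with FMA sees private items in the archive.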