
Private emails can be retrieved from vault

pete11
Level 3
Partner

Hi folks,

Our customer has become aware of a potential security issue with the archive vault. If a user grants delegate rights of their mailbox to a user that has also been granted full mailbox access in Exchange, that person can search and retrieve emails from the vault that have been marked "Private".

They have an EV 8.0 SP4/Exchange 2007 infrastructure.

I cannot find any posts with users experiencing a similar problem. The post below is the reverse solution. I have confirmed that the following key is not in place:

DelegateCanSeePrivateItems=1

http://www.symantec.com/business/support/index?page=content&id=TECH57636&actp=search&viewlocale=en_U...

Many thanks


1 ACCEPTED SOLUTION

pete11
Level 3
Partner

Confirmed by Symantec support that it is a flaw with Exchange:


"Microsoft Exchange uses the Exchange Management Console (EMC) to provide Full Mailbox Access (FMA). If FMA is assigned to specific users, and those users add a second user's mailbox through the account settings, private sensitive items by default are not shown. However, if a separate profile for this user is created and the profile is loaded, then the users that have FMA will see the entire mailbox and have full functionality of that mailbox, including send as/receive as, archiving, private sensitive items, etc.

Enterprise Vault sees all users that are assigned FMA as separate users; thus permissions are propagated down to the archive by default. The result is that any user that is assigned FMA will see all private items, as well as having full access to all functions assigned to the user, including access to all items (including sensitive items), send as, receive as, and deleting and modifying. This is obviously a flaw within Exchange and how FMA assigns rights to the users. Great care and consideration should be given before a user is assigned FMA to another user's mailbox."

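Since the support answer above says the exposure follows every explicit Full Mailbox Access grant, the practical check is to list those grants so each one can be reviewed. The script below is an added example, not from this thread or from Symantec/Veritas; it assumes an Exchange 2007 Management Shell session with rights to read mailbox permissions, and the output path is a placeholder.

```powershell
# Added example: enumerate explicit (non-inherited) Full Access grants on every mailbox.
# Each grantee listed here would, per the thread, also see "Private" items in the EV archive.
# Assumes an Exchange 2007 Management Shell; Get-Mailbox / Get-MailboxPermission are standard cmdlets.
$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            ($_.AccessRights -contains "FullAccess") -and   # only Full Mailbox Access
            (-not $_.IsInherited) -and                      # explicit grants, not inherited ACEs
            (-not $_.Deny) -and                             # ignore deny entries
            ($_.User.ToString() -ne "NT AUTHORITY\SELF")    # owner's own entry is expected
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mailbox = $mbx.PrimarySmtpAddress.ToString()
                Grantee = $_.User.ToString()
                Rights  = ($_.AccessRights -join ",")
            }
        }
}

# Review on screen, then keep a CSV for the change ticket (placeholder path).
$report | Sort-Object Mailbox, Grantee | Format-Table Mailbox, Grantee, Rights -AutoSize
$report | Export-Csv -Path "C:\Temp\fma-audit.csv" -NoTypeInformation
```

Grants that exist only to let an assistant work a mailbox are candidates for the workaround used later in this thread: remove Full Mailbox Access and use Outlook delegate rights instead, which do not expose private items.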

9 REPLIES

Rob_Wilcox1
Level 6
Partner

Have you reproduced the issue, or contacted Symantec Support?

Working for cloudficient.com

pete11
Level 3
Partner

Yes, I can reproduce the issue, and once I remove Full Mailbox Access rights on Exchange I can no longer see the Private mail in the vault. I take it Symantec support is the next step?

Rob_Wilcox1
Level 6
Partner

Yes Pete that would be my suggestion.


(FWIW I'm sure I've seen this in the past)

Working for cloudficient.com

pete11
Level 3
Partner

On it now, thanks Rob.

Rob_Wilcox1
Level 6
Partner

As a matter of interest, how are you doing this?


I just opened a secondary mailbox, which had an item marked as 'private' in the sent items folder.  I can't see that item in Outlook... whether it's archived or not.


Further when I search for an item which is private, with a subject that I know, I get no hits.  (Using Integrated Search)


Same for Archive Explorer.

Working for cloudficient.com

pete11
Level 3
Partner

If you give User A delegate rights to your mailbox and User A adds your mailbox in Outlook, then yes, he cannot see your private mail in Outlook.

However, if you then give User A Full Mailbox rights in Exchange (2007) and User A searches the vault again, your private items appear and can be opened.

AndrewB
Moderator
Partner    VIP    Accredited

pete11, have you been able to come to a conclusion for this issue with support?

pete11
Level 3
Partner

Hi Andy, not as yet.  The support engineer is replicating the issue in a lab.  Meanwhile I have removed full mailbox access from Exchange mailboxes and advised users to use delegates rights instead.

It may be an issue with Exchange:

http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaging/thread/69cfcd0d-bc25-4e2...

Thanks, Pete
