Private emails can be retrieved from vault
Updated: 27 Feb 2012 | 9 comments
This issue has been solved. See solution.
Hi folks,
Our customer has become aware of a potential security issue with the archive vault. If a user grants delegate rights of their mailbox to a user that has also been granted full mailbox access in Exchange, that person can search and retrieve emails from the vault that have been marked "Private".
They have an EV 8.0 SP4/Exchange 2007 infrastructure.
I cannot find any posts with users experiencing a similar problem. The post below is the reverse solution. I have confirmed that the following key is not in place:
DelegateCanSeePrivateItems=1
Many thanks
Comments
Have you reproduced the issue, or contacted Symantec Support?
Yes I can reproduce the issue, and once I remove full mailbox access rights on Exchange I can no longer see the Private mail in the vault. I take it Symantec support is the next step?
Yes Pete that would be my suggestion.
(FWIW I'm sure I've seen this in the past)
on it now, thanks Rob.
As a matter of interest... how are you doing this?
I just opened a secondary mailbox, which had an item marked as 'private' in the sent items folder. I can't see that item in Outlook... whether it's archived or not.
Further when I search for an item which is private, with a subject that I know, I get no hits. (Using Integrated Search)
Same for Archive Explorer.
If you give User A delegate rights to your mailbox, and User A adds your mailbox in Outlook, then yes, he cannot see your private mail in Outlook.
However, if you then give User A Full Mailbox rights in Exchange (2007) and User A searches the vaults again, your private items appear and can be opened.
pete1, have you been able to come to a conclusion for this issue with support?
Andy Becker | Authorized Symantec Consultant | Trace3 | Symantec National Partner | www.trace3.com
Hi Andy, not as yet. The support engineer is replicating the issue in a lab. Meanwhile I have removed full mailbox access from Exchange mailboxes and advised users to use delegates rights instead.
It may be an issue with Exchange:
http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaging/thread/69cfcd0d-bc25-4e20-8afe-6aa263a7ecdf
Thanks, Pete
Confirmed by Symantec support that it is a flaw with Exchange:
"Microsoft Exchange uses Exchange Management Console (EMC) to provide Full Mailbox access (FMA). If FMA is assigned to specific users, and the users add a second user mailbox through the account settings, private sensitive items by default are not shown. However, if a separate profile for this user is created and the profile is loaded then the users that have FMA will see the entire mailbox and have full functionality of that mailbox, including send as/receive as, archiving, private sensitive items etc.
Enterprise Vault sees all users that are assigned FMA as separate users thus permissions are then propagated down to the archive by default, the result is, any user that is assigned FMA will see all private items as well as have full access to all functions assigned to the user including access to all items including sensitive items, send as, receiving as, and deleting and modifying. This is obviously a flaw within Exchange and how FMA assigns rights to the users. Great care and consideration should be given before a user is assigned FMA to another user's mailbox."
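Since the support statement above puts the burden on reviewing who holds Full Mailbox Access, here is an added audit script for the Exchange Management Shell (not from the thread, Symantec or Microsoft) that lists every explicit, non-inherited FullAccess grant alongside the mailbox's Outlook send-on-behalf delegates, so the delegate-plus-FMA overlap described in this thread can be spotted. It assumes the standard Get-Mailbox / Get-MailboxPermission cmdlets; the CSV path is a placeholder.

```powershell
# Audit explicit Full Mailbox Access (FMA) grants on every mailbox and show the
# mailbox's send-on-behalf delegates next to them. Any grantee that appears in
# both columns is exactly the delegate + FMA combination that exposes "Private"
# items through the Enterprise Vault archive.
function Get-FullAccessAudit {
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        # Delegates added via Outlook land in GrantSendOnBehalfTo (names only).
        $delegates = @($mbx.GrantSendOnBehalfTo | ForEach-Object { $_.Name })

        # Keep only FullAccess entries that were granted explicitly on this
        # mailbox: skip inherited ACEs, Deny entries and the mailbox owner (SELF).
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                $_.AccessRights -like "*FullAccess*" -and
                $_.IsInherited -eq $false -and
                $_.Deny -eq $false -and
                $_.User -notlike "NT AUTHORITY\SELF"
            } |
            ForEach-Object {
                # User is DOMAIN\alias; compare the alias part to delegate names
                # (assumption: delegate display name matches the account alias).
                $alias = ($_.User -split "\\")[-1]
                New-Object PSObject -Property @{
                    Mailbox              = $mbx.DisplayName
                    FullAccessGrantee    = $_.User
                    SendOnBehalfDelegates = ($delegates -join "; ")
                    DelegateAndFMA       = ($delegates -contains $alias)
                }
            }
    }
}

# Review the overlaps first, then keep a record of the full audit.
$audit = Get-FullAccessAudit
$audit | Where-Object { $_.DelegateAndFMA } |
    Format-Table Mailbox, FullAccessGrantee, SendOnBehalfDelegates -AutoSize
$audit | Export-Csv -NoTypeInformation -Path "C:\PLACEHOLDER\fma-audit.csv"
```

Grantees flagged in DelegateAndFMA are candidates for having the FMA removed and keeping delegate rights only, which is the workaround Pete applied above.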