  #1 it2b (Senior Member; Join Date: Apr 2007; Posts: 117; Certifications: VCP5-DCV, MCSA 2012/2003/2000, MCTS: Windows 2008 Active Directory, Configuring, CompTIA A+, Network+)

    Disabled Users Can Still Send Mail

    Our company terminated an executive recently. We disabled her account and learned through a third party that she was still sending mail from her corporate email.

    Long story short we found this to be a known issue with IIS caching and resolved by resetting IIS. As long as the user has an active session in OWA or Outlook Anywhere they can continue sending mail until the cached credentials are flushed.

    I opened a ticket with Microsoft. The response was that this "perceived" vulnerability is "by design" because OWA is a large app and IIS needs to cache everything or the performance is slow.

    The Exchange team has tried to raise this as an issue in the past with the IIS team, but the IIS group does not think it is a problem. And they claim this has been an issue going back several versions of Exchange.

    Microsoft gave me some other "work arounds" such as moving the mailbox to another database while simultaneously making a registry change on the CAS servers.

    My questions to all my fellow Exchange admins:
    1. Is this a widely known fact? I work with several people with years of Exchange experience who did not know this.

    2. What are your termination procedures? I doubt large companies are resetting IIS or bouncing their CAS servers every time someone leaves the company!

    The refusal of Microsoft to acknowledge this as a problem has really irked me, so you may see this same thread on other forums as I feel more people need to know about this!

  #2 undomiel (Virtual Member; Join Date: Sep 2007; Location: Bellevue, WA; Posts: 2,813; Certifications: MCSA:2008, VCP4/5, CCA (XS), MCITP: EA/VA, MCSE, MCSA, Linux+, Security+, Server+, A+)
    It's a somewhat well-known issue; you'll see a lot of threads on it if you start Google searching around. How critical it is that the user be cut off immediately determines whether I do an iisreset /noforce /timeout:120 or not. Usually I'll just disable mail access protocols on the account, then disable the account.

  #3 cyberguypr (Senior Member; Join Date: May 2007; Location: Chicago, IL; Posts: 5,768; Certifications: GCFE, GCED, GCIH, CISSP, CCSP, and others that should never be mentioned)
    I also have seen the issue on other boards. The quickest/least disruptive solution I found to be effective without messing with IISreset was removing NT Authority\SELF from 'Manage Full Access Permission'. Even though it didn't kill the OWA connection, it basically killed all functionality. It still allowed me to comply with my account retention and archiving policies.

  #4 bigdogz (Senior Member; Join Date: Oct 2010; Location: NATTED to nowhere!; Posts: 508; Certifications: S+, N+, CEH, CSSLP, CISSP, CGEIT, CCSA, CCNA, CRISC, CASP, RHCSA, RHCE, CBE, GCIH)

    Quote Originally Posted by it2b:
    I opened a ticket with Microsoft. The response was that this "perceived" vulnerability is "by design" because OWA is a large app and IIS needs to cache everything or the performance is slow.

    The refusal of Microsoft to acknowledge this as a problem has really irked me, so you may see this same thread on other forums as I feel more people need to know about this!
    undomiel and cyberguypr are right.
    "Vulnerability by design" issues by Microsoft are "features". Believe it or not, Microsoft used to be worse. They are getting better, but there are times when they revert back to their old mentalities.
    Last edited by bigdogz; 08-10-2012 at 03:50 PM.
  #5 it2b (Senior Member; Join Date: Apr 2007; Posts: 117; Certifications: VCP5-DCV, MCSA 2012/2003/2000, MCTS: Windows 2008 Active Directory, Configuring, CompTIA A+, Network+)

    Quote Originally Posted by bigdogz:
    undomiel and cyberguypr are right.
    "Vulnerability by design" issues by Microsoft are "features".
    They were trying to tell me that cached credentials are a "feature" across all Microsoft platforms: drive mappings, Terminal Services, Active Directory. Pretty eye-opening stuff.

  #6 Chivalry1 (Senior Member; Join Date: Mar 2005; Location: 127.0.0.1; Posts: 554; Certifications: CISSP, CICSP, MCSE, C|EH, MCSA, MCITP: EMA 2K7/2010, MCTS: Exchange 2K7/2010, Sec+, Net+, CCA-XENAPP, ITIL-V3, MCDST, MOS)
    Yes, this has been a known issue with Microsoft, especially if you are using Microsoft Forefront Threat Management Gateway or ISA servers. This is the security control I put in place:

    Disabled users were moved to a DISABLED OU in Active Directory.
    A daily automated Exchange PowerShell script ran against that particular OU that:

    1.) Disabled all mailbox feature options: ActiveSync, OWA, POP, IMAP, MAPI
    2.) Set the "Maximum message size" to 1 KB (effectively disabled sending any real emails)
    3.) Hid the user from the address book

    I'm sure I could have done more things with the script, but this was very effective and the script was easy to write.
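    The daily script Chivalry1 describes, written out as an added Exchange Management Shell example (this is not the poster's own script). It assumes the placeholder OU path below is replaced with the real DISABLED OU and that it runs with rights to modify mailboxes; the final query is an added verification step that reports any mailbox in the OU where a protocol is still enabled.

```powershell
# Added example: apply the three controls from the post above to every mailbox
# in the "disabled users" OU, then report anything the run missed.
# Placeholder OU path; replace with the DISABLED OU used in your forest.
$DisabledOU = "OU=DISABLED,DC=example,DC=local"

$mailboxes = Get-Mailbox -OrganizationalUnit $DisabledOU -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    # 1.) Turn off every client access protocol for the mailbox
    Set-CASMailbox -Identity $mbx.Identity `
        -ActiveSyncEnabled $false `
        -OWAEnabled $false `
        -PopEnabled $false `
        -ImapEnabled $false `
        -MAPIEnabled $false

    # 2.) Cap send/receive size at 1 KB so no real mail can be sent,
    # 3.) and hide the mailbox from the address lists
    Set-Mailbox -Identity $mbx.Identity `
        -MaxSendSize 1KB `
        -MaxReceiveSize 1KB `
        -HiddenFromAddressListsEnabled $true
}

# Verification: list any mailbox in the OU that still has a protocol enabled.
# An empty result means every mailbox in the OU is locked down.
Get-CASMailbox -OrganizationalUnit $DisabledOU -ResultSize Unlimited |
    Where-Object {
        $_.ActiveSyncEnabled -or $_.OWAEnabled -or $_.PopEnabled -or
        $_.ImapEnabled -or $_.MAPIEnabled
    } |
    Select-Object Name, ActiveSyncEnabled, OWAEnabled, PopEnabled, ImapEnabled, MAPIEnabled
```

    Note that, as cyberguypr observes earlier in the thread, disabling protocols does not by itself tear down a session that IIS has already authenticated; the 1 KB size cap is what stops a lingering session from sending anything useful.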

  #7 blargoe (Self-Described Huguenot; Join Date: Nov 2005; Location: NC; Posts: 4,088; Certifications: VCAP5-DCA; VCP 3/4/5/6 (DCV); EMCSA:CLARiiON; Linux+; MCSE:M 2000/2003; MCSE:S 2000/2003; MCTS:Exch2007; Security+; A+; CCNA (expired))
    When I was managing Exchange, I disabled send and receive on the mailbox from anyone but Postmaster, and turned off access protocols.