|
The default security model in Exchange Server 2003 prevents all user accounts from being able to open more than their own mailbox. A change to the default security settings is the only way this could happen.
For example, if you were to follow the steps in the Microsoft article, "How to assign service account access to all mailboxes in Exchange Server 2003," an account could be given access to all mailboxes. If you are logging on using such an account, then it might be possible to do what you have described without being prompted for a separate set of credentials.
You'll want to look at enabling forms-based authentication (FBA) on the ISA server. This will enhance the security for each logon. It will also force each session to log on with a new set of credentials.
For step-by-step instructions on configuring the listener for FBA, take a look at Outlook Web Access Server Publishing Walk-through Procedure 4: "Secure Outlook Web Access through the listener."
Do you have comments on this Ask the Expert Q&A? Let us know.
Related information from SearchExchange.com:
Tip: Protecting Outlook Web Access from keystroke loggers
Expert Advice: Securing Exchange mailboxes from internal attacks
Administration Guide: Outlook Web Access security
Reference Center: ISA server tips and resources
|