IIS 5 security issue
CDO is installed on web server

Scenario:

In an asp page users are authenticated throug the integrated windows method

a connection is made to a remote exchange server

"strProfileInfo = strServer & vblf & strMailbox
Set objSession = Server.CreateObject("MAPI.Session")
objSession.Logon , , , False, , True, strProfileInfo
Set objInfoStores = objSession.InfoStores"


Problem: this will only work if users are member of the Power User or
Administator groups on the web server.

I am not very pleased with that, so may this be avoided?

On Jun 10, 12:29 pm, hjpal <h... [at] post.tele.dk> wrote:
> IIS 5 security issue
> CDO is installed on web server
>
> Scenario:
>
> In an asp page users are authenticated throug the integrated windows method
>
> a connection is made to a remote exchange server
>
> "strProfileInfo = strServer & vblf & strMailbox
> Set objSession = Server.CreateObject("MAPI.Session")
> objSession.Logon , , , False, , True, strProfileInfo
> Set objInfoStores = objSession.InfoStores"
>
> Problem: this will only work if users are member of the Power User or
> Administator groups on the web server.
>
> I am not very pleased with that, so may this be avoided?


This does not look like an issue with IIS and not really a security
issue. Maybe the strProfileInfo access is restricted and you need to
look through documentation of MAPI.Session to determine requirements.

What if you run the script code on the commandline with an interactive
logged-in user. Does that user need to be Power User/Administrator or
not?


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//