Removing Share Permissions for the 'Everyone' Group on Exchange Servers
Occasionally we will be asked by customers about two shares that are created by default on Exchange mailbox servers. The share names are Resources$ and Address, but their file system location varies depending on the version of Exchange the server is running. In all cases, the Everyone group has been granted no NTFS permissions to the folder that is being shared. Instead, the Authenticated Users group has Read permission to the folder, so effectively 'Everyone' cannot access the folder via the share - they must be authenticated. Moreover, the data contained in these shares is basically worthless to anyone who could access them. The Address share contains DLLs that third parties use to generate proxy addresses, while the Resources$ share provides event logging information. Neither of these is likely to be useful to someone with malicious intent, even if they can reach them.
Here's a look at the Address share and the Everyone group's permissions on an Exchange 2010 server:
These shares go back to at least Exchange 4.0 and persist today in Exchange 2007. In Exchange 2010 the Resources$ share is gone, but the Address share still exists. Apparently this is simply because no one has taken the time to remove them from the code. The product group has not altered them in many years and has no current plans to do so.
This question usually comes from organizations that have a security directive mandating that permissions cannot be granted to the Everyone group. To minimize your risk, you should be safe to remove the permissions for the Everyone group from the shares and grant Read permissions to the Authenticated Users group instead. This will not change the effective permissions and will also satisfy your audit requirements. This should also allow any third-party applications that access these shares to continue working.
This permissions change has not been tested and likely will not be tested by the Exchange product group, so I make no warranty that you will not have issues by doing so, but I find it extremely unlikely that you will. Best of luck!
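One way to script the change described above, as an added example that is not part of the original article or any Exchange tooling. It assumes the SmbShare module (Windows Server 2012 or later) and an English-language OS; it runs as a dry run until $dryRun is set to $false.

```powershell
# Added example, not from the original article. Assumes the SmbShare module
# (Windows Server 2012 or later) and an English-language OS, where the group
# names are 'Everyone' and 'NT AUTHORITY\Authenticated Users'.
$dryRun     = $true                      # set to $false to apply the change
$shareNames = 'Address', 'Resources$'    # share names from the article
$authUsers  = 'NT AUTHORITY\Authenticated Users'

foreach ($name in $shareNames) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if (-not $share) {
        Write-Host "Share '$name' not found on this server; skipping."
        continue
    }

    # Share-level ACL before the change, for the audit record.
    Write-Host "`nShare permissions on '$name' ($($share.Path)):"
    $shareAcl = Get-SmbShareAccess -Name $name
    $shareAcl | Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-Host

    # NTFS ACL on the shared folder. Effective access over the share is the
    # more restrictive of the share ACL and this ACL.
    Write-Host "NTFS entries for Everyone / Authenticated Users:"
    (Get-Acl -Path $share.Path).Access |
        Where-Object { $_.IdentityReference.Value -in 'Everyone', $authUsers } |
        Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize |
        Out-Host

    if ($shareAcl.AccountName -notcontains 'Everyone') {
        Write-Host "No share permission for Everyone on '$name'; nothing to change."
        continue
    }

    # Grant first, then revoke, so the share is never left without a read entry.
    Grant-SmbShareAccess -Name $name -AccountName $authUsers -AccessRight Read `
        -Force -WhatIf:$dryRun | Out-Null
    Revoke-SmbShareAccess -Name $name -AccountName 'Everyone' `
        -Force -WhatIf:$dryRun | Out-Null

    Write-Host "Share permissions on '$name' after the change:"
    Get-SmbShareAccess -Name $name |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-Host
}
```

Keep the before and after output with the change record so the original share ACL can be restored if a third-party application stops working.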
Comments
- Anonymous
April 13, 2015
Thanks for this, have changed and no issues @ present. Given single domain here, not expecting anything. The only time I could see this causing issues is with child domains and trust relationships with other AD domains.