How private are private items in Exchange
We sometimes get asked: how private are private items?
The short answer is: not very. Private items are an Outlook and OWA concept and NOT an Exchange concept. Exchange has no item-level security model, only mailbox-level and folder-level permissions.
So what does this mean?
This means that unless you can force people to access your mailbox only via Outlook and OWA, do NOT delegate your mailbox or folders if you expect private items to stay 100% private. Other access methods such as WebDAV, EWS, ActiveSync and any of the myriad other mail access methods will NOT honour the private flag; private items will be downloaded just like any other item.
Oh no! So what else can you do?
Using encryption such as S/MIME or AD RMS will prevent others from reading your mail: in the case of S/MIME, as long as they don’t have the private key for your certificate; in the case of AD RMS, as long as they can’t hijack your email address (and the correct RMS template was used to prevent others from reading).
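Because the private flag protects nothing outside Outlook and OWA, the practical check is to find out where mailbox or folder access has been granted to someone other than the owner. The script below is an added example (not from the original post) that lists every such grant; it assumes an Exchange Management Shell or Exchange Online PowerShell session and English folder names.

```powershell
# Added example (not from the original post): list every non-owner grant of
# mailbox-level or folder-level access. Each row is a place where "private"
# items are readable over EWS, ActiveSync, WebDAV etc. with the grantee's
# own credentials. Assumes an Exchange Management Shell / Exchange Online
# session and English well-known folder names (adjust $folders otherwise).

$systemPrincipals = 'NT AUTHORITY\SELF', 'Default', 'Anonymous'
$folders = 'Calendar', 'Tasks', 'Contacts', 'Inbox'   # folders that commonly hold private items

$exposure = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {

    # Mailbox-level rights (e.g. FullAccess) cover every folder, private flag or not.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $systemPrincipals -notcontains $_.User -and
                       $_.User -notlike 'S-1-5-*' } |          # skip orphaned SIDs
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Scope = 'Mailbox'
                               Grantee = $_.User; Rights = ($_.AccessRights -join ',') }
        }

    # Folder-level rights: this is what Outlook delegation actually grants.
    foreach ($folder in $folders) {
        Get-MailboxFolderPermission -Identity "$($mbx.Alias):\$folder" -ErrorAction SilentlyContinue |
            Where-Object { $systemPrincipals -notcontains $_.User.DisplayName -and
                           $_.AccessRights -notcontains 'None' } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Scope = $folder
                                   Grantee = $_.User.DisplayName; Rights = ($_.AccessRights -join ',') }
            }
    }
}

# Every mailbox listed here should be told that its private items are not private
# to the grantee, or the grant should be removed / replaced by S/MIME or RMS.
$exposure | Sort-Object Mailbox, Scope | Format-Table -AutoSize
```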
The proof…
Right, so we’ve created two users, TwanBoss and TwanDelegate.
TwanBoss delegates his mailbox to TwanDelegate.
TwanBoss then creates some private items; I’ve used a calendar item and a task, but it doesn’t really matter what the item type is.
Now in Outlook all is well: TwanDelegate sees the calendar item marked as ‘Private Appointment’ but cannot open it. With MFCMapi or OutlookSpy you also can’t see any protected content. However, with some simple PowerShell scripting (and using only the delegate’s credentials) we get the whole appointment…
PS C:\Users\Twan> $MailboxName = "TwanBoss@nbcmt.neroblanco.co.uk"
PS C:\Users\Twan> $StartDate = new-object System.DateTime(2015, 08, 10)
PS C:\Users\Twan> $EndDate = new-object System.DateTime(2015, 08, 13)
PS C:\Users\Twan> $dllpath = "C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll"
PS C:\Users\Twan> [void][Reflection.Assembly]::LoadFile($dllpath)
PS C:\Users\Twan> $service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)
PS C:\Users\Twan> $service.credentials = New-Object System.Net.NetworkCredential( "TwanDelegate@nbcmt.neroblanco.co.uk", "*********" )
PS C:\Users\Twan> $service.AutodiscoverUrl($MailboxName)
PS C:\Users\Twan> $folderid = new-object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Calendar,$MailboxName)
PS C:\Users\Twan> $CalendarFolder = [Microsoft.Exchange.WebServices.Data.CalendarFolder]::Bind($service,$folderid)
PS C:\Users\Twan> $cvCalendarview = new-object Microsoft.Exchange.WebServices.Data.CalendarView($StartDate,$EndDate,2000)
PS C:\Users\Twan> $cvCalendarview.PropertySet = new-object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
PS C:\Users\Twan> $frCalendarResult = $CalendarFolder.FindAppointments($cvCalendarview)
PS C:\Users\Twan> foreach ($apApointment in $frCalendarResult.Items){
>> $psPropset = new-object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
>> $apApointment.load($psPropset)
>> $apApointment | fl
>> }
>>
Start                        : 10/08/2015 08:00:00
End                          : 10/08/2015 08:30:00
OriginalStart                :
IsAllDayEvent                : False
LegacyFreeBusyStatus         : Busy
Location                     :
When                         :
IsMeeting                    : False
IsCancelled                  : False
IsRecurring                  : False
MeetingRequestWasSent        : False
IsResponseRequested          : True
AppointmentType              : Single
MyResponseType               : Unknown
Organizer                    : TwanBoss <SMTP:TwanBoss@NBCMT.neroblanco.co.uk>
RequiredAttendees            : {TwanBoss}
OptionalAttendees            : {}
Resources                    : {}
ConflictingMeetingCount      :
AdjacentMeetingCount         :
ConflictingMeetings          :
AdjacentMeetings             :
Duration                     : 00:30:00
TimeZone                     : (UTC) Dublin, Edinburgh, Lisbon, London
AppointmentReplyTime         :
AppointmentSequenceNumber    : 0
AppointmentState             : 0
Recurrence                   :
FirstOccurrence              :
LastOccurrence               :
ModifiedOccurrences          :
DeletedOccurrences           :
StartTimeZone                :
EndTimeZone                  :
ConferenceType               : 0
AllowNewTimeProposal         : True
IsOnlineMeeting              :
MeetingWorkspaceUrl          :
NetShowUrl                   :
ICalUid                      : 040000008200E00074C5B7101A82E00800000000300798244DD3D001000000000000000010000000EFB2C00E742D0F428B8E3CD4742A0969
ICalRecurrenceId             :
ICalDateTimeStamp            : 10/08/2015 10:04:50
EnhancedLocation             :
JoinOnlineMeetingUrl         :
OnlineMeetingSettings        :
IsAttachment                 : False
IsNew                        : False
Id                           : AQMkADViY2UxMDc2LWNmZTUtNDg1OS1hYjU0LWQyMGRlZGQAMTBmOWMARgAAAycY3EhvWmBNvsnINJSFUBwHAFugdGnAXllKhQSVSg8yw7QAAAIBDQAAAFugdGnAXllKhQSVSg8yw7QAAAINOAAAAA==
MimeContent                  :
ParentFolderId               : AQMkADViY2UxMDc2LWNmZTUtNDg1OS1hYjU0LWQyMGRlZGQAMTBmOWMALgAAAycY3EhvWmBNvsnINJSFUBwBAFugdGnAXllKhQSVSg8yw7QAAAIBDQAAAA==
Sensitivity                  : Private
Attachments                  : {}
DateTimeReceived             : 10/08/2015 09:15:47
Size                         : 7316
Categories                   : {}
Culture                      : en-GB
Importance                   : Normal
InReplyTo                    :
IsSubmitted                  : False
IsAssociated                 :
IsDraft                      : False
IsFromMe                     : False
IsResend                     : False
IsUnmodified                 : False
InternetMessageHeaders       :
DateTimeSent                 : 10/08/2015 09:15:47
DateTimeCreated              : 10/08/2015 09:15:56
AllowedResponseActions       : Forward
ReminderDueBy                : 10/08/2015 08:00:00
IsReminderSet                : False
ReminderMinutesBeforeStart   : 15
DisplayCc                    :
DisplayTo                    : TwanBoss
HasAttachments               : False
Body                         : <html>
                               <head>
                               <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
                               <meta name="Generator" content="Microsoft Exchange Server">
                               <!-- converted from rtf -->
                               <style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
                               </head>
                               <body>
                               <font face="Calibri" size="2"><span style="font-size:11pt;">
                               <div>This is my private appointment</div>
                               <div> </div>
                               </span></font>
                               </body>
                               </html>
ItemClass                    : IPM.Appointment
Subject                      : Boss Private Appointment
WebClientReadFormQueryString :
WebClientEditFormQueryString :
ExtendedProperties           : {}
EffectiveRights              : Read
LastModifiedName             : TwanBoss
LastModifiedTime             : 10/08/2015 10:04:50
ConversationId               :
UniqueBody                   :
StoreEntryId                 :
InstanceKey                  :
Flag                         :
NormalizedBody               :
EntityExtractionResult       :
PolicyTag                    :
ArchiveTag                   :
RetentionDate                :
Preview                      :
TextBody                     :
IconIndex                    :
Schema                       : {MimeContent, Id, ParentFolderId, ItemClass...}
Service                      : Microsoft.Exchange.WebServices.Data.ExchangeService
IsDirty                      : False