How private are private items in Exchange

We sometimes get asked: how private are private items?

The short answer is not very…  Private items are an Outlook and OWA concept and NOT an Exchange concept.  Exchange has no item-level security model, only mailbox- and folder-level permissions.

So what does this mean?

This means that unless you can force people to access your mailbox only via Outlook and OWA, do NOT delegate your mailbox/folders if you expect private items to be 100% private.  Other methods like WebDAV, EWS, ActiveSync and a myriad of other mail access methods will NOT honour private items.  Instead the items will be downloaded just like any other message.
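Because the only controls Exchange itself enforces are mailbox- and folder-level permissions, the practical question for a mailbox owner is simply "who has been granted access to my folders?"  The following Exchange Management Shell script is an added example, not part of the original post, that reports every mailbox- or folder-level grant on a user's Calendar and Tasks folders that goes beyond free/busy visibility.  It assumes an Exchange Management Shell session, English folder names ("Calendar", "Tasks"), and the standard Get-MailboxPermission / Get-MailboxFolderPermission cmdlets; the parameter name and output layout are my own.

```powershell
# Added example (not from the original post): list who can read items in a
# mailbox's Calendar and Tasks folders.  Anyone reported here can retrieve
# private items through EWS, ActiveSync or similar, because Exchange does not
# enforce the "Private" sensitivity itself.
# Assumes: Exchange Management Shell, English folder names.
param(
    [Parameter(Mandatory = $true)]
    [string]$Mailbox          # e.g. TwanBoss (any identity Get-Mailbox accepts)
)

# Folder rights that reveal no item content; anything else is worth reporting.
$availabilityOnly = @('None', 'AvailabilityOnly', 'LimitedDetails')

# 1. Mailbox-level Full Access overrides folder permissions entirely.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object {
        ($_.AccessRights -like '*FullAccess*') -and
        -not $_.IsInherited -and
        ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
    } |
    ForEach-Object {
        [pscustomobject]@{
            Mailbox = $Mailbox
            Scope   = 'Mailbox'
            Grantee = $_.User.ToString()
            Rights  = ($_.AccessRights -join ',')
        }
    }

# 2. Folder-level grants on the folders where private items usually live.
#    'Default' and 'Anonymous' are always present; they are reported too if
#    someone has raised them above free/busy, since that exposes items to
#    everyone in the organisation.
foreach ($folder in 'Calendar', 'Tasks') {
    $folderId = '{0}:\{1}' -f $Mailbox, $folder
    Get-MailboxFolderPermission -Identity $folderId |
        Where-Object {
            $rights = @($_.AccessRights | ForEach-Object { $_.ToString() })
            # Keep the entry only if at least one right is not in the harmless set.
            ($rights | Where-Object { $_ -notin $availabilityOnly }).Count -gt 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $Mailbox
                Scope   = $folder
                Grantee = $_.User.ToString()
                Rights  = ($_.AccessRights -join ',')
            }
        }
}
```

Run it as `.\Get-FolderExposure.ps1 -Mailbox TwanBoss` (file name is my choice); in the scenario below it would list TwanDelegate against both the mailbox (if Full Access was granted) and the Calendar and Tasks folders, which is exactly the set of people for whom "Private" is only a client-side courtesy.  Pipe the output to `Export-Csv` to run it across many mailboxes from `Get-Mailbox`.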

Oh no!  So what else can you do?

Using encryption like S/MIME or AD RMS will prevent others from reading your mail, as long as they don’t have the private key to your certificate (in the case of S/MIME), and as long as they can’t hijack your email address and the correct RMS template was used to prevent others from reading (in the case of AD RMS).

The proof…

Right, so we’ve created two users, TwanBoss and TwanDelegate.

TwanBoss delegates his mailbox to TwanDelegate

TwanBoss delegates to TwanDelegate

TwanBoss then creates some private items; I’ve used a calendar item and a task, but it doesn’t really matter what the item type is.

TwanBoss creates a private task

TwanBoss creates a private appointment

Now in Outlook all is well: TwanDelegate sees the calendar item marked as ‘Private Appointment’ but cannot open it.  Also, with MFCMapi or OutlookSpy you can’t see any protected content.  However, with some simple PowerShell scripting against EWS (using only the delegate’s credentials) we get the whole appointment…

PS C:\Users\Twan> $MailboxName = "TwanBoss@nbcmt.neroblanco.co.uk"
PS C:\Users\Twan> $StartDate = new-object System.DateTime(2015, 08, 10)
PS C:\Users\Twan> $EndDate = new-object System.DateTime(2015, 08, 13)
PS C:\Users\Twan>
PS C:\Users\Twan> $dllpath = "C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll"
PS C:\Users\Twan> [void][Reflection.Assembly]::LoadFile($dllpath)
PS C:\Users\Twan> $service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)
PS C:\Users\Twan>
PS C:\Users\Twan> $service.credentials = New-Object System.Net.NetworkCredential( "TwanDelegate@nbcmt.neroblanco.co.uk", "*********" )
PS C:\Users\Twan>
PS C:\Users\Twan>
PS C:\Users\Twan> $service.AutodiscoverUrl($MailboxName)
PS C:\Users\Twan>
PS C:\Users\Twan> $folderid = new-object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Calendar,$MailboxName)
PS C:\Users\Twan> $CalendarFolder = [Microsoft.Exchange.WebServices.Data.CalendarFolder]::Bind($service,$folderid)
PS C:\Users\Twan> $cvCalendarview = new-object Microsoft.Exchange.WebServices.Data.CalendarView($StartDate,$EndDate,2000)
PS C:\Users\Twan> $cvCalendarview.PropertySet = new-object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
PS C:\Users\Twan> $frCalendarResult = $CalendarFolder.FindAppointments($cvCalendarview)
PS C:\Users\Twan>
PS C:\Users\Twan> foreach ($apApointment in $frCalendarResult.Items){
>> $psPropset = new-object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
>> $apApointment.load($psPropset)
>> $apApointment | fl
>> }
>>
Start : 10/08/2015 08:00:00
End : 10/08/2015 08:30:00
OriginalStart :
IsAllDayEvent : False
LegacyFreeBusyStatus : Busy
Location :
When :
IsMeeting : False
IsCancelled : False
IsRecurring : False
MeetingRequestWasSent : False
IsResponseRequested : True
AppointmentType : Single
MyResponseType : Unknown
Organizer : TwanBoss <SMTP:TwanBoss@NBCMT.neroblanco.co.uk>
RequiredAttendees : {TwanBoss}
OptionalAttendees : {}
Resources : {}
ConflictingMeetingCount :
AdjacentMeetingCount :
ConflictingMeetings :
AdjacentMeetings :
Duration : 00:30:00
TimeZone : (UTC) Dublin, Edinburgh, Lisbon, London
AppointmentReplyTime :
AppointmentSequenceNumber : 0
AppointmentState : 0
Recurrence :
FirstOccurrence :
LastOccurrence :
ModifiedOccurrences :
DeletedOccurrences :
StartTimeZone :
EndTimeZone :
ConferenceType : 0
AllowNewTimeProposal : True
IsOnlineMeeting :
MeetingWorkspaceUrl :
NetShowUrl :
ICalUid : 040000008200E00074C5B7101A82E00800000000300798244DD3D001000000000000000010000000EFB2C00E742D0F428B8E3CD4742A0969
ICalRecurrenceId :
ICalDateTimeStamp : 10/08/2015 10:04:50
EnhancedLocation :
JoinOnlineMeetingUrl :
OnlineMeetingSettings :
IsAttachment : False
IsNew : False
Id : AQMkADViY2UxMDc2LWNmZTUtNDg1OS1hYjU0LWQyMGRlZGQAMTBmOWMARgAAAycY3EhvWmBNvsnINJSFUBwHAFugdGnAXllKhQSVSg8yw7QAAAIBDQAAAFugdGnAXllKhQSVSg8yw7QAAAINOAAAAA==
MimeContent :
ParentFolderId : AQMkADViY2UxMDc2LWNmZTUtNDg1OS1hYjU0LWQyMGRlZGQAMTBmOWMALgAAAycY3EhvWmBNvsnINJSFUBwBAFugdGnAXllKhQSVSg8yw7QAAAIBDQAAAA==
Sensitivity : Private
Attachments : {}
DateTimeReceived : 10/08/2015 09:15:47
Size : 7316
Categories : {}
Culture : en-GB
Importance : Normal
InReplyTo :
IsSubmitted : False
IsAssociated :
IsDraft : False
IsFromMe : False
IsResend : False
IsUnmodified : False
InternetMessageHeaders :
DateTimeSent : 10/08/2015 09:15:47
DateTimeCreated : 10/08/2015 09:15:56
AllowedResponseActions : Forward
ReminderDueBy : 10/08/2015 08:00:00
IsReminderSet : False
ReminderMinutesBeforeStart : 15
DisplayCc :
DisplayTo : TwanBoss
HasAttachments : False
Body : <html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px
solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>This is my private appointment</div>
<div>&nbsp;</div>
</span></font>
</body>
</html>

ItemClass : IPM.Appointment
Subject : Boss Private Appointment
WebClientReadFormQueryString :
WebClientEditFormQueryString :
ExtendedProperties : {}
EffectiveRights : Read
LastModifiedName : TwanBoss
LastModifiedTime : 10/08/2015 10:04:50
ConversationId :
UniqueBody :
StoreEntryId :
InstanceKey :
Flag :
NormalizedBody :
EntityExtractionResult :
PolicyTag :
ArchiveTag :
RetentionDate :
Preview :
TextBody :
IconIndex :
Schema : {MimeContent, Id, ParentFolderId, ItemClass...}
Service : Microsoft.Exchange.WebServices.Data.ExchangeService
IsDirty : False

PS C:\Users\Twan>