Exchange & Outlook UPDATE, Exchange Edition, March 21, 2003
Paul Robichaux tells you how to protect your Exchange servers from a critical WebDAV vulnerability. Also, get information about new products.
March 20, 2003
********************
Exchange and Outlook UPDATE, Exchange Edition--brought to you by Exchange & Outlook Administrator, a print newsletter from Windows & .NET Magazine that contains practical advice, how-to articles, tips, and techniques to help you do your job today. http://www.exchangeadmin.com
********************
~~~~ THIS ISSUE SPONSORED BY ~~~~
Esker Software http://www.esker.com/exchange103
MailWise Filter http://www.mailwise.com (below COMMENTARY)
~~~~~~~~~~~~~~~~~~~~
~~~~ SPONSOR: ESKER SOFTWARE ~~~~ Transform Exchange into a unified inbox so every user can send, receive, and manage all fax and email messages with one convenient and easily administered tool: Esker Fax, the enterprise-class fax server solution for high-performance desktop fax integrated with Exchange. Esker Fax helps you achieve unified messaging goals while improving communication efficiency throughout the enterprise, no matter how many Exchange servers you have for desktop users in various locations. Plus, Esker Fax automates faxing of key business documents directly from SAP(R), ERP, SCM, CRM, financial systems, and other host-based enterprise applications. For your FREE Esker Fax information kit, go to: http://www.esker.com/exchange103
********************
March 21, 2003 -- In this issue:
1. COMMENTARY - Critical WebDAV Vulnerability: Are Your Exchange Servers Safe?
2. ANNOUNCEMENTS - Join The HP & Microsoft Network Storage Solutions Road Show! - Get a Sample Issue of Exchange & Outlook Administrator
3. HOT RELEASES (ADVERTISEMENTS) - Improve Your Exchange Performance & Lower TCO - Ensure Performance with NetIQ MailMarshal
4. RESOURCES - MS03-007: How to Work Around the Vulnerability That Is Discussed in Microsoft Knowledge Base Article 815021 - Featured Thread: Irregular Performance in Outlook 2000
5. NEW AND IMPROVED - Use Voice-Recognition Technology to Respond to Email - Submit Top Product Ideas
6. CONTACT US See this section for a list of ways to contact us.
********************
1.
COMMENTARY
(contributed by Paul Robichaux, News Editor, [email protected])
* CRITICAL WEBDAV VULNERABILITY: ARE YOUR EXCHANGE SERVERS SAFE?
On March 17, Microsoft released Security Bulletin MS03-007 (Unchecked Buffer In Windows Component Could Cause Web Server Compromise). This bulletin, which you can find at the first URL below, warns about a vulnerability in the Microsoft Internet Information Services (IIS) 5.0 Web Distributed Authoring and Versioning (WebDAV) component in Windows 2000. Computers running Win2K and IIS 5.0 are vulnerable; Windows Server 2003 and Windows XP systems aren't. Intruders have already used this mechanism to attack US Army computers, which is worrisome because such attacks imply that such an exploit might already be circulating in the black hat community. The vulnerability is particularly problematic for Exchange Server administrators because Exchange 2000 Server uses WebDAV for Outlook Web Access (OWA) and URL-addressable content. What should you do to protect your Exchange servers?
First, you need to understand how buffer-overflow attacks work. Network programs such as IIS store all incoming requests in a buffer. If a request fits into the block of RAM that the program allocates as the buffer, great. But if the request is too large, the request data can overflow the buffer. By building a malformed request that overflows the buffer and that contains carefully crafted attack code, an attacker can cause a target system to execute the code contained in the request. This basic trick has been at the root of almost all the major security compromises reported for Windows, Linux, and UNIX over the past couple of years.
Second, download and install the patch for the WebDAV vulnerability (you can find the patch at the second URL below). Of course, you can use Windows Update to download the patch; better still, if you've enabled Automatic Update, you probably already have the patch downloaded and ready to install. You might also consider the following measures:
- Disable or remove IIS. Obviously you can't disable or remove IIS on your Exchange servers, but you might be able to do so on other servers that don't need IIS. Doing so will help protect all your servers by reducing the number of entry points that the exploit can find on your network. See the Microsoft article "HOW TO: Disable or Remove Unnecessary IIS Services" (which you can find at the third URL below) for details.
- Disable WebDAV. You can't disable WebDAV on your Exchange 2000 servers because OWA 2000 depends on WebDAV, but disable it where you can. Disabling WebDAV is fairly simple. The Microsoft article "How to Disable WebDAV for IIS 5.0" (which you can find at the fourth URL below) explains the process.
- Download the URL Buffer Size Registry tool (from the fifth URL below) and use it to set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters registry subkey's MaxClientRequestBuffer value on your servers. Microsoft recommends limiting the buffer to 16KB but also warns that doing so might break "some programs." In my testing, a setting of 16KB didn't seem to interfere with OWA or Exchange, but your environment might have a different mix of requests. I've asked Microsoft for a definitive statement about this recommendation; in the meantime, you can use a larger value if necessary, as long as it's less than 64KB. You can use URLScan (which you can download at the sixth URL below) to find machines on which you haven't set a buffer limit. (If you aren't using URLScan on your IIS servers, you should be. URLScan is the IIS Lockdown Tool component responsible for filtering out bad requests.) If you choose to set the MaxClientRequestBuffer value, I suggest you use a Group Policy Object (GPO) to do so. You can find such a GPO at the seventh URL below.
After you've patched your systems to protect yourself against the immediate threat, the best long-term way to protect against buffer-overflow attacks is to block requests that are likely to overflow the buffer. For example, if your buffer is about 64KB, limiting the request size to 32KB is a prudent first step. The good news is that URLScan automatically performs this step (for details, see the Microsoft article "HOW TO: Configure the URLScan Tool" at the eighth URL below). Install the free IIS Lockdown Tool, which includes URLScan 2.1, then install the URLScan 2.5 update. This combination gives you the best support for Exchange. Note that URLScan might require some special care and feeding when you use it on OWA servers. See the Microsoft articles "XADM: Known Issues and Fine Tuning When You Use the IIS Lockdown Wizard in an Exchange 2000 Environment" (at the ninth URL below) and "HOW TO: Use URLScan with Exchange Outlook Web Access in Exchange Server 5.5" (at the tenth URL below) for information about using the tool with OWA 2000 and OWA 5.5, respectively.
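As an added check, not part of the newsletter or of Microsoft's tools: the following Python script audits the two request-size caps recommended above, the MaxClientRequestBuffer registry value from the third bullet and the [RequestLimits] section of urlscan.ini described in the preceding paragraph, given the text of a "reg export" of the W3SVC Parameters key and the urlscan.ini file. The sample inputs are constructed; the 16KB and 64KB thresholds are the commentary's, and the [RequestLimits] option names are the ones URLScan 2.5 documents in "HOW TO: Configure the URLScan Tool".

```python
r"""Audit the MS03-007 request-size caps: MaxClientRequestBuffer (W3SVC\Parameters) and URLScan 2.5 [RequestLimits]."""
import configparser
import re

W3SVC_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters"
RECOMMENDED = 16 * 1024  # Microsoft's recommended cap (16 KB)
CEILING = 64 * 1024      # at or above this the value is no better than the default

# Constructed sample of `reg export` output (not from a real host): 0x4000 = 16 KB.
SAMPLE_REG = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W3SVC\\Parameters]
"MaxClientRequestBuffer"=dword:00004000
"""

# Constructed urlscan.ini fragment (URLScan 2.5 format; only the sections this check needs).
SAMPLE_INI = """[AllowVerbs]
GET
PROPFIND

[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
"""

def max_client_request_buffer(reg_export):
    """Return MaxClientRequestBuffer in bytes, or None if the W3SVC Parameters key lacks it."""
    pat = (r"^\[" + re.escape(W3SVC_PARAMS) + r"\][^\[]*?"  # [^\[]* stays inside this key's block
           r'^"MaxClientRequestBuffer"=dword:([0-9a-f]{8})')
    m = re.search(pat, reg_export, re.M | re.I)
    return int(m.group(1), 16) if m else None

def buffer_status(value):
    """Classify the value as the commentary does: 16 KB ideal, below 64 KB acceptable."""
    if value is None:
        return "missing"   # default buffer in effect: set the value (GPO or registry tool)
    if value <= RECOMMENDED:
        return "ok"
    return "caveat" if value < CEILING else "weak"

def urlscan_request_limits(ini_text):
    """Return [RequestLimits] as {name: int}, or None when the section is absent."""
    # allow_no_value: URLScan sections such as [AllowVerbs] list bare verbs with no '='
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.optionxform = str  # keep URLScan's mixed-case option names (MaxUrl, ...)
    cp.read_string(ini_text)
    if not cp.has_section("RequestLimits"):
        return None
    return {name: int(v) for name, v in cp.items("RequestLimits")}
```

A result of "missing" for the registry value, or None for the URLScan limits, identifies a server that still has the default request buffer in effect and that the GPO or registry tool above has not yet reached.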
Staying on top of patches and fixes for your servers is important. An easy, free way to do so is to use the Microsoft Baseline Security Analyzer (MBSA) to regularly scan your servers. I also suggest that you subscribe to the Microsoft Security Notification Service (at the eleventh URL below) to make sure that you get early notification of new patches.
*****
1) Security Bulletin MS03-007 (Unchecked Buffer In Windows Component Could Cause Web Server Compromise) http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp
2) Windows 2000 Security Patch: IIS Remote Exploit from ntdll.dll Vulnerability http://microsoft.com/downloads/details.aspx?familyid=c9a38d45-5145-4844-b62e-c69d32ac929b&displaylang=en
3) "HOW TO: Disable or Remove Unnecessary IIS Services" http://support.microsoft.com/?kbid=321141
4) "How to Disable WebDAV for IIS 5.0" http://support.microsoft.com/?kbid=241520
5) Windows 2000: Registry Tool for Security Patch-Unchecked Buffer in Windows Component Could Cause Web Server Compromise http://microsoft.com/downloads/details.aspx?familyid=48b3a74e-a4af-41d6-bdec-1b6104648647&displaylang=en
6) Urlscan Security Tool http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp
7) Windows 2000: Active Directory Group Policy for Security Patch-Unchecked buffer in Windows Component Could Cause Web Server Compromise http://microsoft.com/downloads/details.aspx?familyid=a3b109d3-6f0e-4b1c-a723-976566fc1b53&displaylang=en
8) "HOW TO: Configure the URLScan Tool" http://support.microsoft.com/?kbid=326444
9) "XADM: Known Issues and Fine Tuning When You Use the IIS Lockdown Wizard in an Exchange 2000 Environment" http://support.microsoft.com/?kbid=309677
10) "HOW TO: Use URLScan with Exchange Outlook Web Access in Exchange Server 5.5" http://support.microsoft.com/?kbid=313131
11) Product Security Notification http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/notify.asp
********************
~~~~ SPONSOR: MAILWISE FILTER ~~~~ Tired of expensive Anti-SPAM solutions that don't work? Try MailWise Filter: - Nothing to install, maintain or upgrade - 21-day free trial, takes only 10 minutes of your time - Call us over lunch, and see Spam disappearing by dinner - Rock-solid stable solution means 100% uptime - Trap 99.7% of all Spam effortlessly - Recover Spam and valid email for up to 7 days - 50% discount on competitive upgrades until March 31st, 2003 - Millions of mailboxes trust our services For more information, call Beth at (800) 999-5412 x18 or email [email protected] http://www.mailwise.com
~~~~~~~~~~~~~~~~~~~~
2.
ANNOUNCEMENTS
(brought to you by Windows & .NET Magazine and its partners)
* JOIN THE HP & MICROSOFT NETWORK STORAGE SOLUTIONS ROAD SHOW! Now is the time to start thinking of storage as a strategic weapon in your IT arsenal. Come to our 10-city Network Storage Solutions Road Show, and learn how existing and future storage solutions can save your company money--and make your job easier! There is no fee for this event, but space is limited. Register today! http://www.winnetmag.com/roadshows/nas
* GET A SAMPLE ISSUE OF EXCHANGE & OUTLOOK ADMINISTRATOR Exchange & Outlook Administrator, the monthly print newsletter from Windows & .NET Magazine, gives you the in-depth articles you need to secure, maintain, and troubleshoot your messaging environment. Try an issue of Exchange & Outlook Administrator, and discover for yourself what our expert authors know that you don't. Click here! http://www.exchangeadmin.com/rd.cfm?code=fsei233xup
3.
HOT RELEASES (ADVERTISEMENTS)
* IMPROVE YOUR EXCHANGE PERFORMANCE & LOWER TCO Make better decisions and solve Exchange problems faster! Understand utilization, mail box growth trends, PF/DL activity, mail abusers, attachment types, and recover un-used mail boxes. Allocate costs and make strategic capacity planning decisions. FREE TRIAL! http://www.eiqnetworks.com/Winnetmag_MA_Jan2003.shtml
* ENSURE PERFORMANCE WITH NETIQ MAILMARSHAL Worried that unmonitored use of company e-mail is reducing employee productivity? View a FREE flash demo of NetIQ MailMarshal products to protect confidential information, block e-mail-based viruses and enforce policies. http://www.netiq.com/shared/newsletters/marshal/marshal.htm
4.
RESOURCES
* MS03-007: HOW TO WORK AROUND THE VULNERABILITY THAT IS DISCUSSED IN MICROSOFT KNOWLEDGE BASE ARTICLE 815021 Each week, Microsoft posts several Exchange Server how-to articles to its Knowledge Base. This week, learn about several workarounds that you can use to avoid the problem described in the Microsoft article "MS03-007: Unchecked Buffer in Windows Component May Cause Web Server Compromise." http://support.microsoft.com/?kbid=816930
* FEATURED THREAD: IRREGULAR PERFORMANCE IN OUTLOOK 2000 Niamh is having trouble configuring Outlook 2000 to work with offline folders. To offer your advice or join the discussion, go to the following URL: http://www.winnetmag.com/forums/rd.cfm?cid=40&tid=56212
5.
NEW AND IMPROVED
(contributed by Carolyn Mader, [email protected])
* USE VOICE-RECOGNITION TECHNOLOGY TO RESPOND TO EMAIL Vialto announced E2Go 3.0, a voice-driven application that lets mobile users listen and verbally respond to email messages, find and schedule appointments, and voice dial contacts from their personal address book (PAB). The server-based software supports Exchange Server and provides a customized alert and reminder system, which notifies users about important email messages or meeting changes. E2Go doesn't require voice training and uses VoiceXML, Automated Speech Recognition, and Text to Speech technologies from Nuance Communications. For pricing, contact Vialto at 408-725-7222. http://www.vialto.com
* SUBMIT TOP PRODUCT IDEAS Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions to [email protected].
6.
CONTACT US
Here's how to reach us with your comments and questions:
* ABOUT THE COMMENTARY -- [email protected]
* ABOUT THE NEWSLETTER IN GENERAL -- [email protected] (please mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
* PRODUCT NEWS -- [email protected]
* QUESTIONS ABOUT YOUR EXCHANGE & OUTLOOK UPDATE SUBSCRIPTION? Customer Support -- [email protected]
* WANT TO SPONSOR EXCHANGE & OUTLOOK UPDATE? -- [email protected]
********************
This email newsletter is brought to you by Exchange & Outlook Administrator, the print newsletter with practical advice, tips, and techniques covering migration, backup and restoration, security, and much more. Subscribe today! http://www.exchangeadmin.com/sub.cfm?code=neei23xxup
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.winnetmag.com/email
|-+-+-+-+-+-+-+-+-+-|
Thank you for reading Exchange and Outlook UPDATE, Exchange Edition.
__________________________________________________________ Copyright 2003, Penton Media, Inc.