Critical WebDAV Vulnerability: Are Your Exchange Servers Safe?

On March 17, Microsoft released Security Bulletin MS03-007 (Unchecked Buffer In Windows Component Could Cause Web Server Compromise). This bulletin, which you can find at the first URL below, warns about a vulnerability in the Microsoft Internet Information Services (IIS) 5.0 Web Distributed Authoring and Versioning (WebDAV) component in Windows 2000. Computers running Win2K and IIS 5.0 are vulnerable; Windows Server 2003 and Windows XP systems aren't. Intruders have already used this mechanism to attack US Army computers, which is worrisome because such attacks imply that such an exploit might already be circulating in the black hat community. The vulnerability is particularly problematic for Exchange Server administrators because Exchange 2000 Server uses WebDAV for Outlook Web Access (OWA) and URL-addressable content. What should you do to protect your Exchange servers?

First, you need to understand how buffer-overflow attacks work. Network programs such as IIS store all incoming requests in a buffer. If a request fits into the block of RAM that the program allocates as the buffer, great. But if the request is too large, the request data can overflow the buffer. By building a malformed request that overflows the buffer and that contains carefully crafted attack code, an attacker can cause a target system to execute the code contained in the request. This basic trick has been at the root of almost all the major security compromises reported for Windows, Linux, and UNIX over the past couple of years.

Second, download and install the patch for the WebDAV vulnerability (you can find the patch at the second URL below). Of course, you can use Windows Update to download the patch; better still, if you've enabled Automatic Update, you probably already have the patch downloaded and ready to install. You might also consider the following measures:

- Disable or remove IIS. Obviously you can't disable or remove IIS on your Exchange servers, but you might be able to do so on other servers that don't need IIS. Doing so will help protect all your servers by reducing the number of entry points that the exploit can find on your network. See the Microsoft article "HOW TO: Disable or Remove Unnecessary IIS Services" (which you can find at the third URL below) for details.

- Disable WebDAV. You can't disable WebDAV on your Exchange 2000 servers because OWA 2000 depends on WebDAV, but disable it where you can. Disabling WebDAV is fairly simple. The Microsoft article "How to Disable WebDAV for IIS 5.0" (which you can find at the fourth URL below) explains the process.

- Download the URL Buffer Size Registry tool (from the fifth URL below) and use it to set the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW3SVCParameters registry subkey's MaxClientRequestBuffer value on your servers. Microsoft recommends limiting the buffer to 16KB but also warns that doing so might break "some programs." In my testing, a setting of 16KB didn't seem to interfere with OWA or Exchange, but your environment might have a different mix of requests. I've asked Microsoft for a definitive statement about this recommendation; in the meantime, you can use a larger value if necessary, as long as it's less than 64KB. You can use URLScan (which you can download at the sixth URL below) to find machines on which you haven't set a buffer limit. (If you aren't using URLScan on your IIS servers, you should be. URLScan is the IIS Lockdown Tool component responsible for filtering out bad requests.) If you choose to set the MaxClientRequestBuffer value, I suggest you use a Group Policy Object (GPO) to do so. You can find such a GPO at the seventh URL below.

After you've patched your systems to protect yourself against the immediate threat, the best long-term way to protect against buffer-overflow attacks is to block requests that are likely to overflow the buffer. For example, if your buffer is about 64KB, limiting the request size to 32KB is a prudent first step. The good news is that URLScan automatically performs this step (for details, see the Microsoft article "HOW TO: Configure the URLScan Tool" at the eighth URL below). Install the free IIS Lockdown Tool, which includes URLScan 2.1, then install the URLScan 2.5 update. This combination gives you the best support for Exchange. Note that URLScan might require some special care and feeding when you use it on OWA servers. See the Microsoft articles "XADM: Known Issues and Fine Tuning When You Use the IIS Lockdown Wizard in an Exchange 2000 Environment" (at the ninth URL below) and "HOW TO: Use URLScan with Exchange Outlook Web Access in Exchange Server 5.5" (at the tenth URL below) for information about using the tool with OWA 2000 and OWA 5.5, respectively.

Staying on top of patches and fixes for your servers is important. An easy, free way to do so is to use the Microsoft Baseline Security Analyzer (MBSA) to regularly scan your servers. I also suggest that you subscribe to the Microsoft Security Notification Service (at the eleventh URL below) to make sure that you get early notification of new patches.

*****

1) Security Bulletin MS03-007 (Unchecked Buffer In Windows Component Could Cause Web Server Compromise)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp

2) Windows 2000 Security Patch: IIS Remote Exploit from ntdll.dll Vulnerability http://microsoft.com/downloads/details.aspx?familyid=c9a38d45-5145-4844-b62e-c69d32ac929b&displaylang=en

3) "HOW TO: Disable or Remove Unnecessary IIS Services"

http://support.microsoft.com/?kbid=321141

4) "How to Disable WebDAV for IIS 5.0"

http://support.microsoft.com/?kbid=241520

5) Windows 2000: Registry Tool for Security Patch-Unchecked Buffer in Windows Component Could Cause Web Server Compromise

http://microsoft.com/downloads/details.aspx?familyid=48b3a74e-a4af-41d6-bdec-1b6104648647&displaylang=en

6) Urlscan Security Tool

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp

7) Windows 2000: Active Directory Group Policy for Security Patch-Unchecked buffer in Windows Component Could Cause Web Server Compromise

http://microsoft.com/downloads/details.aspx?familyid=a3b109d3-6f0e-4b1c-a723-976566fc1b53&displaylang=en

8) "HOW TO: Configure the URLScan Tool" http://support.microsoft.com/?kbid=326444

9) "XADM: Known Issues and Fine Tuning When You Use the IIS Lockdown Wizard in an Exchange 2000 Environment"

http://support.microsoft.com/?kbid=309677

10) "HOW TO: Use URLScan with Exchange Outlook Web Access in Exchange Server 5.5"

http://support.microsoft.com/?kbid=313131

11) Product Security Notification

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/notify.asp