More About the Exchange 2000 Server Security Vulnerability
Jerry Cochran looks at the Exchange 2000 security problem and Microsoft's actions to keep it from becoming a bigger problem.
December 4, 2000
The big news of the week (it wasn't a big week for Exchange Server news) is the Exchange 2000 Server security vulnerability problem. Is this vulnerability really a big deal? I'm sure Lotus is hyping it, but the matter is probably not the huge concern that some might think. Let's look at the vulnerability and the quick actions that Microsoft is taking to keep it from becoming a big problem.
First, the problem affects all versions of Exchange 2000—whether Standard or Enterprise Edition. The Exchange 2000 setup program creates the vulnerability when it adds a local machine account called EUSR_EXSTOREEVENT during setup. The account facilitates the processing of workflow and other event scripts in Exchange 5.5. During the Exchange 2000 beta, the account was left in the setup process and slipped through the cracks when the release became final. Exchange 2000 runs these scripts under the Windows system account, and as a result, this account is no longer necessary.
This vulnerability might let a malicious user log on to an Exchange 2000 server via this account. The specific damage that the user could cause depends on the type of Windows 2000 Server on which Exchange 2000 is installed. If the server is a member server, the malicious user gains only user privileges on that machine. The user could load and run code on the compromised server. If Exchange is installed on a domain controller (DC), the user might gain domain user privileges, which would let the user access other network resources and potentially cause further damage.
The severity of this concern is subject to argument. Best practices (from Microsoft and other sources) dictate that you not run Exchange 2000 on a DC. Therefore, if administrators follow those practices, the problem becomes relatively minor. However, not all organizations have the luxury of dedicating servers to specific functions such as DCs. For small businesses that run all services on one server, this matter could be more of a problem. Microsoft is acting quickly to ensure that this vulnerability won't be a major concern for anyone.
I should point out that the easiest solution is to disable or delete the account. Microsoft documents the account disabling process, and even provides a tool that deletes the account after installation. Also, Microsoft has posted a security bulletin and a support article that detail the problem and the quick and easy solutions.
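A minimal way to check a server for the account and disable it from the command prompt, as an added example (not Microsoft's documented procedure or its removal tool). The script name and its `disable` argument are assumptions of this example, and the state check assumes English-language `net user` output.

```batch
@echo off
rem Added example: audit, and optionally disable, the setup-created account.
rem Usage: check-exstore.cmd          report only
rem        check-exstore.cmd disable  report, disable, then re-check
rem The script name and the "disable" argument are assumptions of this example.
setlocal
set ACCT=EUSR_EXSTOREEVENT

rem "net user <name>" returns a non-zero exit code when the account is absent.
net user %ACCT% >nul 2>&1
if errorlevel 1 (
    echo %ACCT% not found on %COMPUTERNAME%: nothing to do.
    goto :eof
)

echo %ACCT% exists on %COMPUTERNAME%. Current state:
rem Assumes English "net user" output, which has an "Account active" line.
net user %ACCT% | find /i "Account active"

if /i not "%~1"=="disable" goto :eof

rem On a domain controller this acts on the domain account database,
rem which is where the account lives in that configuration.
net user %ACCT% /active:no
if errorlevel 1 (
    echo Failed to disable %ACCT%; run this from an administrative account.
    exit /b 1
)
echo State after change:
net user %ACCT% | find /i "Account active"
endlocal
```

Run it once without arguments on each Exchange 2000 server to see which machines carry the account, then again with `disable` where it is still active.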
Microsoft is even taking steps to ensure that the problem doesn't occur in the first place. Exchange development will release to manufacturing (RTM) a new minor version of Exchange 2000 (Rev. A) that will include the necessary fix to the setup program. The new release should be ready this week, and Microsoft will put it into the channel as soon as possible. The bulletins above also detail how to identify whether your installation is affected (most installations are) and how to correct the problem. In my humble opinion, this vulnerability isn't that big of a deal. However, Microsoft's top-notch handling of it demonstrates to me how Exchange development has made every effort to make Exchange 2000 a quality product—that's the big deal.