Category Archives: General Stuff

Orlando now, Vegas later

From this week’s Exchange UPDATE:

Attend Exchange Connections, Win a Free Vacation
Learn the latest tech tips and tricks from gurus like Tony Redmond, Sue Mosher, Paul Robichaux, and the Microsoft Exchange Team. Receive free access to concurrently running Windows & .NET Magazine Connections. Plus, you’ll have a chance to win a 5-day Las Vegas vacation with airfare for two. Register now online, or call 800-505-1201 or 203-268-3204.

It should be a good show, and I look forward to meeting y’all there!

Filed under General Stuff

Book update

I haven’t been working on the book much lately. The first 9 chapters are done, leaving me with 13 more to either revise or write from scratch (plus one that’s being written by a Real Live Attorney). However, I’ve been so busy with work (including a really cool Exchange planning guide for the MSA series) that I haven’t had any spare time to work on it. If you doubt me, consider this: I haven’t even turned on the Xbox in two weeks, so you know I must be busy. It now looks like the book will ship sometime after the first of the new year, or about a year after the first version.

Filed under General Stuff, Musings

ISA vs DMZ

From a reader at a major whiskey maker (really!):

I purchased Secure Messaging with Microsoft Exchange Server 2000 at a Microsoft Windows 2003 conference in Cincinnati. The reason I purchased this book was for Chapter 14, Securing Outlook Web Access. I had been explaining to my boss that the traditional way of implementing Exchange 2000 (OWA) on a DMZ was not as secure as I would like, since you have to open several ports from the DMZ to the internal network. After explaining what I had found in your book and researching information on Microsoft’s website and others, I convinced him and our corporate office this was the way to go. In June I implemented your solution of publishing OWA with ISA Server to secure our OWA server. This September we were audited by our internal auditors and they are telling us this is not as secure as the traditional way of placing the Exchange 2000 (OWA) server on the DMZ. They could not give us a reason why, so I want to challenge them that this is more secure before I am forced to change to the traditional way. I need information stating this method of securing Exchange OWA is more secure.

Tell your auditors to get off the glue. When you put an Exchange server of any stripe in the DMZ, you’ve created two problems. First, you’re putting a domain member in the DMZ, and if someone compromises it they may have a springboard to compromise other machines inside the perimeter. Second, to make Exchange work you’ve got to open a ton of ports from the DMZ into the internal network. DMZ configurations can be made secure, but the whole point of ISA is that it gives you strong security by reverse proxying the OWA traffic, so you don’t have to put an Exchange server in the DMZ or open anything from the DMZ inward.

Filed under General Stuff

InstantSSL for certs

I recently needed a new SSL server certificate, and I didn’t want to pay the monopolists (wipe that smile off your face, I’m talking about these guys) an exorbitant fee. Instead, I found InstantSSL, where for a paltry $199 I got a three-year 128-bit certificate. Their administration site and ordering process are well-tuned, and I was able to get quick technical support immediately when I ran into a minor snag. If you need a cert (and you will, if you’re enabling RPC-over-HTTP or Outlook Mobile Access), give these folks a try.

Filed under General Stuff, Musings

Litchfield does it again

From the sewer of misinformation and hype that is ntbugtraq, a rare factual and informative nugget:

For those interested, NGSS [David Litchfield’s outfit — PR] has just published a paper describing how to defeat the mechanism built into Windows 2003 Server to prevent exploitation of stack-based buffer overflow vulnerabilities. Previous work done in this area presented methods that only worked in highly specific scenarios; the new methods presented in this paper are generic. The paper can be downloaded from http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf.

This is an interesting paper that will no doubt generate a lot of wailing, moaning, and gnashing of teeth. However, the fact remains that MS at least implemented a mechanism, and no doubt they will improve it as people (inside and outside of MS) learn how to defeat it. It’s just another small corner in the Great Security Arms Race™. I must say, though, that I’m not thrilled about Litchfield’s decision to post exploit code in the paper, but maybe I’m just an old fogey.

Filed under General Stuff

RPC over HTTP help

Tom Shinder has an excellent writeup on how to configure RPC over HTTP. It’s a highly useful supplement to the directions in the Exchange 2003 Deployment Guide, and it includes information on how to publish RPC-over-HTTP traffic through ISA Server, which is always handy to have.

Filed under General Stuff

The Exchange library

Microsoft maintains a page of Exchange 2003 documentation here. There are some very cool things here, not least of which is the little “freshness” icon that indicates when each paper or article was revised and how long it’s valid. There’s not an impressive volume of documentation there (yet… just wait until you see what’s planned), but what is there is quite good. My current favorite is the S/MIME quick-start document.

Filed under General Stuff

Great article on patching

CSO (“the magazine for the chief security officer”) has a terrific, and well-balanced, article on the difficulty, and necessity, of patch management. I highly recommend it.

Filed under General Stuff

SPEWS/Osirusoft RBL goes away

According to this Slashdot article, the SPEWS real-time block list is no longer operational. A comment-free version of the same basic story is here. The article points to a lot of discussion on news.admin.net-abuse.email, too, which makes for interesting reading. Osirusoft shut down SPEWS after being the target of an ongoing distributed denial-of-service (DDoS) attack. The manner in which it was shut down caused lots of bounces (including for my friend Bob Thompson and Kent State University, among others). The problem is that when Joe Jared, the Osirusoft operator, shut down his service, he did so by telling the server to blacklist every IP address. Sites that relied solely on SPEWS thus dropped all their incoming mail on the floor.
What does this mean to you, the Exchange administrator? As Andy Lester points out, outsourcing your spam protection completely to a third party puts your mail service at the mercy of that third party. Exchange 2003 includes RBL support, and it’s a useful adjunct to heuristic or keyword-based filters. However, RBLs themselves don’t provide a complete solution, and you should choose your RBL provider carefully to make sure that a) they provide support for their service and b) they have the resources to stick out this kind of attack.
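The failure mode above (an RBL that suddenly answers "listed" for every address) can be caught before it bounces all your mail. This added example, not part of the original post, checks each zone against the DNSBL convention from RFC 5782 (127.0.0.2 must be listed, 127.0.0.1 must never be) and treats a hit as a score contribution rather than a hard reject. The zone name `rbl.example`, the IP addresses and the resolver functions are constructed for the demo so it runs offline.

```python
import ipaddress
from typing import Callable, List, Optional

# A resolver takes a DNSBL query name and returns the A-record answer
# (e.g. "127.0.0.2") or None when the name does not exist. Injecting it
# keeps the example offline; in production wrap a real DNS lookup.
Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_healthy(zone: str, resolve: Resolver) -> bool:
    """Sanity check from RFC 5782: 127.0.0.2 must be listed and 127.0.0.1
    must not. A zone that lists 127.0.0.1 is either misconfigured or, as
    with the SPEWS shutdown, listing every address on the Internet."""
    return (resolve(dnsbl_name("127.0.0.2", zone)) is not None
            and resolve(dnsbl_name("127.0.0.1", zone)) is None)


def rbl_score(ip: str, zones: List[str], resolve: Resolver, weight: int = 40) -> int:
    """Return a spam-score contribution for `ip`. Unhealthy zones are skipped
    (fail open), so a dead or list-everything RBL cannot bounce all mail;
    the caller combines this score with its other filters."""
    score = 0
    for zone in zones:
        if not dnsbl_healthy(zone, resolve):
            continue
        if resolve(dnsbl_name(ip, zone)) is not None:
            score += weight
    return score


# Constructed resolvers simulating a healthy zone and the shutdown state.
_LISTED = {dnsbl_name("127.0.0.2", "rbl.example"),
           dnsbl_name("198.51.100.7", "rbl.example")}


def healthy_resolver(name: str) -> Optional[str]:
    return "127.0.0.2" if name in _LISTED else None


def shutdown_resolver(name: str) -> Optional[str]:
    # Every query answers "listed": the failure mode described in the post.
    return "127.0.0.2"
```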

Filed under General Stuff, Musings

The other big security story

I figure everyone is sick of hearing about Blaster by now. (Quick recap: 1. Apply patches. 2. Install a firewall. 3. Use up-to-date AV software). There’s another, lesser-known story out there that I think is pretty interesting: the master FTP server for GNU was compromised, and now they’re scrambling to assess the damage and repair it. It’s hard to discuss this without sounding like a fear monger, but I’ll try to explain why this is so important.
ftp.gnu.org, the machine that was compromised, is the official central repository for all FSF software. All of the other FSF distribution points (and there are many) mirror its contents, usually automatically. If you’ve added an FSF package to your system any time in the last 6 months, chances are that it came from ftp.gnu.org or one of its mirrors. Of course, if you’ve built any Linux distro in the last 6 months, odds are that you used multiple packages from ftp.gnu.org. Heck, the gcc compiler, which all free Linux software is built with, is officially distributed from ftp.gnu.org, so one might argue that all software compiled with that compiler in the last 6 months is potentially impacted. (That is, suppose someone put a trojan in the compiler sources and placed those sources on ftp.gnu.org. Now anyone who builds that compiler has a trojaned compiler, one which outputs only trojaned binaries.)
To recap: any FSF package downloaded from any FSF mirror might have been compromised. The FSF hasn’t been cryptographically signing their packages (like Windows Update does), so there’s no way to directly verify their integrity other than taking MD5 hashes, but that in turn depends on finding an “original” version of each package and recomputing the hashes. They’re going to start signing their packages, as explained here, but… well, horse, barn door, shut.
If this same compromise had happened to Microsoft, you can imagine the press firestorm that would have followed. The press reporting on this has been pretty mild; no one seems to think it’s exceptional that an important machine, presumably run by competent admins, was compromised and that no one noticed for four months.
Interestingly, the FSF says that they believe that everything on ftp.gnu.org currently is safe, but they haven’t said anything about any piece of software any time in the last 6 months. Their action thus far has been to wipe everything off of ftp.gnu.org and replace stuff that they feel confident hasn’t been tampered with. This is the right thing to do from a security standpoint, but it doesn’t inspire a lot of confidence in the security of the packages on their server and mirrors.

Filed under General Stuff

Password changing and OWA

KB article 331834 describes how Windows 2000 SP4 switches the IIS password change mechanism over to ASP files, instead of the older (and less secure) HTR technology. That’s all well and good, except that if you have Windows 2000 on your front-end and Windows 2003 on the back-end (or vice versa), when you drop these new bits on, you’ll find that things break. Fortunately, help is on the way: use the handy script (also shown below for those who won’t/can’t download .WSF files directly) to fix up the file names. Note that although this came from a pal of mine at Microsoft, it’s not an official MS tool and isn’t supported by them.

Filed under General Stuff

Exchange 2003 tools center

Microsoft maintains a download page with lots of nifty tools for Exchange 2003. For example, the Archive Sink (which I talk about in ch 9 of the new book) is there, as is ExMerge and a utility for programmatically setting the allow/deny IP list on SMTP virtual servers. Check it out; most of the tools are for Exchange 2000 and 2003, but a few (like MDBVU32) are useful for any version of Exchange.

Filed under General Stuff, Musings

New release: Securing Windows 2000 Server

Kurt Dillard of Microsoft was kind enough to let me know of the re-release of the Securing Windows 2000 Server solutions guide. This guide is a beefed-up revision of the original, released in February. It’s worth your reading time.

Filed under General Stuff

Poor patch management costs money

We’ve all heard the canards about how failure to apply critical patches costs billions and billions of dollars. Maybe, maybe not; it’s hard to use that argument in any individual setting. Here’s a better argument: Verizon failed to keep its service-level agreements because of outages during Slammer. Those outages were the result of poor patch management, so the Maine public service commission made ’em pay up. The outage period? A day.
In Massachusetts, Verizon tried, but withdrew, a similar attempt to claim that the outage wasn’t their fault. In Virginia, VZN was facing an $886,619 payback, but I don’t know whether they’ve had to pay it or not.

Filed under General Stuff

InstantMessagingPlanet

I’ve recently been doing a lot of research into enterprise instant messaging systems (three guesses why :). I stumbled across Instant Messaging Planet, which has a huge amount of interesting reading material. I have no idea how accurate their reports are, so I’ll have to get back to you on their reportorial quality.

Filed under General Stuff