Category Archives: Security

Automatic conversion of distribution groups to security groups

In a recent post to NTBugTraq, Rene points out what he calls a “problem” with Exchange 2000 and Exchange 2003: under some circumstances, Exchange will convert a distribution group to a security group.

Regular users with no rights to modify AD security groups have the ability to change a distribution list to a security group.
Steps to recreate problem:
  1. User opens a mailbox with Outlook 2000 / XP / 2003
  2. Navigates to mailbox permissions
  3. Add distribution list from GAL access as contributor.
  4. Save changes
Once the user adds the distribution list, Exchange will convert the distribution list to a like security group.

As another reader correctly noted, this behavior is by design, and it’s controlled by the msExchDisableUDGConversion attribute on the Exchange organization object. In Exchange 5.5, you could apply public folder permissions by assigning DLs. That doesn’t work in Exchange 2000 and later, since a distribution group doesn’t have a SID and thus cannot be used for permission assignment. Normally this conversion only takes place during an upgrade from Exchange 5.5 (a process described in chapter 10 of the Exchange 2000 resource kit). The default attribute value of 0 lets the conversion take place at any time; a value of 1 only allows conversions requested by the store (not by clients; this setting would fix Rene’s problem). A value of 2 disallows all such conversions (but as described in this webcast, this value isn’t recommended.) Kieran McCorry has a good article that talks more about the conversion process, why it’s necessary, and how to control it.
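To see where your organization stands, here is an added PowerShell audit script (not from the original post or from Microsoft) that reads msExchDisableUDGConversion from each Exchange organization object and, with -RestrictToStore, sets it to 1 so that only the store can trigger the conversion. It assumes the org objects live under CN=Microsoft Exchange,CN=Services in the configuration partition, that their schema class is msExchOrganizationContainer, and that the account running it can read and write that container.

```powershell
# Added example: audit (and optionally restrict) DL-to-security-group conversion.
# Assumptions: org objects sit under CN=Microsoft Exchange,CN=Services,<config NC>
# with objectClass msExchOrganizationContainer, and the caller has write access.
param(
    [switch]$RestrictToStore   # set the value to 1 instead of only reporting it
)

# Meaning of each value, as described in the post.
$meaning = @{
    0 = 'conversion allowed at any time, including when requested by Outlook clients (default)'
    1 = 'conversion allowed only when requested by the store'
    2 = 'conversion never allowed (not recommended by Microsoft)'
}

# Locate the configuration naming context and search it for organization objects.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"
$searcher.Filter     = '(objectClass=msExchOrganizationContainer)'

foreach ($result in $searcher.FindAll()) {
    $org     = $result.GetDirectoryEntry()
    $current = $org.psbase.Properties['msExchDisableUDGConversion'].Value
    # An unset attribute is treated here as the documented default of 0 (assumption).
    if ($null -eq $current) { $current = 0 }
    $current = [int]$current

    Write-Output ('{0}: msExchDisableUDGConversion = {1} ({2})' -f
        $org.psbase.Name, $current, $meaning[$current])

    if ($RestrictToStore -and $current -ne 1) {
        $org.Put('msExchDisableUDGConversion', 1)
        $org.SetInfo()
        Write-Output ('{0}: value set to 1; Outlook clients can no longer trigger the conversion' -f
            $org.psbase.Name)
    }
}
```

Run it without the switch first; a value of 0 on an organization that finished its 5.5 migration long ago is the condition that lets ordinary mailbox owners mint security groups.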

Formatting USB keys as NTFS

If you’re using removable USB sticks, keys, or pen drives, you can format them as NTFS. This is handy if you want to apply permissions to the files contained thereon, as you might want to if you’re, say, an administrator. However, the default setting for removable devices is “optimize for quick removal”, meaning that write caching and NTFS formatting are turned off. If you use Device Manager to inspect the properties of the USB stick while it’s mounted, you can change that setting to “optimize for performance”, and NTFS will become available. You may be able to format sticks as NTFS from the command line, but this doesn’t work consistently across all models and drivers.
Update: of course, the biggest benefit from formatting a thumb drive with NTFS is that you can use EFS on it. I should have mentioned that in the original post.

Plaxo considered insecure

I’ve never been much on centralized contact managers like Plaxo. Why would I want to outsource all of my contacts to some company in the naïve hope that they won’t hose me? Turns out that this may have been a legitimate concern; this describes a trivial script injection attack against Plaxo that lets an attacker 0wn your contact data. Oops. So, if you’re using Plaxo, you should probably stop.

DoJ computer forensics guide

The US Department of Justice has an interesting guide to computer forensics, titled Electronic Crime Scene Investigation: A Guide for First Responders. From the abstract:

Computers and other electronic devices are being used increasingly to commit, enable, or support crimes against persons, organizations, or property. This NIJ Guide (NCJ 187736) is intended for use by law enforcement and other responders who have the responsibility for protecting an electronic crime scene and for the recognition, collection, and preservation of electronic evidence.

For experienced admins, there’s not much new here, but it’s a good overview of different classes of devices and some of the forensic concerns surrounding them. One question I’m often asked when I teach is whether forensic recovery is important. The answer is a little surprising.

Important new security update released

There’s a major security vulnerability that affects practically every retail outlet in the US. See the description here.

E2K3 security flaw? Sort of

Microsoft announced a security flaw in Exchange 2003. Basically, if you install Windows SharePoint Services (WSS) on an Exchange 2003 back-end, you may be allowing OWA users to access other users’ mailboxes. This occurs when Kerberos authentication gets turned off; to fix things, you should make sure that Kerberos is turned back on. You can also turn off connection reuse to fix the problem. The number of affected users is quite small, and it’s certainly understandable that MS didn’t test this particular configuration, but it’s still embarrassing.

Mike Howard’s got blog

I’m not normally one to post the same thing on both blogs, but this deserves double posting: Michael Howard (author of Writing Secure Code) has a blog, in which he discusses all sorts of tasty security stuff. (Too bad gotdotnet doesn’t support trackbacks.)

Identity theft gone wrong

Tip for potential identity thieves: be careful whose identity you steal, or you may be worse off than you were before.

Crack passwords in seconds! Not.

C|Net (and others, but I’m picking on them because their reporter should know better) is breathlessly reporting an allegedly new approach to breaking Windows passwords. The article conveniently ignores the fact that trading space for time is a well-known technique for lots of applications, and it presents without comment the claim that this is a major vuln. It’s not. Here’s why:

  • The attack depends on breaking the LM hash, which is known to be weak. You don’t have to store it (read up on the NoLMHash setting); even if you have Win9x clients, you can install the directory services client and use NTLMv2. In fact, if you follow MS’ recommendation of using >15-character passphrases for critical accounts, you’ll find that no LM hash is stored for those passphrases.
  • The space/time tradeoff doesn’t scale. Even if you just use upper case, numbers, and symbols, you will get somewhere around 3.37134E+14 different 8-character passwords on a standard US keyboard; you’ll get more if you include Unicode characters, which MS has been recommending for a while. Storing the hashes for that many passwords takes about 5.4 petabytes of space. Even if you manage to store that many password hashes on disk, it is pretty unlikely that you will find a system fast enough to compare that many passwords in a matter of seconds. The problem still boils down to weak passwords, not to the fact that you can crack weak passwords in 13.6 seconds instead of 1 minute and 41 seconds. Weak passwords are still weak, regardless of how fast you can crack them.
  • The only way to mount this attack is to grab the password hashes.
    • If you gain physical access to the box, the stored hashes are effectively salted by syskey, so they’re not directly vulnerable.
    • If you mount an online attack, you must either be admin or be able to get admin privileges to get the hashes from the LSA so you can attack them. If an attacker can get admin privileges, you have bigger problems than weak passwords.

Oracle unbreakable? Not

Oracle has been loudly hyping the stability and security of their products with their “Unbreakable” campaign. Better people than I have already debunked the security aspects of their claims. Now this week, Orbitz suffered a major outage because of Oracle’s… (wait for it) clustering software. That’s right; the very software (called the Oracle Real Application Cluster package) that’s supposed to guarantee that their systems are 99.999% available caused a major outage. This eWeek article explores Orbitz’s solution (e.g. moving off RAC).
Fearless prediction: Orbitz is going to start looking for another database vendor. eBay dumped Oracle and Sun after their 1998 outage, and I fully expect to see it happen again. Since Orbitz’ new CIO started work on Monday, I bet this is suddenly very high on his to-do list.

New MS RSS feed

Thundermain has a new RSS feed that lists the ten most recent downloads posted in the Microsoft Download Center. This is a simple way to keep up with new white papers, documents, and patches. Check it out.
For bonus points, check out Jiri Ludvik’s list of security blogs, from which this blog is inexplicably absent. It’s still a good list. (Hat tip: Susan Bradley via NTBugTraq.)

It only looks like a bug

I’m flying ATA to Seattle today, so I tried to use their web site to check in. I had some printer trouble while printing boarding passes, so I clicked the “Go Back” button on the boarding pass page. Imagine my surprise when I got someone else’s boarding pass. I immediately pegged it as a session-rollover hole, so I called ’em up and spoke to a helpful lady at their Internet service desk. I followed up with a screenshot showing the other passenger’s boarding pass, and they followed up with a call from their webmaster. It turns out that instead of including a “your session has timed out” page like, oh, 99.8% of other e-commerce sites, they throw up this fake boarding pass. It’s being fixed. I’m glad it was a placeholder and not a real security flaw, and I’m even gladder that they took prompt action to square it away. I hope their IT staff’s attitude is reflective of the flight and cabin crew’s attitude.

Buffer overflow in IIS WebDAV: Patch it now!

Microsoft has MS03-007 out. The bulletin describes a buffer overflow vulnerability in the WebDAV component of IIS 5.0 on W2K; Windows 2003 and Windows XP aren’t affected. The practical effect of this vuln is that an attacker can run code of her choice on your server (at which point it’s not really your server anymore.) The worst part is that an exploit for this problem is already circulating.
There are several ways to avoid this problem:

  • If you were already running URLScan, you’re in good shape. Its whole purpose is to block malformed or bogus requests before IIS ever gets them. If you’re not running URLScan, well, why not?
  • Go to the download page and download the patch. It’s a self-installing executable; after installing it, stop and restart the W3SVC service. You don’t need to reboot.
  • Go to Windows Update and scan for the patch. The Windows Update installer may prompt you for a reboot.
  • Use the Automatic Updates client to download and install the patch. Unfortunately, this route will prompt you for a reboot, although you can get around that by killing its process and bouncing the W3SVC service.
  • Disable or remove IIS. Obviously you can’t do this for your Exchange servers, but other servers may not need IIS. See KB article 321141 for details.
  • Disable WebDAV only. This is easy to do.
  • Download the URL Buffer Size Registry tool and use it to set the MaxClientRequestBuffer value. Microsoft recommends setting MaxClientRequestBuffer to 16K, but in the same sentence they warn that doing so may break “some programs.” In my testing, a setting of 16K didn’t seem to interfere with OWA or Exchange, but your environment may have a different mix of requests. I’ve asked MS for a definitive statement on this; in the meantime, you can either use a larger value or use URLScan, which has templates for OWA. (Side note: of course, by reading KB article 816930 you could make this change yourself, but the tool can scan multiple machines to find those that haven’t had this limit applied.)
  • If you choose to apply MaxClientRequestBuffer, you should probably also use a group policy setting to push the registry key to all of your servers rather than setting it by hand.
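To check a batch of servers for the two registry-based mitigations above, here is an added PowerShell scan (not the Microsoft tool from the post, and not code from the original). It assumes both values live under HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters, that DisableWebDAV is the value name used to switch WebDAV off, that the post’s 16K means 16384 bytes, and that the Remote Registry service is reachable with admin rights on each target.

```powershell
# Added example: report which IIS servers still accept unbounded WebDAV requests.
# Assumptions: registry path and DisableWebDAV value name as stated in the lead-in;
# Remote Registry running on targets; caller is a local admin there.
param(
    [string[]]$ComputerName = @('localhost'),
    [int]$MaxBuffer = 16384          # the 16K limit Microsoft suggests, taken as 16384 bytes
)

$subKey = 'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'

foreach ($computer in $ComputerName) {
    try {
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer)
        $key  = $hklm.OpenSubKey($subKey)
        if ($null -eq $key) {
            Write-Output "$computer : W3SVC parameters key not found (IIS not installed?)"
            $hklm.Close()
            continue
        }

        $limit  = $key.GetValue('MaxClientRequestBuffer')   # $null when never set
        $webdav = $key.GetValue('DisableWebDAV')            # $null when never set

        $bufferCapped = ($null -ne $limit)  -and ([int]$limit -le $MaxBuffer)
        $webdavOff    = ($null -ne $webdav) -and ([int]$webdav -eq 1)

        # A capped buffer or a disabled WebDAV component each blunt the oversized
        # request; neither replaces installing the MS03-007 patch itself.
        $status = if ($webdavOff)       { 'OK: WebDAV disabled' }
                  elseif ($bufferCapped) { "OK: request buffer capped at $limit bytes" }
                  else                   { 'NEEDS ATTENTION: WebDAV enabled, no request-buffer limit' }

        Write-Output "$computer : $status"
        $key.Close()
        $hklm.Close()
    }
    catch {
        Write-Output "$computer : could not read registry ($($_.Exception.Message))"
    }
}
```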

What about long-term solutions? Well, you should definitely be using IIS Lockdown on all your Windows 2000 servers. If you combine that tool with reasonable attention to patches, you will be in relatively good shape. You should aggressively follow up with MBSA scans to check for correct patch installation. In almost all cases, your life will be easier if you deploy the Software Update Service (SUS) to pull patches and stage them for mass installation. When I get a free minute, I’ll be writing an article here describing exactly how to use SUS.
In the meantime, if you read and follow the recommendations in chapters 6 and 14 of the book, you can relax.

New post-SP3 rollup for Exchange 2000

Technically, this isn’t a security alert, but Microsoft has released the first post-SP3 rollup fix for Exchange 2000. KB article 813840 links to the list of fixes.
There’s a companion set of fixes for the Active Directory Connector. KB article 815452 contains its list of fixes.
UPDATE: Microsoft has pulled the downloadable update, citing mismatches between the rollup binaries and the associated symbol files. They haven’t yet provided an ETA for restoring the download, although the KB articles are still there.

What WinXP SP1 does when you’re not looking

Microsoft has released a terrific new white paper:

This white paper provides information about the communication that flows between components in Windows XP Professional Service Pack 1 (SP1) and sites on the Internet, and how to limit, control, or prevent that communication in an organization with many users.

In other words, this paper debunks the FUD surrounding XP’s communications with the Internet by explaining when XP connects, why, and what it sends or receives. Highly recommended.
