Boy, you just gotta love the tight ship Micr$oft runs


Duke

I got this among dozens of other security bulletins our M$ account handler sends...

Administrators of e-mail systems based on Microsoft's Exchange might
have spammers using their servers to send unsolicited bulk e-mail
under their noses, a consultant warned this week.
Aaron Greenspan, a Harvard University junior and president of
consulting company Think Computer, published a white paper Thursday
detailing the problem, discovered when a client's server was found to
be sending spam. Greenspan's research concluded that Exchange 5.5 and
2000 can be used by spammers to send anonymous e-mail. He says even
though software Microsoft provides on its site certifies that the
server is secure, it's not.
"If the guest account is enabled (on Exchange 5.5 and 2000), even if
your login fails, you can send mail, because the guest account is
there as a catchall," he said. "Even if you think you've done
everything (to secure the server), you are still open to spammers."

The guest account is a way for administrators to let visitors use a
mail server anonymously, but because of security issues, the feature
is generally not enabled. Exchange servers that had been infected by
the Code Red worm and subsequently cleaned will still have the guest
account enabled, Greenspan said.
There are dozens of messages--with subject lines such as "Open relay
problem" and "We are sending spam?"--on Microsoft's Exchange
Administration newsgroup, sent by information system managers who
haven't been able to staunch the flow of spam from their servers.
Microsoft, however, said the problem is relatively minor and that the
company hasn't had many complaints.
"This particular method of sending spam relies on specifically
configured servers or is leveraging weaknesses in the protocol
itself," the software giant said in a statement issued in response to
questions from CNET News.com. "The fact is that Microsoft has not
received a lot of calls from customers that have experienced problems
detailed by Think Computer."
Moreover, the company said the issue doesn't affect the latest
version of the software, Exchange Server 2003.
Greenspan, however, argued that the problem has accounted for a large
amount of unsolicited e-mail. He estimates that at least 100,000
messages spammers in China sent went through his client's server
before he stopped the problem. He added that the issue is causing
headaches for Exchange administrators.
"It is really inexcusable for a company that claims security is its
top priority," he said.
 
So it's Microsoft's fault that servers have the guest account enabled, when this is disabled on install, and any security practice worthy of the name has the account disabled?

It's time people started taking responsibility for running their systems, rather than expecting the vendor to do everything for them.
 
Exchange servers that had been infected by
the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.
The cleaning protocol should either turn Guest Accounts off, or it should at the very least prompt you to make the decision whether or not to do it. Regardless, if this feature creates such vulnerability, and is so easy to exploit, there should be changes made in the way it is implemented, which it appears that they have addressed finally in the latest version. But most MXS I've seen are running older versions because it's difficult to migrate.

Stop defending such a lousy operating system.
 
You would think that with the amount of bugs that are coming to their attention they'd actually put some effort into making a better OS?

I'll support Microsoft by copying my friend's copy of XP Pro 👍 But we're not to talk about that.
 
My contention is still valid. If the system operators were doing a proper job, then the security breach would have been cleared. Where's the periodic security review that these companies are running?

If you were hit with something like Code Red, wouldn't you carry out a proper audit of your security? Just blindly patching the vulnerability is only half of the solution.

I don't think it's fair for the operators to blame the vendor when their own inattentiveness costs them time/money. It's like a driver blaming the car for allowing them to blithely run into the back of the car in front of them. Or fixing a major frontal impact and then "forgetting" to check that the newly-repaired brakes worked.

I think that a lot of people are blaming Microsoft when they should be looking a little closer to home. I personally ran 30 NT/2000 servers through the Code Red outbreak, and wasn't affected. At all. This is because I was running a tight ship that worked properly, even though I was overworked and underbudgeted. It's a little too easy to point the finger at a large faceless corporation, and overlook the fact that a well-run Microsoft system can bring enterprise-class functionality to a small business, with significantly lower cost overheads. It does need to be well-run, but then so does any system to perform, and you don't need to pay £50k to UNIX gurus who lack social skills.

Finally, in the global e-mail market, where is the credible alternative to the Active Directory/Exchange/Outlook combination? Lotus Notes is imploding under the pressure of internal politics, and is generally so heavily customised that IT departments are unwilling or unable to upgrade. Novell GroupWise is an excellent product on the server side, but is let down by a woeful client interface. With v6.5 of GroupWise comes support for Outlook, but Novell have shot themselves in the foot with a half-assed implementation of a server GUI, or a resource-hungry "e-Directory", which is no more than a management layer over the top of Microsoft 200x Server. I see that Apple bundles SMTP/POP/IMAP services with OS X Server, but that seems to offer little in the way of management and almost no collaborative features, particularly in task and calendar management.

Microsoft make excellent products. But like most things in life, you get out what you put in. It's never normally acceptable to blame the vendor for one's own negligence, why is it so when the vendor is Microsoft?
 
Originally posted by GilesGuthrie
My contention is still valid. If the system operators were doing a proper job, then the security breach would have been cleared. Where's the periodic security review that these companies are running?

If you were hit with something like Code Red, wouldn't you carry out a proper audit of your security? Just blindly patching the vulnerability is only half of the solution.

I don't think it's fair for the operators to blame the vendor when their own inattentiveness costs them time/money. It's like a driver blaming the car for allowing them to blithely run into the back of the car in front of them. Or fixing a major frontal impact and then "forgetting" to check that the newly-repaired brakes worked.

I think that a lot of people are blaming Microsoft when they should be looking a little closer to home. I personally ran 30 NT/2000 servers through the Code Red outbreak, and wasn't affected. At all. This is because I was running a tight ship that worked properly, even though I was overworked and underbudgeted. It's a little too easy to point the finger at a large faceless corporation, and overlook the fact that a well-run Microsoft system can bring enterprise-class functionality to a small business, with significantly lower cost overheads. It does need to be well-run, but then so does any system to perform, and you don't need to pay £50k to UNIX gurus who lack social skills.

Finally, in the global e-mail market, where is the credible alternative to the Active Directory/Exchange/Outlook combination? Lotus Notes is imploding under the pressure of internal politics, and is generally so heavily customised that IT departments are unwilling or unable to upgrade. Novell GroupWise is an excellent product on the server side, but is let down by a woeful client interface. With v6.5 of GroupWise comes support for Outlook, but Novell have shot themselves in the foot with a half-assed implementation of a server GUI, or a resource-hungry "e-Directory", which is no more than a management layer over the top of Microsoft 200x Server. I see that Apple bundles SMTP/POP/IMAP services with OS X Server, but that seems to offer little in the way of management and almost no collaborative features, particularly in task and calendar management.

Microsoft make excellent products. But like most things in life, you get out what you put in. It's never normally acceptable to blame the vendor for one's own negligence, why is it so when the vendor is Microsoft?

You make some valid points, Giles, especially when you talk about small businesses benefiting from a well-run MS system. My uncle has started to profit big on his investment in both time and money, by running an MS system and keeping it well oiled.

I do, however, have to agree with neon_duke on the lousy OS statement. Microsoft has failed to publicly release knowledge of serious exploits/vulnerabilities on the majority of their products. Now, the user has to have some knowledge in what he is using, but I'm positive that the Guest Account vulnerability was not the only vulnerability on that system, and even if it had been disabled, the spammers still could have taken advantage of the system.

Well that's my two cents, anyway.
 
