Specific Exchange configuration exposes OWA

Michael S. Mimoso, Editorial Director

Microsoft has identified the specific configuration that opens a gaping security hole in Outlook Web Access, a component of Exchange Server 2003 that enables users to access their mailboxes online.

A network administrator who requested anonymity reported last week that users were gaining random access to mailboxes that were not their own via OWA. Microsoft was immediately informed and, late last week, produced two Knowledge Base articles that detail the problem and advise on remediation.

"At worst, this issue could result in access to mailboxes at random and only to an authenticated Exchange user in the same organization, on the same network," a Microsoft spokesman told SearchSecurity.com.

Microsoft said the vulnerability surfaces when Windows SharePoint Services 2.0 is installed on a computer running both Exchange Server 2003 and Windows Server 2003. Administrators should note that their systems are at risk only if they have deployed front-end Exchange 2003 servers and have installed SharePoint Services on Exchange 2003 back-end servers, Microsoft said.

"The deployment causes Kerberos authentication to be disabled in Internet Information Services (IIS) [Web servers] and can result in the incorrect handling of Outlook Web Access requests to an Exchange Server," the spokesman said.

Microsoft points out that only this specific configuration causes the problem to surface, and it does not affect users who have deployed a version of Exchange 2003 in conjunction with Windows Small Business Server 2003.

"It's important to note that not all Exchange 2003 customers using Windows SharePoint Services are affected by this. It is a very specific configuration," the spokesman said.

Windows Server 2003 ships with Kerberos enabled by default, and Microsoft recommends leaving it enabled in IIS. Kerberos is a secure method for authenticating a request for a network service.

Microsoft provided a patch to the administrator who reported the flaw, and service has been restored to that administrator's users without incident.

It is unknown whether Microsoft will include a fix for this hole in its monthly patch release, which is due next week.

This could be the first major security flaw in Exchange Server 2003, which was made available to the general public Oct. 21. Previous versions have recently been the center of security issues. In October, Microsoft released the first of its new monthly patch releases, and the release included a patch for a critical buffer overflow vulnerability in Exchange Server 2000. That flaw could enable remote execution of code. On the same day, a less serious denial-of-service flaw was found in Exchange Server 5.5.

Earlier this month, a Harvard University student published a white paper that detailed a flaw in Exchange Server 5.5 and Exchange Server 2000. The flaw could be used by spammers to send bulk e-mail messages anonymously. The researcher said that, even if all security features were updated on the servers, spammers could use it to send spam through a guest account.
