Hi all,

Today I discovered the following issue, which can occur
when you configure your Exchange Server 2000 or 2003:
When the guest account is enabled, everyone can use
the "auth login" command when connecting to the virtual
server to log on to this server. This is because the
default setting on the virtual server is:
"Allow all computers which successfully authenticate to
relay, regardless of the list above".

The following is a transcript of an SMTP session with a
server where the guest account was enabled:

220 test.test.de Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Thu, 28 Aug 2003 00:20:42 +0200
ehlo
250-test.test.de.de Hello [127.0.0.1]
250-TURN
250-SIZE 4194304
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
auth login
334 VXNlcm5hbWU6
aaa
334 UGFzc3dvcmQ6
aaa
235 2.7.0 Authentication successful.
mail from:bla@bla.de
250 2.1.0 bla@bla.de....Sender OK
rcpt to:test@spam.org
250 2.1.5 test@spam.org
data
354 Start mail input; end with <CRLF>.<CRLF>
Test
.
250 2.6.0 <TestFOAmEaJswFCHO0000001c@testtest.de Queued mail for delivery


As you can see, though I used only the user name and
password "aaa" (this account does not exist in the
organisation!) to log in, the server considered me to be
authenticated, which enabled me to send spam.

Sincerely,

Manfred Schmitten
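The session above shows three things a reviewer of SMTP protocol logs should be able to pick out mechanically: the EHLO reply advertises AUTH LOGIN without STARTTLS, an AUTH LOGIN for a name that is not a directory account still gets "235 Authentication successful", and a RCPT TO for a foreign domain is then accepted on the strength of that logon. The following Python script is an added example, not code from the post or from Microsoft; it walks a transcript in the post's format (with "C:"/"S:" direction markers added, which the original has none of) and reports those conditions. `LOCAL_DOMAINS` and `KNOWN_ACCOUNTS` are constructed assumptions standing in for the server's accepted domains and its real directory accounts.

```python
import base64
import binascii
from dataclasses import dataclass, field
from typing import List, Set

# Constructed assumptions (the post states neither): domains this server hosts,
# and accounts that actually exist in the directory.
LOCAL_DOMAINS = {"test.de"}
KNOWN_ACCOUNTS = {"alice", "bob"}

# Constructed sample: the session from the post, with "C:"/"S:" direction markers
# added here (the post's transcript has none) and unneeded EHLO lines omitted.
SAMPLE_SESSION = """\
S: 220 test.test.de Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready
C: ehlo
S: 250-test.test.de.de Hello [127.0.0.1]
S: 250-AUTH GSSAPI NTLM LOGIN
S: 250 OK
C: auth login
S: 334 VXNlcm5hbWU6
C: aaa
S: 334 UGFzc3dvcmQ6
C: aaa
S: 235 2.7.0 Authentication successful.
C: mail from:bla@bla.de
S: 250 2.1.0 bla@bla.de....Sender OK
C: rcpt to:test@spam.org
S: 250 2.1.5 test@spam.org
C: data
S: 354 Start mail input; end with <CRLF>.<CRLF>
C: .
S: 250 2.6.0 <TestFOAmEaJswFCHO0000001c@testtest.de Queued mail for delivery
"""


@dataclass
class SessionReport:
    offers_auth_login: bool = False
    offers_starttls: bool = False
    authenticated: bool = False
    auth_user: str = ""
    accepted_recipients: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def decode_b64_or_raw(token: str) -> str:
    """AUTH LOGIN tokens are base64 ("VXNlcm5hbWU6" is "Username:"); the post's
    client sent a bare "aaa", which is not valid base64, so fall back to raw."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return token


def analyze_session(text: str, local_domains: Set[str] = LOCAL_DOMAINS,
                    known_accounts: Set[str] = KNOWN_ACCOUNTS) -> SessionReport:
    """Walk one 'C: ...' / 'S: ...' transcript and flag what the post demonstrates."""
    r, in_auth, in_data, tokens, pending = SessionReport(), False, False, [], ""
    for line in text.splitlines():
        who, sep, body = line.partition(": ")
        if not sep or who not in ("C", "S"):
            continue                         # blank or unmarked line
        body = body.rstrip()
        if who == "C":
            if in_data:                      # message body until the lone "."
                in_data = body != "."
            elif in_auth:                    # challenge answers: username, then password
                tokens.append(decode_b64_or_raw(body))
            else:
                pending = body.strip()       # command awaiting the server's reply
                if pending.lower().startswith("auth login"):
                    in_auth, tokens = True, []
            continue
        code, cmd = body[:3], pending.lower()
        if in_auth:
            if code == "334":                # challenge; the client answers next
                continue
            in_auth = False
            if code == "235":
                r.authenticated, r.auth_user = True, (tokens[0] if tokens else "")
                if r.auth_user not in known_accounts:
                    r.findings.append(f"AUTH LOGIN accepted '{r.auth_user}', not a directory account")
        elif cmd.startswith("ehlo") and code == "250":
            ext = body[4:].upper()           # drop "250-" / "250 "
            r.offers_auth_login |= ext.startswith("AUTH") and "LOGIN" in ext
            r.offers_starttls |= ext.startswith("STARTTLS")
        elif cmd.startswith("rcpt to:") and code == "250":
            rcpt = pending.split(":", 1)[1].strip().strip("<>")
            r.accepted_recipients.append(rcpt)
            external = rcpt.rsplit("@", 1)[-1].lower() not in local_domains
            if external and not r.authenticated:
                r.findings.append(f"open relay: RCPT TO {rcpt} accepted unauthenticated")
            elif external and r.auth_user not in known_accounts:
                r.findings.append(f"relay to external {rcpt} granted on that Guest-mapped logon")
        elif cmd == "data" and code == "354":
            in_data = True
    if r.offers_auth_login and not r.offers_starttls:
        r.findings.append("AUTH LOGIN offered without STARTTLS (credentials only base64-encoded)")
    return r
```

Running `analyze_session(SAMPLE_SESSION)` returns a report with three findings: the Guest-mapped logon, the external relay granted on it, and the missing STARTTLS. Pass `known_accounts={"aaa"}` and only the STARTTLS finding remains, which is the distinction the post is making: the relay setting itself is normal, the surprise is which logons Exchange counts as "successfully authenticated".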

Re: Serious Exchange Configuration Trap!!!! by Joe

Joe
Wed Aug 27 20:36:22 CDT 2003

That is why the first thing anyone with any knowledge does is disable the
guest account and lock it out.

"Manfred Schmitten" <MSchmitten@corporate-education.de> wrote in message
news:081a01c36ceb$0b866fa0$a101280a@phx.gbl...
> Hi all,
>
> Today I discovered the following issue, which can occur
> when you configure your Exchange Server 2000 or 2003:
> When the guest account is enabled, everyone can use
> the "auth login" command when connecting to the virtual
> server to log on to this server. This is because the
> default setting on the virtual server is:
> "Allow all computers which successfully authenticate to
> relay, regardless of the list above".
>
> The following is a transcript of an SMTP session with a
> server where the guest account was enabled:
>
> 220 test.test.de Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Thu, 28 Aug 2003 00:20:42 +0200
> ehlo
> 250-test.test.de.de Hello [127.0.0.1]
> 250-TURN
> 250-SIZE 4194304
> 250-ETRN
> 250-PIPELINING
> 250-DSN
> 250-ENHANCEDSTATUSCODES
> 250-8bitmime
> 250-BINARYMIME
> 250-CHUNKING
> 250-VRFY
> 250-X-EXPS GSSAPI NTLM LOGIN
> 250-X-EXPS=LOGIN
> 250-AUTH GSSAPI NTLM LOGIN
> 250-AUTH=LOGIN
> 250-X-LINK2STATE
> 250-XEXCH50
> 250 OK
> auth login
> 334 VXNlcm5hbWU6
> aaa
> 334 UGFzc3dvcmQ6
> aaa
> 235 2.7.0 Authentication successful.
> mail from:bla@bla.de
> 250 2.1.0 bla@bla.de....Sender OK
> rcpt to:test@spam.org
> 250 2.1.5 test@spam.org
> data
> 354 Start mail input; end with <CRLF>.<CRLF>
> Test
> .
> 250 2.6.0 <TestFOAmEaJswFCHO0000001c@testtest.de Queued mail for delivery
>
>
> As you can see, though I used only the user name and
> password "aaa" (this account does not exist in the
> organisation!) to log in, the server considered me to be
> authenticated, which enabled me to send spam.
>
> Sincerely,
>
> Manfred Schmitten



Re: Serious Exchange Configuration Trap!!!! by Manfred

Manfred
Thu Aug 28 04:37:57 CDT 2003

You are right, Joe, but what if the customer wants it
that way? Enabling the guest account is a risk, but the
consequences for Exchange are nevertheless surprising,
because MS didn't tell anyone about the
fact that you can relay mail if the guest account is
enabled.

Manfred
>-----Original Message-----
>That is why the first thing anyone with any knowledge
>does is disable the guest account and lock it out.
>
>"Manfred Schmitten" <MSchmitten@corporate-education.de> wrote in message
>news:081a01c36ceb$0b866fa0$a101280a@phx.gbl...
>> Hi all,
>>
>> Today I discovered the following issue, which can occur
>> when you configure your Exchange Server 2000 or 2003:
>> When the guest account is enabled, everyone can use
>> the "auth login" command when connecting to the virtual
>> server to log on to this server. This is because the
>> default setting on the virtual server is:
>> "Allow all computers which successfully authenticate to
>> relay, regardless of the list above".
>>
>> The following is a transcript of an SMTP session with a
>> server where the guest account was enabled:
>>
>> 220 test.test.de Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Thu, 28 Aug 2003 00:20:42 +0200
>> ehlo
>> 250-test.test.de.de Hello [127.0.0.1]
>> 250-TURN
>> 250-SIZE 4194304
>> 250-ETRN
>> 250-PIPELINING
>> 250-DSN
>> 250-ENHANCEDSTATUSCODES
>> 250-8bitmime
>> 250-BINARYMIME
>> 250-CHUNKING
>> 250-VRFY
>> 250-X-EXPS GSSAPI NTLM LOGIN
>> 250-X-EXPS=LOGIN
>> 250-AUTH GSSAPI NTLM LOGIN
>> 250-AUTH=LOGIN
>> 250-X-LINK2STATE
>> 250-XEXCH50
>> 250 OK
>> auth login
>> 334 VXNlcm5hbWU6
>> aaa
>> 334 UGFzc3dvcmQ6
>> aaa
>> 235 2.7.0 Authentication successful.
>> mail from:bla@bla.de
>> 250 2.1.0 bla@bla.de....Sender OK
>> rcpt to:test@spam.org
>> 250 2.1.5 test@spam.org
>> data
>> 354 Start mail input; end with <CRLF>.<CRLF>
>> Test
>> .
>> 250 2.6.0 <TestFOAmEaJswFCHO0000001c@testtest.de Queued mail for delivery
>>
>>
>> As you can see, though I used only the user name and
>> password "aaa" (this account does not exist in the
>> organisation!) to log in, the server considered me to be
>> authenticated, which enabled me to send spam.
>>
>> Sincerely,
>>
>> Manfred Schmitten

Re: Serious Exchange Configuration Trap!!!! by Karl

Karl
Thu Aug 28 05:03:51 CDT 2003

You could be right that Microsoft might want to document this, but note that
AFAIK the guest account is disabled by default.

The customer can always create their own Guest user, such as Guest2. Anyone
who enables the Guest account probably isn't too worried about security.


"Manfred Schmitten" <Manfred@schmitten.net> wrote in message
news:0bb701c36d48$10500b60$a301280a@phx.gbl...
> You are right, Joe, but what if the customer wants it
> that way? Enabling the guest account is a risk, but the
> consequences for Exchange are nevertheless surprising,
> because MS didn't tell anyone about the
> fact that you can relay mail if the guest account is
> enabled.
>
> Manfred
> >-----Original Message-----
> >That is why the first thing anyone with any knowledge
> >does is disable the guest account and lock it out.
> >
> >"Manfred Schmitten" <MSchmitten@corporate-education.de> wrote in message
> >news:081a01c36ceb$0b866fa0$a101280a@phx.gbl...
> >> Hi all,
> >>
> >> Today I discovered the following issue, which can occur
> >> when you configure your Exchange Server 2000 or 2003:
> >> When the guest account is enabled, everyone can use
> >> the "auth login" command when connecting to the virtual
> >> server to log on to this server. This is because the
> >> default setting on the virtual server is:
> >> "Allow all computers which successfully authenticate to
> >> relay, regardless of the list above".
> >>
> >> The following is a transcript of an SMTP session with a
> >> server where the guest account was enabled:
> >>
> >> 220 test.test.de Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Thu, 28 Aug 2003 00:20:42 +0200
> >> ehlo
> >> 250-test.test.de.de Hello [127.0.0.1]
> >> 250-TURN
> >> 250-SIZE 4194304
> >> 250-ETRN
> >> 250-PIPELINING
> >> 250-DSN
> >> 250-ENHANCEDSTATUSCODES
> >> 250-8bitmime
> >> 250-BINARYMIME
> >> 250-CHUNKING
> >> 250-VRFY
> >> 250-X-EXPS GSSAPI NTLM LOGIN
> >> 250-X-EXPS=LOGIN
> >> 250-AUTH GSSAPI NTLM LOGIN
> >> 250-AUTH=LOGIN
> >> 250-X-LINK2STATE
> >> 250-XEXCH50
> >> 250 OK
> >> auth login
> >> 334 VXNlcm5hbWU6
> >> aaa
> >> 334 UGFzc3dvcmQ6
> >> aaa
> >> 235 2.7.0 Authentication successful.
> >> mail from:bla@bla.de
> >> 250 2.1.0 bla@bla.de....Sender OK
> >> rcpt to:test@spam.org
> >> 250 2.1.5 test@spam.org
> >> data
> >> 354 Start mail input; end with <CRLF>.<CRLF>
> >> Test
> >> .
> >> 250 2.6.0 <TestFOAmEaJswFCHO0000001c@testtest.de Queued mail for delivery
> >>
> >>
> >> As you can see, though I used only the user name and
> >> password "aaa" (this account does not exist in the
> >> organisation!) to log in, the server considered me to be
> >> authenticated, which enabled me to send spam.
> >>
> >> Sincerely,
> >>
> >> Manfred Schmitten



Re: Serious Exchange Configuration Trap!!!! by Lanwench

Lanwench
Thu Aug 28 11:31:24 CDT 2003

If I'm brought in as a technical consultant, one of my responsibilities is
to explain to the client why it would be irresponsible to do something like
enabling Guest. If they won't listen to me, they need to find someone else -
clearly they don't respect my advice, and I will not find them easy to work
with.

Manfred Schmitten wrote:
> You are right, Joe, but what if the customer wants it
> that way? Enabling the guest account is a risk, but the
> consequences for Exchange are nevertheless surprising,
> because MS didn't tell anyone about the
> fact that you can relay mail if the guest account is
> enabled.
>
> Manfred
>> -----Original Message-----
>> That is why the first thing anyone with any knowledge does is
>> disable the guest account and lock it out.
>>
>> "Manfred Schmitten" <MSchmitten@corporate-education.de> wrote in
>> message news:081a01c36ceb$0b866fa0$a101280a@phx.gbl...
>>> Hi all,
>>>
>>> Today I discovered the following issue, which can occur
>>> when you configure your Exchange Server 2000 or 2003:
>>> When the guest account is enabled, everyone can use
>>> the "auth login" command when connecting to the virtual
>>> server to log on to this server. This is because the
>>> default setting on the virtual server is:
>>> "Allow all computers which successfully authenticate to
>>> relay, regardless of the list above".
>>>
>>> The following is a transcript of an SMTP session with a
>>> server where the guest account was enabled:
>>>
>>> 220 test.test.de Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Thu, 28 Aug 2003 00:20:42 +0200
>>> ehlo
>>> 250-test.test.de.de Hello [127.0.0.1]
>>> 250-TURN
>>> 250-SIZE 4194304
>>> 250-ETRN
>>> 250-PIPELINING
>>> 250-DSN
>>> 250-ENHANCEDSTATUSCODES
>>> 250-8bitmime
>>> 250-BINARYMIME
>>> 250-CHUNKING
>>> 250-VRFY
>>> 250-X-EXPS GSSAPI NTLM LOGIN
>>> 250-X-EXPS=LOGIN
>>> 250-AUTH GSSAPI NTLM LOGIN
>>> 250-AUTH=LOGIN
>>> 250-X-LINK2STATE
>>> 250-XEXCH50
>>> 250 OK
>>> auth login
>>> 334 VXNlcm5hbWU6
>>> aaa
>>> 334 UGFzc3dvcmQ6
>>> aaa
>>> 235 2.7.0 Authentication successful.
>>> mail from:bla@bla.de
>>> 250 2.1.0 bla@bla.de....Sender OK
>>> rcpt to:test@spam.org
>>> 250 2.1.5 test@spam.org
>>> data
>>> 354 Start mail input; end with <CRLF>.<CRLF>
>>> Test
>>> .
>>> 250 2.6.0 <TestFOAmEaJswFCHO0000001c@testtest.de Queued mail for delivery
>>>
>>>
>>> As you can see, though I used only the user name and
>>> password "aaa" (this account does not exist in the
>>> organisation!) to log in, the server considered me to be
>>> authenticated, which enabled me to send spam.
>>>
>>> Sincerely,
>>>
>>> Manfred Schmitten