As part of our commitment to help customers improve and maintain security, Microsoft Product Support Services works to provide proactive information that can help customers implement best security practices.
With the recent activity in mass mailer e-mail worms, we wanted to advise you of some Exchange security best practices that you can use to improve your security and availability.
Specifically, we wanted to let you know of some best practices around:
- Configuring attachment blocking using Microsoft Outlook
- Excluding certain directories from file-level virus scanners
- Preparing for an Exchange disaster recovery
- Closing an open relay
Configuring Attachment Blocking Using Microsoft Outlook
An effective way that most mass mailer e-mail worms can be prevented is through the use of the Attachment Blocking capabilities in Microsoft Outlook. By default, Attachment Blocking in Microsoft Outlook blocks the executable attachment types that most mass mailer e-mail worms use to propagate. Even those mass mailer e-mail worms that use attached .zip files can be blocked by adding .zip files to the blocked attachment types.
Outlook 2003, Outlook XP and Outlook 2000 SP2
By default, Microsoft Office Outlook 2003, Outlook 2002 in Microsoft Office XP, and Outlook 2000 SP2 provide an attachment security feature. This security feature is designed to increase the security protection for certain types of e-mail attachments. This feature provides explicit warning language when attachments are opened, and you have to save the attachment to the file system before opening it. This can help you avoid accidentally releasing viruses that hide in certain file types.
While Microsoft does not recommend reducing e-mail client security levels, there may be instances when an organization wants to customize or remove the additional protections provided by Microsoft Outlook.
Best practice: You can modify default security settings for the Outlook 2003 client by using the Outlook Security template, which you install as a form in Outlook. To install this form, read the following Knowledge Base articles:
- How to configure Outlook to block additional attachment file name extensions - http://support.microsoft.com/?id=837388
- Administrator Information About E-Mail Security Features - http://support.microsoft.com/?id=290499
For additional information, see:
- You Cannot Open Attachments - http://support.microsoft.com/?id=290497
- Customizing Security Settings by Using the Outlook Security Template - http://www.microsoft.com/office/ork/2003/three/ch12/OutG03.htm
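As an added illustration (not part of this advisory), the following Python script shows the decision that Outlook's attachment blocking makes: only the final extension counts, so a disguised name such as photo.jpg.pif is still caught, and an administrator-added set such as {"zip"} extends the default list. The blocked-extension set is a representative subset of the default list (see the KB articles above) and the sample message is constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Representative subset of the extensions Outlook blocks by default (Level 1);
# assumption: illustration only, the full list is in the KB articles above.
DEFAULT_BLOCKED = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js"}

def blocked_extension(filename, extra_blocked=frozenset()):
    """Return the extension that gets a filename blocked, or None if allowed.

    Only the final extension counts, so 'photo.jpg.pif' is still caught.
    extra_blocked holds administrator additions such as {"zip"}.
    """
    if not filename or "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].strip().lower()
    extras = {e.lower().lstrip(".") for e in extra_blocked}
    return ext if ext in DEFAULT_BLOCKED or ext in extras else None

def scan_message(raw, extra_blocked=frozenset()):
    """Return (filename, extension) for each attachment that would be blocked."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = blocked_extension(name, extra_blocked)
        if ext:
            hits.append((name, ext))
    return hits

def build_sample():
    """Constructed message in the style of a 2004 mass mailer (not a real sample)."""
    m = EmailMessage()
    m["From"] = "someone@example.net"
    m["To"] = "user@example.com"
    m["Subject"] = "Re: your document"
    m.set_content("Please see the attached files.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="photo.jpg.pif")
    m.add_attachment(b"PK\x03\x04", maintype="application",
                     subtype="zip", filename="invoice.zip")
    m.add_attachment("meeting notes", filename="notes.txt")
    return m.as_string()

if __name__ == "__main__":
    print("default policy:", scan_message(build_sample()))
    print("with .zip added:", scan_message(build_sample(), {".zip"}))
```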
Outlook 2000 SP1, Outlook 2000, Outlook 98 and Outlook 97
Microsoft Outlook® 2000 Service Pack 1 (SP1), Outlook 2000 without service packs, Outlook 98, and Outlook 97 do not have mechanisms to block attachments. If you are using one of these versions, virus and worm protection must be provided on the server running Exchange.
Best practice: Upgrade to Outlook 2000 Service Pack 2 (SP2) to protect the client or install the appropriate e-mail security update:
- Office 2000 Update: Service Pack 3 (SP3) (Includes Outlook 2000 SR1 E-mail Security Update) - http://www.microsoft.com/downloads/details.aspx?FamilyID=5C011C70-47D0-4306-9FA4-8E92D36332FE&displaylang=EN
- Outlook 98 E-mail Security Update - http://www.microsoft.com/downloads/details.aspx?FamilyID=48B0BC6A-B123-4F48-B27D-119078B4819F&displaylang=en
- Outlook 97 Email Security Update - http://www.microsoft.com/downloads/details.aspx?FamilyID=8dee9e59-23dc-46fc-8fc1-7b680b7e9d13&DisplayLang=en
Exclude Certain Directories from File-level Virus Scanners
File-level scanners scan a file when it is used or at a scheduled interval and can lock or quarantine an Exchange log or database file while Exchange tries to use the file. This can cause a severe failure in Exchange Server 2003 and earlier versions and can also generate -1018 errors.
Best practice: Make sure that you exclude the following directories on all the drives.
In Exchange 2003, exclude:
- Exchsrvr\MDBData
- SRS
In Exchange 2000 Server, exclude:
- Exchsrvr\MDBData
- SRS
Important: Do not scan the M: drive. File-level scanning of your M: drive can cause calendar items to disappear from users’ folders.
In Exchange Server 5.5, exclude:
- Exchsrvr\MDBData
- DSAData
For more information, see the following articles in the Microsoft Knowledge Base:
- XADM: Exchange and Antivirus Software - http://support.microsoft.com/?id=328841
- XADM: Large Number of Transaction Logs Created - http://support.microsoft.com/?id=298551
- XADM: A "C1041737" Error and an Event ID 470 Message May Be Displayed - http://support.microsoft.com/?id=300608
- XADM: Do Not Back Up or Scan Exchange 2000 Drive M - http://support.microsoft.com/?id=298924
Preparing for an Exchange Disaster Recovery
When preparing for a disaster recovery situation, thinking through a few key questions will help guide you to the necessary steps. Do you need to recover data from a backup (private or public store) and have questions about how to set up the recovery environment or the restore itself? What do you need to set up for the Active Directory® directory service and DNS? Do you need to have the same organization, administrator group, server, and store names as the production environment?
Best practice: Test your backup files monthly and become familiar with the processes themselves. Should it ever become necessary to restore data to your production environment, your familiarity with the procedure will lessen the downtime of your servers.
For answers to your questions, see the following articles in the Knowledge Base:
- How to Back Up and Restore an Exchange 2000 Computer - http://support.microsoft.com/?id=258243
- Running a Disaster Recovery Setup - http://support.microsoft.com/?id=257415
- Disaster Recovery Includes Metabase Backup and Restore - http://support.microsoft.com/?id=241635
- Disaster Recovery of Information Store on Exchange Server - http://support.microsoft.com/?id=313184
Also, download the following white papers from the Microsoft Download Center:
- White Paper for Exchange 2003 Disaster Recovery - http://www.microsoft.com/downloads/details.aspx?FamilyID=df144af6-bee5-4b35-866a-557e25fe2ba1&displaylang=en
- White Paper for Exchange 2000 Disaster Recovery - http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=6E55DD49-8A6C-4F30-947E-BDE95917F585
- White Paper for Exchange 5.5 Disaster Recovery - http://www.microsoft.com/downloads/details.aspx?FamilyID=df586628-3abe-40c3-8e8f-beb4122de3d7&displaylang=en
Closing an Open Relay
The top causes for open relays with Exchange include:
- The SMTP service is live on the Internet and not enforcing authentication to relay.
- The SMTP server has accounts locally or is part of a domain that has poor passwords or no password at all.
Best practice: The following known accounts have the potential to be compromised and should either be disabled or be given a strong password.
In past cases, these accounts have been found in the event viewer after diagnostic logging was turned up. Remember, the password should never match the logon name.
- Webmaster
- Admin
- Root
- Test
- Master
- Web
- www
- administrator
- backup
- server
- data
- abc
- guest
These articles should help you configure Microsoft Exchange Server so that it does not become an open relay, and show you which clues to look for in the future to verify that it is not relaying.
- HOW TO: Prevent Exchange 2000 from Being Used as a Mail Relay in Windows 2000 - http://support.microsoft.com/?id=310380
- HOW TO: Block open SMTP Relaying and clean up Exchange Server (article can be used with Exchange 2000 and Small Business Server) - http://support.microsoft.com/?id=324958
- Cannot send E-Mail Messages to a growing list of domains - http://support.microsoft.com/?id=300580
- HOW TO: Examine relay restrictions for anonymous SMTP connections and filter unsolicited E-mail messages in Exchange 2000 Server - http://support.microsoft.com/?id=313395
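As an added example (not from this advisory), here is a Python check for the two causes named above, run over a constructed, simplified SMTP protocol log: an unauthenticated session whose outside-to-outside delivery is accepted is a sign of relaying, and AUTH attempts with the logon names listed above deserve a look whether they succeed or fail. The log format and the accepted-domain set are assumptions.

```python
import re
from collections import defaultdict

# Assumption: the Exchange organization's own accepted domains.
LOCAL_DOMAINS = {"example.com"}
# Logon names the advisory lists as seen in past relay compromises.
RISKY_ACCOUNTS = {"webmaster", "admin", "root", "test", "master", "web", "www",
                  "administrator", "backup", "server", "data", "abc", "guest"}
# Constructed, simplified log format: date time client-ip session verb argument reply-code
LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<sid>\S+) (?P<cmd>AUTH|MAIL|RCPT) "
                  r"(?P<arg>\S+) (?P<status>\d{3})$")

def domain_of(addr):
    """Domain part of an SMTP address such as <user@host>, lower-cased."""
    return addr.strip("<>").rpartition("@")[2].lower()

def analyze(lines):
    """Return (finding, client-ip, detail, reply-code) tuples for relay and risky-account signs."""
    sessions = defaultdict(lambda: {"authed": False, "sender": None})
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not one of the three verbs
        s, arg, status = sessions[m["sid"]], m["arg"], m["status"]
        if m["cmd"] == "AUTH":
            if arg.lower() in RISKY_ACCOUNTS:
                findings.append(("risky-account-auth", m["ip"], arg.lower(), status))
            s["authed"] = s["authed"] or status == "235"  # 235 = authentication succeeded
        elif m["cmd"] == "MAIL":
            s["sender"] = arg
        elif s["sender"] is not None:  # RCPT: relay only if neither side is a local domain
            outside_to_outside = (domain_of(s["sender"]) not in LOCAL_DOMAINS
                                  and domain_of(arg) not in LOCAL_DOMAINS)
            if outside_to_outside and not s["authed"] and status == "250":
                findings.append(("open-relay-accepted", m["ip"], f"{s['sender']}->{arg}", status))
    return findings

SAMPLE_LOG = """\
2004-03-09 10:01:02 203.0.113.5 s1 MAIL <spam@outside.example> 250
2004-03-09 10:01:03 203.0.113.5 s1 RCPT <victim@elsewhere.example> 250
2004-03-09 10:02:10 198.51.100.7 s2 AUTH admin 535
2004-03-09 10:02:11 198.51.100.7 s2 AUTH webmaster 235
2004-03-09 10:02:12 198.51.100.7 s2 MAIL <x@outside.example> 250
2004-03-09 10:02:13 198.51.100.7 s2 RCPT <y@elsewhere.example> 250
2004-03-09 10:03:00 192.0.2.9 s3 MAIL <partner@outside.example> 250
2004-03-09 10:03:01 192.0.2.9 s3 RCPT <alice@example.com> 250
2004-03-09 10:04:00 203.0.113.5 s4 MAIL <spam@outside.example> 250
2004-03-09 10:04:01 203.0.113.5 s4 RCPT <victim@elsewhere.example> 550
""".splitlines()

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Session s2 shows why both checks matter: once the compromised webmaster account authenticates, its relaying no longer looks anonymous, so only the account finding reveals it.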
If you have any questions regarding this alert, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.
March 9, 2004
Today Microsoft released the following Security Bulletins.
Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.
Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.
Bulletin Summaries:
Windows: http://www.microsoft.com/technet/security/Bulletin/winmar04.mspx
Office: http://www.microsoft.com/technet/security/Bulletin/offmar04.mspx
Microsoft MSN Products: http://www.microsoft.com/technet/security/Bulletin/msnmaro4.mspx
Important Bulletins:
MS04-009 - Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)
http://www.microsoft.com/technet/security/Bulletin/MS04-009.mspx
Moderate Bulletins:
MS04-008 - Vulnerability in Windows Media Services Could Allow a Denial of Service (832359)
http://www.microsoft.com/technet/security/Bulletin/MS04-008.mspx
MS04-010 - Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)
http://www.microsoft.com/technet/security/Bulletin/MS04-010.mspx
Re-Released Bulletins:
MS03-022 - Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution (822343)
http://www.microsoft.com/technet/security/Bulletin/MS03-022.mspx
This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.
If you have any questions regarding the patch or its implementation after reading the bulletins listed above, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.