Exchange & Outlook UPDATE, Exchange Edition, December 4, 2003

1. Commentary

- OWA Security Patch

2. Announcements

- 2004 Dates Announced: Windows & .NET Magazine Connections

- Order Windows & .NET Magazine and the Article Archive CD at One Low Rate!

3. Instant Poll

- Results of Previous Poll: Exchange Clusters

- New Instant Poll: Hotfix Deployment

4. Resources

- Exchange 2003 and Outlook Web Access Issue

- Featured Thread: Improving Performance Over a Groupwise Connector

- Outlook Tip: Applying Rules to Sent Tasks

5. Event

- Receive a Free Identity Management White Paper!

6. New and Improved

- Recover Passwords

- Tell Us About a Hot Product and Get a T-Shirt!

7. Contact Us

- See this section for a list of ways to contact us.

~~~~ Sponsor: Esker Software ~~~~

One solution seamlessly integrates fax with Exchange and standardizes desktop fax across the enterprise. Esker Fax enables high-performance desktop fax for local and remote users throughout your organization, with clustered and load-balanced implementation support for maximum availability and scalability, least cost routing to cut fax transmission costs, advanced inbound routing technology to speed document delivery and protect sensitive content, centralized management of enterprise fax delivery traffic, and more. Bred in the world of high-volume fax, Esker Fax also automates high-volume production faxing from host-based enterprise applications - without requiring application programming changes. Get your FREE Esker Fax information kit:

http://www.esker.com/exchange103

==== 1. Commentary: OWA Security Patch ==== by Paul Robichaux, News Editor, [email protected]

On November 14, the NTBugTraq mailing list carried an announcement of a major security flaw in Outlook Web Access (OWA) 2003. However, the announcement contained little detail about the alleged flaw, reporting that “When you log in with your own credentials you may be logged into another user's mailbox at random and has \[sic\] full access to this user's mailbox.” Several news sites took this initial report and ran with it, announcing the existence of the flaw without describing it in detail, so many administrators were unclear about whether the problem was real and what caused it.

The vulnerability is real and occurs when you install Windows SharePoint Services (SPS) on an Exchange 2003 back-end server. SPS is a Windows Server 2003 component, so the vulnerability appears only on Windows 2003 servers. Let’s look at the problem in more detail to see how you can fix it--and whether the vulnerability is a serious one.

One of Exchange 2003’s key security changes is its support for end-to-end use of Kerberos authentication. Kerberos is the native authentication protocol for Windows 2003 and Windows 2000 Server and is designed to provide cryptographically secured strong authentication over untrusted networks. Kerberos is designed specifically to protect against attacks that can be mounted against other authentication methods, including man-in-the-middle attacks (in which an attacker sits between client and server, impersonating each to the other) and replay attacks (in which an attacker records credentials and “replays” them to gain access).

Installing SPS turns off Kerberos authentication for Microsoft IIS and enables Integrated Windows Authentication (IWA). This design is reasonable for a standalone SPS server because SPS users probably will use Web browsers to authenticate and because enabling Kerberos for use with IIS requires extra steps (as the Microsoft article “HOW TO: Configure Windows SharePoint Services to Use Kerberos Authentication” at http://support.microsoft.com/?id=832769 explains). However, the design introduces a new problem when you add Exchange to the mix.

As the Microsoft article "How to Disable HTTP Connection Reuse on a Microsoft Exchange Server 2003 Front-End Server" ( http://support.microsoft.com/?id=832749 ) explains, front-end servers can reuse connections to back-end servers. This ability improves the end-user experience by providing better performance but can lead to a situation in which two users, each connecting to the same front-end server, end up with sessions that use the same connection to the back-end server. That situation is fine when Kerberos authentication is in use but can lead to the problem that the NTBugTraq posting described when Kerberos is disabled.

Interestingly, the Exchange front-end code logs event ID 1000 from the ExProx service when it detects that Kerberos isn’t working properly. You might want to add that event to your monitoring regime to help you catch other circumstances in which Kerberos stops functioning (e.g., when an administrator explicitly disables it).

Is the vulnerability a huge threat? No. The flaw is worrisome in the sense that it arises from an unexpected (and, presumably, untested-for) interaction between two supported Microsoft products. However, Microsoft recommends that you keep running Exchange on dedicated servers on which you’ve disabled all services that aren’t necessary to Exchange, so sites that follow that recommendation have nothing to fear from this flaw. Moving forward, it’s probably safe to say that the executives who oversee the Windows and Exchange teams have vigorously reminded those teams of the importance of testing procedures--hopefully avoiding similar situations in the future.

~~~~ Sponsor: Neverfail ~~~~

Free white paper: Has your Exchange server ever failed? Has your business suffered a loss of communications at critical moments because your Exchange server was down? Neverfail for Exchange is a software solution that ensures true application availability. It's easy to install and use. To learn how Neverfail can help your business save IT dollars and resources access a free white paper or register for a free online seminar at:

http://us.neverfailgroup.com/default.asp?target=exadmineo

==== 2. Announcements ==== (from Windows & .NET Magazine and its partners)

2004 Dates Announced: Windows & .NET Magazine Connections

Windows & .NET Magazine Connections will be held April 4 to 7, 2004, in Las Vegas at the new Hyatt Lake Las Vegas Resort. Be sure to save these dates on your calendar. Early registrants will receive the greatest possible discount. For more information, call 203-268-3204 or 800-505-1201 or go online at

http://www.winconnections.com

Order Windows & .NET Magazine and the Article Archive CD at One Low Rate!

What's better than Windows & .NET Magazine? Try Windows & .NET Magazine and the Windows & .NET Magazine Article Archive CD at one super low rate. Read Windows & .NET Magazine in the office. Take the Article Archive CD with you on the road. Subscribe now!

http://www.winnetmag.com/rd.cfm?code=wcep203xcc

~~~~ Hot Release: eIQnetworks ~~~~

FREE webinar on "Understanding Exchange Server Environment in Planning and Prioritizing for Exchange 2000 / 2003 Migration" Learn the importance of knowing mail server resource utilization can help save significant licensing and storage costs, while reducing system administration costs.

http://www.eiqnetworks.com/eIQwebinars_list.shtml

==== 3. Instant Poll ====

Results of Previous Poll: Exchange Clusters

The voting has ended in the Windows & .NET Magazine Exchange & Outlook Web page's nonscientific Instant Poll for the question "What's your approach to Exchange Server clusters?" Here are the results from the 84 votes:

- 4% We run Exchange Server 5.5 clusters

- 20% We run Exchange 2000 Server clusters

- 7% We run Exchange Server 2003 clusters

- 17% We don't cluster Exchange but would like to do so

- 52% We don't cluster Exchange and see no reason to do so

New Instant Poll: Hotfix Deployment

The next Exchange Instant Poll question is "How do you handle hotfix deployment?" Go to the Exchange & Outlook Web page and submit your vote for a) We use Automatic Updates, b) We roll out fixes the day they come out, c) We roll out fixes within 1 week, d) We roll out fixes within 1 month, or e) We roll out fixes more than 1 month after they come out.

http://www.winnetmag.com/microsoftexchangeoutlook

==== 4. Resources ====

Exchange 2003 and Outlook Web Access Issue

Microsoft has offered an official description of the recently discovered Outlook Web Access (OWA) flaw, as well as information about how to fix it.

http://www.microsoft.com/exchange/support/e2k3owa.asp

Featured Thread: Improving Performance Over a Groupwise Connector

A forum reader is migrating from Groupwise 5.5 to Exchange 2000 Server and wants to improve performance for pulling free/busy calendar information through the Microsoft Connector for Novell Groupwise. To offer your advice or join the discussion, go to the following URL:

http://www.winnetmag.com/forums/rd.cfm?cid=40&tid=65754

Outlook Tip: Applying Rules to Sent Tasks by Sue Mosher, [email protected]

Q: I want to copy all the tasks and email messages that I've sent to a specific person to a separate folder. Can I apply rules to sent tasks?

A: When you create a rule to copy all items you've sent to a specific person, that rule operates on task and meeting requests, as well as email messages. However, because the rule copies the task request, not the original task, this approach might not be the solution you're looking for.

If you haven't already, consider using the Activities feature of Outlook Contacts. Outlook collects and displays related tasks, messages, and other items for each contact on the Activities tab. To set up new activity groups, open the Contacts folder's Properties dialog box and click the Activities tab. See the Windows & .NET Magazine Exchange & Outlook Web page for more great tips from Sue Mosher.

http://www.winnetmag.com/microsoftexchangeoutlook

==== 5. Event ==== (brought to you by Windows & .NET Magazine)

Receive a Free Identity Management White Paper!

Are your existing identity-management and access-control solutions fragmented, duplicated, and inefficient? Attend this free Web seminar and discover how to automate and simplify identity creation, administration, and access control. Leverage your investment in Microsoft technologies and benefit from greater security, improved productivity, and better manageability. Register now!

http://www.winnetmag.com/seminars/identity

==== 6. New and Improved ==== by Carolyn Mader, [email protected]

Recover Passwords

Passware released Passware Kit Enterprise 6.0, software that protects your company when employees lose passwords. The product gives you access to employees’ password-protected documents and files and works with all versions of Microsoft Office, including the Office 2003 versions of Microsoft Access, Excel, Outlook, and Word. A single Passware Kit Enterprise license costs $595. Contact Passware at [email protected].

http://www.lostpassword.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==== Sponsored Links ====

Sybari Software

Free! "Admins Shortcut Guide to Email Protection" from Sybari

http://ad.doubleclick.net/clk;6574227;8214395;q?http://www.sybari.com/ebook

Microsoft(R) Security Readiness Kit

Get your free kit for creating an enhanced risk-management plan.

http://ad.doubleclick.net/clk;6600432;8214395;e?http://ad.doubleclick.net/clk;6576037;8608804;t?http://www.microsoftsecuritysolutions.com/Default.asp?id=ros

==== 7. Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.winnetmag.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring UPDATE -- [email protected]