Exchange & Outlook UPDATE, Exchange Edition, April 8, 2004

This Issue Sponsored By

C2C: Shrink Exchange User Mailboxes by Up to 90%

Windows Scripting Solutions


1. Commentary
- The Security Bug That Wasn't

2. Instant Poll

3. Resources
- Featured Thread: SSL Certificate Error
- Outlook Tip: Segregating Messages from Strangers

4. New and Improved
- Use a Familiar Interface to Book Resources
- Tell Us About a Hot Product and Get a T-Shirt!


~~~~ Sponsor: C2C: Shrink Exchange User Mailboxes by Up to 90% ~~~~
Shrink Exchange User Mailboxes by Up to 90% with Mailbox Size Management, integrated with Exchange and Outlook from C2C. Invisibly auto-zip and archive. Over 3,000,000 users world-wide.
* Reduce storage and bandwidth use.
* Cut back-up and restore times.
* High ROI, low TCO, zero user training.
Read the White Paper and request a free 30 day trial.


==== 1. Commentary: The Security Bug That Wasn't ==== by Paul Robichaux, News Editor, [email protected]

As most regular readers know, I spend a lot of time working on various projects oriented around Exchange security, including a new book ("Secure Messaging with Microsoft Exchange Server 2003"--Microsoft Press, 2004), a security-related blog, and a variety of teaching engagements. So, I'm always interested in security problems, especially when those problems have anything to do with Exchange. Thus it was with great interest that I discovered a post on the NTBugtraq mailing list, reporting just such a problem.

The poster claimed that, because of what appeared to be a bug, regular users with no special permissions were able to use Outlook to magically change distribution groups into security groups, and that this capability represents a security problem. This claim is partially true: Users can cause the described change to occur, but it isn't necessarily a security problem. In fact, this conversion ability is present by design, and you'll probably need to use it if you're upgrading from Exchange Server 5.5 to Exchange Server 2003 or Exchange 2000 Server.

First, a little background: Exchange 5.5 maintains its own directory, so Exchange 5.5 mailboxes, public folders, distribution lists (DLs), and custom recipients are maintained separately from Windows NT 4.0 user accounts. This division means that you can't use NT groups to assign permissions to Exchange 5.5 objects. Instead, you use Exchange DLs to grant permissions. You can assign a DL as the owner of a public folder, and you can grant public folder roles and permissions to DLs. So far so good.

Then came Exchange 2000, with its high (and welcome) degree of Active Directory (AD) integration. With AD came new group objects and types, including security groups (which have SIDs and thus can be used to grant permissions) and distribution groups (which aren't security-enabled and so behave like Exchange 5.5 DLs). Because only a security group can appear in an ACL, you can't use a distribution group to assign permissions in Exchange 2003 or Exchange 2000, and all those Exchange 5.5 public folders that have DL owners and permissions will break if used with a later Exchange version.

Microsoft had to make a choice: Find some automated way to fix the problem, or make administrators manually update permissions on their public folder objects. The choice turned out to be easy. Microsoft provided a conversion mechanism: If a public folder's ACL contains an Exchange 5.5 DL, and that public folder is accessed from Exchange 2003 or Exchange 2000, the Exchange Information Store (IS) converts the DL to an AD security group.

The NTBugtraq report was concerned with another aspect of this mechanism. If you add an existing AD distribution group to a public folder's ACL, the IS also converts that distribution group to a security group. This behavior might be unexpected--although considering the distinction between distribution groups and security groups, you might argue that it's predictable--but it's logical given the constraints I described above. If you try to use a non-security object to grant permissions, it's reasonable for Exchange to convert that object into one that can act as a security principal.

Furthermore, Chapter 10 of the "Microsoft Exchange 2000 Server Resource Kit" thoroughly describes this behavior and gives you a solution if you want to change it. Look for the msExchDisableUDGConversion AD attribute, which is attached to the Exchange organization object in AD. You can use ADSI Edit or a script to set this attribute to one of the following values:

- 0 (the default) allows the distribution group-to-security group conversion to take place whenever requested.

- 1 allows distribution group-to-security group conversion only when requested by the IS. If a user adds a distribution group to a public folder's permissions list from Outlook, the conversion is refused and the user can't save the updated permissions.

- 2 turns off distribution group-to-security group conversion. Microsoft recommends against using this setting, however, because it breaks some types of Exchange 5.5 public folder access.
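As an added example (not from the article, the resource kit, or Microsoft), here is a PowerShell script that reads the current msExchDisableUDGConversion value from the Exchange organization object and optionally changes it, through the same ADSI interface that ADSI Edit or a VBScript would use. It assumes, because the page doesn't say, that you run it on a domain-joined machine as an account allowed to write the organization object, that the organization object is the only msExchOrganizationContainer child of CN=Microsoft Exchange,CN=Services in the configuration naming context, and that an attribute that has never been set behaves as the default of 0.

```powershell
# Added example, not the article's or Microsoft's code. The object path and
# class name below are assumptions, not quoted from the page.
param(
    # Omit -Value to report the current setting only.
    [ValidateSet(0, 1, 2)]
    [int]$Value = -1
)

$attr = 'msExchDisableUDGConversion'
$meaning = @{
    0 = 'conversion allowed whenever requested (default)'
    1 = 'conversion allowed only when requested by the Information Store'
    2 = 'conversion disabled (Microsoft recommends against this)'
}

# Find the configuration naming context and the Exchange organization object
# under CN=Microsoft Exchange,CN=Services (assumed location).
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.psbase.Properties['configurationNamingContext'].Value
$services = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"
$orgs = @($services.psbase.Children |
          Where-Object { $_.psbase.SchemaClassName -eq 'msExchOrganizationContainer' })
if ($orgs.Count -ne 1) {
    throw "Expected exactly one Exchange organization under $($services.psbase.Path); found $($orgs.Count)."
}
$org = $orgs[0]

# An attribute that has never been set behaves as 0 (assumption).
$current = $org.psbase.Properties[$attr].Value
if ($null -eq $current) { $current = 0 }
$current = [int]$current
Write-Host ("{0}: {1} = {2} ({3})" -f $org.psbase.Name, $attr, $current, $meaning[$current])

if ($Value -lt 0) { return }              # report-only mode
if ($Value -eq $current) {
    Write-Host 'Already at the requested value; nothing changed.'
    return
}
if ($Value -eq 2) {
    Write-Warning 'Value 2 also blocks conversions requested by the store; Exchange 5.5 public folders that grant permissions to DLs may stop working.'
}

$org.psbase.Properties[$attr].Value = $Value
$org.psbase.CommitChanges()

# Read the value back from the directory rather than trusting the local cache.
$org.psbase.RefreshCache()
$after = [int]$org.psbase.Properties[$attr].Value
Write-Host ("Updated: {0} = {1} ({2})" -f $attr, $after, $meaning[$after])
```

Run it with no arguments to see the current setting, or with -Value 1 to allow conversions only when the Information Store requests them. The script refuses to do anything if it finds more or fewer than one organization object, and warns before setting 2, for the reason given above.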

Several other NTBugtraq readers quickly responded to the original report and explained how the mechanism works and why it shouldn't be considered a security flaw. One moral of this episode is that you need to carefully evaluate reports of security vulnerabilities to determine whether they're credible and how the involved behaviors apply to your environment. In this case, that means asking who can change the membership of your distribution groups, because after conversion those same people control a group that can be used to grant permissions.

A great way to keep on top of security issues is to subscribe to the Windows & .NET Magazine Security UPDATE email newsletter or the Security Administrator print newsletter. Next week, I'll let you know another way, when I discuss Exchange and the Really Simple Syndication (RSS) standard.


~~~~ Sponsor: Windows Scripting Solutions ~~~~
Try a Sample Issue of Windows Scripting Solutions
Windows Scripting Solutions is the monthly newsletter from Windows & .NET Magazine that shows you how to automate time-consuming, administrative tasks by using our simple downloadable code and scripting techniques. Sign up for a sample issue right now, and find out how you can save both time and money. Click here!


==== Announcements ==== (from Windows & .NET Magazine and its partners)

The Windows & .NET Magazine Network VIP Web Site/Super CD Has It All!
With a VIP Web Site/Super CD subscription, you'll get online access to all of our publications, a print subscription to Windows & .NET Magazine, and a subscription to our VIP Web site, a banner-free resource loaded with articles you can't find anywhere else. Click here to find out how you can get it all:

Register Today for Microsoft Tech Ed 2004
Don't miss Tech Ed 2004 -- May 23-28, 2004 in San Diego, CA -- the definitive Microsoft conference for building, deploying, securing and managing connected solutions. You'll find 11 conference tracks and over 400 sessions. Get answers to your technical questions, meet industry experts, evaluate new products, and take advantage of extensive networking opportunities. Register today.

Enter to Win a $100 American Express Gift Card at the Secure Messaging Center
Stop wasting your valuable resources! Find out everything you need to know to secure your messaging environment including information about antigen antivirus solutions, antispam, and content filtering. Get access to FAQs, free seminars, and the latest articles. Take the Sybari survey for a chance to win a $100 gift card!


~~~~ Hot Release: Aelita Software ~~~~
In this white paper, noted Microsoft Exchange expert Kieran McCorry, from HP's Exchange consulting group, outlines the options for migrating to Exchange Server 2003. The paper discusses inter-org migrations, intra-org migrations and how to benefit from consolidation during deployment. Request this free white paper today.


==== 2. Instant Poll ====

Results of Previous Poll: Remote Access to Exchange

The voting has ended in the Windows & .NET Magazine Exchange & Outlook Web page's nonscientific Instant Poll for the question "How do you provide remote access to Exchange Server?" Here are the results from the 484 votes:

- 13% IP Security (IPSec) VPN
- 8% Secure Sockets Layer (SSL) VPN
- 43% Outlook Web Access (OWA) only
- 30% Both IPSec and OWA
- 7% We don't provide remote access to email

New Instant Poll: Using RBLs

The next Exchange Instant Poll question is "Do you implement a Realtime Block List (RBL)?" Go to the Exchange & Outlook Web page and submit your vote for a) We don't use RBLs, b) We subscribe to a MAPS list, c) We subscribe to a DSBL list, d) We subscribe to a DNSRBL list, or e) We use RBLs from multiple providers.

==== 3. Resources ====

Featured Thread: SSL Certificate Error
A forum reader is getting an error when trying to use Exchange System Manager (ESM) to view a public folder's properties. The reader runs Exchange Server 2003 on Windows Server 2003 and has installed a Secure Sockets Layer (SSL) certificate for use with OWA (with forms-based authentication) only. To offer your advice or join the discussion, go to the following URL:

Outlook Tip: Segregating Messages from Strangers by Sue Mosher, [email protected]

Q: I want to move all the messages I receive from people who aren't in my Contacts folder to a folder called Junk. Will Outlook let me do that?

A: With Outlook 2002, you can construct a Rules Wizard rule to move messages from unknown senders to a Junk folder. Start by creating a blank rule that tells Outlook to check messages when they arrive. Set no conditions for the rule, and choose Yes when Outlook asks, "This rule will be applied to every message you receive. Is this correct?" Next, set up an action to move the messages to your Junk folder, and add the "stop processing more rules" action. Finally, use "except if sender is in specified Address Book" to create an exception. Click "specified" and select the contacts list that you want to check.
See the Windows & .NET Magazine Exchange & Outlook Web page for more great tips.

==== Events Central ==== (A complete Web and live events directory brought to you by Windows & .NET Magazine)

New Web Seminar--The Spam Problem Solved: Hensel Phelps Construction Company Case Study
Find out how Hensel Phelps Construction, a multibillion-dollar national contractor, has implemented a multilayered antispam solution to increase user productivity and decrease the burden on IT staff resources, infrastructure, and budget. Sign up now for this free Web seminar!

==== 4. New and Improved ==== by Carolyn Mader, [email protected]

Use a Familiar Interface to Book Resources
Meeting Maker released Resource Scheduler for Microsoft Outlook/Exchange (RSOE), a Web-based tool for resource-scheduling needs. The RSOE module works with Resource Scheduler 7.0, software that helps solve problems associated with managing and scheduling business resources. RSOE integrates with Microsoft's calendaring software to let users employ the familiar Outlook interface to book people and resources. Resource Scheduler 7.0 starts at $90 per resource or $40 per user. RSOE is priced according to organization size. Contact Meeting Maker at 781-530-2600.

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

==== Sponsored Links ====

Comparison Paper: The Argent Guardian Easily Beats Out MOM

Microsoft(R) TechNet
Microsoft(R) TechNet Webcasts: essential guidance, industry experts

Find out how Enterprise Rent-A-Car eliminates spam: Free Seminar


==== Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]


==== Contact Our Sponsors ====

Primary Sponsor:
C2C -- 1-413-739-8575

Hot Release:
Aelita Software -- 1-800-263-0036


This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

View the Windows & .NET Magazine Privacy policy at:
Windows & .NET Magazine, a division of Penton Media Inc.
221 East 29th Street, Loveland, CO 80538,
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All Rights Reserved.
