With the recent activity in mass mailer e-mail worms, we wanted to advise
you of some Exchange security best practices that you can use to improve
your security and availability.
Specifically, we wanted to let you know of some best practices around:
- Configuring attachment blocking using Microsoft Outlook
- Excluding certain directories from file-level virus scanners
- Preparing for an Exchange disaster recovery
- Closing an open relay
Configuring Attachment Blocking Using Microsoft Outlook
Most mass mailer e-mail worms can be stopped effectively by using the
Attachment Blocking capabilities in Microsoft Outlook. By default,
Attachment Blocking in Microsoft Outlook blocks the executable attachment
types that most mass mailer e-mail worms use to propagate. Even those mass
mailer e-mail worms that use attached .zip files can be blocked by adding
.zip to the list of blocked attachment types.
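The following is an added example, not code from the advisory or from Microsoft, that shows the same policy idea in a form you can run against a saved message: attachments are judged by their final file name extension against a blocked list, and adding .zip to that list is what catches archive-borne worms. The BLOCKED_EXTENSIONS set is an assumed, representative subset of the executable types Outlook blocks by default, with .zip added as the advisory suggests; the sample message is constructed inline.

```python
"""Attachment-extension policy check in the spirit of Outlook attachment
blocking. Added example, not code from the advisory or from Microsoft."""
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed representative list of executable/script types. .zip is not blocked
# by default and is included here because the advisory recommends adding it.
BLOCKED_EXTENSIONS = frozenset({
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".lnk",
    ".zip",
})


def blocked_attachments(raw_message: bytes, blocked=BLOCKED_EXTENSIONS) -> list:
    """Return the file names of attachments whose final extension is blocked.

    The check is case-insensitive and uses only the last extension, so a
    double extension such as 'Invoice.PDF.exe' is still caught. Trailing dots
    and spaces are stripped first because Windows drops them when the file is
    saved, so 'setup.exe.' would land on disk as 'setup.exe'.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name.rstrip(". "))[1].lower()
        if ext in blocked:
            hits.append(name)
    return hits


def build_sample_message() -> bytes:
    """Constructed sample message: a harmless text file, an executable hiding
    behind a double extension, and a .zip archive."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("quarterly notes", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    print("default policy:", blocked_attachments(raw))
    print("without .zip:  ", blocked_attachments(raw, BLOCKED_EXTENSIONS - {".zip"}))
```

Run with the .zip entry removed from the blocked set, the archive passes and only the disguised executable is flagged, which is exactly the gap the advisory's recommendation closes.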
Outlook 2003, Outlook XP and Outlook 2000 SP2
By default, Microsoft Office Outlook 2003, Outlook 2002 in Microsoft Office
XP, and Outlook 2000 SP2 provide an attachment security feature. This
security feature is designed to increase the security protection for
certain types of e-mail attachments. This feature provides explicit warning
language when attachments are opened, and you have to save the attachment
to the file system before opening it. This can help you avoid accidentally
releasing viruses that hide in certain file types.
While Microsoft does not recommend reducing e-mail client security levels,
there may be instances when an organization wants to customize or remove
the additional protections provided by Microsoft Outlook.
Best practice: You can modify default security settings for the Outlook
2003 client by using the Outlook Security template, which you install as a
form in Outlook. To install this form, read the following Knowledge Base
article:
- How to configure Outlook to block additional attachment file name
extensions - http://support.microsoft.com/?id=837388
- Administrator Information About E-Mail Security Features -
http://support.microsoft.com/?id=290499
For additional information, see:
- You Cannot Open Attachments - http://support.microsoft.com/?id=290497
- Customizing Security Settings by Using the Outlook Security Template -
http://www.microsoft.com/office/ork/2003/three/ch12/OutG03.htm
Outlook 2000 SP1, Outlook 2000, Outlook 98 and Outlook 97
Microsoft Outlook® 2000 Service Pack 1 (SP1), Outlook 2000 without service
packs, Outlook 98, and Outlook 97 do not have mechanisms to block
attachments. If you are using one of these versions, virus and worm
protection must be provided on the server running Exchange.
Best practice: Upgrade to Outlook 2000 Service Pack 2 (SP2) to protect the
client or install the appropriate e-mail security update:
- Office 2000 Update: Service Pack 3 (SP3) (Includes Outlook 2000 SR1
E-mail Security Update) -
http://www.microsoft.com/downloads/details.aspx?FamilyID=5C011C70-47D0-4306-9FA4-8E92D36332FE&displaylang=EN
- Outlook 98 E-mail Security Update -
http://www.microsoft.com/downloads/details.aspx?FamilyID=48B0BC6A-B123-4F48-B27D-119078B4819F&displaylang=en
- Outlook 97 E-mail Security Update -
http://www.microsoft.com/downloads/details.aspx?FamilyID=8dee9e59-23dc-46fc-8fc1-7b680b7e9d13&DisplayLang=en
Exclude Certain Directories from File-level Virus Scanners
File-level scanners scan a file when it is used or at a scheduled interval
and can lock or quarantine an Exchange log or database file while Exchange
tries to use the file. This can cause a severe failure in Exchange Server
2003 and earlier versions and can also generate -1018 errors.
Best practice: Make sure that you exclude the following directories on all
the drives.
In Exchange 2003, exclude:
- Exchsrvr\MDBData
- SRS
In Exchange 2000 Server, exclude:
- Exchsrvr\MDBData
- SRS
Important: Do not scan the M: drive. File-level scanning of your M: drive
can cause calendar items to disappear from users' folders.
In Exchange Server 5.5, exclude:
- Exchsrvr\MDBData
- DSAData
For more information, see the following articles in the Microsoft Knowledge
Base:
- XADM: Exchange and Antivirus Software - http://support.microsoft.com/?id=328841
- XADM: Large Number of Transaction Logs Created -
http://support.microsoft.com/?id=298551
- XADM: A "C1041737" Error and an Event ID 470 Message May Be Displayed -
http://support.microsoft.com/?id=300608
- XADM: Do Not Back Up or Scan Exchange 2000 Drive M -
http://support.microsoft.com/?id=298924
Preparing for an Exchange Disaster Recovery
When preparing for a Disaster Recovery situation, thinking through a few
key questions will help guide you to the necessary steps. Do you need to
recover data from a backup (private or public store) and have questions
about how to set up the recovery environment or the restore itself? What do
you need to set up for Active Directory® directory service and DNS? Do you
need to have the same organization, administrative group, server, and store
names as the production environment?
Best practice: Test your backup files monthly and become familiar with the
processes themselves. Should it ever become necessary to restore data to
your production environment, your familiarity with the procedure will
lessen the downtime of your servers.
For answers to your questions, see the following articles in the Knowledge
Base:
- How to Back Up and Restore an Exchange 2000 Computer -
http://support.microsoft.com/?id=258243
- Running a Disaster Recovery Setup - http://support.microsoft.com/?id=257415
- Disaster Recovery Includes Metabase Backup and Restore -
http://support.microsoft.com/?id=241635
- Disaster Recovery of Information Store on Exchange Server -
http://support.microsoft.com/?id=313184
Also, download the following white papers from the Microsoft Download
Center:
- White Paper for Exchange 2003 Disaster Recovery -
http://www.microsoft.com/downloads/details.aspx?FamilyID=df144af6-bee5-4b35-866a-557e25fe2ba1&displaylang=en
- White Paper for Exchange 2000 Disaster Recovery -
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=6E55DD49-8A6C-4F30-947E-BDE95917F585
- White Paper for Exchange 5.5 Disaster Recovery -
http://www.microsoft.com/downloads/details.aspx?FamilyID=df586628-3abe-40c3-8e8f-beb4122de3d7&displaylang=en
Closing an Open Relay
The top causes for open relays with Exchange include:
- The SMTP service is live on the Internet and not enforcing
authentication to relay.
- The SMTP server has accounts locally or is part of a domain that has
poor passwords or no password at all.
Best practice: The following list of known account names has the potential
of being compromised; each account should either be disabled or be given a
strong password.
In past cases, these account names have appeared in Event Viewer logon
records after diagnostic logging was turned up. Remember, a password should
never match the logon name.
- Webmaster
- Admin
- Root
- Test
- Master
- Web
- www
- administrator
- backup
- server
- data
- abc
- guest
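The advisory notes that these account names turned up in Event Viewer once diagnostic logging was raised. The following is an added example, not code from the advisory or from Microsoft, of the defender-side check that observation suggests: read logon-audit records, keep only failure audits against the account names listed above, and report which sources are hammering them. The record layout (tab-separated date and time, audit type, event ID, account name, source) is an assumption for this example, modelled loosely on an Event Viewer export; the sample lines are constructed. Event ID 529 is the Windows 2000/2003 "logon failure: unknown user name or bad password" event and 528 is a successful logon, but the audit type column, not the ID, is what decides failure here.

```python
"""Failed-logon review against commonly abused account names.
Added example, not from the advisory; record format and sample lines are
constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Account names from the advisory's list, compared case-insensitively.
WATCH_LIST = frozenset({
    "webmaster", "admin", "root", "test", "master", "web", "www",
    "administrator", "backup", "server", "data", "abc", "guest",
})

# Constructed sample records (assumed layout):
# date time <TAB> audit type <TAB> event id <TAB> account <TAB> source
SAMPLE_LOG = """\
2004-03-01 02:14:07\tFailure Audit\t529\tadministrator\t203.0.113.7
2004-03-01 02:14:09\tFailure Audit\t529\tadministrator\t203.0.113.7
2004-03-01 02:14:11\tFailure Audit\t529\tadministrator\t203.0.113.7
2004-03-01 02:14:12\tFailure Audit\t529\twebmaster\t203.0.113.7
2004-03-01 02:15:30\tFailure Audit\t529\ttest\t198.51.100.22
2004-03-01 02:16:02\tSuccess Audit\t528\tjsmith\tWKS-041
2004-03-01 02:16:45\tFailure Audit\t529\tjsmith\tWKS-041
2004-03-01 02:17:00\tFailure Audit\t529\tWWW\t203.0.113.7
"""


@dataclass(frozen=True)
class LogonEvent:
    timestamp: str
    audit_type: str
    event_id: int
    account: str   # normalised to lower case
    source: str    # workstation name or address as logged


def parse_events(text: str) -> list:
    """Parse tab-separated records; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue
        ts, audit_type, event_id, account, source = (f.strip() for f in fields)
        events.append(LogonEvent(ts, audit_type, int(event_id),
                                 account.lower(), source))
    return events


def failed_watchlist_logons(events) -> dict:
    """Map each watch-list account with failed logons to a Counter of sources."""
    hits = defaultdict(Counter)
    for ev in events:
        if ev.audit_type == "Failure Audit" and ev.account in WATCH_LIST:
            hits[ev.account][ev.source] += 1
    return dict(hits)


def sources_over_threshold(events, threshold: int = 3) -> list:
    """Sources whose failed logons against watch-list accounts reach threshold.

    A single source trying several of the listed names is the pattern that
    matters, so failures are totalled per source across all accounts.
    """
    per_source = Counter()
    for ev in events:
        if ev.audit_type == "Failure Audit" and ev.account in WATCH_LIST:
            per_source[ev.source] += 1
    return sorted(src for src, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for account, sources in failed_watchlist_logons(evs).items():
        print(f"{account}: {dict(sources)}")
    print("sources over threshold:", sources_over_threshold(evs))
```

Accounts that appear in this report and are not needed should be disabled outright; the rest get a strong password that does not match the logon name, as the best practice above states, and the source addresses feed the relay restrictions covered by the articles that follow.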
These articles should help you configure Microsoft Exchange Server so that
it does not become an open relay, and show you which clues to look for in
the future to ensure that it does not relay.
- HOW TO: Prevent Exchange 2000 from Being Used as a Mail Relay in Windows
2000 - http://support.microsoft.com/?id=310380
- HOW TO: Block open SMTP Relaying and clean up Exchange Server (article
can be used with Exchange 2000 and Small Business Server) -
http://support.microsoft.com/?id=324958
- Cannot send E-Mail Messages to a growing list of domains -
http://support.microsoft.com/?id=300580
- HOW TO: Examine relay restrictions for anonymous SMTP connections and
filter unsolicited E-mail messages in Exchange 2000 Server -
http://support.microsoft.com/?id=313395
If you have any questions regarding this alert, you should contact Product
Support Services in the United States at 1-866-PCSafety (1-866-727-2338).
International customers should contact their local subsidiary.