When Exchange 2000 was released one of the goals was to allow third-party developers to write custom applications that they could use to automate mailing, CDO for Exchange was build into Exchange 2000, and CDOSYS was distributed with Windows. These were fairly simple to implement and to make them even easier they were built to be able to discover where the SMTP server was that would ultimately send the message. This discoverability was based on “Everyone” having read access to the IIS metabase. When SendUsingPickup was used CDO for Exchange or CDOSYS would find out where the SMTP Pickup directory was by reading the IIS metabase.
In Exchange 2000 SP3 “Everyone” was removed from having read access to the IIS metabase. While we saw this as important to making Windows and Exchange servers more secure, we also realized that this has the potential of affecting thousands of customers. So a hunt was on to find the best way to help customers who would be affected by this change.
One thing that there is no lack of here at Microsoft is an opinion on what is the best way to help our customers. In this case we knew of several ways to resolve this problem, and after a few hallway meetings we determined that we should present the problem as well as both administrative and programming ways to work around it.
What followed is one example of the Product Group, Product Support Services and Exchange Partners working together to mitigate the storm we saw building on the horizon. In collaboration the Exchange Team and PSS wrote instructions detailing the problem and outlined the workarounds. We shared this with the Exchange Development Partners and took their feedback to improve the instructions. More discussions ultimately led to the creation of a script that we provided to make it easier for customers to grant the proper rights to accounts that needed access to the metabase. Finally we published a KB article, which went through a further revision after it was released to the public.
The final result is this KB article, http://support.microsoft.com/default.aspx?scid=kb;EN-US;816789 which I am happy to say resulted in easing the problem, making it easier for our customers to implement the new security rules, and decreased support costs for both Microsoft and our customers. This is just one example of what can happen when a problem is recognized, and teams work together to solve it before the problem becomes widespread.
- Ed Beck