AN EMERGING ISSUE WITH:
MICROSOFT EXCHANGE 2000 REMOTE REGISTRY ACCESS

SEVERITY:
Medium

DATE:
February 7, 2002

EXPOSURE:

In Windows, the registry is a vital repository of configuration
settings for the Windows Operating System and its applications. This
one location stores settings for the operating system, various
applications, and individual users. For example, registry settings are
what tell a Windows machine which applications should start
automatically when a given user logs in. Each setting in the registry
is called a registry key.


Microsoft Exchange 2000 includes a service called Microsoft Exchange
System Attendant, which performs a variety of maintenance-related
functions. For instance, this service can change a WinReg registry key
so that an administrator who is not on the premises with the Exchange
server can access it from another location, and make changes remotely.


Unfortunately, the System Attendant is too permissive with its change
and allows the "Everyone" group remote access to the registry. The
"Everyone" group allows any user access, without requiring
authentication such as a user ID or password. This could allow hackers
to view your registry settings, providing a huge assist in the
information-gathering stage of an attack by revealing information such
as the exact version of your operating system, what applications are
on your server, user names, and more. According to Microsoft's
advisory, if the software on your server has installed some registry
keys with inappropriate permissions, the hacker might also be able to
modify those keys.



SOLUTION PATH:


Download and install the Microsoft Exchange Server 2000 patch <http:
//www.microsoft.com/downloads/release.asp?ReleaseID=35462> as soon as
is practical.