Not so secure critical security patch - Must Read!
ekoeller
Posted:
Thursday, November 01, 2007 6:22:11 PM
Rank: Newbie
Joined: 11/1/2007
Posts: 1
Points: 3
Where do you live?: St. Louis, MO
KB931832
Exchange accounts used to bounce and NDR email sent to an exchange account attached to a disabled AD account. This patch causes exchange accounts to receive email even though their AD account is disabled.
This causes the following problems for our company (15,000 users):
1. Major security concern!! Before a person leaves the company, they can set up a rule to forward email to an external address (say their personal yahoo.com address). When that person leaves the company and their AD account is disabled, the system will continue to forward their email to the external address. This is in violation of many compliance standards, including but definitely not limited to SOX. Think about someone who receives knowledge about the company's financials.
2. Lost productivity. In larger corporations (or any for that matter) it is imperative the sender of an email knows that the recipient cannot receive the message. After this patch, an email sent to a disabled user account of an employee who is no longer with the company will NOT NDR and the sender will think the message was received. Use your imagination for possible problems related to this scenario. It comes down to lost productivity until the sender finally figures out that the recipient is no longer with the company.
In my opinion, the sole purpose of NDR messages is to let the sender know their email message was not able to be read by the recipient. Since no one can log into a disabled account and review the email messages, the message was essentially "not received" because it cannot be read by the recipient. Therefore, an NDR needs to be returned to the sender.
The workaround? None found yet that covers all issues.
We currently automatically disable domain accounts based upon the employee's status in our HR system. We do not have the resources for a manual workaround.
Recommended manual workarounds that don't work:
1. Hide the mailbox from the GAL - doesn't help if the people who often send email to this person have the recipient's name in their local Outlook cache and don't select it out of the GAL.
2. Remove all secondary SMTP addresses and rename the primary to disabled"old smtpaddress".com - doesn't help with the rule forwarding security issue.
3. Set the mailbox to be over quota (quota=0) - this will send an NDR to the sender, but they will receive a "mailbox over limit" NDR message that doesn't let them know the recipient is no longer with the company and the account is disabled.
Microsoft's response?
Our tech support rep asked us to use one of our support incidents. The rep said he had a conversation with a member of the Microsoft exchange team who did not think there was a good chance our business case would be accepted. We're going to try.
It doesn't give me a warm and fuzzy to know we found a security problem with one of Microsoft's patches and they want us to pay them for reporting it to them.
I'm hoping to get the word out and hopefully other companies can put pressure on Microsoft to fix this problem. It's also a heads up because we did not find out about this until our Internal Auditors approached us with an audit finding. They had a summer intern who put a rule in place to forward all email to her school email account. She continued to receive email after her internship was over and her account was disabled.
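As an added example, not part of the original post, this is the audit a defender would run for the condition described above: list every mailbox whose AD account is disabled and that still forwards mail, either through mailbox-level forwarding or through a user-created inbox rule, and flag external targets. It assumes the Exchange Management Shell on Exchange 2010 or later (Get-InboxRule does not exist on Exchange 2007, the version in the post), the ActiveDirectory module, and the placeholder internal domains shown.

```powershell
# Added example: find mailboxes of disabled AD accounts that still forward mail.
# Assumes Exchange Management Shell (Exchange 2010+) and the ActiveDirectory module.
Import-Module ActiveDirectory

# Addresses outside these domains count as external (constructed placeholder domains).
$internalDomains = @('example.com', 'corp.example.com')

function Test-ExternalAddress {
    param([string]$Address)
    if (-not $Address) { return $false }
    # Rule recipients look like "Display Name [SMTP:user@domain]"; mailbox-level
    # ForwardingSmtpAddress looks like "smtp:user@domain". Pull out the bare address.
    if ($Address -match '([^\s\[<:]+@[^\s\]>]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

$findings = @()
# Every disabled AD account that still owns a mailbox.
$disabled = Get-ADUser -Filter { Enabled -eq $false }
foreach ($user in $disabled) {
    $mbx = Get-Mailbox -Identity $user.SamAccountName -ErrorAction SilentlyContinue
    if (-not $mbx) { continue }

    # 1. Mailbox-level forwarding. ForwardingAddress points at an AD recipient, which
    #    may be a mail contact with an external address, so review those by hand.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            User = $user.SamAccountName; Source = 'MailboxForwarding'
            Target = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            External = Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)"
        }
    }

    # 2. User-created inbox rules that forward or redirect (the case in the post above).
    $rules = Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in ($targets | Where-Object { $_ })) {
            $findings += [pscustomobject]@{
                User = $user.SamAccountName; Source = "InboxRule:$($rule.Name)"
                Target = "$t"; External = Test-ExternalAddress "$t"
            }
        }
    }
}

# External targets on disabled accounts are the audit finding; review and remove them.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
```

Run it from a scheduled task alongside the HR-driven disable job, since disabling the AD account alone does not stop the forwarding the post describes.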