Exchange 2000 Server SP3 and CDOEX/CDOSYS applications

Post by Ed Beck [MS] » Wed, 24 Jul 2002 01:50:42

My apologies if this information has already been posted.

A security modification in Microsoft® Exchange Server 2000 Service Pack 3
(SP3) removes broadly available read access to the Microsoft Internet
Information Services (IIS) metabase. As a result, a Collaboration Data
Objects for Exchange (CDOEX) or Collaboration Data Objects for Windows®
(CDOSYS) application that sends mail using Simple Mail Transport Protocol
(SMTP) could fail. Although this change may cause a disruption to some
customers, the end result is a more secure system.

Exchange and Microsoft are deeply committed to improving the security of our
products for customers. Although this access path doesn't represent a
widespread problem, it has been determined to constitute a serious enough
security vulnerability to warrant immediate closure in SP3. This paper
outlines four small and secure workarounds (each dependent on the customer's
application) and includes guidelines for secure development of similar
future applications.

The attached document describes the symptom and describes how to work with
CDOEX after Exchange 2000 SP3 has been applied. Sample code is written in
the context of an ASP page.

This information also exists in a KB article
(http://support.microsoft.com/?scid=kb;EN-US;q324037) which is referenced in
the SP3 Release Notes.  When SP3 was released the KB was active, but as of
this writing, the KB is not publicly available.  We are investigating why
this article is not publicly available, and are working to return it to the
public KB database as soon as possible. In the meantime, the attached
document is identical to the KB article.

For those who are using an application which removes attachments, I have
included the full text of the document after my signature.

Ed Beck
Beta Lead Engineer
Microsoft Beta Technology Support

--
This posting is provided "AS IS" with no warranties, and confers no rights.

Microsoft Exchange 2000 Server Service Pack 3 Security Modification and
CDOEX/CDOSYS

Summary
A security modification in Microsoft® Exchange Server 2000 Service Pack 3
(SP3) removes broadly available read access to the Microsoft Internet
Information Services (IIS) metabase. As a result, a Collaboration Data
Objects for Exchange (CDOEX) or Collaboration Data Objects for Windows®
(CDOSYS) application that sends mail using Simple Mail Transport Protocol
(SMTP) could fail. Although this change may cause a disruption to some
customers, the end result is a more secure system.

Exchange and Microsoft are deeply committed to improving the security of our
products for customers. Although this access path doesn't represent a
widespread problem, it has been determined to constitute a serious enough
security vulnerability to warrant immediate closure in SP3. This paper
outlines four small and secure workarounds (each dependent on the customer's
application) and includes guidelines for secure development of similar
future applications.

This paper describes the symptom and describes how to work with CDOEX after
Exchange 2000 SP3 has been applied. Sample code is written in the context of
an ASP page.

More Information
CDO supports three methods for sending e-mail messages:

1.  Local SMTP service via the pickup directory (cdoSendUsingPickup); this
is the default method
2.  Remote SMTP service via port (cdoSendUsingPort)
3.  Local Exchange server via OLEDB (cdoSendUsingExchange)

When a calling program requests CDOEX to send a message via the SMTP pickup
directory, the following steps occur:

1.  CDOEX changes to the security context of the process it is running in
(by calling RevertToSelf()).
2.  CDOEX searches the IIS metabase to determine the pickup directory path
for the first active SMTP service instance.
3.  CDOEX changes back to the security context that was in effect before
Step 1 (by calling ImpersonateLoggedOnUser()).
4.  CDOEX creates a file in the pickup directory and saves the message
there.
5.  Some time later, the local SMTP service polls the pickup directory for
new files. It reads the file created by CDOEX and routes it to the
recipients.

CDOEX is a Component Object Model (COM) library that runs in the security
context of its caller. Therefore, the calling process must have sufficient
privilege to execute Steps 2 and 4: searching the IIS metabase, and writing
a file into the pickup directory. If CDOEX is run on a server, the security
context of the caller may be anonymous, or that of a user with no privileges
on the local computer.

In both cases, the following error will be returned by CDO:

CDO.Message.1 (0x80040220)
The "SendUsing" configuration value is invalid.

To correct the situation, either a configuration or a code modification is
needed. Configuration modifications can be rolled out quickly; code
modifications should be made more deliberately and with the security of the
application and its resources in mind.

Restoring "Everyone" access to the metabase is not a viable workaround. It
reintroduces vulnerabilities that are being closed by Exchange 2000 Server
SP3, and future versions of Exchange are likely to remove the access control
entries (ACEs) again, causing a recurring administrative problem.

Affected Applications
The most common types of applications affected by this change are those that
do not require authentication, applications in which it is not important to
track the sender, or applications where the sender does not have an Exchange
account. A customer feedback application that allows a customer to access a
Web site, gathers feedback, and then uses Exchange to route the feedback to
the appropriate accounts is a good example of the type of application
affected by this change.

Applications using an ASP page and requiring authentication are also
affected by this change. Authors of such applications should be aware that
CDOEX accesses the metabase using the process security context and not the
impersonated security context of the application's end user. However, the
pickup directory is accessed using the impersonated security context.

Here is an example of a Microsoft Visual Basic® Scripting Edition (VBScript)
script that worked in Exchange 2000 Server SP2 but fails with SP3:

<%@ Language=VBScript %>
<%
   Dim iMsg
   'Create the message object
   Set iMsg = CreateObject("CDO.Message")

   'Set the message to,from,subject,body properties.
   With iMsg
      .To = "packer...@adatum.com"
      .From = "mba...@adatum.com"
      .Subject = "Test message using CDOEx sent on: "  & now()
      .TextBody = "This message tests sending mail with CDOEx"
      .Send
   End With

   set iMsg = Nothing
%>

Because this script does not specify a configuration object, CDOEX defaults
to cdoSendUsingPickup. In SP3, CDOEX does not have anonymous access to the
metabase; therefore, if the code is running under an anonymous account (most
often IWAM_MachineName), it will not be able to find the pickup directory.
This results in the following error:

CDO.Message.1 (0x80040220)
The "SendUsing" configuration value is invalid.
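As an added diagnostic page (not part of the original KB article), the following ASP script separates the two privilege requirements described above: it first checks whether the impersonated caller can see the pickup directory (Step 4), then lets CDOEX attempt the metabase lookup (Step 2) and traps the 0x80040220 error from Send instead of letting the page fail silently. The pickup path and the addresses are assumed values.

```vbscript
<%@ Language=VBScript %>
<%
   ' Added diagnostic page; not from the original KB article.
   Option Explicit
   On Error Resume Next

   ' HRESULT reported as: The "SendUsing" configuration value is invalid.
   Const CDO_SENDUSING_INVALID = &H80040220
   ' Assumed default Exchange pickup path; compare with what mbalist.vbs prints.
   Const strPickup = "c:\Program Files\Exchsrvr\mailroot\vsi 1\Pickup"

   Dim fso, iMsg, errNum, bReachable

   ' Empty LOGON_USER means the page runs under the anonymous (IUSR_/IWAM_) context.
   Response.Write "Running as: " & Request.ServerVariables("LOGON_USER") & "<br>"

   ' Step 4 check: the pickup directory is accessed with the impersonated context.
   Set fso = CreateObject("Scripting.FileSystemObject")
   bReachable = fso.FolderExists(strPickup)
   If Err.Number <> 0 Or Not bReachable Then
      Response.Write "Pickup directory is not reachable by this context.<br>"
   Else
      Response.Write "Pickup directory is reachable.<br>"
   End If
   Err.Clear

   ' Step 2 check: with no configuration object, CDOEX must read the metabase
   ' (after RevertToSelf) to locate the first SMTP instance's pickup directory.
   Set iMsg = CreateObject("CDO.Message")
   With iMsg
      .To = "recipient@example.com"   ' assumed addresses
      .From = "sender@example.com"
      .Subject = "CDOEX SP3 diagnostic sent on: " & Now()
      .TextBody = "Diagnostic message"
      .Send
   End With
   errNum = Err.Number
   If errNum = 0 Then
      Response.Write "Send succeeded.<br>"
   ElseIf errNum = CDO_SENDUSING_INVALID Then
      Response.Write "0x" & Hex(errNum) & ": " & Err.Description & "<br>"
      Response.Write "The process account cannot read the IIS metabase; " & _
                     "apply workaround 1 (grant access) or 2 (set the configuration).<br>"
   Else
      Response.Write "Unexpected error 0x" & Hex(errNum) & ": " & Err.Description & "<br>"
   End If
   Err.Clear
   Set iMsg = Nothing
   Set fso = Nothing
%>
```

A reachable pickup directory combined with the 0x80040220 error points at the metabase read (Step 2) rather than at directory permissions.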

Workarounds
There are four modifications available to continue working with CDOEX after
SP3 has been applied: two require an administrative modification, and two
require a code modification. Only one workaround needs to be applied to
resolve the problem; the programmer and administrator must decide which
workaround makes the most sense for their application.

1.  Administrative modification
Selectively grant metabase access
With this option, the application code remains unchanged, and accounts that
require read access to the metabase are granted it. You can either grant
metabase access to the existing account that the application is running
under, or you can create a new account for that purpose.  1a and 1b describe
these methods. The scripts mbaadd.vbs, mbalist.vbs, mbadel.vbs are supplied
to grant IIS metabase access to an account (see the appendix for more
information about these scripts). Because CDO calls RevertToSelf() before
accessing the metabase, it is sufficient to add the account under which the
application process runs; for a typical ASP page, this is the
IWAM_MachineName account.

Advantages
No change to application code.
No change to the SMTP configuration.

Disadvantages
May unnecessarily grant metabase access.

1a. Grant metabase access to the existing account
The least destabilizing option is to determine what account the applications
are running under and grant that account access to the metabase. The
existing account (for example, IWAM_XXX or IUSR_XXX) may be used by other
applications, and it may introduce vulnerabilities if these applications are
granted access to the IIS metabase.

To determine what account the application is running under and grant that
account access to the IIS metabase:

1.  Save the .vbs files to a directory on your server.
2.  Using Internet Information Services, navigate to the virtual directory
containing your CDOEX application. Right-click the virtual directory and
select "Properties"
3.  On the Directory Security tab, in Anonymous access and authentication
control, click Edit.
4.  In the Authentication Methods dialog box, make sure that Anonymous
access is selected, and then, in Accounts used for anonymous access, click
Edit.
5.  In the Anonymous User Account dialog box, copy down the account name
that the application is running under.
6.  Click Cancel to close all dialog boxes.
7.  At a command prompt, navigate to the directory containing the .vbs files
you saved in Step 1.
8.  Using mbaadd.vbs, grant the account you copied in Step 5 access to the
metabase by typing the following at the command prompt:
cscript mbaadd.vbs MachineName\AccountName

In some cases it may be necessary to grant metabase access to the
IWAM_MachineName account as well.  This can be done using mbaadd.vbs:
cscript mbaadd.vbs MachineName\IWAM_MachineName

9.  Stop and restart the IIS Admin service and any dependent services.

1b. Create a new account for the application to run under
An alternative to granting metabase access to the existing account is to
create an account, grant that account access to the metabase, and then
modify the virtual directory in which the application is running to run as
that account. To do this:

1.  Save the attached .vbs files to a location on your computer.
2.  Create a machine account using Active Directory® Users and Computers
(for example, CdoExAccount). This account does not need a mailbox, and it
can be granted "User" rights.
3.  Using Internet Information Services, navigate to the virtual directory
containing your CDOEX application. Right-click the virtual directory and
click Properties.
4.  On the Directory Security tab, in Anonymous access and authentication
control, click Edit.
5.  In the Authentication Methods dialog box, make sure that Anonymous
access is selected, and then, in Accounts used for anonymous access, click
Edit.
6.  In the Anonymous User Account dialog box:
     a. Enter the name of the account you created in the Username text box.
Note: If you created a domain level account, you must enter
DomainName\AccountName. If you created a machine level account, enter
MachineName\AccountName.
     b. Click to clear the Allow IIS to control the password check box.
     c. Enter the account's password in the Password text box.
     d. Click OK and reenter the password in the resulting dialog box.
7.  Click OK to close all the dialog boxes.
8.  At a command prompt, navigate to the directory containing the .vbs files
you saved in Step 1.
Using mbaadd.vbs, grant the account you just created access to the metabase
and pickup directory by typing the following at the command prompt:

cscript mbaadd.vbs MachineName\AccountName

In some cases it may be necessary to grant metabase access to the
IWAM_MachineName account as well.  This can be done using mbaadd.vbs:

cscript mbaadd.vbs MachineName\IWAM_MachineName

9.  Stop and restart the IIS Admin service and any dependent services.

2.  Code Modification
In the case where a code modification is the preferred workaround, there are
two ways of accomplishing the modification. You can use either
cdoSendUsingPickup or cdoSendUsingPort.

2a.  cdoSendUsingPickup
Because cdoSendUsingPickup is the default value, it does not need to be
specified; however, explicitly specifying it would make your code easier to
read. The pickup directory does need to be specified.

Advantages
Greater application control of configuration.
Not restricted to first SMTP service instance.

Disadvantages
More fragile: installation of Exchange or administrative configuration
changes may cause the application to quit working because of changes to the
location of the pickup directory.
Must configure local SMTP for relay.

Sample
The following code sample demonstrates setting cdoSendUsingPickup and the
pickup directory's location:

<%@ Language=VBScript %>
<%
   Dim iMsg
   Dim iConf
   Const cdoSendUsingPickup = 1
   'For CDOSYS, the pickup directory is located at c:\inetpub\mailroot\pickup
   Const strPickup = "c:\Program Files\Exchsrvr\mailroot\vsi 1\Pickup"
   'Create the message object
   Set iMsg = CreateObject("CDO.Message")
   'Get the configuration object associated with the message
   Set iConf = iMsg.Configuration
   'Select the pickup method explicitly and name the pickup directory, so
   'CDOEX does not need to look up the first SMTP instance in the metabase
   With iConf.Fields
      .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = _
         cdoSendUsingPickup
      .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverpickupdirectory") = _
         strPickup
      .Update
   End With
   'Set the message to,from,subject,body properties.
   With iMsg
      .To = "packer...@adatum.com"
      .From = "mba...@adatum.com"
      .Subject = "Test message using CDOEx and cdoSendUsingPickup sent on: " _
         & now()
      .TextBody = "This is a test using CDOEx"
      .Send
   End With
   Set iMsg = Nothing
%>

2b.  cdoSendUsingPort
Instead of writing messages to the local pickup directory, write them to a
remote SMTP server over the network.

Advantages
Lower overall resource consumption.
Immediate and detailed error information.

Disadvantages
Remote SMTP server may be unavailable, and you lose the natural queue
mechanism in the pickup directory.

Sample
The following modified code works on Exchange 2000 SP3. Note the addition of
code to create and set the configuration object:

<%@ Language=VBScript %>
<%
   Dim iMsg
   Dim iConf
   Const cdoSendUsingPort = 2
   Const strSmartHost = "MySmartHostServer"
   'Create the message object
   Set iMsg = CreateObject("CDO.Message")
   'Get the configuration object associated with the message
   Set iConf = iMsg.Configuration

   'Set the fields of the configuration object to send using SMTP via port 25.
   With iConf.Fields
      .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = _
         cdoSendUsingPort
      .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = _
         strSmartHost
      .Update
   End With
   'Set the message to,from,subject,body properties.
   With iMsg
      .To = "packer...@adatum.com"
      .From = "mba...@adatum.com"
      .Subject = "Test message using CDOEx and cdoSendUsingPort, sent on: " _
         & now()
      .TextBody = "This is a test using CDOEx"
      .Send
   End With
   Set iMsg = Nothing
%>

Appendix
The following VBScript scripts are provided as a tool for modifying metabase
access rights.
mbaadd.vbs
This script adds an ACE for a given account with read and enumerate rights
to all SMTP service instances. Copy the following script and save it as
mbaadd.vbs. To use this script, at a command prompt, type:
cscript mbaadd.vbs MachineName\AccountName

Option explicit
Dim objSMTP, objInst, objSD, objACL, objACE, objNew
Dim sAccount
sAccount = wscript.arguments(0)
wscript.echo "Updating SMTP service instances..."
Set objSMTP = GetObject("IIS://LOCALHOST/SMTPSVC")
For Each objInst In objSMTP
   If objInst.class = "IIsSmtpServer" Then
      wscript.echo objInst.ADSPath
      set objSD = objInst.AdminACL
      set objACL = objSD.DiscretionaryACL
      set objNew = CreateObject("AccessControlEntry")
      objNew.AccessMask = 9 ' read + enumerate
      objNew.AceType = 0 ' ADS_ACETYPE_ACCESS_ALLOWED
      objNew.AceFlags = 2 ' ADS_ACEFLAG_INHERIT_ACE
      objNew.Trustee = sAccount
      objACL.AddAce objNew
      objSD.DiscretionaryACL = objACL
      objInst.Put "adminACL", Array(objSD)
      objInst.SetInfo
   End If
Next

mbadel.vbs
This script will delete an ACE for a given account. Copy the following
script and save it as mbadel.vbs. To use this script, at a command prompt,
type:
cscript mbadel.vbs MachineName\AccountName

Option explicit
Dim objSMTP, objInst, objSD, objACL, objACE
Dim sAccount
sAccount = lcase(wscript.arguments(0)) 'for matching
wscript.echo "Updating SMTP service instances..."
Set objSMTP = GetObject("IIS://LOCALHOST/SMTPSVC")
For Each objInst In objSMTP
   If objInst.class = "IIsSmtpServer" Then
      wscript.echo objInst.ADSPath
      set objSD = objInst.AdminACL
      set objACL = objSD.DiscretionaryACL
      For Each objACE in objACL
         If lcase(objACE.Trustee) = sAccount Then objACL.removeACE objACE
      Next
      objSD.DiscretionaryACL = objACL
      objInst.Put "adminACL", Array(objSD)
      objInst.SetInfo
   End If
Next

mbalist.vbs
This script lists who has access to all SMTP instances. Copy the following
script and save it as mbalist.vbs. To use this script, at a command prompt,
type:
cscript mbalist.vbs

Option Explicit
Dim objSMTP, objInst
wscript.echo "Listing SMTP service instances..."
Set objSMTP = GetObject("IIS://LOCALHOST/SMTPSVC")
For Each objInst In objSMTP
  If objInst.class = "IIsSmtpServer" Then
    wscript.echo objInst.ADSPath
    wscript.echo "   pickup=" & objInst.PickupDirectory
    DumpACL objInst.AdminACL
  End If
Next

Sub DumpACL(objSD)
  Dim objACL, objACE
  wscript.echo "   owner=" & objSD.Owner
  set objACL = objSD.DiscretionaryACL
  for each objACE in objACL
    wscript.echo "      " & objACE.Trustee & " " & Hex(objACE.AccessMask)
  next
end sub
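The three scripts above grant, remove and list access; as an added companion (not one of the scripts shipped with the KB article), mbacheck.vbs verifies the result: it confirms that the named account holds an access-allowed ACE carrying at least the read + enumerate bits (mask &H9, the same mask mbaadd.vbs writes) on every SMTP instance, and it flags any ACE for "Everyone", since restoring that access is the workaround the paper rules out. The script name and the exit codes are assumptions.

```vbscript
' mbacheck.vbs (added here; not one of the scripts supplied with the KB article)
' Usage: cscript mbacheck.vbs MachineName\AccountName
' Exit 0 when the account is present on every instance and no "Everyone"
' ACE exists; exit 1 otherwise, so the check can run from a scheduled task.
Option Explicit
Dim objSMTP, objInst, objSD, objACL, objACE
Dim sAccount, bFound, nMissing, nBroad
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const MASK_READ_ENUM = &H9   ' read + enumerate, as written by mbaadd.vbs

If wscript.arguments.count < 1 Then
   wscript.echo "Usage: cscript mbacheck.vbs MachineName\AccountName"
   wscript.quit 2
End If
sAccount = lcase(wscript.arguments(0))   'for matching, as in mbadel.vbs
nMissing = 0
nBroad = 0

Set objSMTP = GetObject("IIS://LOCALHOST/SMTPSVC")
For Each objInst In objSMTP
   If objInst.class = "IIsSmtpServer" Then
      wscript.echo objInst.ADSPath
      bFound = False
      Set objSD = objInst.AdminACL
      Set objACL = objSD.DiscretionaryACL
      For Each objACE In objACL
         If objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED Then
            ' Bitwise test: both the read and the enumerate bit must be set.
            If lcase(objACE.Trustee) = sAccount And _
               (objACE.AccessMask And MASK_READ_ENUM) = MASK_READ_ENUM Then
               bFound = True
            End If
            ' "Everyone" may appear with or without a prefix, so match the substring.
            If InStr(lcase(objACE.Trustee), "everyone") > 0 Then
               nBroad = nBroad + 1
               wscript.echo "   WARNING: broad ACE for " & objACE.Trustee & _
                            " mask=" & Hex(objACE.AccessMask)
            End If
         End If
      Next
      If bFound Then
         wscript.echo "   OK: " & sAccount & " has read+enumerate"
      Else
         nMissing = nMissing + 1
         wscript.echo "   MISSING: " & sAccount & " lacks read+enumerate"
      End If
   End If
Next

If nMissing > 0 Or nBroad > 0 Then wscript.quit 1
wscript.quit 0
```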