RE: Interesting Observation

  • From: "Mark Fugatt" <mark@xxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 10 Jun 2004 16:11:37 -0400

I agree 100% John, it was a long flight home from Oregon (left at 2am and
got in my house at 2.30pm), and I was not really thinking clearly when I
posted :-)

Mark
-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, June 10, 2004 4:01 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Interesting Observation


> I was teaching an Exchange 2003 support class for Symantec this week, 
> so that their gold and platinum support guys had a good understanding 
> of how Exchange really works :-), he talked about log files, and one 
> of the guys asked what would happen if you created a new log file, for 
> example, the last log file is E0000001.LOG and you create E0000002.log
> manually.
> 
> We tried it to see, and the effect was that the Outlook clients would 
> hang when trying to send mail, until you deleted the manually created 
> log file, the other effect was when you performed an online backup the 
> backup would fail, and then dismount all the Stores in the Storage 
> Group that you were trying to backup, this then led them to ask what 
> type of security risk this would be, if someone managed to create a
> worm that created a log file
> manually it would bring down all the Stores when you perform a backup.

1. The worm would have to reach the server. Defense rule: All computers must
have AV installed to protect the server itself.
2. The worm would have to get past the firewall. Defense rule: All computers
must be behind a firewall.
3. The worm would have to be executed by e-mail if not through the firewall.
Defense rule A: All incoming e-mail must be scanned for viruses,
vulnerabilities and possible malicious content, i.e. executable attachments.
Defense rule B: Generally, you should not be viewing e-mail on a server.

So, the way I see it, if the worm is able to execute on the server in the
first place, you have other problems to deal with. 

However, having said that, that is a real problem, although with proper
defences in place, the probability of it occurring is minimized. If there is
a way that behavior can be changed/protected, it should be looked into and
work needed weighed out.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


