RE: Interesting Observation

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 10 Jun 2004 13:00:38 -0700

> I was teaching an Exchange 2003 support class for Symantec this week, so
> that their gold and platinum support guys had a good understanding of how
> Exchange really works :-), he talked about log files, and one of the guys
> asked what would happen if you created a new log file, for example, the
> log file is E0000001.LOG and you create E0000002.log manually.
> We tried it to see, and the effect was that the Outlook clients would hang
> when trying to send mail, until you deleted the manually created log file,
> the other effect was when you performed an online backup the backup would
> fail, and then dismount all the Stores in the Storage Group that you were
> trying to backup, this then led them to ask what type of security risk
> would be, if someone managed to create a worm that created a log file
> manually it would bring down all the Stores when you perform a backup.

1. The worm would have to reach the server. Defense rule: All computers must
have AV installed to protect the server itself.
2. The worm would have to get past the firewall. Defense rule: All computers
must be behind a firewall.
3. The worm would have to be executed by e-mail if not through the firewall.
Defense ruleA: All incoming e-mail must be scanned for viruses,
vulnerabilities and possible malicious content, ie executable attachments.
Defense ruleB: Generally, you should not be viewing e-mail on a server.

So, the way I see it, if the worm is able to execute on the server in the
first place, you have other problems to deal with. 

However, having said that, that is a real problem, although with proper
defences in place, the probability of it occurring is minimized. If there is
a way that behavior can be changed/protected, it should be looked into and
work needed weighted out.

John Tolmachoff
eServices For You

Other related posts: