ME020399 - PRB: Web mail and web administration may not function after system lockdown


SYMPTOMS

MailEnable web mail and/or web admin may not function immediately after installing on a Windows Server or having recently applied a hotfix or "lockdown utility".

CAUSE

MailEnable's web mail and web administration integrate with the security framework of the Windows platform.

Examples of such services are Internet Information Server (IIS), Component Services (COM+) and the Windows Security Model.

This integration makes MailEnable services susceptible to changes made to the Windows environment. If the Windows platform has been modified by "lockdown utilities", or if the default security settings have been changed, MailEnable may not function correctly.

RESOLUTION

The MEInstaller application can be used to reset permissions to the default settings. If significant customization or changes have been made to the Windows environment, it may be necessary to manually review the settings listed in the workaround below.

The following workaround exists to manually check environment security settings.

WORKAROUND

MailEnable's web mail and web administration features are the most susceptible to any of the following Windows environment changes:

1. Registry Permission Changes (changes to the permissions on reliant or commonly used registry keys)
2. File System Permission changes (reliant DLLs are denied access by the System, IME_ADMIN and/or IME_USER accounts)
3. Missing or corrupted system libraries (e.g. ADO libraries are corrupt or non-existent)
4. DCOM (COM+) security permission changes (changes made to DCOM security settings can cause MailEnable COM components to fail)
5. Configuration changes made to COM+ or IIS (e.g. changing the process isolation to low priority within IIS)
6. Policy Changes (changes in the privilege or rights associated with the System, IME_ADMIN and/or IME_USER account)
 

1. Registry Permissions

MailEnable's IME_USER and IME_ADMIN need read access to certain branches of the registry.
These accounts are members of the Users group, and are therefore given access to the necessary branches of the registry.

It is possible that the Users group has been disabled or that its access to the registry has been restricted.
If this is the case, then the IME_ADMIN and IME_USER accounts need to be given explicit access to some registry keys (so that MailEnable can access the registry).

The IME_ADMIN account needs access to:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable

Note: You may want to ensure that IME_ADMIN has access to the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.Dictionary
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.Encoder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.Signer

Some "lockdown utilities" restrict access to these keys in order to limit the use of the Scripting FileSystemObject.

The IME_USER account needs access to:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes

2. File System Permission Changes

MailEnable relies on many system libraries and therefore requires read access to these libraries.

MailEnable's IME_USER and IME_ADMIN need read access to the following shared system folders and files:

IME_ADMIN requires read access to the following files:

WindowsSystemDirectory\scrrun.dll
WindowsSystemDirectory\msvbvm60.dll
WindowsSystemDirectory\msxml3.dll
ProgramFilesDir\Common Files\System\ado
ProgramFilesDir\Common Files\System\msadc
ProgramFilesDir\Common Files\System\ole db
ProgramFilesDir\Common Files\System\ado\msader15.dll
ProgramFilesDir\Common Files\System\ado\msado15.dll
ProgramFilesDir\Common Files\System\ado\msadrh15.dll
ProgramFilesDir\Common Files\System\MSADC\msadce.dll
ProgramFilesDir\Common Files\System\MSADC\msadcer.dll
ProgramFilesDir\Common Files\System\OLE DB\msdasql.dll
ProgramFilesDir\Common Files\System\OLE DB\msdasqlr.dll
ProgramFilesDir\Common Files\System\OLE DB\oledb32.dll
ProgramFilesDir\Common Files\System\OLE DB\oledb32r.dll

IME_USER requires read access to the following files:

ProgramFilesDir\Common Files\System\ado\msader15.dll
ProgramFilesDir\Common Files\System\ado\msado15.dll
ProgramFilesDir\Common Files\System\ado\msadrh15.dll
ProgramFilesDir\Common Files\System\MSADC\msadce.dll
ProgramFilesDir\Common Files\System\MSADC\msadcer.dll
ProgramFilesDir\Common Files\System\OLE DB\msdasql.dll
ProgramFilesDir\Common Files\System\OLE DB\msdasqlr.dll
ProgramFilesDir\Common Files\System\OLE DB\oledb32.dll
ProgramFilesDir\Common Files\System\OLE DB\oledb32r.dll

IME_ADMIN requires full access to the following folders and subfolders:

MailEnable\Config
MailEnable\Postoffices
MailEnable\Queues

IME_USER requires read access to the following folders and subfolders:

MailEnable\BIN\WebMail
MailEnable\BIN\WebAdmin

IME_ADMIN requires read access to the following folders and subfolders:

MailEnable\Bin

3. Missing or Corrupted System Libraries

Missing or corrupt system libraries can cause MailEnable to fail. Ensure that MSXML, ADO and the Scripting Runtime are functioning on the system.

MailEnable's Diagnostic Report briefly tests these resources to ensure that they are functioning correctly. There are also Knowledge Base articles that describe how to diagnose and correct these issues.
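The following PowerShell script is an added example (not from the MailEnable article) that checks the registry keys and files listed in sections 1 to 3 for IME_ADMIN and IME_USER: it reports entries that are missing (section 3), denied, readable only through a group such as Users (which lockdown utilities commonly restrict), or not readable at all. It assumes local accounts, that both accounts are members of Users, and that $MailEnableRoot points at the MailEnable installation folder.

```powershell
# Added example, not part of the MailEnable article: checks the registry keys and
# files listed in sections 1-3 for IME_ADMIN and IME_USER. Assumes local accounts,
# that both are members of Users, and that $MailEnableRoot is the install folder.
$MailEnableRoot = 'C:\Program Files\Mail Enable'   # assumption: adjust to your install
$Sys = "$env:SystemRoot\System32"                  # "WindowsSystemDirectory" in the lists
$CF  = $env:CommonProgramFiles                     # "ProgramFilesDir\Common Files"
# Access normally arrives through group membership; lockdown tools often strip these.
$Groups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Test-MeAccess {
    param([string]$Account, [string]$Path, [string]$Need)   # $Need: Read or FullControl
    if (-not (Test-Path -LiteralPath $Path)) { return "MISSING   $Account  $Path" }  # section 3
    $isReg   = $Path -like 'Registry::*'
    $regName = if ($Need -eq 'Read') { 'ReadKey' } else { 'FullControl' }
    $needed  = if ($isReg) { [int][System.Security.AccessControl.RegistryRights]$regName } else { [int][System.Security.AccessControl.FileSystemRights]$Need }
    $who = @("$env:COMPUTERNAME\$Account") + $Groups
    $allowed = 0; $deniedBy = $null; $grantedBy = @()
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($who -notcontains $ace.IdentityReference.Value) { continue }
        $r = if ($isReg) { [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if ($r -band 0xF0000000) { return "GENERIC   $Account  $Path (generic rights mask; inspect manually)" }
        if ($ace.AccessControlType -eq 'Deny') {
            if ($r -band $needed) { $deniedBy = $ace.IdentityReference.Value }   # any overlap denies
        } elseif ($r -band $needed) { $allowed = $allowed -bor $r; $grantedBy += $ace.IdentityReference.Value }
    }
    if ($deniedBy) { return "DENIED    $Account  $Path (deny ACE for $deniedBy)" }
    if (($allowed -band $needed) -eq $needed) { return "OK        $Account  $Path (via $($grantedBy -join ', '))" }
    return "NOACCESS  $Account  $Path"
}

$Checks = @(
    @('IME_ADMIN', 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes', 'Read'),
    @('IME_ADMIN', 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable', 'Read'),
    @('IME_USER',  'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes', 'Read'),
    @('IME_ADMIN', "$Sys\scrrun.dll", 'Read'),
    @('IME_ADMIN', "$Sys\msxml3.dll", 'Read'),
    @('IME_ADMIN', "$CF\System\ado\msado15.dll", 'Read'),
    @('IME_USER',  "$CF\System\ado\msado15.dll", 'Read'),
    @('IME_USER',  "$CF\System\OLE DB\oledb32.dll", 'Read'),
    @('IME_ADMIN', "$MailEnableRoot\Config", 'FullControl'),
    @('IME_ADMIN', "$MailEnableRoot\Bin", 'Read'),
    @('IME_USER',  "$MailEnableRoot\BIN\WebMail", 'Read')
)   # extend with the remaining entries from the lists above
foreach ($c in $Checks) { Test-MeAccess -Account $c[0] -Path $c[1] -Need $c[2] }
```

An "OK ... (via BUILTIN\Users)" result means the account has no explicit entry of its own, which is exactly the case that breaks when a lockdown utility restricts the Users group.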

4. DCOM (COM+) Security Permission Changes

MailEnable's web mail and web admin rely heavily on COM+ and there are many configuration settings in relation to COM+ security that specifically control access to components.

If the DCOM launch permissions are modified from the default, MailEnable's web mail component may not be able to function.

Specifically, IME_ADMIN and IME_USER both need Launch and Execute rights under DCOM.

A Knowledge Base article relating to Windows 2003 Service Pack 1 outlines some considerations with respect to COM+:

See: Article ME020364

5. Configuration changes made to COM+ or IIS

MailEnable's web mail and web admin rely heavily on COM+. There are many configuration settings in relation to COM+, although it is exceptionally unusual that any generic changes made to the system could directly affect MailEnable.

As a general rule, the MEInstaller application can be used to correct these issues.

See: Article ME020314

The MEInstaller Utility can also reset the IIS Application Isolation Levels. Ensure that the isolation level used is 'High' to be sure that MailEnable functions. It is possible to use a 'Medium' Isolation Level, however this is not recommended.

6. Policy Changes

MailEnable's web mail and web admin use two Windows accounts (IME_USER and IME_ADMIN) to integrate with IIS and COM+ respectively. Each of these accounts needs specific operating system privileges (or rights assignments) in order to operate correctly.

User Rights Assignments are configured via the Local Security Policy editor, found under the Administrative Tools program group.

IME_ADMIN:
 - Create a token object
 - Adjust memory quotas for a process
 - Act as part of the operating system
 - Access this computer from the network
 - Log on as a batch job
 - Log on as a service
 - Log on locally
 - Replace a process level token

IME_USER:
 - Access this computer from the network
 - Log on as a batch job
 - Log on locally
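The following PowerShell script is an added example (not from the MailEnable article) that exports the local security policy with secedit and reports which of the rights listed above are missing for IME_ADMIN and IME_USER. It assumes local accounts and an elevated prompt; the constant names are the secedit spellings of the rights shown in the Local Security Policy editor.

```powershell
# Added example, not part of the MailEnable article: exports the local policy with
# secedit and reports which of the rights listed above are missing for IME_ADMIN and
# IME_USER. Assumes local accounts and an elevated prompt (secedit requires it).
# secedit names for the editor labels, e.g. 'Act as part of the operating system' = SeTcbPrivilege.
$Required = @{
    IME_ADMIN = 'SeCreateTokenPrivilege', 'SeIncreaseQuotaPrivilege', 'SeTcbPrivilege',
                'SeNetworkLogonRight', 'SeBatchLogonRight', 'SeServiceLogonRight',
                'SeInteractiveLogonRight', 'SeAssignPrimaryTokenPrivilege'
    IME_USER  = 'SeNetworkLogonRight', 'SeBatchLogonRight', 'SeInteractiveLogonRight'
}
$cfg = Join-Path $env:TEMP 'me-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section: "SeTcbPrivilege = *S-1-5-21-...,*S-1-5-19"
$rights = @{}; $inSection = $false
foreach ($line in (Get-Content -LiteralPath $cfg)) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^\s*(\S+)\s*=\s*(.*)$') { continue }
    $name = $Matches[1]; $value = $Matches[2]
    $rights[$name] = @(foreach ($h in $value -split ',') {
        $h = $h.Trim()
        if ($h.StartsWith('*')) {   # '*' prefix marks a SID; resolve it to DOMAIN\name
            try { (New-Object System.Security.Principal.SecurityIdentifier $h.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $h }            # unresolvable SID (e.g. deleted account): keep raw
        } else { $h }
    })
}
Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue

# Only direct assignments are detected; a right granted to a group the account
# belongs to (e.g. Users) will still show as MISSING here.
foreach ($acct in $Required.Keys) {
    foreach ($priv in $Required[$acct]) {
        $has = @($rights[$priv]) | Where-Object { $_ -eq $acct -or $_ -like "*\$acct" }
        if ($has) { "OK       $acct  $priv" } else { "MISSING  $acct  $priv" }
    }
}
```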

MORE INFORMATION

SysInternals (www.sysinternals.com) provides an effective utility called FileMon.

This utility can be used to monitor File System access and report on any errors or permission failures.

A similar utility called RegMon is also available to report on accesses made to the Windows Registry.



Product: MailEnable (Pro-Any Ent-Any)
Category: Environment
Module: General
Keywords: hotfix lockdown utility upgrades upgrade security settings webmail webadmin
Class: PRB: Product Problem or Issue
Revised: Wednesday, May 4, 2016
Author:
Publisher: MailEnable