MailEnable Lockdown Utility
 

Software is revised from time to time after release, both to add features and to fix shortcomings that are discovered once it is in use.

With desktop software, a weakness is unlikely to cause significant harm because the application is effectively private: there is usually no way for a third party to reach it and exploit the weakness. E-mail server software is different. It has to accept connections from unknown parties (anyone on the Internet can connect to a mail server), so any defect in the code that handles that input carries a much greater risk of exploitation.

Typically, attackers install one or more copies of the software in a controlled environment and run scripts that feed randomized or malformed strings to the service in an attempt to make it crash. Once the software crashes, the attacker examines the input that triggered the crash and reviews the call stack at the point of failure, often using debug symbols or debug builds of the libraries to gain more insight into the nature of the crash. That understanding is what allows the crash to be turned into an exploit.

Once the attacker knows how to trigger the crash reliably, they write a purpose-built script that delivers the triggering input to a target server. Two types of vulnerability are of primary concern here: denial of service (DoS) and buffer overflow. A DoS vulnerability lets a remote attacker crash the service, denying access to it until it is restarted. A buffer overflow may allow the attacker to inject a small piece of code that is executed as a result of the exploitation, and it runs with the identity and privileges of the service process. Most commonly, the injected code is a small socket program that listens for commands, which the attacker then sends over telnet and has the server execute.

Best Practice

The most effective way to avoid exploitation is to identify and fix defects in the software, and to distribute patches accordingly.

The other way to protect the server from exploitation is to ensure that services are correctly secured or “locked down”. Locking down a service restricts the resources an attacker can reach if they do succeed in exploiting a vulnerability: injected code runs with whatever rights the service has, and nothing more.

In a server installation, limit which accounts have access to sensitive programs on the server (such as telnet.exe, command.com, cmd.exe and ftp.exe), and ensure that every service account runs with only the permissions it needs. The following section outlines how MailEnable does this.

Service Account Identity

Unless specified otherwise, MailEnable services run under the identity of the built-in LOCALSYSTEM account. LOCALSYSTEM is a highly privileged local account with an extensive array of system rights and unrestricted access to local system resources.

Running services under this account carries a risk: any successful exploitation of the service may allow arbitrary code to be executed with the rights of that account, and for a LOCALSYSTEM service that means complete control of the machine.

It is therefore desirable to run MailEnable services under a lower privileged account that has access only to the resources MailEnable requires.

To reduce the impact of a potential exploitation, MailEnable can be configured as a ‘hardened’ installation. If the option to harden the server is selected, the Mail Transfer Agent, SMTP, POP and IMAP services run under the identity of a dedicated local account, IME_SYSTEM. Other MailEnable services and agents continue to run under LOCALSYSTEM.

If you are running version 1 or 2 of MailEnable (Standard, Professional or Enterprise Edition), download the latest version of the MEInstaller application and select the option to “Harden the Server”. A standalone lockdown utility can also be downloaded from our website here: http://www.mailenable.com/hotfix/me-10031.exe

Before hardening the server, disable any resident (on-access) virus scanners, or ensure that the MailEnable message store is excluded from scanning. Also temporarily disable the Microsoft Indexing Service, to minimise I/O contention while the utility re-applies permissions across the message store.

Future versions of MailEnable will create the IME_SYSTEM user, granted only minimal access to the resources required to run MailEnable services, as part of installation. They will also create an IME_STORE_GROUP group with access to the MailEnable message store, and make IME_SYSTEM a member of that group.

MailEnable Hardened Server Configuration

The specific changes made to MailEnable when being run in the hardened installation mode are outlined below: 

Registry Permissions

When MailEnable is configured to run with minimal permissions, the following registry permission changes are applied:

Path                              Account       Access
----                              -------       ------
HKLM\SOFTWARE\Classes\...         IME_SYSTEM    READ
HKLM\SOFTWARE\Microsoft\...       IME_SYSTEM    READ
HKLM\SYSTEM\...                   IME_SYSTEM    READ
HKLM\SOFTWARE\Mail Enable\...     IME_SYSTEM    FULL

File System Permissions (Access Granted)

MailEnable services require read access to a core set of Windows DLLs that provide library functionality.

When MailEnable is configured to run with minimal permissions, the following file system permissions are granted:

Path                              Account       Access
----                              -------       ------
[SYSTEM32]\ACTIVEDS.DLL           IME_SYSTEM    READ
[SYSTEM32]\ADSLDPC.DLL            IME_SYSTEM    READ
[SYSTEM32]\CLBCATQ.DLL            IME_SYSTEM    READ
[SYSTEM32]\DHCPCSVC.DLL           IME_SYSTEM    READ
[SYSTEM32]\DNSAPI.DLL             IME_SYSTEM    READ
[SYSTEM32]\iphlpapi.dll           IME_SYSTEM    READ
[SYSTEM32]\ICMP.dll               IME_SYSTEM    READ
[SYSTEM32]\INDICDLL.dll           IME_SYSTEM    READ
[SYSTEM32]\IMM32.dll              IME_SYSTEM    READ
[SYSTEM32]\msafd.dll              IME_SYSTEM    READ
[SYSTEM32]\MSVCP71D.dll           IME_SYSTEM    READ
[SYSTEM32]\MPRAPI.dll             IME_SYSTEM    READ
[SYSTEM32]\mlang.dll              IME_SYSTEM    READ
[SYSTEM32]\MSVCP60.dll            IME_SYSTEM    READ
[SYSTEM32]\msxml3.dll             IME_SYSTEM    READ
[SYSTEM32]\msxml3r.dll            IME_SYSTEM    READ
[SYSTEM32]\netmsg.dll             IME_SYSTEM    READ
[SYSTEM32]\NETAPI32.DLL           IME_SYSTEM    READ
[SYSTEM32]\NTDSAPI.dll            IME_SYSTEM    READ
[SYSTEM32]\NETRAP.dll             IME_SYSTEM    READ
[SYSTEM32]\ODBC32.dll             IME_SYSTEM    READ
[SYSTEM32]\odbcint.dll            IME_SYSTEM    READ
[SYSTEM32]\odbctrac.dll           IME_SYSTEM    READ
[SYSTEM32]\PSAPI.DLL              IME_SYSTEM    READ
[SYSTEM32]\rpcss.dll              IME_SYSTEM    READ
[SYSTEM32]\RTUTILS.DLL            IME_SYSTEM    READ
[SYSTEM32]\RASAPI32.dll           IME_SYSTEM    READ
[SYSTEM32]\rasman.dll             IME_SYSTEM    READ
[SYSTEM32]\rnr20.dll              IME_SYSTEM    READ
[SYSTEM32]\rasadhlp.dll           IME_SYSTEM    READ
[SYSTEM32]\Secur32.dll            IME_SYSTEM    READ
[SYSTEM32]\SAMLIB.DLL             IME_SYSTEM    READ
[SYSTEM32]\SETUPAPI.DLL           IME_SYSTEM    READ
[SYSTEM32]\TAPI32.dll             IME_SYSTEM    READ
[SYSTEM32]\USERENV.DLL            IME_SYSTEM    READ
[SYSTEM32]\winrnr.dll             IME_SYSTEM    READ
[SYSTEM32]\WSOCK32.dll            IME_SYSTEM    READ
[SYSTEM32]\WS2_32.DLL             IME_SYSTEM    READ
[SYSTEM32]\WS2HELP.DLL            IME_SYSTEM    READ
[SYSTEM32]\wshtcpip.dll           IME_SYSTEM    READ
[WINDOWS]\Registration            IME_SYSTEM    READ
[WINDOWS]\Config                  IME_SYSTEM    READ/WRITE

File System Permissions (Access Denied) 

A number of Windows programs could be used by an attacker who has exploited a vulnerability in a service, for example to spawn a command shell, transfer tools onto the server, add accounts, or reconfigure the system. It is important to limit the service account's access to these programs.

When MailEnable is configured to run with minimal permissions, the following file system permissions are explicitly denied:

Path                              Account       Access
----                              -------       ------
[SYSTEM32]\at.exe                 IME_SYSTEM    DENIED
[SYSTEM32]\cacls.exe              IME_SYSTEM    DENIED
[SYSTEM32]\command.com            IME_SYSTEM    DENIED
[SYSTEM32]\cmd.exe                IME_SYSTEM    DENIED
[SYSTEM32]\cscript.exe            IME_SYSTEM    DENIED
[SYSTEM32]\debug.exe              IME_SYSTEM    DENIED
[SYSTEM32]\edlin.exe              IME_SYSTEM    DENIED
[SYSTEM32]\finger.exe             IME_SYSTEM    DENIED
[SYSTEM32]\ftp.exe                IME_SYSTEM    DENIED
[SYSTEM32]\ipconfig.exe           IME_SYSTEM    DENIED
[SYSTEM32]\krnl386.exe            IME_SYSTEM    DENIED
[SYSTEM32]\nbtstat.exe            IME_SYSTEM    DENIED
[SYSTEM32]\net.exe                IME_SYSTEM    DENIED
[SYSTEM32]\net1.exe               IME_SYSTEM    DENIED
[SYSTEM32]\netsh.exe              IME_SYSTEM    DENIED
[SYSTEM32]\posix.exe              IME_SYSTEM    DENIED
[SYSTEM32]\rcp.exe                IME_SYSTEM    DENIED
[SYSTEM32]\regedt32.exe           IME_SYSTEM    DENIED
[SYSTEM32]\regini.exe             IME_SYSTEM    DENIED
[SYSTEM32]\regsvr32.exe           IME_SYSTEM    DENIED
[SYSTEM32]\rexec.exe              IME_SYSTEM    DENIED
[SYSTEM32]\rsh.exe                IME_SYSTEM    DENIED
[SYSTEM32]\runas.exe              IME_SYSTEM    DENIED
[SYSTEM32]\runonce.exe            IME_SYSTEM    DENIED
[SYSTEM32]\srvmgr.exe             IME_SYSTEM    DENIED
[SYSTEM32]\sysedit.exe            IME_SYSTEM    DENIED
[SYSTEM32]\syskey.exe             IME_SYSTEM    DENIED
[SYSTEM32]\telnet.exe             IME_SYSTEM    DENIED
[SYSTEM32]\tftp.exe               IME_SYSTEM    DENIED
[SYSTEM32]\tracert.exe            IME_SYSTEM    DENIED
[SYSTEM32]\usrmgr.exe             IME_SYSTEM    DENIED
[SYSTEM32]\wscript.exe            IME_SYSTEM    DENIED
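The script below is an added PowerShell example written for this page; it is not part of the MailEnable lockdown utility or its source. It audits, and with -Apply adds, a deny entry for the service account on each executable in the table above. The $Account and $Apply parameters are the script's own; the account name and the file list come from the table. Run it in an elevated PowerShell session on the mail server.

```powershell
# Added example (not part of the MailEnable utility): audit, or with -Apply add,
# a Deny ACE for IME_SYSTEM on the System32 executables listed in the table.
# Assumptions: run elevated on the mail server; IME_SYSTEM is a local account;
# -Apply is this script's own switch, not a MailEnable option.
param(
    [string]$Account = "$env:COMPUTERNAME\IME_SYSTEM",
    [switch]$Apply
)

$sys32  = Join-Path $env:SystemRoot 'System32'
$denied = @(
    'at.exe','cacls.exe','command.com','cmd.exe','cscript.exe','debug.exe',
    'edlin.exe','finger.exe','ftp.exe','ipconfig.exe','krnl386.exe','nbtstat.exe',
    'net.exe','net1.exe','netsh.exe','posix.exe','rcp.exe','regedt32.exe',
    'regini.exe','regsvr32.exe','rexec.exe','rsh.exe','runas.exe','runonce.exe',
    'srvmgr.exe','sysedit.exe','syskey.exe','telnet.exe','tftp.exe','tracert.exe',
    'usrmgr.exe','wscript.exe'
)

# Resolve the account to a SID once; ACEs are compared by SID, not by name,
# so a renamed account or an orphaned entry cannot produce a false match.
$sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Deny)

$results = foreach ($name in $denied) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path)) {
        # Several of these (edlin, posix, usrmgr, ...) no longer ship with
        # current Windows; report them rather than silently skipping.
        [pscustomobject]@{ File = $name; State = 'missing' }
        continue
    }
    $acl = Get-Acl -LiteralPath $path
    $hasDeny = $acl.GetAccessRules($true, $true,
                   [System.Security.Principal.SecurityIdentifier]) |
               Where-Object { $_.AccessControlType -eq 'Deny' -and
                              $_.IdentityReference -eq $sid }
    if ($hasDeny) {
        [pscustomobject]@{ File = $name; State = 'denied' }
    } elseif ($Apply) {
        # Rewrites only the DACL. On Vista and later the file is owned by
        # TrustedInstaller and Administrators lack WRITE_DAC, so this step
        # fails until ownership is taken (see the note below).
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $path -AclObject $acl
        [pscustomobject]@{ File = $name; State = 'denied (applied)' }
    } else {
        [pscustomobject]@{ File = $name; State = 'NOT denied' }
    }
}

$results | Format-Table -AutoSize
```

Without -Apply the script only reports. Two caveats apply when it is used to enforce the table rather than just check it. On Windows Vista and later the System32 binaries are owned by TrustedInstaller and the Administrators group holds only read and execute on them, so Set-Acl fails with an unauthorized-operation error until ownership is taken first (takeown.exe or icacls.exe /setowner), and later servicing of those files may reset the DACL. Secondly, a deny entry on cmd.exe does nothing about binaries the table predates (powershell.exe, mshta.exe, rundll32.exe and similar) or about a copy of cmd.exe placed in a directory the service can write to, so the deny list is defence in depth, not a barrier on its own.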

Windows Accounts created

When MailEnable is configured to run with minimal permissions, a local user account called IME_SYSTEM is created. A local group called IME_STORE_GROUP is also created, and IME_SYSTEM is made a member of this group.

The Windows security objects created are outlined below:

Type          Object Name         Access
----          -----------         ------
USER          IME_SYSTEM          CREATED
GROUP         IME_STORE_GROUP     CREATED
MEMBERSHIP    IME_STORE_GROUP     ADDED [IME_SYSTEM]

Windows Rights Assignment

The IME_SYSTEM user is granted the following right by default. It is the only right a service account needs in order to start services.

Right                        Object Name    Access
-----                        -----------    ------
SeServiceLogonRight          IME_SYSTEM     GRANTED

The following additional rights are granted if the system is configured to use integrated authentication:

Right                        Object Name    Access
-----                        -----------    ------
SeTcbPrivilege               IME_SYSTEM     GRANTED
SeNetworkLogonRight          IME_SYSTEM     GRANTED
SeBatchLogonRight            IME_SYSTEM     GRANTED
SeCreateTokenPrivilege       IME_SYSTEM     GRANTED
SeInteractiveLogonRight      IME_SYSTEM     GRANTED
SeIncreaseQuotaPrivilege     IME_SYSTEM     GRANTED

Note that SeTcbPrivilege (“Act as part of the operating system”) and SeCreateTokenPrivilege are among the most powerful privileges in Windows: an account holding them can obtain or create access tokens for any user, including LOCALSYSTEM. With integrated authentication enabled, IME_SYSTEM is therefore much closer to LOCALSYSTEM in practical terms, and a good part of the benefit of the lower privileged identity is lost. SeInteractiveLogonRight additionally allows the account to log on at the console, which a service account never needs. Enable integrated authentication only where it is actually required, and review whether each of these rights is still needed on your installation.
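The following is an added PowerShell example, not part of the MailEnable utility, that exports the local security policy with secedit.exe, lists the user rights actually held by IME_SYSTEM, and flags the ones discussed above that deserve review. The $Account parameter and the list of rights marked REVIEW are the script's own choices.

```powershell
# Added example (not part of the MailEnable utility): list the user rights held
# by IME_SYSTEM and flag those that make the account SYSTEM-equivalent or let it
# log on in ways a service never needs. Assumptions: run elevated; secedit.exe
# (shipped with Windows) is on the path; the account is local.
param([string]$Account = "$env:COMPUTERNAME\IME_SYSTEM")

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# secedit writes a Unicode .inf; /areas USER_RIGHTS limits it to the
# [Privilege Rights] section, whose lines look like
#   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1005
$tmp = Join-Path $env:TEMP 'ime_rights.inf'
& secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with code $LASTEXITCODE" }

$held = @()
foreach ($line in Get-Content -LiteralPath $tmp) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $right   = $matches[1]
        $members = $matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        if ($members -contains $sid -or $members -contains $Account) { $held += $right }
    }
}
Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue

# Rights that let the holder obtain or mint tokens for other accounts
# (SYSTEM included), debug any process, or log on interactively.
$review = 'SeTcbPrivilege', 'SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege',
          'SeDebugPrivilege', 'SeInteractiveLogonRight'

foreach ($r in $held) {
    $flag = if ($review -contains $r) { 'REVIEW' } else { 'ok' }
    '{0,-32} {1}' -f $r, $flag
}
if ($held -notcontains 'SeServiceLogonRight') {
    Write-Warning "$Account lacks SeServiceLogonRight; services will not start under it."
}
```

A hardened server without integrated authentication should print a single line, SeServiceLogonRight, marked ok. Every REVIEW line is a right that widens what injected code running as the service could do, and is worth justifying individually.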

Database Changes

If the system is configured to use SQL Server in integrated mode, the following changes are made to SQL Server:

Type      Object Name    Access
----      -----------    ------
USER      IME_SYSTEM     CREATED
ACCESS    IME_SYSTEM     INSERT, DELETE, EXECUTE, UPDATE on the MAILENABLE database

Service Identity Changes

The following services are changed to run under the IME_SYSTEM identity. Any MailEnable service not listed here continues to run as LOCALSYSTEM.

Service                              Identity
-------                              --------
MailEnable Mail Transfer Agent       IME_SYSTEM
MailEnable SMTP Connector            IME_SYSTEM
MailEnable POP Service               IME_SYSTEM
MailEnable IMAP Service              IME_SYSTEM
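The script below is an added PowerShell example, not part of the MailEnable utility, that confirms the state described in the Windows Accounts created and Service Identity Changes sections: the IME_SYSTEM user exists, it is a member of IME_STORE_GROUP, and the four listed services run under it. The service display names are taken verbatim from the table and are an assumption about your installation; adjust them if yours differ.

```powershell
# Added example (not part of the MailEnable utility): verify the local account,
# group membership and service identities a hardened install should have.
# Assumptions: run elevated on the mail server; the display names below match
# the table on this page (adjust if your services are named differently).
$user  = 'IME_SYSTEM'
$group = 'IME_STORE_GROUP'
$expected = 'MailEnable Mail Transfer Agent', 'MailEnable SMTP Connector',
            'MailEnable POP Service', 'MailEnable IMAP Service'

# The ADSI WinNT provider works on every Windows version this page targets,
# unlike Get-LocalUser / Get-LocalGroupMember, which need PowerShell 5.1.
$userPath  = "WinNT://$env:COMPUTERNAME/$user,user"
$groupPath = "WinNT://$env:COMPUTERNAME/$group,group"
$userOk    = [ADSI]::Exists($userPath)
$groupOk   = [ADSI]::Exists($groupPath)
$memberOk  = $false
if ($groupOk) {
    $members = ([ADSI]$groupPath).psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    $memberOk = $members -contains $user
}
'{0,-45} {1}' -f "local user $user exists",            $(if ($userOk)   { 'ok' } else { 'CHECK' })
'{0,-45} {1}' -f "local group $group exists",          $(if ($groupOk)  { 'ok' } else { 'CHECK' })
'{0,-45} {1}' -f "$user is a member of $group",        $(if ($memberOk) { 'ok' } else { 'CHECK' })

# StartName is 'LocalSystem' for the default identity and '.\IME_SYSTEM' (or
# 'HOST\IME_SYSTEM') once the utility has re-pointed a service.
$services = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE 'MailEnable%'"
if (-not $services) { Write-Warning 'no MailEnable services found on this host' }
foreach ($s in ($services | Sort-Object DisplayName)) {
    $runAs      = $s.StartName
    $runsAsUser = ($runAs -eq $user) -or ($runAs -like "*\$user")
    $verdict = if ($expected -contains $s.DisplayName) {
        if ($runsAsUser) { "ok ($runAs)" } else { "CHECK: runs as $runAs, expected $user" }
    } elseif ($runsAsUser) {
        "note: $runAs (not in the table, but lower privileged)"
    } else {
        "$runAs (left unchanged by the utility)"
    }
    '{0,-45} {1}' -f $s.DisplayName, $verdict
}
```

Every line marked CHECK is a service that a buffer overflow would still hand to an attacker as LOCALSYSTEM, or a missing account that means the hardening step did not complete.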

Access changes to MailEnable File System Paths

The following changes are made to the MailEnable file system paths so that services running under IME_SYSTEM can reach what they need. Note that the Bin directory, which holds the service executables, is deliberately left read and execute only: a service that could write to its own binaries could be made to replace them with attacker-supplied code.

Path                     Account            Access
----                     -------            ------
MailEnable Store         IME_STORE_GROUP    FULL CONTROL
MailEnable\QUEUES        IME_SYSTEM         FULL
MailEnable\LOGGING       IME_SYSTEM         FULL
MailEnable\CONFIG        IME_SYSTEM         FULL
MailEnable\Bad Mail      IME_SYSTEM         FULL
MailEnable\Backup        IME_SYSTEM         FULL
MailEnable\Bin           IME_SYSTEM         READ+EXECUTE
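The script below is an added PowerShell example, not part of the MailEnable utility, that audits the ACLs described in the Registry Permissions section and in the file system paths table above. It reports, for each path, whether the service's effective rights include what the table grants, and for Bin whether they include anything write-capable. $Root and $Store default to common locations and are assumptions; set them to your installation's paths. The list of groups the script treats IME_SYSTEM as belonging to (Users, Everyone, Authenticated Users, SERVICE) is also an assumption about how the account was created.

```powershell
# Added example (not part of the MailEnable utility): audit registry and file
# ACLs against the hardened-installation tables. Run elevated.
# Assumptions: $Root/$Store are your paths; IME_SYSTEM is an ordinary local
# user (so it is in Users) and a member of IME_STORE_GROUP.
param(
    [string]$Root  = 'C:\Program Files (x86)\Mail Enable',             # assumed install root
    [string]$Store = 'C:\Program Files (x86)\Mail Enable\Postoffices'  # assumed message store
)

function Resolve-Sid([string]$Name) {
    (New-Object System.Security.Principal.NTAccount($Name)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

# Identities whose ACEs count towards IME_SYSTEM's effective access.
$identities = @(
    (Resolve-Sid 'IME_SYSTEM'),
    (Resolve-Sid 'IME_STORE_GROUP'),
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'),      # Everyone
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'),     # Authenticated Users
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-6'),      # SERVICE
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545')  # Users
)

function Get-EffectiveMask($Acl, $Sids) {
    # OR together the Allow bits granted to any listed identity, then clear
    # the Deny bits. Inherit-only ACEs are skipped: they apply to children,
    # not to the object being checked.
    $allow = 0; $deny = 0
    foreach ($r in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($Sids -notcontains $r.IdentityReference) { continue }
        if (([int]$r.PropagationFlags -band 2) -ne 0) { continue }   # InheritOnly
        $mask = if ($r -is [System.Security.AccessControl.FileSystemAccessRule]) {
                    [int]$r.FileSystemRights } else { [int]$r.RegistryRights }
        if ($r.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask } else { $deny = $deny -bor $mask }
    }
    return ($allow -band (-bnot $deny))
}

$FS = [System.Security.AccessControl.FileSystemRights]
$RK = [System.Security.AccessControl.RegistryRights]
# Anything that would let the service alter its own binaries: write, append,
# delete, DACL or owner changes, plus the GENERIC_WRITE / GENERIC_ALL bits.
$fsWrite = [int]($FS::WriteData -bor $FS::AppendData -bor $FS::Delete -bor
                 $FS::ChangePermissions -bor $FS::TakeOwnership) -bor 0x40000000 -bor 0x10000000

# A 32-bit MailEnable on 64-bit Windows keeps its key under Wow6432Node.
$meKey = @('HKLM:\SOFTWARE\Mail Enable', 'HKLM:\SOFTWARE\Wow6432Node\Mail Enable') |
         Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1

$checks = @(
    @{ Path = $meKey;                        Need = [int]$RK::FullControl;    Forbid = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Classes';      Need = [int]$RK::ReadKey;        Forbid = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft';    Need = [int]$RK::ReadKey;        Forbid = 0 }
    @{ Path = 'HKLM:\SYSTEM';                Need = [int]$RK::ReadKey;        Forbid = 0 }
    @{ Path = $Store;                        Need = [int]$FS::FullControl;    Forbid = 0 }
    @{ Path = (Join-Path $Root 'Queues');    Need = [int]$FS::FullControl;    Forbid = 0 }
    @{ Path = (Join-Path $Root 'Logging');   Need = [int]$FS::FullControl;    Forbid = 0 }
    @{ Path = (Join-Path $Root 'Config');    Need = [int]$FS::FullControl;    Forbid = 0 }
    @{ Path = (Join-Path $Root 'Bad Mail');  Need = [int]$FS::FullControl;    Forbid = 0 }
    @{ Path = (Join-Path $Root 'Backup');    Need = [int]$FS::FullControl;    Forbid = 0 }
    # Bin must be readable and executable but never writable by the service.
    @{ Path = (Join-Path $Root 'Bin');       Need = [int]$FS::ReadAndExecute; Forbid = $fsWrite }
)

foreach ($c in $checks) {
    if (-not $c.Path -or -not (Test-Path -LiteralPath $c.Path)) {
        '{0,-60} MISSING' -f $c.Path; continue
    }
    $mask   = Get-EffectiveMask (Get-Acl -LiteralPath $c.Path) $identities
    $lacks  = ($mask -band $c.Need)   -ne $c.Need
    $excess = ($mask -band $c.Forbid) -ne 0
    $verdict = if ($excess) { 'CHECK: write-capable rights on a binaries directory' } elseif ($lacks) {
        'CHECK: expected rights not present (effective mask 0x{0:X})' -f $mask
    } else { 'ok' }
    '{0,-60} {1}' -f $c.Path, $verdict
}
```

The check is intentionally conservative: it only sees ACEs held by the identities listed, so if read access to a registry hive arrives through a group not in that list the row shows CHECK and needs a manual look. The one result that should never be accepted is a CHECK on Bin, because write access there turns any exploitable bug in the service into persistent code execution.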