MailEnable Lockdown Utility
When a software release is produced, it is likely that the version of the software will be updated from time to time, for feature improvements and to overcome any shortcomings in the software.
With desktop software, any weaknesses in the software are not likely to cause significant issues, because the services/applications are “private” in that there is usually no way for a third party to actively exploit the weakness. Since e-mail server software involves interacting with unknown parties (anyone can connect to a mail server), there is obviously an increased risk of exploitation if the software contains any errors.
Typically, “hackers” will install one or more instances of the software in a controlled environment and use brute-force scripts that send randomized strings in an attempt to cause the software to crash. Once the software crashes, the hacker will investigate the pattern of data that caused the crash and will then review the system call stack at the time of the crash. Often the hacker will use debug libraries so they can gain more insight into the nature of the crash, which is what allows them to exploit it.
Once the hacker establishes how to cause the crash to occur, they develop a purpose-built script that causes the server to crash. There are two primary types of vulnerabilities: Denial of Service (DoS) vulnerabilities and buffer overflow vulnerabilities. A DoS vulnerability will allow a remote hacker to crash the service, hence preventing access to the service until it is restarted. A buffer overflow vulnerability may allow a malicious party to inject a small application that is executed as a result of the exploitation. Most commonly, the application that is executed is a small socket program that allows the server to accept commands via telnet and have the server execute them.
Best Practice
The most effective way to avoid exploitation is to identify and fix any issues with the software (and distribute patches accordingly).
The other way to protect the server from exploitation is by ensuring that services are correctly secured or “locked down”. Locking down the services restricts the resources that any hacker can access should they successfully exploit a vulnerability.
In a server installation, it is advisable to limit who has access to sensitive applications on the server (like telnet, command.com, ftp.exe, etc.). Ensure that any service accounts run with only the permissions they need. This is outlined in the following section.
Service Account Identity
Unless specified otherwise, MailEnable Services will run with the identity of the in-built LOCALSYSTEM user. The local system user is a privileged local account with access to an extensive array of system rights (and access to system resources).
There is a risk associated with running services under this user since it means that any successful exploitation of the service may allow arbitrary code to be executed with the rights of that account.
It is therefore desirable to run MailEnable services with the identity of a lower privileged account that only has access to the resources MailEnable requires.
To combat these issues of potential exploitation, MailEnable can be configured as a ‘hardened’ installation. If the option to harden the server is selected, then the SMTP, POP, and IMAP services will run under the identity of IME_SYSTEM. Other system services and agents will continue to run under the LOCALSYSTEM account.
If you are running Version 1 or 2 of MailEnable (Standard, Professional or Enterprise Editions), you should download the latest version of the MEInstaller application and select the option to “Harden the Server”. A utility can also be downloaded from our website here:
http://www.mailenable.com/hotfix/me-10031.exe
Before hardening the server, disable any resident scanners or ensure that the MailEnable message store is excluded from protection. Also, temporarily disable the Microsoft Indexing Service to minimize IO constraints.
Future versions of MailEnable will have an IME_SYSTEM user that has been granted minimal access to the resources required to run MailEnable Services. It will also create an IME_STORE_GROUP group that has access to the MailEnable message store, and the IME_SYSTEM user will be a member of the IME_STORE_GROUP group.
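The following PowerShell script is an added example (it is not part of the MailEnable documentation or the MailEnable product) that an administrator can run to verify the outcome of the hardening described above: it lists the Windows account each MailEnable service runs under and flags any network-facing (SMTP, POP, IMAP) service that still runs as LOCALSYSTEM. It assumes the services can be identified by a display name beginning with “MailEnable” and that the words SMTP, POP and IMAP appear in the display names of the network-facing services; both patterns are assumptions and may need adjusting to the installation.

```powershell
# Added example (not MailEnable's own code): audit the identity of each
# MailEnable service and report which network-facing services still run
# as LocalSystem after hardening.
#
# Assumptions (adjust to match your installation):
#   - MailEnable service display names begin with "MailEnable"
#   - the SMTP, POP and IMAP services carry those words in their display names
#   - the hardened identity is the local account IME_SYSTEM (from the page)
param(
    [string]$ServicePattern  = 'MailEnable*',
    [string]$ExpectedAccount = 'IME_SYSTEM'
)

# Services the "Harden the Server" option is documented to re-target
$networkFacingWords = @('SMTP', 'POP', 'IMAP')

# Win32_Service.StartName reports LocalSystem as "LocalSystem"; local accounts
# appear as ".\NAME" or "COMPUTERNAME\NAME".
$systemNames = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

function Get-MailEnableServiceIdentity {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $ServicePattern } |
        ForEach-Object {
            $facesNetwork = $false
            foreach ($word in $networkFacingWords) {
                if ($_.DisplayName -match $word) { $facesNetwork = $true }
            }

            $account    = $_.StartName
            $isSystem   = $systemNames -contains $account
            $isExpected = $account -like "*\$ExpectedAccount"

            # Only the network-facing services are expected to change identity;
            # the page states that other services keep running as LOCALSYSTEM.
            $finding = if ($facesNetwork -and $isSystem) {
                'Runs as LocalSystem: hardening not applied'
            } elseif ($facesNetwork -and -not $isExpected) {
                "Runs as unexpected account (expected $ExpectedAccount)"
            } else {
                'OK'
            }

            [pscustomobject]@{
                Service       = $_.Name
                DisplayName   = $_.DisplayName
                RunsAs        = $account
                State         = $_.State
                NetworkFacing = $facesNetwork
                Finding       = $finding
            }
        }
}

# Usage: run from an elevated PowerShell prompt on the mail server.
Get-MailEnableServiceIdentity | Format-Table -AutoSize
```

Any row whose Finding is not OK is a service that still executes with the full rights of LOCALSYSTEM, which is exactly the exposure the Service Account Identity section describes; re-run the script after applying the hardening option to confirm the SMTP, POP and IMAP services now run as IME_SYSTEM.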
MailEnable Hardened Server Configuration
The specific changes made to MailEnable when being run in the hardened installation mode are outlined below:
Registry Permissions
When MailEnable is configured to run with minimal permissions, the following registry permission changes are applied: