|
Hi,
I found a little issue with a possible misconfiguration with Exchange Server
5.5 and Windows NT Server 4.0 .
If the value LMCompatibilityLevel is added to the registry and set to 5 on a
NT server that is running Exchange Server 5.5 running POP3 or IMAP4, a
client will no longer be able to authenticate himself to the server with
clear text authentication. Even if this configuration may sound like a
contradiction, I will explain why I think it is still an issue.
TESTED SERVER-CONFIGURATION:
============================
Microsoft Windows NT Server 4.0, SP6a, english, PDC configuration
with registry setting
HKLM\System\CurrentControlSet\Control\Lsa\LMCompatibilityLeve
l=5
Microsoft Exchange Server 5.5, SP3, english, POP3 enabled and configured
TESTED CLIENT-CONFIGURATION:
============================
Local machine (see above)
Microsoft Windows 95 Telnet Client
PROBLEM:
========
POP3 Authentication is not possible anymore, error message says: "Unknown
username or bad password", even when credentials match. Connection from the
local machine, that is from the server where Exchange Server is installed,
is not possible either.
WORK-AROUND:
============
Set registry value
HKLM\System\CurrentControlSet\Control\Lsa\LMCompatibilityLeve
l to 4 or
remove value
EXPLANATION:
============
Setting LMCompatibilityLevel to 5 prevents a domain controller from
accepting LanManager NTLM authentication, only NTLM2 should be accepted.
However, a computer running Exchange Server 5.5 will also no longer be able
to accomodate POP3 clients that authenticate via clear text. This might be
an issue one of the following scenarios:
*) A script running periodically on a server might check a pop3 mailbox
without posing a security problem through authentication
*) POP3 clients and usernames might reside on a specific, more secure subnet
*) A previous administrator might have added the value to the registry
without documenting it, pop3 and imap4 problems might not be easily solved
then
*) I am sure there might be other, those are the ones I could think of
I had a little dilemma trying to decide whether I would call this a bug or
not, but I finally decided to call it a bug. NT authentication is usually
never performed in clear text which is why this registry value should not
affect a pop3 server, but the NTLM authentication option of the pop3
service.
Best regards,
Ingmar Koecher [MCSE,MCT,CCNA].
=================================
-----http://www.netikus.net/-----
mailto:ingmar.koecher@netikus.net
=================================
NEWSGROUP,URLWATCH,POP3-CENTER...
=================================
This message can also be found in the WINDOWS-NT forum of the NETIKUS.NET
newsgroup.
----------------------------------------------------------------------------
Delivery co-sponsored by eEye Digital Security
============================================================================
Vulnerability Is Over ... eEye Digital Security Announces Retina(tm)
Retina, the unparalleled network security product that scans, monitors,
alerts, and automatically fixes network security vulnerabilities. Retina
includes an auto-update feature providing continuous update of its modules,
allowing users to keep pace with the latest security vulnerabilities.
Retina, the first network security software that works like an
around-the-clock human network security analyst. Available for download;
<http://www.eeye.com/click.asp?referrer=ntbugtraq1&P;=retina>
----------------------------------------------------------------------------
|
