You're an admin! You're an admin! You're all admins, thanks to this Microsoft Exchange zero-day and exploit Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user with a mailbox to become a Domain Admin. On Thursday, Dirk-jan Mollema, a security researcher with Fox-IT in the Netherlands, published proof-of-concept code and an explanation of the attack, which involves the interplay …
"and enforcing SMB signing."
I haven't had time to get to the bottom of this snag yet but enabling SMB signing is a very quick, easy and low risk change. You probably have it enabled already if you're big enough to need an Exchange system cluttering up the place. Fire up gpmc.msc!
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/ - Mitigations. Several low cost options there that are a good idea anyway.
Did you realise that Exchange isn't just 'an email server'? At least recommend something like Zimbra to cover calenders and a web ui, then you might as well use Samba v4 (I assume we're ignoring the fact it's based on Microsoft code) to give you proper single sign on, and there's not really any equivalent to Group Policy, but I suppose we could use something like Puppet to provide consistency across users desktops.
So, once you've hooked up all those different Open Source programs and got them all working (probably not as turn-key as setting up a Windows domain), what's the betting that you've inadvertently left a similarly glaring security hole?
> "you might as well use Samba v4 (I assume we're ignoring the fact it's based on Microsoft code)"
A correction. Samba is not, and has never been, based on Microsoft code. (Well, now we have a Microsoft engineer on the Samba Team I suppose his changes could now be accurately described as such, but he writes new code, not cut-n-paste from the Microsoft git repositories :-).
Jeremy Allison,
Samba Team.
Bob...
New to information security and/or application development are you?
You're too fixated on an issue without looking at the entire requirement(s) a product is meant to provide.
You're 'solution' doesn't even come close to providing a work around for Exchange.
Also, thinking Linux is so much more secure than Windows is short sided and short minded.
Especially when both require humans to build and configure them--not to mention the applications running on top of the OS.
I've used cyrus for the past 19 years now.. for email it works great(though the migration from v1 to v2 was quite painful - though I haven't run email for a corporate type environment since 2002 and at the time it was Cyrus). Since then the only email hosting I have done is just my personal and family stuff.
I don't have opinions strong enough to try to talk someone else into what email solution to use, but I wanted to (sadly) mention this that I noticed last year:
https://www.cmu.edu/computing/services/comm-collab/email-calendar/cyrus/decommission.html
made me kinda feel sick inside (the main reason of course being they built Cyrus, am not sure how much involvement they have in it today).
I have been a user of office 365 for the past 6 years or so(I don't work in corporate IT so have never managed exchange). I don't have major complaints. I'm certainly not the office power user who leverages their stuff more so can understand those who need that groupware functionality. I could get by with just IMAP without an issue though I know many others need much more than that. Office 2010 on windows 7 and OWA on Linux and email on android all seem to work ok.
I'm admin. Thats what killed my payrise. Despite being allowed to write my own JD and put terms like develop / script /SQL / servers ....
The people that look at the JDs to make sure everyones being paid fairly know fuck all about I.T. , so when they saw "administrator" they read "receptionist".
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
