Security Basics mailing list archives
RE: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and Security Pros/Cons
From: "Matt Bukaty" <MatthewB () CallMeIT com>
Date: Mon, 1 Dec 2003 12:36:16 -0500
I am going to have to agree with Sarbjit on this. If you are having problems it is either hardware related or more likely antiviral related. I have done 6 conversions this year from both Exchange 5.5 and 2000 to 2003. The most common cause of corruption is mis-configured antiviral software. For Norton Antivirus you can reference this document http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2000110108382454?OpenDocument&src=ent_hot&dtype=corp&prod=Norton%20AntiVirus%20for%20Microsoft%20Exchange&ver=2.x&tpre= Basically if you have it scanning the *.edb files you will have major issues due to file locks from the Antiviral Software. It should also be noted that in E2K3 the M:\ virtual drive no longer exists by default and you must connect to it through a share to eliminate that issue. Details can be found here http://support.microsoft.com/default.aspx?scid=kb;en-us;821836&Product=exch2003 In terms of E2K3 Security let me point you to these articles from Microsoft: Overview of Security-Enhanced Settings in the Default Configuration of Exchange Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;818474 Security Setting Changes and Updates That Are Introduced in Exchange Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;824111 Outside of that is Win2K3/E2K3 More Secure? Yes. Should you use a default install in a production environment? No. Always and I mean _always_ take steps to lock down your systems over the default install. Whether you are running Sun, MS, Linux, or whatever you need to lock the systems down. If I did a plain install of Redhat Advanced Server you would also find lots of information from nMap and Nessus. For additional information on securing MS Products, you should look here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp Best of Luck, _________________________________________________________________________ Matthew Bukaty President Call Me I.T. http://www.CallMeIT.com Office: (754) 224 - 9353 Nextel Direct Connect: 159 * 33562 * 2 GnuPG (PGP) Public Key: http://Linux.CallMeIT.com/keys/matthewb.asc - Information Technology, Security, Consulting, Design and Integration - ________________________________________________________________________ -----Original Message----- From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com] Sent: Friday, November 28, 2003 9:36 PM To: security-basics () securityfocus com Subject: RE: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and Security Pros/Cons I seriously think it is something to do with your hardware or at least setup of your OS / Exchange which made it corrupt the databases. Also worse case , somebody is opening the Exchange DBs using access thinking it is a JetDatabase technology based database. Also make sure no virus scanners, defragmentation software are accessing the mdb database. Anyway, Joint Engine Technology (JET) in earlier versions of Exchange Server, evolved into the Extensible Storage Engine (ESE) in later versions. ESE is a solid relational database technology similar to that of Microsoft SQL Server or Oracle, although ESE's implementation is quite different. Exchange 2000's ESE, a transacted storage engine that works primarily with messaging and collaborative data, guarantees that all database operations meet the Atomicity, Consistency, Isolation, and Durability (ACID) properties. ACID properties for database engines ensure that you can roll back transactions in the event of unsuccessful completion or replay them in recovery. Microsoft uses ESE throughout Exchange 2000, in places such as the Key Management Server (KMS) and the Site Replication Service (SRS), as well as in Windows 2000's Active Directory (AD). I have clients which have implemented Exchange 2003 (and before that Exchange 2000) and never had problems like you have. Also one of my clients, I just met up last week is a polytechnic and they have a 8-way server running exchange 2003 and all is ok since they installed Exchange 2003 this year. I don't think Exchange 2003 is "self-corrupting the JetDatabase Data Store." There is no such thing. Like I mentioned above, the technology isn't JetDatabase anymore. So somebody in your organization some setup not done correctly. Verify all logs, event logs etc to see if there is something not proper. Could even be a hardware based disk cache mechanism which interferes with the transaction log management of the databases. Kind Regards Gill -----Original Message----- From: Jimi Thompson [mailto:jimit () myrealbox com] Sent: Friday, November 28, 2003 1:01 PM To: tawilson () speakeasy net Cc: security-basics () securityfocus com Subject: Re: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and Security Pros/Cons I'm not going to tell you what you should buy, but I do suggest that you benefit from my experience and my advice is that you should avoid Microsoft, if if the alternative costs more upfront. We are a relatively small (for email) Microsoft Shop running Exhcange 2003 and we have had endless problems with it self-corrupting the JetDatabase Data Store. It's been horrible. We've only got about 300-350 users and we've had to reload (format the drives, reinstall the OS, and restore from a back up) the server 3 times since May, when it got deployed. If we hadn't put a Sendmail sever in front of it to do spam filtering, we'd have lost days of email. Fortunately, we have been able to configure the Sendmail server to spool until we could bring the Exchange box back on line. As things stand, we've lost a total of about 24 hours worth of email. It so bad that even though we are a university and Microsoft basically gives us their products, we're looking at purchasing an alternative. Right now the front runner is Samsung Contact (nee HP's OpenMail), but that may change now that SuSE has released a new mail server. I can tell you from experience that the "new secure 'out-of-the-box' 2003" products aren't much better than their current counterparts. The service isn't any better, it's just not "on". They also left a lot of things turned on that I'd turn off in a "secure out of the box" OS. I'd be happy to supply you with both NMAP and NESSUS scan results from various machines that we've loaded. We've deliberately done some very vanilla installs specifically so that we could scan them. Our experience indicates that unless you plan on deploying Office 2003 as well, you won't be getting any change in how Outlook (XP and earlier) connects to Exchange in any event. iPlanet's big downside has always been documentation and installation. Regardless of the product, their install process has tended to bite rather severely. Part of what has traditionally made the installs so painful is that their products are SOOOOOO poorly documented. If you guys have worked with iPlanet/SunONE, you know what I'm talking about. However, once installed and working they tend to be rock solid. There's other stuff out there though. I've got a pretty good list, since we've been doing evals looking to replace our Exchange server with something that actually works reliably and has all the groupware features that our users want (namely calendaring). I'd be happy to share my notes with you. HTH, Jimi tawilson () speakeasy net wrote:
Hello everyone, Our IS group is a current SUN Iplanet shop. We have Win2K3 AD running and
the majority of the server infrastructure is running on Win2K.
We are looking to upgrade our Email infrastructure. Our current SUN Iplanet
implementation is about 3 years old. At the time of deployment it was perfect for our environment. We needed to deploy web mail and at that time there was/is no question that MS Exchange was not mature enough in the web client.
Our environment still has a HIGH demand for a web based client due to our
customer base.
We are now talking with SUN about upgrading the infrastructure and moving
to their new Email infrastructure. We are also looking to determ if Microsoft has come of age and does it now fit in to our environment better then the SUN solution.
SUN and Microsoft are preparing presentations as well as presenting SOWs
for our review and interactive discussion. I am interested in security issues or design issues with either platform. We have users that need to access our email infrastructure from around the world. Our clients use UNIX (all flavors), MACs, Win2K/XP and some older MS OSs as well.
So let me have it hit me with the good the bad and the ugly about E2K3 and
Win2K3 as well as any SUN items you can come up with. Security is my primary focus but I will addressing questions from all aspects to presentation teams.
I have not had a chance to see the new outlook client and the new "secure"
way it connects to E2K3 so if anyone has input to this I would really love to hear that.
Thanks in advance for any inputs I look forward to reading them. -Todd ----------------------------------------------------------------------- ---- ----------------------------------------------------------------------- -----
--------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and Security Pros/Cons Sarbjit Singh Gill (Dec 01)
- Re: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and Security Pros/Cons Jimi Thompson (Dec 08)
- RE: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and Security Pros/Cons Sarbjit Singh Gill (Dec 08)
- <Possible follow-ups>
- RE: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and Security Pros/Cons Matt Bukaty (Dec 01)
- RE: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and Security Pros/Cons Nero, Nick (Dec 08)
- Re: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and Security Pros/Cons Jimi Thompson (Dec 11)
- Re: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and Security Pros/Cons Jimi Thompson (Dec 08)