Security Basics mailing list archives

RE: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and Security Pros/Cons


From: "Matt Bukaty" <MatthewB () CallMeIT com>
Date: Mon, 1 Dec 2003 12:36:16 -0500

I am going to have to agree with Sarbjit on this. If you are having problems it is either hardware related or more 
likely antiviral related. I have done 6 conversions this year from both Exchange 5.5 and 2000 to 2003. The most common 
cause of corruption is mis-configured antiviral software. For Norton Antivirus you can reference this document 
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2000110108382454?OpenDocument&src=ent_hot&dtype=corp&prod=Norton%20AntiVirus%20for%20Microsoft%20Exchange&ver=2.x&tpre=
Basically if you have it scanning the *.edb files you will have major issues due to file locks from the Antiviral 
Software. It should also be noted that in E2K3 the M:\ virtual drive no longer exists by default and you must connect 
to it through a share to eliminate that issue. Details can be found here 
http://support.microsoft.com/default.aspx?scid=kb;en-us;821836&Product=exch2003

In terms of E2K3 Security let me point you to these articles from Microsoft:

Overview of Security-Enhanced Settings in the Default Configuration of Exchange Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;818474

Security Setting Changes and Updates That Are Introduced in Exchange Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;824111

Outside of that, is Win2K3/E2K3 more secure? Yes.
Should you use a default install in a production environment? No.
Always, and I mean _always_, take steps to lock down your systems over the default install. Whether you are running Sun, 
MS, Linux, or whatever, you need to lock the systems down. If I did a plain install of Red Hat Advanced Server you would 
also find lots of information from Nmap and Nessus. 
For additional information on securing MS Products, you should look here: 
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp

Best of Luck,

_________________________________________________________________________
Matthew Bukaty
President 
Call Me I.T.
http://www.CallMeIT.com 
Office: (754) 224 - 9353
Nextel Direct Connect: 159 * 33562 * 2
GnuPG (PGP) Public Key: http://Linux.CallMeIT.com/keys/matthewb.asc 
 
- Information Technology, Security, Consulting, Design and Integration -
________________________________________________________________________


-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com]
Sent: Friday, November 28, 2003 9:36 PM
To: security-basics () securityfocus com
Subject: RE: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and
Security Pros/Cons


 I seriously think it is something to do with your hardware or at least
setup of your OS / Exchange which made it corrupt the databases. Also, worst
case, somebody is opening the Exchange DBs using Access thinking it is a
JetDatabase technology based database. Also make sure no virus scanners or
defragmentation software are accessing the mdb database.

Anyway, Joint Engine Technology (JET) in earlier versions of Exchange
Server, evolved into the Extensible Storage Engine (ESE) in later versions.
ESE is a solid relational database technology similar to that of Microsoft
SQL Server or Oracle, although ESE's implementation is quite different.
Exchange 2000's ESE, a transacted storage engine that works primarily with
messaging and collaborative data, guarantees that all database operations
meet the Atomicity, Consistency, Isolation, and Durability (ACID)
properties. ACID properties for database engines ensure that you can roll
back transactions in the event of unsuccessful completion or replay them in
recovery. Microsoft uses ESE throughout Exchange 2000, in places such as the
Key Management Server (KMS) and the Site Replication Service (SRS), as well
as in Windows 2000's Active Directory (AD).

I have clients who have implemented Exchange 2003 (and before that
Exchange 2000) and never had problems like you have. Also, one of my clients,
whom I just met up with last week, is a polytechnic, and they have an 8-way server
running Exchange 2003 and all is OK since they installed Exchange 2003 this
year.

I don't think Exchange 2003 is "self-corrupting the JetDatabase Data Store."
There is no such thing. Like I mentioned above, the technology isn't
JetDatabase anymore. So somebody in your organization has some setup not done
correctly. Verify all logs, event logs, etc. to see if there is something not
proper. Could even be a hardware based disk cache mechanism which interferes
with the transaction log management of the databases.

Kind Regards
Gill


-----Original Message-----
From: Jimi Thompson [mailto:jimit () myrealbox com] 
Sent: Friday, November 28, 2003 1:01 PM
To: tawilson () speakeasy net
Cc: security-basics () securityfocus com
Subject: Re: Exchange 2K3 and Server 2K3 versus SUN One Pros/Cons and
Security Pros/Cons

I'm not going to tell you what you should buy, but I do suggest that you
benefit from my experience and my advice is that you should avoid
Microsoft, even if the alternative costs more upfront. We are a
relatively small (for email) Microsoft shop running Exchange 2003 and we
have had endless problems with it self-corrupting the JetDatabase Data
Store.  It's been horrible.  We've only got about 300-350 users and we've
had to reload (format the drives, reinstall the OS, and restore from a back
up) the server 3 times since May, when it got deployed.  If we hadn't put a
Sendmail server in front of it to do spam filtering, we'd have lost days of
email.  Fortunately, we have been able to configure the Sendmail server to
spool until we could bring the Exchange box back on line.  As things stand,
we've lost a total of about 24 hours' worth of email.

It's so bad that even though we are a university and Microsoft basically gives
us their products, we're looking at purchasing an alternative.  
Right now the front runner is Samsung Contact (nee HP's OpenMail), but that
may change now that SuSE has released a new mail server.

I can tell you from experience that the "new secure 'out-of-the-box' 
2003" products aren't much better than their current counterparts.  The
service isn't any better, it's just not "on".  They also left a lot of
things turned on that I'd turn off in a "secure out of the box" OS.  I'd be
happy to supply you with both NMAP and NESSUS scan results from various
machines that we've loaded.  We've deliberately done some very vanilla
installs specifically so that we could scan them.  Our experience indicates
that unless you plan on deploying Office 2003 as well, you won't be getting
any change in how Outlook (XP and earlier) connects to Exchange in any
event. 

iPlanet's big downside has always been documentation and installation.  
Regardless of the product, their install process has tended to bite rather
severely.  Part of what has traditionally made the installs so painful is
that their products are SOOOOOO poorly documented.  If you guys have worked
with iPlanet/SunONE, you know what I'm talking about.  
However, once installed and working they tend to be rock solid. 

There's other stuff out there though.  I've got a pretty good list, since
we've been doing evals looking to replace our Exchange server with something
that actually works reliably and has all the groupware features that our
users want (namely calendaring). I'd be happy to share my notes with you.

HTH,

Jimi


tawilson () speakeasy net wrote:

Hello everyone,

Our IS group is a current SUN Iplanet shop. We have Win2K3 AD running and
the majority of the server infrastructure is running on Win2K.

We are looking to upgrade our Email infrastructure. Our current SUN Iplanet
implementation is about 3 years old. At the time of deployment it was
perfect for our environment. We needed to deploy web mail and at that time
there was/is no question that MS Exchange was not mature enough in the web
client. 

Our environment still has a HIGH demand for a web based client due to our
customer base.

We are now talking with SUN about upgrading the infrastructure and moving
to their new Email infrastructure. We are also looking to determine if
Microsoft has come of age and does it now fit in to our environment better
than the SUN solution.

SUN and Microsoft are preparing presentations as well as presenting SOWs
for our review and interactive discussion. I am interested in security
issues or design issues with either platform. We have users that need to
access our email infrastructure from around the world. Our clients use UNIX
(all flavors), MACs, Win2K/XP and some older MS OSs as well.

So let me have it: hit me with the good, the bad and the ugly about E2K3 and
Win2K3 as well as any SUN items you can come up with. Security is my primary
focus but I will be addressing questions from all aspects to presentation
teams.

I have not had a chance to see the new Outlook client and the new "secure"
way it connects to E2K3, so if anyone has input on this I would really love
to hear that.

Thanks in advance for any inputs. I look forward to reading them.


-Todd



