Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Spam Operating Systems Software Windows

Mail Server Flaw Opens MS Exchange to Spam 487

bl8n8r writes: " Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail. He says even though software Microsoft provides on its site certifies that the server is secure, it's not. There are dozens of messages--with subject lines such as 'Open relay problem' and 'We are sending spam?'--on Microsoft's Exchange Administration newsgroup, sent by information system managers who haven't been able to staunch the flow of spam from their servers. 'It is really inexcusable for a company that claims security is its top priority,' he said." If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled.
This discussion has been archived. No new comments can be posted.

Mail Server Flaw Opens MS Exchange to Spam

Comments Filter:
  • YES!!! More ammo to convice my IT department to upgrade exchange so I can connect the Ximian Evolution calendar to it. It's the last hurtle between me and 100% linux on the desktop at work.
    • by Anonymous Coward on Tuesday November 18, 2003 @12:48AM (#7500012)
      Please read the article. This is not a flaw in exchange, but a flaw in the server configuration. The feature is generally disabled but might have been enabled if the server in question had been infected with a virus.


      To put it bluntly: Administrators who do not secure servers after a virus infection are not the victims of a Microsoft security hole, but the cause of this particular problem.


      Quote: "The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled. Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said. "

      • by bgog ( 564818 ) on Tuesday November 18, 2003 @12:51AM (#7500034) Journal
        I did read the article and am fully aware of it's implications. However... SHUT UP... I'm trying to get them to upgrade! :) SHHHH
        • I did read the article and am fully aware of it's implications. However... SHUT UP... I'm trying to get them to upgrade! :) SHHHH

          No kidding. As a former Exchange admin, POP/SMTP/... support -- or at a bare minimum an upgrade to Exchange 2000 -- is exactly what I do want so I can stop using that damn Outlook Web Access (OWA).

          I've asked multiple times if they have plans for any upgrade -- I've sent links to alternatives, asked if Exchange 2000 was planned -- and get no response from corporate except "onl

      • by bgog ( 564818 ) * on Tuesday November 18, 2003 @01:09AM (#7500120) Journal
        Furthur more, what if someone wants the guest account enabled. It states in the article. "... even if the login fails" Sound like a bug to me.
        • by NightSpots ( 682462 ) on Tuesday November 18, 2003 @01:33AM (#7500222) Homepage
          Then configure exchange not to allow the guest account to send email. Yes, you can set exchange to disallow sending email on a user by user level.

          Real exchange admins already know all this. The people being hit by this "vulnerability" are the same morons who got hit by Code Red. That should tell you something.
          • by julesh ( 229690 ) on Tuesday November 18, 2003 @05:45AM (#7500850)
            Real exchange admins already know all this. The people being hit by this "vulnerability" are the same morons who got hit by Code Red. That should tell you something.

            Yes. That the generally accepted argument behind the 'Windows has a lower TCO than Unix' argument (that Windows admins are generally cheaper than Unix admins) is utter bollocks if you actually want a secure system that won't get your mail rejected by approximately a quarter of the internet.

          • Then configure exchange not to allow the guest account to send email. Yes, you can set exchange to disallow sending email on a user by user level.

            Real exchange admins already know all this. The people being hit by this "vulnerability" are the same morons who got hit by Code Red. That should tell you something.

            Hey Mr Insightful Exchange Admin, maybe you could read posts you reply to? The poster said they wanted to let the guest account send mail and your response is to make the guest account unable to

        • by Da_Weasel ( 458921 ) on Tuesday November 18, 2003 @02:12AM (#7500365)
          Nope....try to refrain from commenting when you really have nothing of value to add. The Windows Guest account is equivlent to the anonymous login in most other system. These do not require a valid password, and generally anything or nothing can be entered. If there was a password that could fail then it would no longer be a Guest/Anonymous account now would it?! Don't take it personally though, I was just in a flaming mood, and your post smelled like gasoline...haha!
      • Please read the article. This is not a flaw in exchange, but a flaw in the server configuration. The feature is generally disabled but might have been enabled if the server in question had been infected with a virus.

        To put it bluntly: Administrators who do not secure servers after a virus infection are not the victims of a Microsoft security hole, but the cause of this particular problem.

        Quote: "The guest account is a way for administrators to let visitors use a mail server anonymously, but because of s

    • I am 100% linux at work, but have the same problem as you, incompatible exchange server for evolution...

      So, I have been using outlook with codeweaver's crossover office (http://codeweavers.com/site/products/cxoffice/), which you are no doubt aware of, but if you haven't tried it, it is awesome. While not perfect, it certainly beats the other options of getting exchange mail on a linux desktop (term serv/rdesktop, outlook web access, dual booting, etc), and the small amount of money (~$60) is well worth it
    • Are you sure the upgrade will help you with Ximian? From what I understand, the Exchange server needs to turn on "http export" or something like that. It's basically M$ speak for webdavs. I can't use either Ximian Connector or KOrganizer at work with the Exchange Calendar just because of this.
      • Yea, We have http export enabled but the Ximian Connector doesn't support Exchange 5.5. It's too bad your company doesn't have the http enabled. :(
        • It's too bad your company doesn't have the http enabled.

          I'm still trying to figure out a way to politely ask IT to turn it on, without letting it be known that I'm not using Windows.

          p.s. I have permission to use FreeBSD at work, and IT doesn't "own" my system. But why provoke them unnecessarily?
          • Good point. Depending on the size of the company, IT departments tend to get a little agitated when you don't use the approved OS. I used to work for Intel developing Linux kernel modules. At first they refused to allow us to install linux on our boxes. (uhhh ok, they how do we do the job?) Then they wouldn't give us root access to the linux installation on our development machines. (or root equiv) Hard to develop kernel mods without root access. Oddly enough there were others in our group who had tr
  • Ensure (Score:2, Interesting)

    by Anonymous Coward
    Ensure? Insure? Do both work now? Apparently dictionary.com says so.
    • I think it's an Americanism. They certainly seem to trip up over the word more than others. Not quite as badly as with inquiry and enquiry though.
    • Re:Ensure (Score:3, Informative)

      by Tet ( 2721 ) *
      This is one Americanism that really pisses me off. Learn the difference between the two, and use the right one. To insure is to arrange financial or other reimbursement, in the event that the unwanted happens. To ensure is to take steps to prevent the unwanted happening in the first place. BTW, I don't care what dictionary.com may say. The definitive guide to the language is the Oxford English Dictionary, which says that in modern English, "insure" is used almost exclusively to mean protecting against losse
  • indemnity? (Score:4, Insightful)

    by bman08 ( 239376 ) on Tuesday November 18, 2003 @12:43AM (#7499986)
    Is microsoft indemnifying its customers against problems like this? I know that indemnity has been a big keyword of theirs lately and I'd just like to be certain that I can get indemnified if something like this happens. I mean, that's the advantage of going with a big, closed source company right? It's the indemnity.
    • by Black Parrot ( 19622 ) on Tuesday November 18, 2003 @02:07AM (#7500347)


      > Is microsoft indemnifying its customers against problems like this? I know that indemnity has been a big keyword of theirs lately and I'd just like to be certain that I can get indemnified if something like this happens. I mean, that's the advantage of going with a big, closed source company right? It's the indemnity.

      Yes, they agree to only charge you one license for the unauthorized use of 'guest', no matter how many spammers are actually using it.

      They also agree to send someone to show your PHB some overdecorated ppt slides about how secure their software is, if incidents like this have him thinking about switching to another software supplier.

  • This Just In... (Score:5, Insightful)

    by E-Rock ( 84950 ) on Tuesday November 18, 2003 @12:43AM (#7499988) Homepage
    Misconfigured servers are vulnerable to exploit allowing relaying. Film at 11.

    Granted, the bigger question is why is there a guest account at all, since you're not supposed to ever enable it.
  • guest accounts (Score:5, Insightful)

    by Pompatus ( 642396 ) on Tuesday November 18, 2003 @12:45AM (#7499999) Journal
    "If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," ......... The guest account is a way for administrators to let visitors use a mail server anonymously, but because of security issues, the feature is generally not enabled.

    Why on earth does a guest account even EXIST anymore????? I would think it is obvious that guest access on any machine is a bad thing.

    Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled, Greenspan said.

    Was code red really just a tool for spammers?
    • This is like asking why default passwords exist. It boggles the mind how many users have their default Win2k Administrator account password set to "Admin".

      The system should at least make you do a security question, or *something*. Even "type your last name to gain Administrator access" would be more secure than "Admin".

      The bottom line is, any sysAdmin who buys a software package because it's got a "security guarrentee" needs to be hit in the face with a hammer, repeatedly.
    • Re:guest accounts (Score:5, Insightful)

      by ejaw5 ( 570071 ) on Tuesday November 18, 2003 @01:29AM (#7500200)
      What's worse about the guest account is that while it can be disabled, it cannot be removed.
      • Re:guest accounts (Score:4, Interesting)

        by MarcQuadra ( 129430 ) * on Tuesday November 18, 2003 @05:44AM (#7500848)
        I don't know if it's worth anything, but I always rename the default accounts on any windows box that's connected to the 'net. I rename Administrator to 'root' and guest to 'nobody' and other such nonsense. One would think that it would at least stop a great many 'brute-force' scripted login attempts against windows machines. It's also more convenient for me as a Linux Guy to have 'root' login (ever typed 'Administartor'?)
        • Re:guest accounts (Score:3, Interesting)

          by fdiskne1 ( 219834 )
          I rename the administrator account for my net-facing servers to some nearly random series of characters that no one could guess, but I know and also have hidden away, just in case. I rename the "Guest" account to "Administrator", disable it, expressly deny logon rights and expressly deny NTFS permissions to the root of the C: drive. Should take care of anyone attempting to log on as "Administrator" AND "Guest".
        • (ever typed 'Administartor'?)

          No, but I've typed 'Administraitor' before... :)

    • Guest Accounts (Score:5, Interesting)

      by Detritus ( 11846 ) on Tuesday November 18, 2003 @03:52AM (#7500628) Homepage
      Maybe because some of us still believe that computers are there to provide useful services to the community, which may be a university, corporation or other large organization.

      Many organizations are decentralized, without an IT Gestapo to dole out accounts and enforce the "One True Way".

      In many cases, multiple organizations need to collaborate and share information in order to pursue common goals.

      In other words, I may wish to share information and resources with other people, even members of the public, without requiring them to have an account on the system.

      If I wanted perfect security, I would encase the computer in concrete and dump it in the ocean.

      • Re:Guest Accounts (Score:3, Informative)

        by mjh ( 57755 )
        That is the worst excuse for insecurity that I've ever heard. Call me the IT gestapo if you like but there are a TON of ways to securely share documents with an unknown anonymous community. Don't believe me? What do you think you're doing right now! A web page is nothing more than a series of files. Files that are securely shared and, most of the time, done incredibly easily.

        Using the guest account is probably the worst way that I can think of to share files... oh wait, I just thought of a worse one -
    • Re:guest accounts (Score:3, Interesting)

      by kinkie ( 15482 )
      Just for the same reason why my brand new Linux box has a "nobody" account. Which, admittedly, cannot log on.

      Having an user with no privileges whatsoever (at least in theory) is a very handy convenience.
  • Are you INSANE? (Score:4, Interesting)

    by CrankyFool ( 680025 ) on Tuesday November 18, 2003 @12:45AM (#7500001)
    What sort of IT group decides to run their Exchange environment unprotected on the internet?

    I'm working for a company that's deeply in MS's back pocket -- we use Windows *everything*, including Exchange. Our SMTP gateway? Postfix on Linux. Sure, I'd rather it was OpenBSD, but whatever -- it's still not Exchange.

    The bloatier the app, the harder it is to ensure it's secure. These are probably the same sort of people who run SQL Server on an unfirewalled system and are then shocked someone managed to hack into it.

  • RTFA (Score:2, Insightful)

    It's an issue. But Microsoft is saying it's not a big one.
    Open realys are not a big problem? Right.
    What Microsoft really means we are making money on it so it's not a problem shut up and go away and leave us alone.
  • Three words... (Score:3, Informative)

    by allan_q ( 561224 ) on Tuesday November 18, 2003 @12:46AM (#7500008)
    Turn off Guest!
  • Guest account (Score:3, Informative)

    by sigxcpu ( 456479 ) on Tuesday November 18, 2003 @12:52AM (#7500044)
    Since M$ windows will not allow you to delete the guest account (or administrator) it is standerd practis,
    after disabeling guest to rename both accounts to somthing hard to guess.

    It might shock you but on my Linux boxes the superuser is not called 'root' either.
  • by mattyohe ( 517995 ) <matt.yoheNO@SPAMgmail.com> on Tuesday November 18, 2003 @01:00AM (#7500073)
    this issue was never really resolved for exchange 5.5.. but it is simply resolved in 2000 which is detailed here [msexchange.org]

    If you are running Exchange 5.5 you shouldn't be wasting time locking it down... Your hours would be better spent opening ports on your firewall or something, because 5.5 is so old and underupdated that it more efficient to work on a new mail server with new software.
  • 10 hours after BG announced anti-spam protection in Windows [nwfusion.com] something like this comes up. Now they can claim spam reduction just by patching their own crappy software.
  • by bluekanoodle ( 672900 ) on Tuesday November 18, 2003 @01:03AM (#7500084)
    This is a completely retarded article. This isn't a hole, it's a misconfigured mail server improperly secured after a virus infection.

    Here I thought /. was the source for fair and balanced coverage.

    Must be a slow news week when a college kid can get the media's attention because he decided to point out the obvious.

    • by Anonymous Coward on Tuesday November 18, 2003 @01:11AM (#7500129)
      Here I thought /. was the source for fair and balanced coverage.
      You're new here, aren't you?
    • The effect of articles like this is making true, realisitic criticism of MS security by Unix users look like the same kind of bullshit we see here.
      • Shrug, Exchange much like Sendmail has always been a bastard child. It deservedly should always have an albatros around it's neck.

        I mean hell, you don't so much admin exchange as wrestle with it(although this might have changed).

        And realistic criticism pretty much amounts to: Hire someone with experience, good references, who knows their stuff and the only difference in security is going to be employment cost versus sunk cost.

        There is no remote MS flaw that can't be worked around to my knowledge, and th
    • Actually its an error considering when the login FAILS you can still send email. RTFA!!!
      • It's not that it fails, it's that you don't understand how ACLs work in Windows.

        A simple login 'failure' only locks them out from a single user account. If they can authenticate on any of the other accounts, they're still a logged in user. If the guest account is active, they'll be able to authenticate, and viola.

        If you actually know what you're doing with Windows, you disabled that account years ago.
    • Here I thought /. was the source for fair and balanced coverage.

      As "fair and balanced" as that other fair and balanced news source anyway.
    • The only thing suprising (or maybe not?) about this is Microsoft's apathy. Yes, it is a mis-configured mail server, possibly resulting from a virus infection. However, in all of the removal docs I never saw it mentioned to check and re-disable the guest account.

      I can easily see how many people would simply RTFA on how to remove it, not read anything about it re-enabling the guest account, and simply think they are okay.

      After a quick read of the Symantec removal steps, they did not include anything about
  • by Robber Baron ( 112304 ) on Tuesday November 18, 2003 @01:14AM (#7500139) Homepage
    ...and I run multiple Exchange boxen in multiple locations. ...of course I wouldn't do anything so clueless as leave the relays open or leave the default guest account active.

    As far as open relays go, it actually pains me to have to close them off. I'd rather leave them open and help people out when their ISPs are dicking them around. Unfortunately a few assholes are ruining it for everyone else.
  • Hmmmm. (Score:3, Insightful)

    by Sevn ( 12012 ) on Tuesday November 18, 2003 @01:16AM (#7500145) Homepage Journal
    Perhaps instead of spending a fortune to "innovate" a matrix knockoff (how original) they could spend some money on making secure software.
  • by xQx ( 5744 ) on Tuesday November 18, 2003 @01:20AM (#7500164)
    This is silly, exchange 5.5 and exchange 2000 don't ship with "allow users to relay if they authenticate regardless of if they are in this list" checked by default. Systems Administrators need to enable that feature specifically.

    Also, The guest account is disabled by default.

    Saying exchange servers may be relaying because of this 'bug' is like saying linux is insecure because you can set a blank root password and enable sshd to accept connections as root.
  • News Flash! (Score:3, Insightful)

    by donutello ( 88309 ) on Tuesday November 18, 2003 @01:21AM (#7500169) Homepage
    If your server has been compromised and you don't take adequate steps to clean it up after that there is the potential that it is still vulnerable.
  • Balance (Score:2, Insightful)

    by m00nun1t ( 588082 )
    Hmmm, nice editorial on Exchange, what should I use for a secure product - Sendmail?

    And please stop quoting out of context, it was always said the focus on security was for new products. Exchange 5.5 is hardly a new product. Find a problem in Exchange 2003 and then you can complain. /. people should know better than most that you can't retroactively flip a security bit and make past mistakes better, security is built into the product from the ground up. So why do you expect it from Microsoft?
    • If security is built into the product from the ground up, you're fucked by satan sideways with a pineapple. Cause the later versions are always built upon the older ones, even with a recode certain things need to stay the same.

      You will always need to upgrade software, you will always need to patch it, the only real difference is MS charges you for it every few years.
  • deserves to be shot. The only way you'd ever convince me to even let an exchange go up is if it was strictly internal use, and COMPLETELY firewalled off the net. Even then i'd be nervous.
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Tuesday November 18, 2003 @01:45AM (#7500263)
    The problem has nothing to do with Exchange, or SMTP itself. It has to do with SMTP AUTH -- an extension that allows clients to authenticate themselves. This allows a roaming client (connecting from anywhere) to authenticate via username and password, and they are then given relaying rights as if they were directly on the ISPs network.

    The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more. Once the spammer is 'authenticated' they are free to relay. They could have also guessed any real user's password, the effect would be the same.
    • by doorbot.com ( 184378 ) on Tuesday November 18, 2003 @02:57AM (#7500491) Journal
      The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more.

      This is 90% correct. It's important to understand the function of the "Guest" account in Windows. It allows any user, using any login name, and any password, to authenticate. Enabling the "Guest" account does not allow the username "Guest" to login specifically, it enables any username, which does not match an existing user in Active Directory or the local SAM to authenticate.

      Clearly this is a security vulnerability, and why the Guest account ships in the disabled state. It would be very nice if Windows would warn you when you enabled it, and made an attempt to explain the implications of doing so.

      With regards to attempts at guessing SMTP AUTH passwords, this has been happening lately. One caveat is that one a Linux box it can be difficult to enumerate the usernames, while on a Windows box (AD/NT/workstation) it is usually quite easy <insert obligatory firewall statement here>.
    • The attacker simply finds a frequently used account such as 'guest' and guesses a few passwords on it. This is classic account/password compromise, nothing more.

      the article says:
      "If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall,"

  • by Anonymous Coward on Tuesday November 18, 2003 @01:53AM (#7500293)
    I'm all for kicking a company when they deserve it but yet again I feel this Microsoft bashing episode is another beefed up piece of CNET pseduo FUD disguised as news. I'm sick of the way they trump up the Windows vs. *Nix wars - it brings in readers (baaaaa).

    I agree it's a potential issues, but FFS this is 90% (again) a problem with the system admins, not Microsoft. Remember the recent spate of SSH issues - I know a handful of companies who got fucked by that because their admins had poor root passwords and didn't keep up with security issues. I do however agree that it should probably be removed (note that guest is off by default in Windows Server 2003).

    We need less dickheads running IT. It's not that hard to build secure solutions regardless of what platform you choose - you just need to know what you are doing.Companies need to grill their staff better at interviews and follow their performance.

    My 2 cents...
  • Please... (Score:2, Insightful)

    by Shippy ( 123643 ) *
    So, software that is years old is insecure. Not a big surprise. Install any Linux distro that is years old and you're going to find security holes as well.

    Also, what software at Microsoft says it's secure? The only thing I can think of is MBSA [microsoft.com] and that pretty much just tells you if you have all patches installed. Notice how Exchange 2003 doesn't suffer from this problem. Also, it relies on a misconfigured server or a server that was previously infected from code red. This feature is off by default. IMHO,
  • Turn off SMTP AUTH (Score:3, Informative)

    by csk_1975 ( 721546 ) on Tuesday November 18, 2003 @02:34AM (#7500435)
    This is an SMTP AUTH problem and any mail server which permits relaying using SMTP AUTH and doesn't filter by source IP is open to this type of abuse. Exchange is more susceptible to this attack than other mail servers because there are predictable account names which can be brute forced and SMTP AUTH is enabled by default. It is simple [microsoft.com] to turn this off [microsoft.com].

    What is the big deal?

    It looks like thinkcomputer has an ulterior motive "Microsoft telephone support is not available without the risk of paying a relatively high per incident fee. Therefore, we recommend contacting Think Computer via e-mail at info@thinkcomputer.com for more information about the issues discussed in this White Paper."
  • by Zeddicus_Z ( 214454 ) on Tuesday November 18, 2003 @03:47AM (#7500619) Homepage
    "If the guest account is enabled (on Exchange 5.5 and 2000), even if your login fails, you can send mail, because the guest account is there as a catchall," he said. "Even if you think you've done everything (to secure the server), you are still open to spammers."

    Um, excuse me? Any idiot with more than 7 days experience administering a Windows server should know that the Guest account is BAD BAD BAD.

    By definition "Guest" doesn't require successful authentication to access resources. The entire reason "Guest" exists is to provide un-authenticated access to resources.

    I can read bugtraq as well as anyone else, so I'm aware of the past history Microsoft has with the security of its products. However, no sane person could reasonably attribute this "flaw" to Microsoft software. A more apt description is "Flaw in MS Exchange 5.5 and 2000 Administrators".

    I mean really. It's like setting a Windows Domain Administrator account password to "Administrator" or "password" (another major cause of Exchange-based spam. Grep USENET and MS KB's for UI).

    No software yet written or ever to be written in the future can make up for mistakes, oversights and sometimes just plain stupidity of humans.
  • Insure? (Score:2, Informative)

    by norfolkboy ( 235999 )
    "If you are using vulnerable versions of Exchange, and have been hit by a Code Red variant, you may want to insure your 'guest' accounts are still disabled. "

    What insurance policy would that be on sir?

    I think you mean "you may want to ensure..."
  • by ahodgkinson ( 662233 ) on Tuesday November 18, 2003 @04:12AM (#7500669) Homepage Journal
    Wait a minute. The problem only affects misconfigured servers? The article states that the problem affected servers infected by CodeRed that had been de-infected, presumably by service packs downloaded from Microsoft. To quote:
    • ..Exchange servers that had been infected by the Code Red worm and subsequently cleaned will still have the guest account enabled...
    Does cleaned mean that a MS service pack forgot to close the holes or even opened a new security hole? Either way, in the light of MS's so called security initiative the result is unacceptable.

    The argument that moron administrators forgot to do something misses the point. Microsoft should know that most administrators don't have the time, training or resources available to discover and understand all the OS settings required to secure their servers. That's why vendors who sell secure systems set strict default settings. A real security initiative would lock down the OS a tight as Guantanamo Bay, but MS rightly fears that would alienate their customers.

    Early on MS's goal was market share and control. They targeted 'ease of use' and adopted a policy of tight integration between the OS and applications, including massive auto-enabling (by default!) of applications via application data like documents, e-mails, etc. The result is that the current Microsoft server is merely a single user system on steroids. Even with their previous Internet initiative (which basically produced a free embedded browser and a lot of service packs) the MS OS still suffers from the single user mindset. Witness all the 'way too friendly' default settings on most Microsoft systems. It worked (mostly) fine when the PCs were all in one office connected by a sneaker net (the viruses just spread slower via floppy). But now in the Internet age they're paying the price.

    As Bruce Schneier says: security is a process not a product. Until that process becomes part of MS's corporate culture, don't expect much security from Microsoft. Gates may be trying to change that, but given their history of going after market share and their foundations of sand, it's gonna take a long time.

    • by Anonymous Coward
      "The argument that moron administrators forgot to do something misses the point. Microsoft should know that most administrators don't have the time, training or resources available to discover and understand all the OS settings required to secure their servers."

      Are you smoking crack? Isn't it an administrators *JOB* to know how to do this?

      And everyone wonders why IT departments are getting shipped overseas - people think they can be an administrator and not know how to do anything. If I'm going to hire a
  • Very misleading... (Score:3, Insightful)

    by nmg196 ( 184961 ) on Tuesday November 18, 2003 @05:13AM (#7500787)
    I hardly think an open Guest account is a security problem with Exchange server. It's more a competance problem with the server's administrator. A lot of systems have a Guest account - if it's enabled, Guest's will get in - that's what those accounts are for!

If mathematically you end up with the wrong answer, try multiplying by the page number.

Working...