Exchange 5.0 POP3 Passwords
Reported August 27, 1997 by Rajiv Pant
Systems
Affected
Windows NT 4.0 Server running Exchange 5.0 with POP service
The
Problem
Exchange 5.0 Server"s POP3 service does not properly expire cached passwords. Therefore, old passwords continue to be valid along with newly set passwords until the cache expires. The same problem can be found in Microsoft"s FTP, HTTP, and Gopher services, as pointed out by David LeBlanc. According to Rajiv Pant, this problem does not affect the new web page interface to get your mail which uses a different authentication. Nor does it affect NT logons.
Stopping the Problem:
Correcting the problem entails adjusting the cache timeout in the Registry.
From the MS KB Article Q166620:
The credentials cache is controlled by the following registry values:
HKLM\System\CurrentControlSet\Services
\MsExchangeIs\ParametersNetIf
\Credentials
Cache Age Limit (Default = 120 minutes)
HKLM\System\CurrentControlSet\Services
\MsExchangeIs\ParametersNetIf
\Credentials
Cache Idle Limit (Default = 15 minutes)
HKLM\System\CurrentControlSet\Services
\MsExchangeIs\ParametersNetIf
\Credentials
Cache Size (Default = 256 buckets)
Note: to turn off caching, you should set the size = 0
The Age limit specifies the maximum length of time (in minutes) for
entries to live in the cache, the Idle limit specifies the amount of
idle time after which a credential cache element will be considered
too old (and thus discarded).
Microsoft"s Response:
They have been notified, but their response it unknown as of September 1. Perhaps this functionality is by design.
To learn more about new NT security concerns,
subscribe to NTSD.
Credit:
Reported by Rajiv Pant
Posted here at NTSecurity.Net August 31, 1997 11am
|