Re: IIS SMTP component allows mail relaying via Null Session

[Todd Sabin <tsabin () razor bindview com>]

"Toni Lassila" <toni.lassila () mc-europe com> writes:
> > Overview:
> > IIS comes with a small SMTP component.  The default settings allow
> > anyone who can authenticate to it to relay email.  Because the
> > authentication system supports NTLM, it is possible for anyone to
> > authenticate using null session credentials, and then relay email.
> >
> > Workarounds:
> > Disable the SMTP service.
> > Disable the ability of authenticated users to relay email.
> > Firewall off the SMTP service from untrusted networks.
>
> I suspect turning off NTLM authentication and allowing only Basic
> Authentication (with or without TLS), 

I tried this, and it appears to be effective.

>                                       or alternatively disabling
> null session access (details are in many MS KB) from the server
> are two possible workarounds as well. Disabling null sessions is
> one of those security features one should do when securing a
> Windows-based server anyway.

If by "disabling null sessions" you mean setting RestrictAnonymous to
1 or 2, then that is not effective.  RestrictAnonymous doesn't disable
anonymous access, it just places additional restrictions on it.  You
can still authenticate just fine with a null session when RA=2, and
that's all you need for relaying.


Todd

-- 
Todd Sabin                                               <tas () webspan net>
BindView RAZOR Team                            <tsabin () razor bindview com>