Recipe10.12.Changing Server Banners

Recipe 10.12. Changing Server Banners

Problem

You want to change the service connection banner displayed to new SMTP, IMAP, or POP sessions.

Solution

Using a graphical user interface

The following steps describe how to use MetaEdit on Windows 2000 Server to change the SMTP, IMAP, or POP banners:

Log in to the target Exchange server as an administrator.
Download MetaEdit 2.2 from the Microsoft Download Center (http://download.microsoft.com/download/iis50/Utility/5.0/NT45/EN-US/MtaEdt22.exe) and install it.
Open MetaEdit and open the Lm\<ServiceName>\<VirtualServerNumber> node, where <ServiceName> is either imap4svc, pop3svc, or smtpsvc.
From the Edit menu, select New String.
In the Data field, type the new banner entry.
Close MetaEdit.
Stop and restart the service whose banner you modified.

The following steps describe how to use MetaBase Explorer on Windows Server 2003 to change the SMTP service banner:

Log in to the target server as an administrator.
Install the IIS 6.0 Resource Kit on the Exchange Server 2003 server (get it from:
http://download.microsoft.com/download/7/8/2/782c25d3-0f90-4619-ba36-f0d8f351d398/iis60rkt.exe
if necessary).
Open the MetaBase Explorer.
Expand the LM and SmtpSvc nodes, right-click the number corresponding to the SMTP virtual server instance you are going to modify, and select New String Record.
In the Value Data field, type the new banner entry.
Close MetaBase Explorer.
Stop and restart the service whose banner you changed.

Using a command line

Log in to the target Exchange server as an administrator.
Use the net stop command to stop the service whose banner you want to modify (see Table 10-2 for service names). For example, to stop the IMAP service, use the following command:
```
> net stop imap4svc
```
Use the smtpmd command (only available from PSS) to set the new banner:
```
> smtpmd SET -path <svcName>/<svcInstance> -dtype STRING -prop <propertyID> -value <banner>
```
where <svcName> is the name of the service (pop3svc, imap4svc, or smtpsvc), <svcInstance> is the virtual server instance number (the first virtual server is 1, the second is 2, and so on), <propertyID> is the ID of the string for that service's banner (36097 for SMTP, 49884 for IMAP, or 41661 for POP), and <banner> is the text you want to appear in the banner (surround it in quotes if it contains spaces).
Use the net start command to restart the stopped service.

Discussion

The usual rationale for changing the SMTP banner is to prevent advertising the fact that your server is running Exchange; by stripping this revealing information, so the theory goes, potential attackers will not realize they have connected to an Exchange server and will not try any Exchange-specific attacks they may know about.

This theory sounds great right up until the time you connect your modified server to the Internet. What really happens is that the attacker replies to the ESMTP banner with a properly formatted EHLO response; why not, since they are going to need to do so no matter which attack they wish to launch? They then see the list of extended SMTP verbs supported by the server and immediately realize they are dealing with Exchange thanks to the Exchange-specific ESMTP features. Even more commonly, they are not looking for software-specific vulnerabilities, but configuration errors that will allow them to relay messages through your server; they do not care what software you are running, only whether you have properly closed down relay access. This rationale is less applicable to the POP and IMAP services because they don't implement any significant Exchange-specific features.

Because the Exchange SMTP, IMAP, and POP services extend the underlying IIS services, this recipe depends on the version of Windows on your Exchange server, not the version of Exchange. Although you cannot install Exchange 2000 on Windows Server 2003, you can run Exchange Server 2003 on Windows 2000 (see Chapter 1 for more details).

By default, the SMTP banner is a string concatenated from the following elements:

The SMTP result code 220 indicating the beginning of the session
The fully qualified domain name of the server
The string "Microsoft ESMTP MAIL Service, Version:"
The version of the ESMTP mail service
The string "ready at"
The date and time

For example:

 220 host.fdqn.tld Microsoft ESMTP MAIL Service, Version: 6.0.3790.211  ready at  Wed, 8 Dec 2004 22:52:28 -0800

When you change the banner property, Exchange will still display the SMTP result code, the FQDN, and the date/time stamp. Setting the ConnectResponse property to a value of "ESMTP This space for rent" would thus produce:

220 host.fdqn.tld ESMTP This space for rent Thu, 9 Dec 2004 00:52:01 -0800

Whatever connection string you use, be sure to include the string ESMTP in it or else you may disable Extended SMTP functionality on connections with other systems. Some SMTP implantations will not assume the presence of Extended SMTP functionality unless they see the string ESMTP in the initial banner; without it, they will not send an EHLO on the initial connection. This behavior is based on an unwritten rule that many early ESMTP implementations used, though it was never codified in any RFC.

MetaEdit was originally part of the IIS 4.0 Resource Kit. The latest version, 2.2, works on both Windows NT 4.0 and Windows 2000 Server, but will not work on Windows Server 2003 due to the comprehensive changes in the metabase for IIS 6.0.

Editing the metabase for IIS 6.0 is a bit easier. You can use the MetaBase Explorer utility, also part of the appropriate resource kit, or you can take advantage of the ability to directly edit the metabase in XML form. While this feature permits easier scripting capabilities, it is outside the scope of this book. Microsoft provides an example of this functionality in Chapter 6 of the Exchange Server 2003 Technical Reference Guide.