COMMAND

    REBOOT.INI

SYSTEMS AFFECTED

    BackOffice Server 4.0

PROBLEM

    Russ Cooper found the following.  The Microsoft BackOffice 4.0 Setup
    utility creates a file called REBOOT.INI in the

        \Program Files\Microsoft BackOffice

    directory which contains plaintext user IDs and passwords for, at
    least, the SQL Executive Logon account, the Exchange Services
    Account, and the MTS Remote Administration Account, if supplied
    during BackOffice Setup.  Other user account passwords may be
    recorded in this file during setup as well; however, Russ's
    investigations have so far only revealed those mentioned.  This
    file is created and stored with EVERYONE: FULL CONTROL
    permissions.  Obviously this represents a significant risk for
    BackOffice servers that allow console logons by non-Administrators
    and/or remote access to the \Program Files directory.

    Another potential vulnerability exists in this same directory.
    REGEDIT.EXE is stored there with EVERYONE: FULL CONTROL
    permissions.  Although proper permissioning of the registry should
    prevent inappropriate access to it, control over this executable
    is usually also desired.  There's no reason for this file to
    exist in this directory, given that it should be accessible via the
    normal path environment variable.  Its existence could allow
    someone to attempt to use it without the auditing or the permission
    controls that might normally be applied to executables in the
    \systemroot directory tree.

SOLUTION

    The fix for this problem is to delete the file
    <systemdrive>\Program Files\Microsoft Backoffice\Reboot.ini after
    each BackOffice 4.0 installation, whether successful or not.  The
    file is created only by the installer, and, once deleted, will not
    be re-created unless BackOffice 4.0 is re-installed.
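
    The check and fix described above, as an added PowerShell example
    that is not part of the original advisory.  It assumes the install
    directory sits under the system drive as the advisory gives it; the
    script's parameter and function names are hypothetical.

```powershell
# Added example, not from the original advisory.
# Assumption: BackOffice was installed to the path the advisory names,
# under the current system drive. Override with -Dir if it was not.
param(
    [string]$Dir = (Join-Path $env:SystemDrive 'Program Files\Microsoft BackOffice'),
    [switch]$Remove   # delete Reboot.ini instead of only reporting it
)

$full = [System.Security.AccessControl.FileSystemRights]::FullControl

# True if the file's DACL has an Allow entry granting Everyone full control.
# Everyone is matched by its well-known SID (S-1-1-0), so the check also
# works on localized systems where the group has a different display name.
function Test-EveryoneFullControl {
    param([string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq 'S-1-1-0' -and
            $r.AccessControlType -eq 'Allow' -and
            (($r.FileSystemRights -band $full) -eq $full)) {
            return $true
        }
    }
    return $false
}

# The two files the advisory names in this directory.
foreach ($name in 'Reboot.ini', 'REGEDIT.EXE') {
    $path = Join-Path $Dir $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        "$name : not present in $Dir"
        continue
    }
    $open = Test-EveryoneFullControl -Path $path
    "$name : present, Everyone:FullControl = $open"

    # Only Reboot.ini is deleted; the advisory's fix does not cover REGEDIT.EXE.
    if ($name -eq 'Reboot.ini' -and $Remove) {
        Remove-Item -LiteralPath $path -Force
        "$name : deleted"
    }
}
```

    Run it without arguments to report only, and with -Remove after each
    BackOffice 4.0 installation to delete Reboot.ini.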