COMMAND

    MS Exchange

SYSTEMS AFFECTED

    - Microsoft Exchange 2000 Server CDs without "Rev. A" stamped on the CD on the line below the Part No.
    - Microsoft Exchange 2000 Enterprise Server CDs without "Rev. A" stamped on the CD below the Part No.

PROBLEM

    The following is based on a Microsoft Security Bulletin (MS00-088).
    In early shipments of Exchange 2000, setup creates an account
    with a known username and password. If a malicious user learned
    the username and password, he or she could log onto the account.
    Under normal circumstances, this account only has local user
    rights: it is not a privileged account and cannot access
    Exchange 2000 data. However, if Exchange 2000 were installed on
    a Domain Controller, the account would also have Domain user
    privileges, and the malicious user could thus gain access to
    other resources in the affected Domain. Even then, he or she
    would still be restricted from accessing Exchange 2000 data.

    This also applies to evaluation editions and to Microsoft Exchange
    2000 Server and Microsoft Exchange 2000 Enterprise Server included
    on the October 2000 Select CDs.

SOLUTION

    To eliminate the security vulnerability, Microsoft has provided a
    manual procedure, discussed in the FAQ, and a tool to protect
    their customers. Microsoft also recommends that customers affected
    by this vulnerability disable or delete this account after setup
    completes. In addition, Exchange 2000 SP1 will contain a fix that
    removes this vulnerability. The tool can be downloaded from:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25866