Can someone please outline the purpose of the Address folder?

  • Question

  • Hello,

    Other than containing DLL files for, I assume, policy updates for SMTP proxy addresses, what is the purpose of the folder "C:\Program Files\Microsoft\Exchange Server\Mailbox\address" and why is it shared?

    Is this folder available through Outlook Anywhere or OWA?

    I have had a server compromised and this folder has executables in it running as services.

    I am recommending rebuilding the server; however, I want to be sure that this cannot happen again and that I understand what the folder does.

    Thanks


    Michael Jenkin (Mickyj) www.mickyj.com (Community website) - SBS MVP (2004 - 2008) *5 times Microsoft MVP award winner *Previously MacWorld Australia contributor *Previously APAC Vice Chairman Culminis (Pro IT User group support system)* APAC chairman GITCA *Director Business Technology Partners, Microsoft Small Business Specialist, SMB150 2012 Member

    Tuesday, October 16, 2012 8:44 AM

Answers

  • On Tue, 16 Oct 2012 08:44:59 +0000, Mickyj.com wrote:
     
    >Other than containing DLL files for, I assume, policy updates for SMTP proxy addresses, what is the purpose of the folder "C:\Program Files\Microsoft\Exchange Server\Mailbox\address" and why is it shared?
    >
    >Is this folder available through Outlook Anywhere or OWA?
    >
    >I have had a server compromised and this folder has executables in it running as services.
    >
    >I am recommending rebuilding the server; however, I want to be sure that this cannot happen again and that I understand what the folder does.
     
    The folder is shared because each Exchange server verifies that it has
    the same version of the address generators as the other servers. If
    you update one server by adding a new (or updated) address generator
    the other servers will copy the new version to their directory.
     
    Only local administrators and the machine account of the computer that
    hosts the share should have write permission on the share. If one of
    the admins was the source of the problem (a much better chance than
    the machine account) it's a problem that's hard to prevent.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    • Marked as answer by Mickyj.com Wednesday, October 17, 2012 10:30 PM
    Wednesday, October 17, 2012 12:13 AM
  • Hi Micky,

    Based on my experience, this folder contains the subdirectories for proxy address generators. The default installation contains DLLs for Notes, SMTP, and X.400 e-mail address generators.

    As Rich said, each server would check and copy this shared folder to make sure that they have the same version.

    And if you do not have this folder or the permissions are not set correctly on this folder, you would receive errors while creating or linking mailboxes.

    Thanks,

    Andy

    • Marked as answer by emma.yoyo Thursday, October 18, 2012 2:03 AM
    Wednesday, October 17, 2012 6:04 AM
    Moderator

All replies

  • I think it's needed for some remote management operations, e.g. when you create a new mailbox using Exchange Management Console or Shell from a workstation. If you have EMC on a workstation, you could easily test this by temporarily unsharing it.

    Mobile OWA For Smartphone
    www.leederbyshire.com
    email a@t leederbyshire d.0.t c.0.m

    Tuesday, October 16, 2012 1:38 PM
  • Thanks for everyone's replies. Let me detail more of what I have found, as someone might be able to fill in the blanks.

    This particular server has three services listed purely as GUIDs (in services.msc). These were installed into the registry in August 2010. Up until recently, they were hidden and no one knew that they were there. Suddenly they have appeared, and I found out the install date using a third-party tool by NirSoft.

    The three exe files for these three services were in "C:\Program Files\Microsoft\Exchange Server\Mailbox\address" and had randomly generated names.

    When you go to this folder, these exes are no longer there. Looking in backups and in Volume Shadow Copy, they have not been there for quite some time. There was one other exe currently there. It was a known password stealer.

    As the Administrators group is the only one that can write to that folder (and there are no strange accounts in the Administrators group), I am trying to work out how these files got there and what they could do.

    The services will no longer run (as the exe files are gone) and I can't get the files to test for viruses within them.

    Obviously someone got to this share and could write to it. That is why I am interested in what other interface to this folder exists, i.e., is it published via WebDAV or other?

    The other curious thing involved iPhones attached via ActiveSync. The dates that these files existed and the date the services were created were also the dates that the phones attached via ActiveSync were getting Flash Zero SMSs. The SMSs were scary, as they contained network passwords.

    Hence I really want to solve this and figure out how access was gained.

    Microsoft ran a Windows Online Forensics (WOLF) against the server in question back in August 2010; it found nothing. Symantec and Trend Micro also looked. Many anti-rootkit and other tools were run. The server got a clean bill of health (as much as you can when dealing with malware/rootkits). The forensics team at the local police cloned the phones and looked into the way the phones were being targeted.

    The phones were not jailbroken, no weird apps installed. It happened from iOS 4 through to 5. As the telephony companies do not record and track the use of Flash Zero, we got no help there.

    Two years later we stumble on these files.

    If anyone knows anything, no matter how small (or freaky), let me know.


    Wednesday, October 17, 2012 1:07 AM
  • On Wed, 17 Oct 2012 01:07:35 +0000, Mickyj.com wrote:
     
    >
    >
    >Thanks for everyone's replies. Let me detail more of what I have found, as someone might be able to fill in the blanks.
    >
    >This particular server has three services listed purely as GUIDs (in services.msc). These were installed into the registry in August 2010. Up until recently, they were hidden and no one knew that they were there. Suddenly they have appeared, and I found out the install date using a third-party tool by NirSoft.
    >
    >The three exe files for these three services were in "C:\Program Files\Microsoft\Exchange Server\Mailbox\address" and had randomly generated names.
    >
    >When you go to this folder, these exes are no longer there. Looking in backups and in Volume Shadow Copy, they have not been there for quite some time. There was one other exe currently there. It was a known password stealer.
    >
    >As the Administrators group is the only one that can write to that folder
     
    That's not true. The machine's computer account can also write to the
    share. And there are other permissions on the directory (not the
    share) that allow modification (Power Users, Terminal Server Users,
    SYSTEM). Also, access to the directory is possible for anything with
    permission to get to the administrative share for the drive -- or if
    the entire drive is shared.
     
    >(and there are no strange accounts in the Administrators group), I am trying to work out how these files got there and what they could do.
     
    That horse has already left the barn. Auditing on the directory would
    tell you that, but you can't turn back the clock.
     
    >The services will no longer run (as the exe files are gone) and I can't get the files to test for viruses within them.
    >
    >Obviously someone got to this share and could write to it. That is why I am interested in what other interface to this folder exists, i.e., is it published via WebDAV or other?
     
    No. It's used only for address generation -- at least that's all
    Exchange uses it for.
     
    >The other curious thing involved iPhones attached via ActiveSync. The dates that these files existed and the date the services were created were also the dates that the phones attached via ActiveSync were getting Flash Zero SMSs. The SMSs were scary, as they contained network passwords.
    >
    >Hence I really want to solve this and figure out how access was gained.
    >
    >Microsoft ran a Windows Online Forensics (WOLF) against the server in question back in August 2010; it found nothing. Symantec and Trend Micro also looked. Many anti-rootkit and other tools were run. The server got a clean bill of health (as much as you can when dealing with malware/rootkits). The forensics team at the local police cloned the phones and looked into the way the phones were being targeted.
    >
    >The phones were not jailbroken, no weird apps installed. It happened from iOS 4 through to 5. As the telephony companies do not record and track the use of Flash Zero, we got no help there.
    >
    >Two years later we stumble on these files.
    >
    >If anyone knows anything, no matter how small (or freaky), let me know.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
    Wednesday, October 17, 2012 2:56 AM
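The checks Rich describes in the two replies above (who can write to the directory versus the share, and auditing on the directory so a future change is recorded) can be scripted. This is an added example, not code from any poster; it assumes the default path quoted in the question, the SmbShare module (Windows Server 2012 or later) for the share step, and an elevated session. It also lists services whose binary sits under that directory or whose name is a bare GUID, the two symptoms the question reports.

```powershell
# Added example (not from the thread). Assumes the default Exchange path quoted in
# the question; the SmbShare module (Server 2012+) is needed for the share step.
$AddressDir = 'C:\Program Files\Microsoft\Exchange Server\Mailbox\address'

# 1. NTFS ACEs that allow writing. Rich's point: Power Users, Terminal Server
#    Users and SYSTEM may appear here even though the share ACL is tighter.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]'Write,Modify,FullControl')
Write-Host "== Directory ACEs granting write on $AddressDir"
(Get-Acl -Path $AddressDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ([int]$_.FileSystemRights -band $writeMask) } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# 2. Share-level ACL for whichever share points at the directory.
Write-Host "== Share permissions"
Get-SmbShare | Where-Object { $_.Path -eq $AddressDir } |
    Get-SmbShareAccess | Format-Table Name, AccountName, AccessRight -AutoSize

# 3. Services whose binary lives under the directory, or whose name is a bare
#    GUID as in the question. A legitimate address generator is a DLL loaded by
#    Exchange, not a service, so any hit here deserves a look.
Write-Host "== Services to review"
Get-CimInstance Win32_Service |
    Where-Object { ($_.PathName -like "*$AddressDir*") -or
                   ($_.Name -match '^\{?[0-9a-f]{8}-[0-9a-f]{4}-') } |
    Format-Table Name, State, StartMode, PathName -AutoSize

# 4. Record future writes: add a SACL entry for write/delete/permission changes
#    and enable the File System audit subcategory, so changes show up as
#    event 4663 in the Security log. Too late for 2010, but it answers the
#    "how did these files get there" question next time.
$acl = Get-Acl -Path $AddressDir -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write,Delete,ChangePermissions,TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $AddressDir -AclObject $acl
auditpol /set /subcategory:"File System" /success:enable | Out-Null
```

Step 3 also covers the administrative-share path Rich mentions: a service binary anywhere under the Exchange install tree that is not owned by Exchange setup is worth the same scrutiny regardless of which share it arrived through.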
  • Thanks Rich

    "That's not true. The machine's computer account can also write to the share. And there are other permissions on the directory (not the share) that allow modification (Power Users, Terminal Server Users, SYSTEM). Also, access to the directory is possible for anything with permission to get to the administrative share for the drive -- or if the entire drive is shared."

    - Agreed (I checked about the same time as you sent this)

    "That horse has already left the barn. Auditing on the directory would tell you that, but you can't turn back the clock."

    - Agreed. And based on your other answers, there would seem to be no real reason to use this folder except it was available and not a place we would likely look.

    I still wish I could work out how Flash SMS Zero traffic was sent to the iPhones. We know it came from a local internal source due to the passwords contained in the messages; they were local domain details.

    Thanks for ruling out that folder as being significant. Obviously just a location selected opportunistically.


    Wednesday, October 17, 2012 4:23 AM
  • Thanks everyone. I think I have the answers I need. I now just need to work out how the Flash SMSs were sent to the handsets and if Exchange was involved.

    Wednesday, October 17, 2012 10:30 PM