Solved

Securing Exchange Server against Authenticated Relay using Built-In accounts

Posted on 2004-08-25
Last Modified: 2008-02-01
I am running Windows 2000 Small Business Server SP4 with Exchange Server 2000 (says Ver 6.0 SP3). This server also hosts our website using IIS/ISA and our email and is the local proxy and domain controller for our small network.

I am chasing two Spam issues. This one is the use of our Exchange server as a Spam Relay. Our SMTP Virtual Server is configured to allow Authenticated Relay only and passes independent Open Relay tests, however I still see spam being relayed through our server.

Comments on another thread (http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20732482.html) led me to look at possible weak security. I discovered the built-in Guest account with the weak password "guest" and disabled it.

My question is: Do I need to be concerned with any of the other built-in accounts such as IUSR_servername, IWAM_servername, Small Business Admin, Small Business User, etc.?

Also, if there is an MS TechNet document that speaks to which built-in users are required for IIS / ISA and which built-in accounts can be disabled, that would be good reading.

Jon
0
Question by:BRT-Tech
7 Comments
LVL 20

Expert Comment

by:ikm7176
ID: 11892017
Windows 2000 has a number of built-in user accounts, which cannot be deleted, but can be renamed. Two of the most commonly known built-in accounts on Windows 2000 are Guest and Administrator. By default, the Guest account is disabled on member servers and domain controllers. You should not change this setting. The built-in Administrator account should be renamed and the description altered to prevent attackers from compromising a remote server using a well-known name. Many malicious scripts use the built-in Administrator account as a first attempt at compromising the server.

Note: The built-in Administrator account can be renamed using Group Policy. We have not implemented this setting in the baseline policies because you should choose a name which is not well known.

Every member server has a local accounts database and a local administrator account that provides full control over the server. This account is therefore very important. You should rename this account, and ensure that it has a complex password. You should also ensure that local administrator passwords are not replicated across member servers. If they are, an attacker who gains access to one member server will be able to gain access to all others with the same password. You should not make local administrator accounts part of the Domain Admins group, as this extends their capabilities beyond what is necessary to administer member servers. For the same reason, it is important to ensure that only local accounts are used to administer your member servers.

Windows 2000 services typically run under the Local System account, but they can also be run under a domain user or local account. You should use local accounts whenever possible over domain user accounts. A service runs under the security context of its service account, so if an attacker compromises a service on a member server, the service account can potentially be used to attack a domain controller. When determining which account to use as a service account, you should make sure that the assigned privileges are limited to what is required for the successful operation of the service. The table below explains the privileges inherent to each type of service account.
0
 

Author Comment

by:BRT-Tech
ID: 11897048
OK,

Thanks for what looks like a cut-and-paste from an MS document (reference to a table you didn't include, etc.).

We are basically a one-server operation, so we have no "member servers".

I'm not an MCSE, so most of this has gone over my head. I do understand the bit about renaming Administrator and choosing a strong password. That is good advice and I will implement it.

Still looking for info on specific built-in accounts that might allow spammers to authenticate in order to use my SMTP server to relay.

Jon
0
 
LVL 20

Expert Comment

by:ikm7176
ID: 11920564
Basically, any domain user account could be compromised for relaying. So, you should have a strong password policy.
Disable the Guest account (which it is, by default!).

Exchange Server out of the box prevents open relaying unless you changed any settings on your SMTP virtual server which handles the mail delivery. So, I would recommend you leave the default installation of Exchange Server and deploy the strong password policy.

0
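The point made above, that any account which can authenticate to the SMTP virtual server can be used to relay, also says what to look for in the SMTP service logs: one account suddenly sending to many recipients, from several client addresses, or a built-in account (Guest, IUSR_*, IWAM_*) authenticating to SMTP at all. The script below is an added example, not code from this thread or from Microsoft. It assumes a simplified W3C-style log layout (date, time, client IP, authenticated user, SMTP verb, argument); real IIS/Exchange 2000 SMTP logs carry more columns, so the FIELDS list would need adjusting, and the sample records and thresholds are constructed for illustration.

```python
"""Flag authenticated-relay abuse in SMTP service logs (added example).

Assumed log layout (simplified; real IIS SMTP logs have more columns):
    date time c-ip cs-username cs-method cs-uri-query
"""
from collections import defaultdict

FIELDS = ["date", "time", "c_ip", "user", "method", "query"]

# Policy assumption for this example: these built-in accounts have no
# business authenticating to SMTP, so any AUTH by them is a finding.
NEVER_SMTP_AUTH_PREFIXES = ("guest", "iusr_", "iwam_")


def parse_line(line):
    """Return one record as a dict, or None for comment/blank/short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def summarize(lines):
    """Per authenticated account: AUTH count, RCPT count, client IPs, recipient domains."""
    stats = defaultdict(lambda: {"auth": 0, "rcpt": 0, "ips": set(), "domains": set()})
    for rec in filter(None, map(parse_line, lines)):
        user = rec["user"].lower()
        if user == "-":
            continue  # anonymous session; not an authenticated relay
        s = stats[user]
        s["ips"].add(rec["c_ip"])
        if rec["method"] == "AUTH":
            s["auth"] += 1
        elif rec["method"] == "RCPT":
            s["rcpt"] += 1
            addr = rec["query"].split("<", 1)[-1].rstrip(">")
            s["domains"].add(addr.rpartition("@")[2].lower())
    return stats


def find_suspicious(lines, max_rcpt=20, max_ips=2, max_domains=5):
    """Return [(account, [reasons])] for accounts that break any threshold."""
    findings = []
    for user, s in sorted(summarize(lines).items()):
        reasons = []
        if user.startswith(NEVER_SMTP_AUTH_PREFIXES):
            reasons.append("built-in account used for SMTP AUTH")
        if s["rcpt"] > max_rcpt:
            reasons.append(f"{s['rcpt']} recipients (limit {max_rcpt})")
        if len(s["ips"]) > max_ips:
            reasons.append(f"{len(s['ips'])} client IPs (limit {max_ips})")
        if len(s["domains"]) > max_domains:
            reasons.append(f"{len(s['domains'])} recipient domains (limit {max_domains})")
        if reasons:
            findings.append((user, reasons))
    return findings


# Constructed sample: one legitimate remote user, then the Guest account
# relaying to 30 recipients at 6 domains from 4 different client addresses.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-username cs-method cs-uri-query",
    "2004-08-25 09:01:10 203.0.113.7 - EHLO laptop.example.com",
    "2004-08-25 09:01:11 203.0.113.7 jon AUTH -",
    "2004-08-25 09:01:12 203.0.113.7 jon MAIL FROM:<jon@example.com>",
    "2004-08-25 09:01:12 203.0.113.7 jon RCPT TO:<partner@example.org>",
    "2004-08-25 09:01:13 203.0.113.7 jon DATA -",
]
for n in range(4):
    SAMPLE_LOG.append(f"2004-08-25 09:1{n}:00 198.51.100.{10 + n} guest AUTH -")
for i in range(30):
    SAMPLE_LOG.append(
        f"2004-08-25 09:1{i % 4}:{i:02d} 198.51.100.{10 + i % 4} guest "
        f"RCPT TO:<victim{i}@spam-target{i % 6}.example>"
    )

if __name__ == "__main__":
    for account, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{account}: " + "; ".join(reasons))
```

Run against a day's log, the output is the list of accounts to reset or disable; the thresholds are deliberately low for a one-server shop and should be raised to fit normal traffic before trusting the "recipients" and "client IPs" reasons, while the built-in-account reason needs no tuning.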

Author Comment

by:BRT-Tech
ID: 11930771
Thank you again for your comments.

This 2000/Exchange server was deployed before I arrived. Guest was enabled for LAN login. It has now been disabled.

We allow authenticated relay because the principals desire to use the SMTP server to send mail from remote locations using unpredictable IP's.

A strong password policy is good advice; I'm not so sure I can convince my bosses that this is necessary. It took me 4 months to convince them they needed anti-virus software!

Can the built-in accounts I mentioned be disabled? Are they an easy target like Guest?

Jon
0
 
LVL 20

Expert Comment

by:ikm7176
ID: 11931223
0
 

Author Comment

by:BRT-Tech
ID: 11931287
"you didn't mentioned any accounts"

Please re-read my original question...

"My question is: Do I need to be concerned with any of the other built-in accounts such as IUSR_servername, IWAM_servername, Small Business Admin, Small Business User, etc.?"
0
 
LVL 20

Accepted Solution

by: ikm7176 (earned 500 total points)
ID: 11932658
IUSR_servername and IWAM_servername are used by IIS; it will have an adverse effect if you disable these accounts.

http://www.brienposey.com/kb/tightening_iis_security.asp
http://www.houseoffusion.com/cf_lists/index.cfm/method=messages&threadid=10068&forumid=4

Disabling Small Business Admin and Small Business User might also have critical effects.
0
