Securing Exchange Server against Authenticated Relay using Built-In accounts

Posted on 2004-08-25
Medium Priority
Last Modified: 2008-02-01
I am running Windows 2000 Small Business Server SP4 with Exchange Server 2000 (says Ver 6.0 SP3). This server also hosts our website using IIS/ISA and our email and is the local proxy and domain controller for our small network.

I am chasing two Spam issues. This one is the use of our Exchange server as a Spam Relay. Our SMTP Virtual Server is configured to allow Authenticated Relay only and passes independent Open Relay tests, however I still see spam being relayed through our server.

Comments on another thread ( http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20732482.html) led me to look at possible weak security. I discovered the built-in Guest account with the weak password "guest" and disabled it.

My question is: Do I need to be concerned with any of the other built-in accounts such as IUSR_servername, IWAM_servername, Small Business Admin, Small Business User, etc.?

Also, if there is an MS TechNet document that speaks to which built-in users are required for IIS / ISA and which built-in accounts can be disabled, that would be good reading.

Question by: BRT-Tech
LVL 20

Expert Comment

ID: 11892017
Windows 2000 has a number of built-in user accounts, which cannot be deleted, but can be renamed. Two of the most commonly known built-in accounts on Windows 2000 are Guest and Administrator. By default, the Guest account is disabled on member servers and domain controllers. You should not change this setting. The built-in Administrator account should be renamed and the description altered to prevent attackers from compromising a remote server using a well-known name. Many malicious scripts use the built-in Administrator account as a first attempt at compromising the server.

Note: The built-in Administrator account can be renamed using Group Policy. We have not implemented this setting in the baseline policies because you should choose a name which is not well known.

Every member server has a local accounts database and a local administrator account that provides full control over the server. This account is therefore very important. You should rename this account, and ensure that it has a complex password. You should also ensure that local administrator passwords are not replicated across member servers. If they are, an attacker who gains access to one member server will be able to gain access to all others with the same password. You should not make local administrator accounts part of the Domain Admins group as this extends their capabilities beyond what is necessary to administer member servers. For the same reason, it is important to ensure that only local accounts are used to administer your member servers.

Windows 2000 services typically run under the Local System account, but they can also be run under a domain user or local account. You should use local accounts whenever possible over domain user accounts. A service runs under the security context of its service account, so if an attacker compromises a service on a member server, the service account can potentially be used to attack a domain controller. When determining which account to use as a service account, you should make sure that the assigned privileges are limited to what is required for the successful operation of the service. The table below explains the privileges inherent to each type of service account.

Author Comment

ID: 11897048

Thanks for what looks like a cut-and-paste from an MS document (reference to a table you didn't include, etc.)

We are basically a one server operation, so we have no "member servers"

I'm not an MCSE, so most of this has gone over my head. I do understand the bit about renaming Administrator and choosing a strong password. That is good advice and I will implement it.

Still looking for info on specific built-in accounts that might allow spammers to authenticate in order to use my SMTP server to relay.

LVL 20

Expert Comment

ID: 11920564
Basically, any domain user account could be compromised for relaying. So, you should have a strong password policy.
Disable the Guest account (which it is, by default!)

Exchange Server out of the box prevents open relaying unless you changed any settings on your SMTP virtual server which handles the mail delivery. So, I would recommend that you leave the default installation of Exchange Server and deploy the strong password policy.


Author Comment

ID: 11930771
Thank you again for your comments.

This 2000/Exchange server was deployed before I arrived. Guest was enabled for LAN login. It has now been disabled.

We allow authenticated relay because the principals desire to use the SMTP server to send mail from remote locations using unpredictable IPs.

A strong password policy is good advice; I'm not so sure I can convince my bosses that this is necessary. It took me 4 months to convince them they needed anti-virus software!

Can the built-in accounts I mentioned be disabled?  Are they an easy target like Guest?

LVL 20

Expert Comment

ID: 11931223

Author Comment

ID: 11931287
"you didn't mentioned any accounts"

Please re-read my original question...

"My question is: Do I need to be concerned with any of the other built-in accounts such as IUSR_servername, IWAM_servername, Small Business Admin, Small Business User, etc.?"
LVL 20

Accepted Solution

ikm7176 earned 1500 total points
ID: 11932658
IUSR_servername and IWAM_servername are used for IIS; it will have an adverse effect if you disable these accounts.

Small Business Admin and Small Business User might have critical effects.
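The second expert comment says that any domain account can be used for authenticated relaying, and the accepted answer says the IIS accounts cannot simply be disabled; what the asker still lacks is a way to see which account the relayed spam is actually authenticating as. The following Python script is an added example (it is not from this thread, from Microsoft, or from any Exchange tool). It reads an SMTP virtual server protocol log in W3C extended format, takes the column names from the `#Fields:` header rather than hard-coding positions, and reports, per authenticated user, the distinct client IPs, the number of MAIL commands and the number of accepted RCPT commands, flagging built-in account names (Guest, IUSR_, IWAM_, Administrator) and accounts seen from more than a threshold number of IPs. The log excerpt, its field layout, and the `SBSERVER` computer name are constructed for illustration.

```python
"""Triage an SMTP virtual server protocol log for authenticated-relay abuse.

Added example, not from the original thread. Assumes W3C extended log
format with a '#Fields:' header line naming the columns (c-ip,
cs-username, cs-method, cs-uri-query, sc-status). Sample data is
constructed; 'SBSERVER' is a placeholder computer name.
"""

# Constructed sample excerpt (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-08-25 00:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2004-08-25 00:01:02 192.0.2.10 - EHLO +mail.example.com 250
2004-08-25 00:01:03 192.0.2.10 - AUTH +LOGIN 334
2004-08-25 00:01:04 192.0.2.10 guest MAIL +FROM:<spammer@example.net> 250
2004-08-25 00:01:05 192.0.2.10 guest RCPT +TO:<victim1@example.org> 250
2004-08-25 00:01:05 192.0.2.10 guest RCPT +TO:<victim2@example.org> 250
2004-08-25 00:02:10 198.51.100.7 guest MAIL +FROM:<spammer@example.net> 250
2004-08-25 00:02:11 198.51.100.7 guest RCPT +TO:<victim3@example.org> 250
2004-08-25 00:03:00 203.0.113.9 guest MAIL +FROM:<other@example.net> 250
2004-08-25 00:03:01 203.0.113.9 guest RCPT +TO:<victim4@example.org> 250
2004-08-25 08:15:00 192.0.2.55 jsmith MAIL +FROM:<jsmith@example.com> 250
2004-08-25 08:15:01 192.0.2.55 jsmith RCPT +TO:<client@example.org> 250
2004-08-25 08:20:00 192.0.2.56 - MAIL +FROM:<anon@example.net> 250
2004-08-25 08:20:01 192.0.2.56 - RCPT +TO:<anyone@example.org> 550
2004-08-25 09:00:00 192.0.2.10 IUSR_SBSERVER MAIL +FROM:<x@example.net> 250
"""

# Account-name prefixes that should never be authenticating to SMTP.
BUILTIN_PATTERNS = ("guest", "iusr_", "iwam_", "administrator")


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data row before #Fields: header")
        # Split into exactly len(fields) columns; the last may contain spaces.
        values = line.split(" ", len(fields) - 1)
        if len(values) != len(fields):
            continue  # skip truncated rows rather than misalign columns
        yield dict(zip(fields, values))


def strip_domain(user):
    """Normalise DOMAIN\\user or plain user to a lower-case account name."""
    return user.rsplit("\\", 1)[-1].lower()


def audit_authenticated_relay(log_text, max_source_ips=2):
    """Return {account: {"ips": set, "mail": int, "rcpt": int, "flags": list}}.

    Anonymous sessions (cs-username '-') are ignored: they are governed by
    the relay restrictions, not by account security.
    """
    stats = {}
    for row in parse_w3c(log_text):
        user = row.get("cs-username", "-")
        if user == "-":
            continue
        name = strip_domain(user)
        entry = stats.setdefault(name, {"ips": set(), "mail": 0, "rcpt": 0, "flags": []})
        entry["ips"].add(row["c-ip"])
        method = row.get("cs-method", "").upper()
        if method == "MAIL":
            entry["mail"] += 1
        elif method == "RCPT" and row.get("sc-status") == "250":
            entry["rcpt"] += 1  # only recipients the server accepted
    for name, entry in stats.items():
        if any(name.startswith(p) for p in BUILTIN_PATTERNS):
            entry["flags"].append("built-in account authenticating to SMTP")
        if len(entry["ips"]) > max_source_ips:
            entry["flags"].append(
                "authenticated from %d distinct client IPs" % len(entry["ips"]))
    return stats


def flagged_accounts(log_text, max_source_ips=2):
    """Sorted list of account names that raised at least one flag."""
    report = audit_authenticated_relay(log_text, max_source_ips)
    return sorted(n for n, e in report.items() if e["flags"])


if __name__ == "__main__":
    for name, e in sorted(audit_authenticated_relay(SAMPLE_LOG).items()):
        print("%-16s ips=%d mail=%d rcpt=%d %s"
              % (name, len(e["ips"]), e["mail"], e["rcpt"], "; ".join(e["flags"])))
```

Because the asker's principals legitimately send from unpredictable IPs, the `max_source_ips` threshold will need tuning per environment; the built-in-name flag, on the other hand, should never fire in a healthy configuration, since Guest, IUSR_ and IWAM_ have no business submitting mail.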
