Solved

Securing Exchange Server against Authenticated Relay using Built-In accounts

Posted on 2004-08-25
Last Modified: 2008-02-01
I am running Windows 2000 Small Business Server SP4 with Exchange Server 2000 (says Ver 6.0 SP3). This server also hosts our website using IIS/ISA and our email and is the local proxy and domain controller for our small network.

I am chasing two spam issues. This one is the use of our Exchange server as a spam relay. Our SMTP Virtual Server is configured to allow Authenticated Relay only and passes independent Open Relay tests; however, I still see spam being relayed through our server.

Comments on another thread ( http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20732482.html) led me to look at possible weak security. I discovered the built-in Guest account with the weak password "guest" and disabled it.

My question is: Do I need to be concerned with any of the other built-in accounts such as IUSR_servername, IWAM_servername, Small Business Admin, Small Business User, etc.?

Also, if there is an MS TechNet document that speaks to which built-in users are required for IIS / ISA and which built-in accounts can be disabled, that would be good reading.

Jon
Question by: BRT-Tech

Expert Comment

by:ikm7176
ID: 11892017
Windows 2000 has a number of built-in user accounts, which cannot be deleted, but can be renamed. Two of the most commonly known built-in accounts on Windows 2000 are Guest and Administrator. By default, the Guest account is disabled on member servers and domain controllers. You should not change this setting. The built-in Administrator account should be renamed and the description altered to prevent attackers from compromising a remote server using a well known name. Many malicious scripts use the built-in administrator account as a first attempt at compromising the server.
Note: The built-in administrator account can be renamed using Group Policy. We have not implemented this setting in the baseline policies because you should choose a name which is not well known.

Every member server has a local accounts database and a local administrator account that provides full control over the server. This account is therefore very important. You should rename this account, and ensure that it has a complex password. You should also ensure that local administrator passwords are not replicated across member servers. If they are, an attacker who gains access to one member server will be able to gain access to all others with the same password. You should not make local administrator accounts part of the Domain Admins group as this extends their capabilities beyond what is necessary to administer member servers. For the same reason, it is important to ensure that only local accounts are used to administer your member servers.

Windows 2000 services typically run under the Local System account, but they can also be run under a domain user or local account. You should use local accounts whenever possible over domain user accounts. A service runs under the security context of its service account, so if an attacker compromises a service on a member server, the service account can potentially be used to attack a domain controller. When determining which account to use as a service account, you should make sure that the assigned privileges are limited to what is required for the successful operation of the service. The table below explains the privileges inherent to each type of service account.

Author Comment

by:BRT-Tech
ID: 11897048
OK,

Thanks for what looks like a cut-and-paste from an MS document (reference to a table you didn't include, etc.).

We are basically a one-server operation, so we have no "member servers".

I'm not an MCSE, so most of this has gone over my head. I do understand the bit about renaming Administrator and choosing a strong password. That is good advice and I will implement it.

Still looking for info on specific built-in accounts that might allow spammers to authenticate in order to use my SMTP server to relay.

Jon

Expert Comment

by:ikm7176
ID: 11920564
Basically, any domain user account could be compromised for relaying. So, you should have a strong password policy.
Disable the Guest account (which it is, by default!).

Exchange Server out of the box prevents open relaying unless you changed any settings on your SMTP virtual server, which handles the mail delivery. So, I would recommend you to leave the default installation of Exchange Server and deploy the strong password policy.

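One way to spot the abuse ikm7176 describes (a domain account, built-in or otherwise, being used to authenticate and relay) is to parse the SMTP virtual server's W3C-format log and flag accounts that submit mail while authenticated. This is an added example, not code from the thread; the column layout, the LAN range and the account watchlist are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed W3C-style SMTP log sample (invented for this example). The field order is
# read from the #Fields: header, so the parser does not depend on a fixed column layout.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2004-08-24 02:11:04 203.0.113.9 - AUTH LOGIN 334
2004-08-24 02:11:05 203.0.113.9 guest MAIL +FROM:<spam@example.test> 250
2004-08-24 02:12:40 198.51.100.7 guest MAIL +FROM:<spam@example.test> 250
2004-08-24 08:30:00 192.168.1.20 jon MAIL +FROM:<jon@example.com> 250
2004-08-24 09:15:22 203.0.113.77 jon MAIL +FROM:<jon@example.com> 250
"""

# Built-in and service accounts that should never send mail through the SMTP virtual
# server. IUSR_ and IWAM_ are matched by prefix because the suffix is the host name.
WATCHLIST_EXACT = {"guest", "administrator"}
WATCHLIST_PREFIX = ("iusr_", "iwam_")
LAN = ipaddress.ip_network("192.168.0.0/16")  # assumed internal range; adjust to yours

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def authenticated_senders(text, lan=LAN):
    """Map each account that issued MAIL FROM to the set of source IPs outside the LAN."""
    external = defaultdict(set)
    for rec in parse_w3c(text):
        user = rec.get("cs-username", "-")
        if user == "-" or rec.get("cs-method") != "MAIL":
            continue  # unauthenticated session, or not a message submission
        if ipaddress.ip_address(rec["c-ip"]) not in lan:
            external[user.lower()].add(rec["c-ip"])
    return dict(external)

def suspicious_accounts(text, max_external_ips=1):
    """Accounts that are built-in names, or that submit mail from too many external IPs."""
    flagged = {}
    for user, ips in authenticated_senders(text).items():
        if user in WATCHLIST_EXACT or user.startswith(WATCHLIST_PREFIX):
            flagged[user] = "built-in account relaying mail"
        elif len(ips) > max_external_ips:
            flagged[user] = f"relaying from {len(ips)} external addresses"
    return flagged
```

Legitimate remote users like "jon" above still show up in authenticated_senders, so lower max_external_ips only if your users send from a predictable number of places.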
Author Comment

by:BRT-Tech
ID: 11930771
Thank you again for your comments.

This 2000/Exchange server was deployed before I arrived. Guest was enabled for LAN login. It has now been disabled.

We allow authenticated relay because the principals desire to use the SMTP server to send mail from remote locations using unpredictable IPs.

A strong password policy is good advice, but I'm not so sure I can convince my bosses that this is necessary. It took me 4 months to convince them they needed anti-virus software!

Can the built-in accounts I mentioned be disabled? Are they an easy target like Guest?

Jon

Expert Comment

by:ikm7176
ID: 11931223

Author Comment

by:BRT-Tech
ID: 11931287
"you didn't mentioned any accounts"

Please re-read my original question...

"My question is: Do I need to be concerned with any of the other built-in accounts such as IUSR_servername, IWAM_servername, Small Business Admin, Small Business User, etc.?"

Accepted Solution

by: ikm7176 (earned 500 total points)
ID: 11932658
IUSR_servername and IWAM_servername are used by IIS; it will have an adverse effect if you disable these accounts.

http://www.brienposey.com/kb/tightening_iis_security.asp
http://www.houseoffusion.com/cf_lists/index.cfm/method=messages&threadid=10068&forumid=4

Disabling Small Business Admin and Small Business User might also have critical effects.