Securing Exchange Server against Authenticated Relay using Built-In accounts

Posted on 2004-08-25
Medium Priority
Last Modified: 2008-02-01
I am running Windows 2000 Small Business Server SP4 with Exchange Server 2000 (says Ver 6.0 SP3). This server also hosts our website using IIS/ISA and our email and is the local proxy and domain controller for our small network.

I am chasing two Spam issues. This one is the use of our Exchange server as a Spam Relay. Our SMTP Virtual Server is configured to allow Authenticated Relay only and passes independent Open Relay tests, however I still see spam being relayed through our server.

Comments on another thread ( http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20732482.html) led me to look at possible weak security. I discovered the built-in Guest account with the weak password "guest" and disabled it.

My question is: Do I need be concerned with any of the other built-in accounts such as IUSR_servername, IWAM_servername, Small Business Admin, Small Business User, etc.?

Also, if there is a MS Technet document that speaks to what built in users are required for IIS / ISA and what built-in accounts can be disabled, that would be good reading.

Question by:BRT-Tech

Expert Comment

ID: 11892017
Windows 2000 has a number of built-in user accounts, which cannot be deleted, but can be renamed. Two of the most commonly known built-in accounts on Windows 2000 are Guest and Administrator. By default, the Guest account is disabled on member servers and domain controllers. You should not change this setting. The built-in Administrator account should be renamed and the description altered to prevent attackers from compromising a remote server using a well-known name. Many malicious scripts use the built-in Administrator account as a first attempt at compromising the server.
Note: The built-in Administrator account can be renamed using Group Policy. We have not implemented this setting in the baseline policies because you should choose a name which is not well known.

Every member server has a local accounts database and a local Administrator account that provides full control over the server. This account is therefore very important. You should rename this account, and ensure that it has a complex password. You should also ensure that local Administrator passwords are not replicated across member servers. If they are, an attacker who gains access to one member server will be able to gain access to all others with the same password. You should not make local Administrator accounts part of the Domain Admins group, as this extends their capabilities beyond what is necessary to administer member servers. For the same reason, it is important to ensure that only local accounts are used to administer your member servers.

Windows 2000 services typically run under the Local System account, but they can also be run under a domain user or local account. You should use local accounts whenever possible over domain user accounts. A service runs under the security context of its service account, so if an attacker compromises a service on a member server, the service account can potentially be used to attack a domain controller. When determining which account to use as a service account, you should make sure that the assigned privileges are limited to what is required for the successful operation of the service. The table below explains the privileges inherent to each type of service account.

Author Comment

ID: 11897048

Thanks for what looks like a cut-and-paste from an MS document (reference to a table you didn't include, etc.)

We are basically a one server operation, so we have no "member servers"

I'm not an MCSE, so most of this has gone over my head. I do understand the bit about renaming Administrator and choosing a strong password. That is good advice and I will implement it.

Still looking for info on specific built-in accounts that might allow spammers to authenticate in order to use my SMTP server to relay.


Expert Comment

ID: 11920564
Basically, any domain user account could be compromised for relaying. So you should have a strong password policy.
Disable the Guest account (which it is by default!)

Exchange Server out of the box prevents open relaying unless you changed any settings on your SMTP virtual server which handles the mail delivery. So I would recommend you leave the default installation of Exchange Server and deploy the strong password policy.
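Added example, not part of this thread and not Exchange's own code: a small Python simulation of an SMTP virtual server set to "authenticated relay only", driven by a client that runs the same EHLO / AUTH LOGIN / MAIL FROM / RCPT TO sequence a spammer's script would. The account names, passwords, domain names and the guess list are constructed assumptions; "Guest"/"guest" mirrors the weak built-in account found above, and the IIS accounts get random passwords as IIS assigns them at install. It shows why the server passes an open-relay test (550 on an unauthenticated RCPT TO for a foreign domain) yet still relays for anyone who can guess one enabled account's password, and that disabling that account closes the path.

```python
import base64
import secrets

# --- Constructed data (assumptions, not from the thread) -------------------
# Stand-in account database for the one-server domain described above.
ACCOUNTS = {
    "Guest": {"password": "guest", "enabled": True},
    "IUSR_SBSERVER": {"password": secrets.token_urlsafe(16), "enabled": True},
    "IWAM_SBSERVER": {"password": secrets.token_urlsafe(16), "enabled": True},
}
LOCAL_DOMAINS = {"example.com"}                 # domains this server accepts mail for
WORDLIST = ["guest", "password", "admin", ""]   # a spammer's first few guesses


class SmtpVirtualServer:
    """Simulates an SMTP virtual server set to 'authenticated relay only':
    mail for a local domain is always accepted; mail for any other domain
    is accepted only in a session that completed AUTH LOGIN successfully."""

    def __init__(self, accounts, local_domains):
        self.accounts = accounts
        self.local_domains = local_domains
        self.reset()

    def reset(self):
        """Start a new session: nobody is authenticated yet."""
        self.user = None          # account that authenticated in this session
        self._auth_step = None    # None, "user" or "pass" while AUTH LOGIN runs
        self._auth_user = None

    def handle(self, line):
        """Process one client line and return the server reply."""
        if self._auth_step == "user":
            self._auth_user = base64.b64decode(line).decode()
            self._auth_step = "pass"
            return "334 UGFzc3dvcmQ6"                  # base64("Password:")
        if self._auth_step == "pass":
            password = base64.b64decode(line).decode()
            self._auth_step = None
            acct = self.accounts.get(self._auth_user)
            if acct and acct["enabled"] and acct["password"] == password:
                self.user = self._auth_user
                return "235 Authentication successful"
            return "535 Authentication unsuccessful"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-AUTH LOGIN\r\n250 OK"
        if verb == "AUTH" and arg.upper() == "LOGIN":
            self._auth_step = "user"
            return "334 VXNlcm5hbWU6"                   # base64("Username:")
        if verb == "MAIL":
            return "250 Sender OK"
        if verb == "RCPT":
            domain = arg.split("@", 1)[-1].rstrip(">").lower()
            if domain in self.local_domains or self.user is not None:
                return "250 Recipient OK"
            return "550 Unable to relay"                # what an open-relay test sees
        return "500 Unrecognized command"


def relay_attempt(server, recipient, username=None, password=None):
    """Drive one session and return the RCPT TO reply code.
    250 means the server will relay to that recipient."""
    server.reset()
    server.handle("EHLO spammer.invalid")
    if username is not None:
        server.handle("AUTH LOGIN")
        server.handle(base64.b64encode(username.encode()).decode())
        server.handle(base64.b64encode(password.encode()).decode())
    server.handle("MAIL FROM:<spam@spammer.invalid>")
    reply = server.handle("RCPT TO:<%s>" % recipient)
    return int(reply[:3])


def audit_relay(server, usernames, wordlist, recipient="victim@elsewhere.test"):
    """Return the (username, password) pairs that turn 'authenticated relay
    only' into an effective open relay for the given guesses."""
    return [(u, p) for u in usernames for p in wordlist
            if relay_attempt(server, recipient, u, p) == 250]


if __name__ == "__main__":
    srv = SmtpVirtualServer(ACCOUNTS, LOCAL_DOMAINS)
    print("unauthenticated relay:", relay_attempt(srv, "victim@elsewhere.test"))
    print("guessable accounts:", audit_relay(srv, ACCOUNTS, WORDLIST))
    ACCOUNTS["Guest"]["enabled"] = False
    print("after disabling Guest:", audit_relay(srv, ACCOUNTS, WORDLIST))
```

The same sequence, sent over a real socket to port 25 of a server you own, is the check to run after each change: an "authenticated relay only" server is exactly as open as its weakest enabled account, which is why the strong password policy recommended above matters more than the relay setting itself.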


Author Comment

ID: 11930771
Thank you again for your comments.

This 2000/Exchange server was deployed before I arrived. Guest was enabled for LAN login. It has now been disabled.

We allow authenticated relay because the principals desire to use the SMTP server to send mail from remote locations using unpredictable IP's.

Strong password policy is good advice, I'm not so sure I can convince my bosses that this is necessary. It took me 4 months to convince them they needed anti-virus software!

Can the built-in accounts I mentioned be disabled?  Are they an easy target like Guest?


Expert Comment

ID: 11931223

Author Comment

ID: 11931287
"you didn't mention any accounts"

Please re-read my original question...

"My question is: Do I need be concerned with any of the other built-in accounts such as IUSR_servername, IWAM_servername, Small Business Admin, Small Business User, etc.?"

Accepted Solution

ikm7176 earned 1500 total points
ID: 11932658
IUSR_servername and IWAM_servername are used by IIS; it will have an adverse effect if you disable these accounts.

Small Business Admin and Small Business User might have critical effects.
