Securing Exchange Server against Authenticated Relay using Built-In accounts

Posted on 2004-08-25
Last Modified: 2008-02-01
I am running Windows 2000 Small Business Server SP4 with Exchange Server 2000 (says Ver 6.0 SP3). This server also hosts our website using IIS/ISA and our email and is the local proxy and domain controller for our small network.

I am chasing two Spam issues. This one is the use of our Exchange server as a Spam Relay. Our SMTP Virtual Server is configured to allow Authenticated Relay only and passes independent Open Relay tests, however I still see spam being relayed through our server.

Comments on another thread ( led me to look at possible weak security. I discovered the built-in Guest account with the weak password "guest" and disabled it.

My question is: Do I need to be concerned with any of the other built-in accounts such as IUSR_servername, IWAM_servername, Small Business Admin, Small Business User, etc.?

Also, if there is an MS TechNet document that speaks to which built-in users are required for IIS / ISA and which built-in accounts can be disabled, that would be good reading.

Question by:BRT-Tech

Expert Comment

ID: 11892017
Windows 2000 has a number of built-in user accounts, which cannot be deleted, but can be renamed. Two of the most commonly known built-in accounts on Windows 2000 are Guest and Administrator. By default, the Guest account is disabled on member servers and domain controllers. You should not change this setting. The built-in Administrator account should be renamed and the description altered to prevent attackers from compromising a remote server using a well known name. Many malicious scripts use the built-in administrator account as a first attempt for compromising the server.

Note: The built-in administrator account can be renamed using Group Policy. We have not implemented this setting in the baseline policies because you should choose a name which is not well known.

Every member server has a local accounts database and a local administrator account that provides full control over the server. This account is therefore very important. You should rename this account, and ensure that it has a complex password. You should also ensure that local administrator passwords are not replicated across member servers. If they are, an attacker who gains access to one member server will be able to gain access to all others with the same password. You should not make local administrator accounts part of the Domain Admins group as this extends their capabilities beyond what is necessary to administer member servers. For the same reason, it is important to ensure that only local accounts are used to administer your member servers.

Windows 2000 services typically run under the Local System account, but they can also be run under a domain user or local account. You should use local accounts whenever possible over domain user accounts. A service runs under the security context of its service account, so if an attacker compromises a service on a member server, the service account can potentially be used to attack a domain controller. When determining which account to use as a service account, you should make sure that the assigned privileges are limited to what is required for the successful operation of the service. The table below explains the privileges inherent to each type of service account.

Author Comment

ID: 11897048

Thanks for what looks like a cut-and-paste from an MS document (reference to a table you didn't include, etc.).

We are basically a one-server operation, so we have no "member servers".

I'm not an MCSE, so most of this has gone over my head. I do understand the bit about renaming Administrator and choosing a strong password. That is good advice and I will implement it.

Still looking for info on specific built-in accounts that might allow spammers to authenticate in order to use my SMTP server to relay.


Expert Comment

ID: 11920564
Basically, any domain user account could be compromised for relaying. So, you should have a strong password policy.
Disable the Guest account (which it is, by default!).

Exchange Server out of the box prevents open relaying unless you changed any settings on your SMTP virtual server which handles the mail delivery. So, I would recommend you leave the default installation of Exchange Server and deploy the strong password policy.
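The advice above is to assume any account with a weak password can be used for authenticated relay. The practical check that follows from it, and from the original question (open-relay tests pass, yet spam still leaves the server), is to look at which user names are actually authenticating to the SMTP virtual server and how much mail they relay. The script below is an added example, not code from the thread or from Microsoft: it parses SMTP service logs in W3C extended format and flags sessions authenticated as Guest, IUSR_*, IWAM_* or the Small Business template accounts, plus any account relaying to an unusual number of recipients or from many client IPs. The log lines, the server name `SBSSRV01`, the user names and the exact field layout in `#Fields:` are constructed for the example; use the `#Fields:` header of your own log, and in this sample unauthenticated commands carry `-` in `cs-username`.

```python
"""Scan SMTP virtual server W3C logs for relay sessions authenticated as
built-in accounts, and for accounts that relay unusually widely.
Added example; log format and sample data are constructed, not from the page."""
import re
from collections import defaultdict

# User names that should never authenticate to SMTP: Guest, the IIS anonymous
# and out-of-process accounts (prefixed with the server name), and the SBS
# template accounts. An optional DOMAIN\ prefix is tolerated.
BUILTIN_ACCOUNT_RE = re.compile(
    r"^(?:[^\\]+\\)?(guest|iusr_\S+|iwam_\S+|small[ +]business[ +](?:admin|user))$",
    re.IGNORECASE,
)

# Constructed sample log. The #Fields: line decides the column order.
_HEADER = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-08-25 02:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status"""

# A mass mailing relayed through the Guest account from one remote address.
_GUEST = "\n".join(
    ["2004-08-25 02:14:00 203.0.113.7 guest MAIL FROM:<sales@example.net> 250"]
    + ["2004-08-25 02:14:%02d 203.0.113.7 guest RCPT TO:<victim%d@example.org> 250" % (i, i)
       for i in range(25)]
)

# Ordinary user traffic, plus one session using the IIS anonymous account.
_OTHER = """2004-08-25 08:01:10 192.0.2.20 jsmith MAIL FROM:<jsmith@example.com> 250
2004-08-25 08:01:10 192.0.2.20 jsmith RCPT TO:<partner@example.org> 250
2004-08-25 08:01:11 192.0.2.20 jsmith RCPT TO:<boss@example.com> 250
2004-08-25 08:05:00 198.51.100.9 IUSR_SBSSRV01 MAIL FROM:<x@example.net> 250
2004-08-25 08:05:00 198.51.100.9 IUSR_SBSSRV01 RCPT TO:<y@example.org> 250"""

SAMPLE_LOG = "\n".join([_HEADER, _GUEST, _OTHER])


def is_builtin_account(username):
    """True if the (optionally DOMAIN\\-prefixed) name is a well-known built-in account."""
    return bool(BUILTIN_ACCOUNT_RE.match(username.strip()))


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields:."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def summarize_sessions(records):
    """Count MAIL and RCPT commands and distinct client IPs per authenticated user."""
    summary = defaultdict(lambda: {"ips": set(), "mail": 0, "rcpt": 0})
    for r in records:
        user = r.get("cs-username", "-")
        if user == "-":
            continue  # unauthenticated command (inbound mail for local domains)
        entry = summary[user]
        entry["ips"].add(r["c-ip"])
        verb = r["cs-method"].upper()
        if verb == "MAIL":
            entry["mail"] += 1
        elif verb == "RCPT":
            entry["rcpt"] += 1
    return summary


def find_relay_abuse(records, rcpt_threshold=50, ip_threshold=3):
    """Return (user, reason) findings for built-in-account use and high-volume relay."""
    findings = []
    for user, e in summarize_sessions(records).items():
        if is_builtin_account(user):
            findings.append((user, "built-in account authenticated to SMTP"))
        if e["rcpt"] >= rcpt_threshold:
            findings.append((user, "high recipient volume: %d RCPT" % e["rcpt"]))
        if len(e["ips"]) >= ip_threshold:
            findings.append((user, "authenticated from %d distinct IPs" % len(e["ips"])))
    return findings


if __name__ == "__main__":
    for user, reason in find_relay_abuse(parse_w3c(SAMPLE_LOG), rcpt_threshold=20):
        print("%-16s %s" % (user, reason))
```

Any hit on a built-in account is the signal the thread is after: IUSR_/IWAM_ cannot be disabled without breaking IIS, but they have no business passing SMTP AUTH, so a hit means their password is known to someone outside and should be changed. The recipient and IP thresholds are starting points; tune them to what the legitimate remote users in the thread actually send.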


Author Comment

ID: 11930771
Thank you again for your comments.

This 2000/Exchange server was deployed before I arrived. Guest was enabled for LAN login. It has now been disabled.

We allow authenticated relay because the principals desire to use the SMTP server to send mail from remote locations using unpredictable IPs.

Strong password policy is good advice; I'm not so sure I can convince my bosses that this is necessary. It took me 4 months to convince them they needed anti-virus software!

Can the built-in accounts I mentioned be disabled? Are they an easy target like Guest?


Expert Comment

ID: 11931223

Author Comment

ID: 11931287
"you didn't mentioned any accounts"

Please re-read my original question...

"My question is: Do I need be concerned with any of the other built-in accounts such as IUSR_servername, IWAM_servername, Small Business Admin, Small Business User, etc.?"


Accepted Solution

ikm7176 earned 500 total points
ID: 11932658
IUSR_servername and IWAM_servername are used for IIS; it will have an adverse effect if you disable these accounts.

Small Business Admin and Small Business User might have critical effects.
