• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 834

Any Way to Prevent Account Lockouts Due to Mail Relay Attempts?

We have been having problems related to unsuccessful attempts to relay e-mail through our Exchange server, or at least, that is what I believe is the root cause. We get a series of several thousand events with ID 529 in our Security event log over a period of a few hours, generally on a weekend, such as the following:

     3/14/2011      7:02:27 AM      Security      Failure Audit      Logon/Logoff       529      NT AUTHORITY\SYSTEM      OURSERVER      "Logon Failure:
            Reason:            Unknown user name or bad password
            User Name:      admin
            Domain:            
            Logon Type:      3
            Logon Process:      Advapi  
            Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
            Workstation Name:      OURSERVER
            Caller User Name:      OURSERVER$
            Caller Domain:      OURDOMAIN
            Caller Logon ID:      (0x0,0x3E7)
            Caller Process ID:      2232  [NOTE: This is inetinfo.exe]
            Transited Services:      -
            Source Network Address:      -
            Source Port:      -

These will contain a variety of user names including "administrator", "master", "root", "123", and so forth. Unfortunately, they also include the user account names of a couple of our actual users (non-administrators). Since there are 20 or more attempts to log in with their account names in a short period of time, their accounts get locked out.

This has been a sporadic problem in the past, but lately it has been happening almost every weekend. Unfortunately, it is the same two user accounts that always get locked out. Previous research had led me to discover that these messages are the result of attempts to relay e-mail through our server, and indeed, I can find thousands of entries such as the following in our SMTP log:

     2011-03-14 00:01:58 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 EHLO - +btxcpmjjv.com 250 0 - -
     2011-03-14 00:02:29 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 QUIT - btxcpmjjv.com 240 31219 - -

To this point, all I have done is to find the source IP addresses in our SMTP log, then block these at our firewall. Of course, the attacks always come from different IP addresses, so this doesn't have much success.

My question: Is there anything we can do to prevent such attacks from locking out our users?

I figure I can change our password policy to raise the number of attempts before a lockout, but I would rather not have to do that. I'm going to talk to our firewall vendor (SonicWALL) to see if any of their add-on services would help prevent this. But I thought I would try here first to see if anyone had any ideas. So, any ideas?

We are using Windows Small Business Server 2003 SP2 with the included versions of Exchange Server 2003 (SP2) and IIS. Although we have SBS Premium, we are currently NOT using ISA and SBS is configured with a single NIC. It sits behind a SonicWALL PRO 2040 firewall/router.

Thanks,

bhaf
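The question above gives two pieces of evidence: Security-log 529 records (with inetinfo.exe as the caller) and IIS SMTP log lines from the same hours. The following is an added example, not code from the thread or either participant, that puts them together from a defender's side: it parses 529 records in the layout quoted above, counts SMTP-originated bad-password failures per account inside a sliding lockout window, flags the accounts that the guessing would lock out, and counts SMTP sessions per client IP so the sources can be reviewed. Assumptions, none of which the thread states beyond the "20 or more attempts" remark: a lockout threshold of 20 and a 30-minute reset window, the inetinfo.exe PID 2232 from the question's note, SMTP log field positions inferred from the two quoted lines, and constructed sample records (the user name `jsmith` and the 203.0.113.x addresses are invented).

```python
"""Correlate Security event 529 records with IIS SMTP log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed lockout policy (the thread only says "20 or more attempts").
LOCKOUT_THRESHOLD = 20                     # bad passwords before lockout
LOCKOUT_WINDOW = timedelta(minutes=30)     # "reset lockout counter after"
SMTP_PROCESS_ID = 2232                     # inetinfo.exe, per the question's note

# Header line of a 529 record as exported from the Security log (see the question).
RECORD_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'Security\s+Failure Audit\s+Logon/Logoff\s+529\b', re.M)
# Indented "Key: value" detail lines under the header.
FIELD_RE = re.compile(r'^\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$', re.M)


def make_529(stamp, user, pid):
    """Render one 529 record in the quoted export layout (constructed sample)."""
    return (f'{stamp:%m/%d/%Y} {stamp:%I:%M:%S %p} Security Failure Audit Logon/Logoff 529 '
            f'NT AUTHORITY\\SYSTEM OURSERVER "Logon Failure:\n'
            f'    Reason: Unknown user name or bad password\n'
            f'    User Name: {user}\n'
            f'    Domain: \n'
            f'    Logon Type: 3\n'
            f'    Logon Process: Advapi\n'
            f'    Caller Process ID: {pid}\n')


def build_sample_events():
    """Constructed sample: 24 SMTP-originated guesses against 'jsmith' in under
    12 minutes (enough to lock the account), one guess each against names that
    do not exist, and one failure for 'jsmith' from a process other than inetinfo."""
    base = datetime(2011, 3, 14, 7, 2, 27)
    parts = [make_529(base + timedelta(seconds=30 * i), 'jsmith', SMTP_PROCESS_ID)
             for i in range(24)]
    parts += [make_529(base + timedelta(seconds=7 * i), name, SMTP_PROCESS_ID)
              for i, name in enumerate(['admin', 'root', 'master', '123'])]
    parts.append(make_529(base + timedelta(minutes=5), 'jsmith', 1544))  # not inetinfo
    return ''.join(parts)


def parse_529_events(text):
    """Split an exported Security log into 529 records and keep the timestamp,
    target user name and calling process ID of each."""
    events = []
    starts = list(RECORD_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        fields = {f['key'].strip(): f['val'] for f in FIELD_RE.finditer(text, m.end(), end)}
        stamp = datetime.strptime(f"{m['date']} {m['time']}", '%m/%d/%Y %I:%M:%S %p')
        events.append({'time': stamp,
                       'user': fields.get('User Name', '').lower(),
                       'pid': int(fields.get('Caller Process ID') or 0)})
    return events


def accounts_at_risk(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW,
                     pid=SMTP_PROCESS_ID):
    """Peak number of SMTP-originated failures per user inside any sliding window.
    Returns {user: peak} for the users whose peak reaches the lockout threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e['pid'] == pid:
            by_user[e['user']].append(e['time'])
    at_risk = {}
    for user, times in by_user.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # drop failures older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            at_risk[user] = peak
    return at_risk


# Constructed SMTP log sample: the two lines quoted in the question plus one more.
SMTP_SAMPLE = """\
2011-03-14 00:01:58 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 EHLO - +btxcpmjjv.com 250 0 - -
2011-03-14 00:02:29 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 QUIT - btxcpmjjv.com 240 31219 - -
2011-03-14 00:03:10 203.0.113.7 example.test SMTPSVC1 OURSERVER 192.168.111.25 0 EHLO - +example.test 250 0 - -
"""


def smtp_clients(log_text):
    """Count SMTP sessions (EHLO/HELO greetings) per client IP. Field positions
    (client IP third, command ninth) are inferred from the quoted log lines."""
    sessions = Counter()
    for line in log_text.splitlines():
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) > 8 and parts[8] in ('EHLO', 'HELO'):
            sessions[parts[2]] += 1
    return sessions


if __name__ == '__main__':
    print('accounts at lockout risk:', accounts_at_risk(parse_529_events(build_sample_events())))
    print('SMTP sessions per client IP:', dict(smtp_clients(SMTP_SAMPLE)))
```

Because only failures whose caller is inetinfo.exe are counted, the report separates SMTP-driven lockouts from a user simply mistyping a password at a workstation, which is the distinction that matters before changing the SMTP virtual server's authentication settings.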
1 Solution
 
Alan Hardisty (Co-Owner) commented:
Yes - the simple way is to disable Basic and Integrated Windows Authentication on the SMTP Virtual Server, then only anonymous users can send you mail and anyone trying to authenticate to your server will fail!

My blog article tells you about this:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 
bhaf (Author) commented:
Thanks for the quick reply! I'll read your blog article and get back to you.

bhaf
0
 
Alan Hardisty (Co-Owner) commented:
No probs - if you have any users who need to authenticate - you will run into problems, but you can always configure RPC over HTTPS for them and eliminate the problem completely.

Alan
0
 
Alan Hardisty (Co-Owner) commented:
FYI - the SMTP Virtual Server is found under Exchange System Manager> Servers> Your Server> Protocols> SMTP> SMTP Virtual Server Properties (right-click and choose properties)> Access Tab> Authentication Button.
0
 
bhaf (Author) commented:
Your blog post was exactly what I was looking for, but before I go ahead and turn off Basic and Integrated Windows Authentication, I have a question.

Most of our users just use Outlook and we already have it configured for RPC over HTTP, so there is no problem there. We also have a couple of applications on our remote computers that are configured to automatically e-mail alerts/reports to us, but I believe these already use anonymous access (I'll check). But we have a number of users who use Outlook Web Access (OWA) and/or connect to our Exchange server via their mobile phones. Do either of these two abilities (OWA & mobile phone access) require Basic or Integrated Windows Authentication?

bhaf
0
 
Alan Hardisty (Co-Owner) commented:
The answer is it all depends on how they connect.

RPC over HTTPS uses HTTPS, so not an issue; OWA should also be HTTPS, so not an issue either.

Mobile phone access - if configured using ActiveSync, also uses HTTPS (or HTTP if not using SSL - but shouldn't be), so that shouldn't be a problem.

The only mobile configuration that will cause you problems is if they are configured for SMTP / POP3 - or any external device using authentication.
0
 
bhaf (Author) commented:
Good points. All of our OWA and mobile setups use HTTPS, so it sounds like we'll be okay.

I'm going to make the change but leave this post open for a day or two in case we run into any problems. I think this will do the trick for us, and I'll let you know for sure after we try it.

Thanks for the quick and helpful reply.

bhaf
0
 
Alan Hardisty (Co-Owner) commented:
You are welcome. Very sensible to make the changes and monitor, and I wouldn't suggest you do anything else. Only close the question when you are happy (but don't forget!).

Thanks

Alan
0
 
bhaf (Author) commented:
We have had no problems with our e-mail since disabling Basic and Integrated Windows Authentication on SMTP, so we'll leave them disabled. As your post explained, that should prevent the problems we've had with the account lockouts. Thanks again for your prompt and clear assistance.

bhaf
0