Solved

Any Way to Prevent Account Lockouts Due to Mail Relay Attempts?

Posted on 2011-03-14
Last Modified: 2012-05-11
We have been having problems related to unsuccessful attempts to relay e-mail through our Exchange server, or at least, that is what I believe is the root cause. We get a series of several thousand events with ID 529 in our Security event log over a period of a few hours, generally on a weekend, such as the following:

     3/14/2011      7:02:27 AM      Security      Failure Audit      Logon/Logoff       529      NT AUTHORITY\SYSTEM      OURSERVER      "Logon Failure:
            Reason:            Unknown user name or bad password
            User Name:      admin
            Domain:            
            Logon Type:      3
            Logon Process:      Advapi  
            Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
            Workstation Name:      OURSERVER
            Caller User Name:      OURSERVER$
            Caller Domain:      OURDOMAIN
            Caller Logon ID:      (0x0,0x3E7)
            Caller Process ID:      2232  [NOTE: This is inetinfo.exe]
            Transited Services:      -
            Source Network Address:      -
            Source Port:      -

These will contain a variety of user names including "administrator", "master", "root", "123", and so forth. Unfortunately, they also include the user account names of a couple of our actual users (non-administrators). Since there are 20 or more attempts to log in with their account names in a short period of time, their accounts get locked out.

This has been a sporadic problem in the past, but lately it has been happening almost every weekend. Unfortunately, it is the same two user accounts that always get locked out. Previous research had led me to discover that these messages are the result of attempts to relay e-mail through our server, and indeed, I can find thousands of entries such as the following in our SMTP log:

     2011-03-14 00:01:58 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 EHLO - +btxcpmjjv.com 250 0 - -
     2011-03-14 00:02:29 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 QUIT - btxcpmjjv.com 240 31219 - -

To this point, all I have done is to find the source IP addresses in our SMTP log, then block these at our firewall. Of course, the attacks always come from different IP addresses, so this doesn't have much success.

My question: Is there anything we can do to prevent such attacks from locking out our users?

I figure I can change our password policy to raise the number of attempts before a lockout, but I would rather not have to do that. I'm going to talk to our firewall vendor (SonicWALL) to see if any of their add-on services would help prevent this. But I thought I would try here first to see if anyone had any ideas. So, any ideas?

We are using Windows Small Business Server 2003 SP2 with the included versions of Exchange Server 2003 (SP2) and IIS. Although we have SBS Premium, we are currently NOT using ISA and SBS is configured with a single NIC. It sits behind a SonicWALL PRO 2040 firewall/router.

Thanks,

bhaf
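As an added illustration (not part of the question or of any answer in this thread), the following Python script shows the kind of triage the question describes: it pulls the 529 events that arrived through the SMTP service (network logon via Advapi from the inetinfo.exe process), counts failures per account name, and flags the accounts that have reached the lockout threshold. The event text, user names and the inetinfo.exe PID are constructed for the example; the threshold of 20 is the figure given in the question.

```python
import re
from collections import Counter

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def _event(user, domain, logon_type, process, pid):
    # Builds one constructed event-529 body in the layout the question shows.
    return (f"Logon Failure:\n    Reason:            Unknown user name or bad password\n"
            f"    User Name:         {user}\n    Domain:            {domain}\n"
            f"    Logon Type:        {logon_type}\n    Logon Process:     {process}\n"
            f"    Caller Process ID: {pid}\n")

# Constructed sample: guessed names via the SMTP service (inetinfo.exe, PID 2232),
# a real account hit 20 times, and one console typo (User32) that is not SMTP.
SAMPLE_SECURITY_LOG = (
    _event("admin", "", 3, "Advapi", 2232)
    + _event("root", "", 3, "Advapi", 2232)
    + _event("jdoe", "OURDOMAIN", 3, "Advapi", 2232) * 20
    + _event("jdoe", "OURDOMAIN", 2, "User32", 980)
)

def parse_529_events(text):
    """One dict of field -> value per 'Logon Failure:' block in the dump."""
    events = []
    for block in text.split("Logon Failure:")[1:]:
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        events.append(fields)
    return events

def smtp_auth_failures(events, smtp_pids):
    """Failed logons per user that came via SMTP AUTH: type 3, Advapi, inetinfo PID."""
    counts = Counter()
    for ev in events:
        if (ev.get("Logon Type") == "3" and ev.get("Logon Process") == "Advapi"
                and ev.get("Caller Process ID") in smtp_pids):
            counts[ev.get("User Name", "").lower()] += 1
    return counts

def accounts_at_risk(counts, lockout_threshold):
    """User names that have hit the lockout threshold, sorted for stable output."""
    return sorted(u for u, n in counts.items() if n >= lockout_threshold)

if __name__ == "__main__":
    counts = smtp_auth_failures(parse_529_events(SAMPLE_SECURITY_LOG), {"2232"})
    print("SMTP AUTH failures per user:", dict(counts))
    print("at lockout threshold:", accounts_at_risk(counts, 20))
```

Guessed names such as "admin" and "root" show up with a failure each but never lock anything; the real account is the one that reaches the threshold, which is the lockout the question is about.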
Question by:bhaf
9 Comments
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 35132240
Yes - the simple way is to disable Basic and Integrated Windows Authentication on the SMTP Virtual Server, then only anonymous users can send you mail and anyone trying to authenticate to your server will fail!

My blog article tells you about this:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

Author Comment

by:bhaf
ID: 35132268
Thanks for the quick reply! I'll read your blog article and get back to you.

bhaf
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35132287
No probs - if you have any users who need to authenticate - you will run into problems, but you can always configure RPC over HTTPS for them and eliminate the problem completely.

Alan
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35132414
FYI - the SMTP Virtual Server is found under Exchange System Manager> Servers> Your Server> Protocols> SMTP> SMTP Virtual Server Properties (right-click and choose properties)> Access Tab> Authentication Button.

Author Comment

by:bhaf
ID: 35132476
Your blog post was exactly what I was looking for, but before I go ahead and turn off Basic and Integrated Windows Authentication, I have a question.

Most of our users just use Outlook and we already have it configured for RPC over HTTP, so there is no problem there. We also have a couple of applications on our remote computers that are configured to automatically e-mail alerts/reports to us, but I believe these already use anonymous access (I'll check). But we have a number of users who use Outlook Web Access (OWA) and/or connect to our Exchange server via their mobile phones. Do either of these two abilities (OWA & mobile phone access) require Basic or Integrated Windows Authentication?

bhaf
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35132514
The answer is it all depends on how they connect.

RPC over HTTPS uses HTTPS, so not an issue, OWA should also be HTTPS, so not an issue either.

Mobile phone access - if configured using ActiveSync, also uses HTTPS (or HTTP if not using SSL - but shouldn't be), so that shouldn't be a problem.

The only mobile configuration that will cause you problems is if they are configured for SMTP / POP3 - or any external device using authentication.

Author Comment

by:bhaf
ID: 35132632
Good points. All of our OWA and mobile setups use HTTPS, so it sounds like we'll be okay.

I'm going to make the change but leave this post open for a day or two in case we run into any problems. I think this will do the trick for us, and I'll let you know for sure after we try it.

Thanks for the quick and helpful reply.

bhaf
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35132644
You are welcome. Very sensible to make the changes and monitor and I wouldn't suggest you do anything else. Only close the question when you are happy (but don't forget!).

Thanks

Alan

Author Closing Comment

by:bhaf
ID: 35167563
We have had no problems with our e-mail since disabling Basic and Integrated Windows Authentication on SMTP, so we'll leave them disabled. As your post explained, that should prevent the problems we've had with the account lockouts. Thanks again for your prompt and clear assistance.

bhaf
