Solved

Any Way to Prevent Account Lockouts Due to Mail Relay Attempts?

Posted on 2011-03-14
Medium Priority
824 Views
Last Modified: 2012-05-11
We have been having problems related to unsuccessful attempts to relay e-mail through our Exchange server, or at least, that is what I believe is the root cause. We get a series of several thousand events with ID 529 in our Security event log over a period of a few hours, generally on a weekend, such as the following:

     3/14/2011      7:02:27 AM      Security      Failure Audit      Logon/Logoff       529      NT AUTHORITY\SYSTEM      OURSERVER      "Logon Failure:
            Reason:            Unknown user name or bad password
            User Name:      admin
            Domain:            
            Logon Type:      3
            Logon Process:      Advapi  
            Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
            Workstation Name:      OURSERVER
            Caller User Name:      OURSERVER$
            Caller Domain:      OURDOMAIN
            Caller Logon ID:      (0x0,0x3E7)
            Caller Process ID:      2232  [NOTE: This is inetinfo.exe]
            Transited Services:      -
            Source Network Address:      -
            Source Port:      -

These will contain a variety of user names including "administrator", "master", "root", "123", and so forth. Unfortunately, they also include the user account names of a couple of our actual users (non-administrators). Since there are 20 or more attempts to log in with their account names in a short period of time, their accounts get locked out.

This has been a sporadic problem in the past, but lately it has been happening almost every weekend. Unfortunately, it is the same two user accounts that always get locked out. Previous research had led me to discover that these messages are the result of attempts to relay e-mail through our server, and indeed, I can find thousands of entries such as the following in our SMTP log:

     2011-03-14 00:01:58 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 EHLO - +btxcpmjjv.com 250 0 - -
     2011-03-14 00:02:29 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 QUIT - btxcpmjjv.com 240 31219 - -

To this point, all I have done is to find the source IP addresses in our SMTP log, then block these at our firewall. Of course, the attacks always come from different IP addresses, so this doesn't have much success.

My question: Is there anything we can do to prevent such attacks from locking out our users?

I figure I can change our password policy to raise the number of attempts before a lockout, but I would rather not have to do that. I'm going to talk to our firewall vendor (SonicWALL) to see if any of their add-on services would help prevent this. But I thought I would try here first to see if anyone had any ideas. So, any ideas?

We are using Windows Small Business Server 2003 SP2 with the included versions of Exchange Server 2003 (SP2) and IIS. Although we have SBS Premium, we are currently NOT using ISA and SBS is configured with a single NIC. It sits behind a SonicWALL PRO 2040 firewall/router.

Thanks,

bhaf
0
Comment
Question by:bhaf
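The pattern described in the question (bursts of event ID 529, logon type 3 via Advapi from inetinfo.exe, with no source address, paired with thousands of EHLO/AUTH sessions in the SMTP log) can be watched for rather than discovered after a lockout. The following is an added example, not code from the thread or from Exchange or Windows: it parses a Security-log text export in the layout quoted above, counts failures per user inside the lockout observation window, and pulls the remote addresses that issued AUTH out of the IIS SMTP W3C log, since the 529 events themselves carry `Source Network Address: -`. The sample records, the user name `jsmith`, the second client address and the threshold and window values are all constructed.

```python
"""Added example (not the thread's code): correlate 529 failures with the SMTP log."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed policy values (constructed): 20 failures inside 30 minutes lock an account.
LOCKOUT_THRESHOLD = 20
LOCKOUT_WINDOW = timedelta(minutes=30)

# Header line of an exported event: date, time, log, type, category, event id, ...
HEADER_RE = re.compile(
    r"^\s*(\d{1,2}/\d{1,2}/\d{4})\s+(\d{1,2}:\d{2}:\d{2} [AP]M)\s+Security\s+"
    r"Failure Audit\s+\S+\s+(\d+)\b")
# Body lines of the event description: "Key:<whitespace>Value"
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")


def parse_security_export(text):
    """Return one dict per event record found in an Event Viewer text export."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M:%S %p")
            current = {"time": stamp, "id": int(m.group(3))}
            events.append(current)
            continue
        f = FIELD_RE.match(line)
        if current is not None and f:
            current[f.group(1).strip()] = f.group(2)
    return events


def lockout_candidates(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Map user name -> peak number of failures seen inside any one window.
    Only 529 events with logon type 3 via Advapi are counted: that is the SMTP
    service authenticating on behalf of a remote client, as in the question."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] != 529 or e.get("Logon Type") != "3" or e.get("Logon Process") != "Advapi":
            continue
        per_user[e.get("User Name", "?").lower()].append(e["time"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def smtp_commands_by_source(text):
    """Count SMTP verbs per remote address in an IIS SMTP W3C log
    (field 3 is the client IP, field 9 the command, as in the quoted lines)."""
    per_ip = defaultdict(Counter)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or line.startswith("#"):
            continue
        per_ip[parts[2]][parts[8]] += 1
    return per_ip


def summarize(event_text, smtp_text, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Combine both logs: who is at lockout risk, and which addresses tried AUTH."""
    events = parse_security_export(event_text)
    sources = smtp_commands_by_source(smtp_text)
    return {
        "events": len(events),
        "lockout_risk": lockout_candidates(events, threshold, window),
        "auth_sources": sorted(ip for ip, c in sources.items() if c["AUTH"]),
    }


def _event(date, time, user):
    """Constructed 529 record in the export layout shown in the question."""
    return (f'{date}\t{time}\tSecurity\tFailure Audit\tLogon/Logoff\t529\t'
            f'NT AUTHORITY\\SYSTEM\tOURSERVER\t"Logon Failure:\n'
            f'\tReason:\tUnknown user name or bad password\n\tUser Name:\t{user}\n'
            f'\tDomain:\t\n\tLogon Type:\t3\n\tLogon Process:\tAdvapi\n'
            f'\tCaller Process ID:\t2232\n\tSource Network Address:\t-\n"')


# Constructed sample: a short burst against a made-up user plus generic guesses.
SAMPLE_EVENTS = "\n".join([
    _event("3/14/2011", "7:02:27 AM", "admin"),
    _event("3/14/2011", "7:02:31 AM", "jsmith"),
    _event("3/14/2011", "7:02:45 AM", "jsmith"),
    _event("3/14/2011", "7:03:10 AM", "root"),
    _event("3/14/2011", "7:03:12 AM", "jsmith"),
])
# Constructed sample in the same format as the question's SMTP log lines.
SAMPLE_SMTP = """\
2011-03-14 00:01:58 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 EHLO - +btxcpmjjv.com 250 0 - -
2011-03-14 00:02:01 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 AUTH - LOGIN 334 0 - -
2011-03-14 00:02:03 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 AUTH - LOGIN 535 0 - -
2011-03-14 00:02:29 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 QUIT - btxcpmjjv.com 240 31219 - -
2011-03-14 00:05:00 203.0.113.7 mail.example.net SMTPSVC1 OURSERVER 192.168.111.25 0 EHLO - +mail.example.net 250 0 - -
"""
```

Calling `summarize(SAMPLE_EVENTS, SAMPLE_SMTP, threshold=3)` flags `jsmith` with a peak of three failures and lists `88.248.121.201` as the only address that issued AUTH; with the default threshold of 20 nothing is flagged. Running this against the real export and the day's SMTP log gives the user list before the lockout counter reaches the policy threshold, and the address list for the firewall block the question already describes.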
9 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 35132240
Yes - the simple way is to disable Basic and Integrated Windows Authentication on the SMTP Virtual Server, then only anonymous users can send you mail and anyone trying to authenticate to your server will fail!

My blog article tells you about this:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
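A check worth running after making the change described in this answer: read the SMTP virtual server's EHLO response and confirm that no AUTH mechanisms are still advertised, since an attacker's client can only attempt a logon against a mechanism the server offers. This is an added example, not code from the thread or from Exchange; the host name and the two EHLO responses are constructed (the "before" response follows the general shape an Exchange 2003 server returns, including the legacy `AUTH=` line, and the "after" response is what the change should leave).

```python
"""Added example (not the thread's code): does the SMTP server still offer AUTH?"""
import smtplib

# Constructed EHLO response from a server that still has Basic/Integrated auth on.
EHLO_BEFORE = """\
250-OURSERVER.ourdomain.local Hello [192.168.111.10]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-XEXCH50
250 OK"""

# Constructed EHLO response after both authentication methods are disabled.
EHLO_AFTER = """\
250-OURSERVER.ourdomain.local Hello [192.168.111.10]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-XEXCH50
250 OK"""


def offered_auth_mechanisms(ehlo_text):
    """Return the set of SASL mechanisms advertised in an EHLO response.
    Accepts raw "250-..." lines or the prefix-stripped lines smtplib returns."""
    mechs = set()
    for line in ehlo_text.splitlines():
        body = line[4:].strip() if line.startswith("250") else line.strip()
        # Both "AUTH GSSAPI NTLM LOGIN" and the older "AUTH=LOGIN" form count.
        if body.upper().startswith("AUTH"):
            mechs.update(m.upper() for m in body[4:].lstrip("= ").split())
    return mechs


def still_accepts_auth(ehlo_text):
    """True when the server would let a remote client attempt a password logon."""
    return bool(offered_auth_mechanisms(ehlo_text))


def check_live_server(host, port=25, timeout=10):
    """Same test against a real server (host is a placeholder; not run here)."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        _code, msg = conn.ehlo()
        return offered_auth_mechanisms(msg.decode("utf-8", "replace"))
```

`offered_auth_mechanisms(EHLO_BEFORE)` returns `{"GSSAPI", "NTLM", "LOGIN"}` and `offered_auth_mechanisms(EHLO_AFTER)` returns an empty set. `check_live_server("OURSERVER")` from an internal host, and again from outside the SonicWALL, confirms the change took effect on the path the relay attempts actually use.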
 

Author Comment

by:bhaf
ID: 35132268
Thanks for the quick reply! I'll read your blog article and get back to you.

bhaf
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35132287
No probs - if you have any users who need to authenticate - you will run into problems, but you can always configure RPC over HTTPS for them and eliminate the problem completely.

Alan
0

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35132414
FYI - the SMTP Virtual Server is found under Exchange System Manager > Servers > Your Server > Protocols > SMTP > SMTP Virtual Server Properties (right-click and choose Properties) > Access tab > Authentication button.
0
 

Author Comment

by:bhaf
ID: 35132476
Your blog post was exactly what I was looking for, but before I go ahead and turn off Basic and Integrated Windows Authentication, I have a question.

Most of our users just use Outlook and we already have it configured for RPC over HTTP, so there is no problem there. We also have a couple of applications on our remote computers that are configured to automatically e-mail alerts/reports to us, but I believe these already use anonymous access (I'll check). But we have a number of users who use Outlook Web Access (OWA) and/or connect to our Exchange server via their mobile phones. Do either of these two abilities (OWA & mobile phone access) require Basic or Integrated Windows Authentication?

bhaf
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35132514
The answer is it all depends on how they connect.

RPC over HTTPS uses HTTPS, so not an issue, OWA should also be HTTPS, so not an issue either.

Mobile phone access - if configured using ActiveSync, also uses HTTPS (or HTTP if not using SSL - but shouldn't be), so that shouldn't be a problem.

The only mobile configuration that will cause you problems is if they are configured for SMTP / POP3 - or any external device using authentication.
0
 

Author Comment

by:bhaf
ID: 35132632
Good points. All of our OWA and mobile setups use HTTPS, so it sounds like we'll be okay.

I'm going to make the change but leave this post open for a day or two in case we run into any problems. I think this will do the trick for us, and I'll let you know for sure after we try it.

Thanks for the quick and helpful reply.

bhaf
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35132644
You are welcome.  Very sensible to make the changes and monitor and I wouldn't suggest you do anything else.  Only close the question when you are happy (but don't forget!).

Thanks

Alan
0
 

Author Closing Comment

by:bhaf
ID: 35167563
We have had no problems with our e-mail since disabling Basic and Integrated Windows Authentication on SMTP, so we'll leave them disabled. As your post explained, that should prevent the problems we've had with the account lockouts. Thanks again for your prompt and clear assistance.

bhaf
0
