bhaf (United States of America) asked:

Any Way to Prevent Account Lockouts Due to Mail Relay Attempts?

We have been having problems related to unsuccessful attempts to relay e-mail through our Exchange server, or at least, that is what I believe is the root cause. We get a series of several thousand events with ID 529 in our Security event log over a period of a few hours, generally on a weekend, such as the following:

     3/14/2011 7:02:27 AM  Security  Failure Audit  Logon/Logoff  529  NT AUTHORITY\SYSTEM  OURSERVER  "Logon Failure:
            Reason: Unknown user name or bad password
            User Name: admin
            Domain:
            Logon Type: 3
            Logon Process: Advapi
            Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
            Workstation Name: OURSERVER
            Caller User Name: OURSERVER$
            Caller Domain: OURDOMAIN
            Caller Logon ID: (0x0,0x3E7)
            Caller Process ID: 2232  [NOTE: This is inetinfo.exe]
            Transited Services: -
            Source Network Address: -
            Source Port: -

These will contain a variety of user names including "administrator", "master", "root", "123", and so forth. Unfortunately, they also include the user account names of a couple of our actual users (non-administrators). Since there are 20 or more attempts to log in with their account names in a short period of time, their accounts get locked out.

This has been a sporadic problem in the past, but lately it has been happening almost every weekend. Unfortunately, it is the same two user accounts that always get locked out. Previous research had led me to discover that these messages are the result of attempts to relay e-mail through our server, and indeed, I can find thousands of entries such as the following in our SMTP log:

     2011-03-14 00:01:58 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 EHLO - +btxcpmjjv.com 250 0 - -
     2011-03-14 00:02:29 88.248.121.201 btxcpmjjv.com SMTPSVC1 OURSERVER 192.168.111.25 0 QUIT - btxcpmjjv.com 240 31219 - -

To this point, all I have done is to find the source IP addresses in our SMTP log, then block these at our firewall. Of course, the attacks always come from different IP addresses, so this doesn't have much success.

My question: Is there anything we can do to prevent such attacks from locking out our users?

I figure I can change our password policy to raise the number of attempts before a lockout, but I would rather not have to do that. I'm going to talk to our firewall vendor (SonicWALL) to see if any of their add-on services would help prevent this. But I thought I would try here first to see if anyone had any ideas. So, any ideas?

We are using Windows Small Business Server 2003 SP2 with the included versions of Exchange Server 2003 (SP2) and IIS. Although we have SBS Premium, we are currently NOT using ISA and SBS is configured with a single NIC. It sits behind a SonicWALL PRO 2040 firewall/router.

Thanks,

bhaf
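As an added example (not from the question, the accepted answer, or any Microsoft tool), the following Python script parses 529 records in the layout quoted above, keeps only those that show the SMTP pattern described (Logon Type 3, Logon Process Advapi, optionally the inetinfo.exe caller PID), and lists the accounts that reach a lockout threshold inside a time window, so the two real users can be spotted before the policy locks them. The sample records, the user name jsmith, the NtLmSsp record, the threshold of 3 and the 10-minute window are constructed for the demonstration; in practice use the domain's account lockout threshold and observation window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

EVENT_RE = re.compile(r"^(\d+/\d+/\d{4}\s+\d+:\d+:\d+\s+[AP]M)\s.*\b529\b")
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+):\s*(.*)$")

def parse_529_events(text):
    """Split a text dump of Security-log records into one dict per 529 event."""
    events = []
    for line in text.splitlines():
        if m := EVENT_RE.match(line):  # header line: timestamp ... 529 ... (tabs/space runs collapsed)
            events.append({"time": datetime.strptime(" ".join(m.group(1).split()), "%m/%d/%Y %I:%M:%S %p")})
        elif events and (f := FIELD_RE.match(line)):  # indented "Key: value" line of the current record
            events[-1][f.group(1).strip()] = f.group(2).strip()
    return events

def smtp_auth_failures(events, inetinfo_pid=None):
    """Keep the question's pattern: network logon (type 3) via Advapi, optionally from inetinfo.exe's PID."""
    return [e for e in events if e.get("Logon Type") == "3" and e.get("Logon Process") == "Advapi"
            and (inetinfo_pid is None or e.get("Caller Process ID") == inetinfo_pid)]

def accounts_at_risk(events, threshold, window_minutes):
    """User names with `threshold` or more failures inside any `window_minutes` span."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["User Name"]].append(e["time"])
    at_risk = set()
    for user, times in by_user.items():
        recent = deque()  # sliding window of this user's failure times
        for t in sorted(times):
            recent.append(t)
            while (t - recent[0]).total_seconds() > window_minutes * 60:
                recent.popleft()
            if len(recent) >= threshold:
                at_risk.add(user)
                break
    return at_risk

def make_event(ts, user, process="Advapi", pid="2232"):
    """One record in the layout quoted in the question (constructed sample data)."""
    return (f'{ts} Security Failure Audit Logon/Logoff 529 NT AUTHORITY\\SYSTEM OURSERVER "Logon Failure:\n'
            f"    User Name: {user}\n    Logon Type: 3\n    Logon Process: {process}\n    Caller Process ID: {pid}")

# Constructed burst: a guessed name plus a real user; the NtLmSsp record did not come through SMTP and must not count.
SAMPLE_LOG = "\n".join([make_event("3/14/2011 7:02:27 AM", "admin"),
                        make_event("3/14/2011 7:02:31 AM", "jsmith"),
                        make_event("3/14/2011 7:03:02 AM", "jsmith"),
                        make_event("3/14/2011 7:03:40 AM", "jsmith", process="NtLmSsp", pid="624"),
                        make_event("3/14/2011 7:04:10 AM", "jsmith")])
```

Running accounts_at_risk over the filtered events with the domain's real lockout threshold and window returns the set of user names to pre-empt; the inetinfo.exe PID changes on every restart, so pass the current one or leave it out.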
ASKER CERTIFIED SOLUTION
Alan Hardisty (United Kingdom of Great Britain and Northern Ireland)
bhaf (ASKER):

Thanks for the quick reply! I'll read your blog article and get back to you.

bhaf
Alan Hardisty:

No probs - if you have any users who need to authenticate - you will run into problems, but you can always configure RPC over HTTPS for them and eliminate the problem completely.

Alan
Alan Hardisty:

FYI - the SMTP Virtual Server is found under Exchange System Manager> Servers> Your Server> Protocols> SMTP> SMTP Virtual Server Properties (right-click and choose properties)> Access Tab> Authentication Button.
bhaf (ASKER):

Your blog post was exactly what I was looking for, but before I go ahead and turn off Basic and Integrated Windows Authentication, I have a question.

Most of our users just use Outlook and we already have it configured for RPC over HTTP, so there is no problem there. We also have a couple of applications on our remote computers that are configured to automatically e-mail alerts/reports to us, but I believe these already use anonymous access (I'll check). But we have a number of users who use Outlook Web Access (OWA) and/or connect to our Exchange server via their mobile phones. Do either of these two abilities (OWA & mobile phone access) require Basic or Integrated Windows Authentication?

bhaf
Alan Hardisty:

The answer is it all depends on how they connect.

RPC over HTTPS uses HTTPS, so not an issue, OWA should also be HTTPS, so not an issue either.

Mobile phone access - if configured using Activesync, also uses HTTPS (or HTTP if not using SSL - but shouldn't be), so that shouldn't be a problem.

The only mobile configuration that will cause you problems is if they are configured for SMTP / POP3 - or any external device using authentication.
bhaf (ASKER):

Good points. All of our OWA and mobile setups use HTTPS, so it sounds like we'll be okay.

I'm going to make the change but leave this post open for a day or two in case we run into any problems. I think this will do the trick for us, and I'll let you know for sure after we try it.

Thanks for the quick and helpful reply.

bhaf
Alan Hardisty:

You are welcome. Very sensible to make the changes and monitor and I wouldn't suggest you do anything else. Only close the question when you are happy (but don't forget!).

Thanks

Alan
bhaf (ASKER):

We have had no problems with our e-mail since disabling Basic and Integrated Windows Authentication on SMTP, so we'll leave them disabled. As your post explained, that should prevent the problems we've had with the account lockouts. Thanks again for your prompt and clear assistance.

bhaf