Accepting Email from Security Service

Asked by Flipp:

I look after a number of SBS 2003 and they all get hit with Event ID 529 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 at random times. I understand that this is expected when having a SBS on the Internet, and that the entries are attempts to break in.

To try and reduce the load at which these servers have to service these attempts I was hoping to stop them at the external firewall (Internet Router) so hoping someone can assist with this. In addition, I use an external hosted email service which filters emails and forwards onto SBS 2003 - can I accept email only from this service and block everything else?
Flipp (asker):

Can you give me more information on where one could configure only accepting from some IPs?
Well, this is something you need to configure in your router. Of course I do not know every router model, but if you tell me the brand and model of your router then I can try to help you. Did you ever configure something on that router yourself, i.e. do you know how to access the web interface or command line of the router?
Flipp (asker):

Yes, I have configured routers before (not command-line Cisco though), but currently use low-grade Linksys and Netgear routers (WRT120N). But I am looking at pushing clients to upgrade if I can provide value. Do you know the section that I would be configuring (e.g. Port Forwarding)?
For configuring a WRT120N take a look at:

http://www.wtrt.net/manuals/Linksys_WRT120N.pdf

Especially Chapter 3 - Advanced configuration.


Actually CrisHanna is correct, I have to admit. By configuring the router like I recommended - which you should definitely do for security reasons - you would not get rid of the 529s, I assume.

You should configure the IP Connection Filtering mentioned in the article above to accept mail only from the internet facing router where your mails arrive from outside. This is unless you have mail sending clients or servers inside your network, like backup machines. Then you also need to configure to accept mail from those IP addresses.
Flipp (asker):

CrisHanna_MVP - I don't explicitly leave 3389 open, I redirect another random port from external to internal 3389. As far as Exchange goes, I thought that the attempted hacks are trying to use Exchange to relay, so need to lock down outgoing email instead? Also, I am following the article you sent through to only allow two IP Ranges in Global Accept and Deny List Configuration by entering the two ranges in Accept (as given to me by Trend Micro). I then apply and restart SMTP Services, then telnet from an IP not in range and can connect successfully. According to this article, the Accept/Deny is the first test and I seem not to be blocked?

@dan_blagut - Yes, I do use NAT so all traffic arrives at the router, and I port forward only a few ports to the server (25, 443, 4125), but I don't have any options to filter where connections are coming from - it would be ideal for the router to do the work rather than SMTP connections coming through to the server. (I am assuming that the 529 events are from external hackers trying to relay and getting authentication failures, so I am trying CrisHanna_MVP's link from above.) Have I overlooked something on the router?

@The_Kirschi - Cheers. Yes trying to get the Global Accept/Deny list to work.
Flipp (asker):

I updated my MX probably 8 months ago to a third-party Inbound Email Security (Trend Micro's Hosted Email Security), so I assume I can then only accept connections from their IP Address List seen here (http://esupport.trendmicro.com/Pages/How-to-accept-emails-coming-from-Hosted-Email-Security-servers-only.aspx).

So I think I need to just add these IP Ranges to the Accept List in Message Delivery > Connection Filtering and then enable Connection Filtering on my Virtual SMTP Server, then restart services and I should be denied when I telnet to this server per http://www.msexchange.org/tutorials/Microsoft-Small-Business-Server-2003-Spam-Filtering.html.

Please help me - have I missed something to configure?
If you follow the article I posted, this ensures that mail only comes in through the spam/AV filter.

But that is not going to fix the 529 errors.
When you read the body of the 529, is it type 10 or type 3?
Flipp (asker):

Logon Type 3.

Also for my education, what will this actually prevent when I apply IP Ranges in Accept List? :)
To prevent malicious users from delivering messages directly to your Exchange Server (thus bypassing the online service's servers), perform the following steps:

    1. Right-click the Default SMTP Virtual Server (as shown in Figure 1) and select Properties.
    2. Click on the Access tab.
    3. In the window that appears, click on the button marked Connection...
    4. Another window will appear.
    5. Click on the radio button marked Only the list below.
    6. Now click on the Add button.
    7. This will cause another window to appear.
    8. In this window you need to specify the IP addresses of Trend Micro (which of course includes your internal network subnet as well).

By doing so, it will prevent any attempt to telnet to your IP address, hence blocking unnecessary attempts.
Flipp (asker):

OK, I think my head is spinning :) ..... SMTP Incoming and Outgoing is confusing me a tad so let me take a step back.

Incoming SMTP should be configured per limjianan's comment above, by adding Trend Server IP Ranges and internal IP Ranges. Do I need to consider Smart Phones in this scenario?

Also, how does this relate to configuring per CrisHanna_MVP's suggestion above?

Should I be doing both?

And finally, the Logon Type 3 Event ID 529 issue.
Again, I doubt it is about email.

Have a look at
https://www.experts-exchange.com/questions/23806408/Event-id-529-MICROSOFT-AUTHENTICATION-PACKAGE-V1-0.html

A lot of times this is a false alarm; it might be that you have changed the password but something keeps using the previous password.

Check what the time is and verify where that traffic comes from (internal or external).

Type 3 event 529s are internal; it has nothing to do with email or the firewall.
Some device on your network is having occasional issues.
Flipp (asker):

Thank you all for your input on this issue.

I will monitor the two SBS this week and wait for the issue to arise and can look into Internal/External IP, then will take suitable action.
Flipp (asker):

I just found one SBS that has over 200 Event ID 529 with various values for Username. The Caller Process ID is inetinfo.exe so I am assuming I can check existing logging to find source, but not sure which log I should be checking?

Please advise.
Flipp (asker):

Usernames tried were Webmaster, root, mail, info, temp, admin, anonymous.
Flipp (asker):

I would expect that event 529 could be from external, if using one of the port forwarded ports through firewall (i.e. 25, 443)?

CrisHanna?
I would agree so.
A normal Windows server will never have webmaster, root, info, temp, admin and anonymous.

It seems like a random sweep attempting to break into your network.
Flipp (asker):

Then are there any things I should be doing to ensure servers/network are locked down?
Can you really put in an example of the error message?

Because something like http://support.microsoft.com/kb/811082 can be happening.
And are you so sure it is external?
Flipp (asker):

Hi All - So today I saw approx. 150 ID 529 events in the Security Logs, and while it is fresh and recent I would like to troubleshoot this ASAP.

The event entry referenced Process ID which was inetinfo.exe.

So what next? Am I supposed to be enabling logging on Exchange/IIS to find source IP?
Can you post an example?

Logon Type: 3?
Logon Process: KSecDD?
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0?
Flipp (asker):

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            15/01/2012
Time:            4:42:32 PM
User:            NT AUTHORITY\SYSTEM
Computer:      WINSERV1
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      shop
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      CAS
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1844
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -


Okay,

http://blogs.msdn.com/b/puneetgupta/archive/2007/08/20/unknown-username-or-bad-password-inetinfo-exe-advapi.aspx

It gives me some insight: it will be someone external trying to hack your SMTP relay.

Did you lock your SMTP up correctly?
Does your MX record no longer show your public IP address?
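
To see which 529 entries fit the inetinfo.exe/Advapi pattern the reply above points to, here is an added Python example (not code from the thread) that parses events in the layout the asker pasted and counts the user names tried through that path. The caller PID 1844 is taken from the asker's event; the log text below is constructed, and the user names and second PID are made up.

```python
import re
from collections import Counter

# Constructed sample in the layout the asker pasted (names and PIDs are made
# up): two failures raised through inetinfo.exe and one console logon failure.
SAMPLE_LOG = """\
Event Type:      Failure Audit
Event ID:      529
       User Name:      shop
       Logon Type:      3
       Logon Process:      Advapi
       Caller Process ID:      1844
       Source Network Address:      -
Event Type:      Failure Audit
Event ID:      529
       User Name:      root
       Logon Type:      3
       Logon Process:      Advapi
       Caller Process ID:      1844
       Source Network Address:      -
Event Type:      Failure Audit
Event ID:      529
       User Name:      jsmith
       Logon Type:      2
       Logon Process:      User32
"""
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_events(text):
    """One dict of 'Field: value' pairs per event; 'Event Type' opens an event."""
    events = []
    for m in filter(None, map(FIELD.match, text.splitlines())):
        if m.group(1) == "Event Type":
            events.append({})
        if events:
            events[-1][m.group(1)] = m.group(2)
    return events


def is_smtp_auth_failure(ev, inetinfo_pid):
    """529, logon type 3, Advapi, caller PID of inetinfo.exe, no source address."""
    return (ev.get("Event ID") == "529" and ev.get("Logon Type") == "3"
            and ev.get("Logon Process") == "Advapi"
            and ev.get("Caller Process ID") == str(inetinfo_pid)
            and ev.get("Source Network Address", "-") == "-")


def probed_usernames(text, inetinfo_pid):
    """Count the user names tried via SMTP (webmaster, root, ... in the thread)."""
    return Counter(ev["User Name"] for ev in parse_events(text)
                   if is_smtp_auth_failure(ev, inetinfo_pid))
```

Because the event carries no Source Network Address, the source IP has to come from the SMTP protocol log rather than from the Security log itself.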

Flipp (asker):

Without going through process outlined in link you sent (thank you heaps for that - very useful!), how would you check and ensure SMTP is locked down and MX Record shows Public IP?
Hmm..
Do a telnet from outside your network to the public IP on port 25.

You should get a connection failure instead of getting the normal screen.

If you confirm your external side has been secured (by id: 37275970),

then I reckon it is an internal IP address; you need to find out whose computer is infected.
Flipp (asker):

I can telnet to mail.domain.com 25, so how am I supposed to be securing it?

Not sure what you mean by "by id: 37275970"?
Ah.. go to the previous post id 37275970 on this page.

The reference page I used is http://www.mailguard.com.au/uploads/file/support/microsoft-exchange-2000.htm#inbound
Replace the IP addresses correctly with your provider's (Symantec cloud?).

To prevent malicious users from delivering messages directly to your Exchange Server (thus bypassing the online service's servers), perform the following steps:

    1. Right-click the Default SMTP Virtual Server and select Properties.
    2. Click on the Access tab.
    3. In the window that appears, click on the button marked Connection...
    4. Another window will appear.
    5. Click on the radio button marked Only the list below.
    6. Now click on the Add button.
    7. This will cause another window to appear.
    8. In this window you need to specify the IP addresses of Trend Micro (which of course includes your internal network subnet as well).

By doing so, it will prevent any attempt to telnet to your IP address, hence blocking unnecessary attempts.

Flipp (asker):

Ah yes - so if Trend advise the below:
216.99.131.0/24
216.104.4.0/24
150.70.149.0/27

...... how do I translate these into Subnet Address and Subnet Mask?
x.x.x.x b.b.b.b
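
As an added example (not part of the thread), the three CIDR ranges quoted above converted into the subnet address and subnet mask pairs the Connection Control dialog expects, together with a check of whether a given connecting address would be accepted under "Only the list below". The internal subnet 192.168.1.0/24 and the probe addresses are assumed values; 203.0.113.9 is a documentation address standing in for an outside host.

```python
import ipaddress

# The three ranges the asker quoted from Trend Micro's Hosted Email Security
# list; check the provider's current list before relying on them.
PROVIDER_RANGES = ["216.99.131.0/24", "216.104.4.0/24", "150.70.149.0/27"]

# Assumed local entries (hypothetical values, not from the thread): the LAN
# subnet for scanners and internal senders, and the server's own loopback.
LOCAL_RANGES = ["192.168.1.0/24", "127.0.0.1/32"]


def cidr_to_subnet_entry(cidr):
    """Return the (subnet address, subnet mask) pair that the Exchange 2003
    Connection Control dialog expects for a 'Group of computers' entry."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.netmask)


def build_accept_list(ranges):
    """Expand each CIDR into the dotted address/mask pair typed into the GUI."""
    return [cidr_to_subnet_entry(r) for r in ranges]


def is_connection_accepted(source_ip, ranges):
    """Emulate 'Only the list below': accept only if the connecting address
    falls inside one of the listed subnets; anything else is refused."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


if __name__ == "__main__":
    allowed = PROVIDER_RANGES + LOCAL_RANGES
    for address, mask in build_accept_list(allowed):
        print(f"{address:16} {mask}")
    # A telnet test from outside the list should now be refused, while the
    # filtering service's range and localhost still get through.
    for probe in ["216.99.131.77", "203.0.113.9", "127.0.0.1"]:
        state = "accepted" if is_connection_accepted(probe, allowed) else "refused"
        print(probe, state)
```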

Flipp (asker):

I think I have it using http://oav.net/mirrors/cidr.html ..... I will lock it down and see how we go over next few weeks, unless there is something else I should be doing to lock down?
Flipp (asker):

Another question on this ... would I also need to be explicit and add any IP Addresses of devices that use SMTP on Server like Scanners or even itself (127.0.0.1)?
Yes, you do! Remember to add the internal scanner and printer IP addresses.

Usually I will allow the internal IP address, but if you are security conscious, giving explicit IP addresses will help.

You only need to give the localhost if the server points to localhost (like backup notification etc.).
I usually whitelist them unless you suspect something rogue.

In your case, I will lock down external access first, then internally if you suspect something internal :)
If it still happens, remember to post an example of your event log so I can see what really goes wrong :)
Flipp (asker):

Champion - cheers again!
Flipp (asker):

Awesome source of information!