Accepting Email from Security Service

I look after a number of SBS 2003 servers and they all get hit with Event ID 529 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 at random times. I understand that this is expected when having an SBS on the Internet, and that the entries are attempts to break in.

To try and reduce the load these servers have to bear servicing these attempts, I was hoping to stop them at the external firewall (Internet router), so I am hoping someone can assist with this. In addition, I use an externally hosted email service which filters emails and forwards them on to SBS 2003 - can I accept email only from this service and block everything else?
Flipp asked:

Jian An Lim (Solutions Architect) commented:
I probably think what happens is that your MX record is publicly available to anyone who attempts to come in.

What you probably want to do is protect your Exchange server by using something like MessageLabs http://www.symanteccloud.com/en/au/ or Mailguard http://www.mailguard.com.au

By doing so, your email is routed to a third party and they are the only entry point to your network.

Otherwise, you always have a risk there because your SMTP is Internet-facing.

The_Kirschi commented:
Well, I don't know about your router model, but normally you should just allow SMTP to be accepted from your email provider's IP address on the public (i.e. Internet-facing) IP address of your router. Then configure a port forwarding so that everything that comes in on port 25 on the router's external address will be forwarded to your SBS. If you use OWA you also need to do this for port 443 (https). Don't use port 80 (http) because it is unencrypted. But you need to accept connections to port 443 on your router's external interface from any source IP if you want your users to be able to connect from anywhere. You should not allow any connections on your router's Internet interface that you do not need.

Flipp (author) commented:
Can you give me more information on where one could configure only accepting from some IPs?

The_Kirschi commented:
Well, this is something you need to configure in your router. Of course I do not know every router model, but if you tell me the brand and model of your router then I can try to help you. Did you ever configure something on that router yourself, i.e. do you know how to access the web interface or command line of the router?

Flipp (author) commented:
Yes, I have configured routers before (not command-line Cisco though), but currently use low-grade Linksys and Netgear routers (WRT120N). But I am looking at pushing clients to upgrade if I can provide value. Do you know the section that I would be configuring? (e.g. Port Forwarding).

Cris Hanna commented:
You don't need to do this at the Router
Here is a link for configuring Exchange to only accept inbound mail from your spam service  http://www.msexchange.org/tutorials/Microsoft-Small-Business-Server-2003-Spam-Filtering.html

Also close port 3389 on the router and I bet you get rid of most of those 529's

dan_blagut commented:
Hello

On all low-cost broadband routers you can do NAT. When you NAT your network you will have only one IP available on the Internet and you can NAT traffic for specific ports.
For SMTP you should NAT (do port forwarding) to your SMTP gateway. At this point all traffic from the Internet will arrive on your gateway and no traffic reaches Exchange, except the traffic relayed by your gateway. For outgoing email traffic nothing changes.
If you have some web sites published on the Internet you should configure port forwarding for each site.
Usually the devices that you can find on the market are able to manage only one IP address in output.

Dan

The_Kirschi commented:
For configuring a WRT120N take a look at:

http://www.wtrt.net/manuals/Linksys_WRT120N.pdf

Especially Chapter 3 - Advanced configuration.

Actually, CrisHanna is correct, I have to admit. By configuring the router like I recommended - which you should definitely do for security reasons - you would not get rid of the 529's, I assume.

You should configure the IP Connection Filtering mentioned in the article above to accept mail only from the Internet-facing router where your mails arrive from outside. This is unless you have mail-sending clients or servers inside your network, like backup machines. Then you also need to configure it to accept mail from those IP addresses.

Flipp (author) commented:
CrisHanna_MVP - I don't explicitly leave 3389 open, I redirect another random port from external to internal 3389. As far as Exchange goes, I thought that the attempted hacks are trying to use Exchange to relay, so need to lock down outgoing email instead? Also, I am following the article you sent through to only allow two IP Ranges in Global Accept and Deny List Configuration by entering the two ranges in Accept (as given to me by Trend Micro). I then apply and restart SMTP Services, then telnet from an IP not in range and can connect successfully. According to this article, the Accept/Deny is the first test and I seem not to be blocked?

@dan_blagut - Yes, I do use NAT so all traffic arrives at the router, and I port forward only a few ports to the server (25, 443, 4125) but I don't have any options to filter where connections are coming from - this would be ideal for the router to do the work rather than connections for SMTP coming through to the server. (I am assuming that the 529 events are from external hackers trying to relay and getting authentication failures, so trying CrisHanna_MVP's link from above.) Have I overlooked something on the router?

@The_Kirschi - Cheers. Yes, trying to get the Global Accept/Deny list to work.

Flipp (author) commented:
I updated my MX probably 8 months ago to a third-party Inbound Email Security (Trend Micro's Hosted Email Security), so I assume I can then only accept connections from their IP Address List seen here (http://esupport.trendmicro.com/Pages/How-to-accept-emails-coming-from-Hosted-Email-Security-servers-only.aspx).

So I think I need to just add these IP Ranges to the Accept List in Message Delivery > Connection Filtering and then enable Connection Filtering on my Virtual SMTP Server, then restart services and I should be denied when I telnet to this server per http://www.msexchange.org/tutorials/Microsoft-Small-Business-Server-2003-Spam-Filtering.html.

Please help me - have I missed something to configure?

Cris Hanna commented:
If you follow the article I posted, this ensures that mail only comes in through the spam/AV filter

But that is not going to fix the 529 errors
When you read the body of the 529... is it type 10 or type 3?

Flipp (author) commented:
Logon Type 3.

Also for my education, what will this actually prevent when I apply IP Ranges in Accept List? :)

Jian An Lim (Solutions Architect) commented:
To prevent malicious users from delivering messages directly to your Exchange Server (thus bypassing online's servers), perform the following steps:

    Right click the Default SMTP Virtual Server (as shown in Figure 1) and select Properties.
    Click on the Access tab.
    In the window that appears, click on the button marked Connection...
    Another window will appear
    Click on the radio button marked Only the list below.
    Now click on the Add button.
    This will cause another window to appear
    In this window you need to specify the IP addresses of Trend Micro (of course, include your internal network subnet as well)

By doing so, it will prevent any attempt to telnet to your IP address, hence blocking unnecessary attempts

Flipp (author) commented:
OK, I think my head is spinning :) ..... SMTP Incoming and Outgoing is confusing me a tad so let me take a step back.

Incoming SMTP should be configured per limjianan's comment above, by adding Trend Server IP Ranges and internal IP Ranges. Do I need to consider Smart Phones in this scenario?

Also, how does this relate to configuring per CrisHanna_MVP's suggestion above?

Should I be doing both?

And finally, the Logon Type 3 Event ID 529 issue.

Jian An Lim (Solutions Architect) commented:
Again, I doubt it is about email

Have a look at
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_23806408.html

A lot of times, this is a false alarm and it might be that you have changed the password but something keeps using the previous password.

Check what the time is and verify where that traffic comes from (internal or external)

Cris Hanna commented:
Type 3 event 529's are internal... has nothing to do with email or the firewall
Some device on your network is having occasional issues.

Flipp (author) commented:
Thank you all for your input on this issue.

I will monitor the two SBS this week and wait for the issue to arise and can look into Internal/External IP, then will take suitable action.

Flipp (author) commented:
I just found one SBS that has over 200 Event ID 529 with various values for Username. The Caller Process ID is inetinfo.exe so I am assuming I can check existing logging to find source, but not sure which log I should be checking?

Please advise.

Flipp (author) commented:
Usernames tried were Webmaster, root, mail, info, temp, admin, anonymous.

Flipp (author) commented:
I would expect that event 529 could be from external, if using one of the port forwarded ports through firewall (i.e. 25, 443)?

CrisHanna?

Jian An Lim (Solutions Architect) commented:
I would agree so.
A normal Windows server will never have webmaster, root, info, temp, admin and anonymous.

It seems like a random sweep in an attempt to break into your network.

Flipp (author) commented:
Then are there any things I should be doing to ensure servers/network are locked down?

Jian An Lim (Solutions Architect) commented:
Can you really put in an example of the error message?

Because something like http://support.microsoft.com/kb/811082 can be happening.
And are you so sure it is external?

Flipp (author) commented:
Hi All - So today I saw approx 150 ID: 529 in Security Logs and while it is fresh and recent I would like to troubleshoot this asap.

The event entry referenced Process ID which was inetinfo.exe.

So what next? Am I supposed to be enabling logging on Exchange/IIS to find source IP?

Jian An Lim (Solutions Architect) commented:
Can you post an example?

Logon Type: 3?
Logon Process: KSecDD?
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0?

Flipp (author) commented:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            15/01/2012
Time:            4:42:32 PM
User:            NT AUTHORITY\SYSTEM
Computer:      WINSERV1
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      shop
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      CAS
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1844
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
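As an added illustration of how to triage a batch of these events (example code written for this thread, not something posted by any participant): the parser below reads the plain-text 529 format shown above, counts the user names tried, separates entries that carry a Source Network Address from those that do not, and flags names that are not real accounts on the server. The sample events, the `known_accounts` set and the 192.168.16.x address are constructed; only the field names follow the event layout.

```python
# Parse Windows Server 2003 Event ID 529 text and summarise it for triage.
# Added example; the sample events are constructed, only the field names
# follow the event layout quoted in this thread.
import re
from collections import Counter

# Constructed sample: two entries matching the thread's pattern (Logon Type 3,
# Advapi, no source address) and one ordinary network logon that did record
# the workstation's IP.
SAMPLE_LOG = """\
Event Type:      Failure Audit
Event ID:      529
       User Name:      shop
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Caller Process ID:      1844
       Source Network Address:      -

Event Type:      Failure Audit
Event ID:      529
       User Name:      webmaster
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Caller Process ID:      1844
       Source Network Address:      -

Event Type:      Failure Audit
Event ID:      529
       User Name:      jsmith
       Domain:            CAS
       Logon Type:      3
       Logon Process:      NtLmSsp
       Caller Process ID:      -
       Source Network Address:      192.168.16.44
"""

# "Field:<whitespace>value" lines; a bare "Logon Failure:" line yields "".
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_events(text):
    """Split on each 'Event Type:' header and return one {field: value}
    dict per event."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        events.append(fields)
    return events


def triage_529(events, known_accounts):
    """Summarise 529 events. known_accounts is the set of names that really
    exist (constructed here); anything else was guessed by the caller."""
    events = [e for e in events if e.get("Event ID") == "529"]
    by_user = Counter(e.get("User Name", "") for e in events)
    # Logon Type 3 via Advapi with no source address is the pattern the
    # thread attributes to SMTP AUTH attempts handled by inetinfo.exe: the
    # security event carries no client IP, so the SMTP protocol log is
    # where the connecting address has to be looked up.
    smtp_auth_like = sum(
        1 for e in events
        if e.get("Logon Type") == "3"
        and e.get("Logon Process") == "Advapi"
        and e.get("Source Network Address", "-") == "-")
    by_source_ip = Counter(
        e["Source Network Address"] for e in events
        if e.get("Source Network Address", "-") != "-")
    unknown_names = sorted(n for n in by_user if n.lower() not in known_accounts)
    return {
        "total": len(events),
        "by_user": dict(by_user),
        "unknown_names": unknown_names,
        "smtp_auth_like": smtp_auth_like,
        "by_source_ip": dict(by_source_ip),
    }


def summarise(text, known_accounts=frozenset({"jsmith", "administrator"})):
    return triage_529(parse_events(text), known_accounts)


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a saved export of the Security log, the `unknown_names` list is the quickest tell: names like shop, webmaster or root that exist on no server in the domain point to a dictionary sweep rather than a stale cached password, and a non-zero `smtp_auth_like` count says the client IP will have to come from the SMTP protocol log rather than from the event itself.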
 
Jian An Lim (Solutions Architect) commented:
Okay,

http://blogs.msdn.com/b/puneetgupta/archive/2007/08/20/unknown-username-or-bad-password-inetinfo-exe-advapi.aspx

It gives me some insight: it will be someone external trying to hack your SMTP relay

Did you lock your SMTP up correctly?
Does your MX record no longer show the public IP address?

Flipp (author) commented:
Without going through process outlined in link you sent (thank you heaps for that - very useful!), how would you check and ensure SMTP is locked down and MX Record shows Public IP?

Jian An Lim (Solutions Architect) commented:
Hmm...
Do a telnet from outside your network to the public IP on port 25.

You should get a connection failure instead of getting the normal screen.

If you confirm your external side has been secured (by id: 37275970)

then I reckon it is an internal IP address and you need to find out whose computer is infected

Flipp (author) commented:
I can telnet to mail.domain.com 25, so how am I supposed to be securing it?

Not sure what you mean by "by id: 37275970"?

Jian An Lim (Solutions Architect) commented:
Ah, go to the previous post, id 37275970, on this page.

The reference page I used is http://www.mailguard.com.au/uploads/file/support/microsoft-exchange-2000.htm#inbound
Replace the IP addresses correctly with your provider's (Symantec cloud?)

To prevent malicious users from delivering messages directly to your Exchange Server (thus bypassing online's servers), perform the following steps:

    Right click the Default SMTP Virtual Server and select Properties.
    Click on the Access tab.
    In the window that appears, click on the button marked Connection...
    Another window will appear
    Click on the radio button marked Only the list below.
    Now click on the Add button.
    This will cause another window to appear
    In this window you need to specify the IP addresses of Trend Micro (of course, include your internal network subnet as well)

By doing so, it will prevent any attempt to telnet to your IP address, hence blocking unnecessary attempts

Flipp (author) commented:
Ah yes - so if Trend advise on below:
216.99.131.0/24
216.104.4.0/24
150.70.149.0/27

...... how do I translate these into Subnet Address and Subnet Mask?
x.x.x.x b.b.b.b
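A worked translation of those ranges, as an added example for this thread (not posted by any participant and not the dialog's own code): `ipaddress` turns each CIDR prefix into the subnet address and dotted mask that the connection control list asks for, and `is_accepted` mirrors the "Only the list below" decision so the resulting list can be sanity-checked against a provider address, a stray external address and the server's own loopback before it is applied. The three provider ranges are the ones quoted above; the 192.168.16.0/24 LAN range and the test addresses are constructed.

```python
# Convert a hosted mail filter's published CIDR ranges into the "Subnet
# address / Subnet mask" pairs the SMTP virtual server's connection control
# dialog expects, and simulate the "Only the list below" decision for a
# source IP.  Added example; the provider ranges are the ones quoted in the
# thread, the internal LAN range and the test addresses are constructed.
import ipaddress

PROVIDER_RANGES = ["216.99.131.0/24", "216.104.4.0/24", "150.70.149.0/27"]
# Constructed: the server's own LAN plus loopback for local submitters
# (backup notifications, the server itself).
INTERNAL_RANGES = ["192.168.16.0/24", "127.0.0.1/32"]


def to_subnet_and_mask(cidr):
    """'150.70.149.0/27' -> ('150.70.149.0', '255.255.255.224').
    strict=False also accepts a range written with host bits set
    (e.g. '192.168.16.10/24') and normalises it to the network address."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.netmask)


def build_accept_list(*range_groups):
    """Flatten the groups into the (subnet, mask) rows to type into the
    dialog, in a stable order and without duplicates."""
    rows = []
    for group in range_groups:
        for cidr in group:
            row = to_subnet_and_mask(cidr)
            if row not in rows:
                rows.append(row)
    return rows


def is_accepted(source_ip, accept_list):
    """Mirror the 'Only the list below' rule: accept only if the connecting
    address falls inside one of the listed subnets."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(f"{subnet}/{mask}")
               for subnet, mask in accept_list)


def format_rows(accept_list):
    """Render the rows as 'x.x.x.x b.b.b.b' lines, the form asked about."""
    return "\n".join(f"{subnet} {mask}" for subnet, mask in accept_list)


if __name__ == "__main__":
    acl = build_accept_list(PROVIDER_RANGES, INTERNAL_RANGES)
    print(format_rows(acl))
    for ip in ["216.99.131.17", "150.70.149.40", "203.0.113.5", "127.0.0.1"]:
        print(ip, "accepted" if is_accepted(ip, acl) else "refused")
```

The /27 is the one worth double-checking by hand: it covers only 150.70.149.0 to 150.70.149.31, so an address such as 150.70.149.40 is outside it and would be refused, which is exactly what the mask 255.255.255.224 encodes. Note that this only models the list; whether the filter is actually in force on the virtual server is what the telnet test from outside confirms.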
 
Flipp (author) commented:
I think I have it using http://oav.net/mirrors/cidr.html ..... I will lock it down and see how we go over next few weeks, unless there is something else I should be doing to lock down?

Flipp (author) commented:
Another question on this ... would I also need to be explicit and add any IP Addresses of devices that use SMTP on Server like Scanners or even itself (127.0.0.1)?

Jian An Lim (Solutions Architect) commented:
Yes, you do! Remember to add the internal scanner and printer IP addresses.

Usually I will allow the internal IP address range, but if you are concerned about security, giving explicit IP addresses will help.

You only need to add the local host if the server points to localhost (like backup notifications, etc.)
I usually whitelist them unless you suspect something rogue.

In your case, I would lock down external access first, then internally if you suspect something internal :)

Jian An Lim (Solutions Architect) commented:
If it still happens, remember to post an example of your event log so I can see what really goes wrong :)

Flipp (author) commented:
Champion - cheers again!

Flipp (author) commented:
Awesome source of information!