Change Account Login Name for an SBS 2003 AD account.

Posted on 2013-06-03
Medium Priority
268 Views
Last Modified: 2013-11-01
I have inherited a domain that was set up by a previous admin where a number of user accounts were set up with their login names being simply their first names. The obvious end result is that these accounts are susceptible to directory and other attacks which result in their accounts being routinely locked out. We require the use of strong passwords that are changed frequently, and believe me I hammer this point home. That said, it is a nuisance and concerns me despite the strong passwords.
I would like to change the user login names on these accounts to something more secure like first-name.initial#, but I have concerns as to what this will do.

First, if I change the account login name are there any best practices to be observed when making the change?

Second, how can I alter the client account that already exists on the client box so when the user logs in with their new credentials they will load their existing account on the box and still have access and privileges to their desktop, documents, e-mail etc.

The clients by the way are a mix of XP Pro and Win 7 Pro.
Question by:telefunken
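An added example, not from the thread, of how the rename asked about above can be done on an SBS 2003 domain with ADSI from PowerShell (no ActiveDirectory module is needed). The DN, new logon name and UPN suffix are placeholders. It does a dry run unless -Commit is given, refuses a name that is invalid or already taken, and checks that the account's SID, which is what the client's local profile, NTFS ACLs and mailbox link are keyed on, is unchanged after the rename:

```powershell
# Added example (not from the thread): rename an AD user's logon names on an SBS 2003 domain
# via ADSI, which works from PowerShell 2.0 without the later ActiveDirectory module.
# All values in the param block are placeholders; replace them for your domain.
param(
    [string]$UserDn    = "CN=John Doe,OU=Users,DC=example,DC=local",  # placeholder DN
    [string]$NewLogon  = "john.d1",                                   # placeholder new sAMAccountName
    [string]$UpnSuffix = "example.local",                             # placeholder UPN suffix
    [switch]$Commit                                                   # without -Commit nothing is written
)

# sAMAccountName limits on a 2003-era domain: at most 20 characters, none of " / \ [ ] : ; | = , + * ? < >
if ($NewLogon.Length -gt 20 -or $NewLogon -match '["/\\\[\]:;|=,+*?<>]') {
    throw "'$NewLogon' is not a valid sAMAccountName"
}

# Refuse to continue if any object in the domain already uses the new logon name
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(sAMAccountName=$NewLogon)"
if ($searcher.FindOne()) { throw "sAMAccountName '$NewLogon' is already in use" }

$user = [ADSI]"LDAP://$UserDn"
$sidBefore = (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$user.objectSid.Value, 0)).Value
Write-Host ("Current logon: {0}  UPN: {1}  SID: {2}" -f $user.sAMAccountName, $user.userPrincipalName, $sidBefore)

if (-not $Commit) {
    Write-Host "Dry run: would set sAMAccountName=$NewLogon and userPrincipalName=$NewLogon@$UpnSuffix"
    return
}

# Write both logon names in one commit so the pre-Windows 2000 name and the UPN stay consistent
$user.Put("sAMAccountName", $NewLogon)
$user.Put("userPrincipalName", "$NewLogon@$UpnSuffix")
$user.SetInfo()

# Re-read the object and verify the objectSid is unchanged. The workstation profile
# (HKLM\...\ProfileList), NTFS permissions and the mailbox link all reference the SID,
# not the logon name, so the user lands in the same profile with the new name.
$user.psbase.RefreshCache()
$sidAfter = (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$user.objectSid.Value, 0)).Value
if ($sidAfter -ne $sidBefore) { throw "SID changed unexpectedly; stop and investigate before renaming more accounts" }
Write-Host ("Renamed. New logon: {0}  UPN: {1}  SID unchanged: {2}" -f $user.sAMAccountName, $user.userPrincipalName, $sidAfter)
```

Run it once without -Commit per account to see what would change; anything that references the old name by string (logon scripts, saved credentials, mapped drives with stored passwords) still needs updating by hand.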
21 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 39215990
To be perfectly honest, I very much doubt that changing the login IDs to firstname.initial is going to make much difference to a hacker.

What you should be more concerned about is the options you have enabled on the server that allow hackers to constantly try and hack your server.

My blog covers one way to stop hackers from trying username / password combos on your server:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

Also make sure you don't have port 3389 open (to all) on the firewall as that is another route that won't take a hacker long to breach your server.

Check what else is open and forwarded to your server and block what isn't needed, e.g., POP3 access, IMAP access etc.

Alan

Author Comment

by:telefunken
ID: 39215999
Alan,

As always thank you for your reply. I read your article and one thing I didn't mention is that we do run Exchange 2003 on this server and use SMTP; so if I understand the article correctly I can't do what you suggest.

Regards,
Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39216279
That is correct!

Are you not able to switch users to RPC over HTTPS to bypass the need for SMTP?

Alan

Author Comment

by:telefunken
ID: 39216630
Alan,

I must admit to being a bit ignorant on the protocol. If there is a guide somewhere you could point me to I would read up on it. As I said I inherited this system/job from someone else and have learned a lot in the past 2½ years, but as you know it is a daily learning experience. That's what I enjoy most about it!

Regards,
Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39216651
I know the feeling well.

In terms of an article to read - there isn't much to it to be honest.

Are you using a 3rd party SSL certificate on the server or a self-issued one?

You can check this in IIS Manager under the Default Website Properties > Security Tab > View Server Certificate.

If it was self-issued, then the certificate would need to be installed on each and every client using RPC over HTTPS, but if you are using a 3rd party certificate, then as long as it is trusted by the client, which most are (not all), then it should be plain sailing.

If you visit https://testexchangeconnectivity.com and run the Outlook Anywhere Test and then on the next screen, specify manual server settings, fill in the details and run the test and let me know the results.

Should be able to get you up and running using RPC over HTTPS in no time and then you can stop using SMTP remotely to send mail and then close that down for hackers, giving you far fewer locked accounts.

Alan

Author Comment

by:telefunken
ID: 39216670
Self-signed... that much I know. Sounds like it would be far easier to purchase a certificate.

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39216766
It can be - for $30 you can get a self-signed cert from a GoDaddy Reseller, or a bit more for a GoDaddy one, which are about the cheapest.

Check who the Admin contact for the domain is before venturing down the certificate avenue as the Admin contact will need to receive and approve an email for the domain.

I'm happy to help you as much as I can (as usual).

Alan

Author Comment

by:telefunken
ID: 39216777
Alan,

Which domain are you referring to? Our local domain hosts our Exchange server; that's the one that has the self-signed cert. Our web presence is hosted by a third party and registered with Network-Solutions.

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39216782
If your domain for email is abc.com then you need to check the Admin Contact for abc.com to make sure the email address for the Admin contact is one you can reach.

You can check on www.whois.com/whois

Alan

Author Comment

by:telefunken
ID: 39216830
Well, that would be me then! I'm the admin contact....scary isn't it!

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39216840
Excellent - can you access your own emails??

If you can - which I would imagine you can, then you can order a certificate and get the ball rolling.

Have you requested a certificate before on an SBS 2003 server using IIS Manager?

What FQDN do you plan on using e.g., mail.yourdomain.com ?

Alan

Author Comment

by:telefunken
ID: 39218636
Alan,

Yes, I am the domain admin so I can access or create an email address I want....the power is overwhelming......

No, I have never requested a certificate before; we have always used the self-signed cert, though I have thought about it many times.

Yes, our mail is directed to mail.mydomain.com.

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39218673
Okay - if you fire up IIS Manager, then expand down to your Default Website and right-click it and choose properties.

On the Directory Security Tab, click on the Server Certificate Button and remove the current certificate (which will of course break anything that uses it!).

Then click the same button again and run through the wizard, following the "Generating the CSR:" section of this link:

http://www.123-reg.co.uk/support/answers/SSL-Certificates/Generate-a-CSR/generate-a-csr-microsoft-exchange-2003-638/

Then buy a certificate from wherever you like, copy the contents of the CSR generated into the relevant page on the SSL site and request the certificate, then once you have approved the certificate, download and install it by using IIS Manager again and going back to the Server Certificate button and complete the request by pointing the wizard to the downloaded Certificate file.

Once installed, then you can use the test site and should get a good result for RPC over HTTPS, then we can use Outlook happily and do away with SMTP remotely.

Shout if any of that is too confusing.

Alan

Author Comment

by:telefunken
ID: 39218698
Alan,

I think I understand everything about the certificate. How do I make the change to RPC over HTTPS, and how will that affect my mobile (cell phone) users? Also will there be anything else I need to do on the client side?

Thanks for your help,

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39218801
The switch to RPC over HTTPS is a client configuration change in Outlook and it won't affect your mobile users at all.

Both communications take place over port 443 though.

On SBS 2003 it should be working by default, unless your settings are slightly out, but having run the SBS Connect To The Internet Wizard in your other questions, that should be 100% okay, apart from having to add the Integrated Windows Auth to the RPC Virtual Directory in IIS Manager as that always gets removed when running the wizard and it won't work without it!

Alan

Author Comment

by:telefunken
ID: 39223379
Alan,

Sorry I've been busy today. So to be clear are you saying that each client's Outlook would need a config change to establish the connection once the Cert is in place and the Internet connection wizard has been run?

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39223502
No probs - you are not alone.

Yes - they would all need to be changed if outside the company.

Author Comment

by:telefunken
ID: 39225229
OK. So if they are local on the LAN or connected via VPN nothing would need to change. Only if they were outside the LAN and not connected via VPN would I need to change the config, correct? If that's the case then as far as I know there wouldn't be any clients affected!

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39225302
That's correct. Although if they connect via VPN just to get mail, you can switch them to RPC over HTTPS and then they will get their emails automatically without the VPN link.

Also, if you don't have any clients externally except via VPN, then you don't need SMTP externally other than to receive emails normally, so you can turn off the authentication methods listed in my article.

Alan

Author Comment

by:telefunken
ID: 39226290
Alan,

I think I understand. It's a lot for me to digest right now, I'm going on vacation next week! I'll ponder it tonight then post back if I have any more questions. Otherwise I'll accept your solution even though I won't be able to try anything out right away. I trust your recommendations implicitly, you've never steered me wrong in the past!

Regards,

Telefunken (Nathaniel)
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39226317
There is no need to accept anything before you know it is a working solution, unless you are planning a 6-month holiday!

I don't need the points, so have a ponder tonight, forget about this for the length of your holiday, then when you come back refreshed and relaxed, pick up the question again and shout if you get stuck with anything.

If you think you are still using SMTP, which by the sounds of it, you aren't, then you can do away with the authentication methods and protect your server some more.

Alan