Solved

Change Account Login Name for an SBS 2003 AD account.

Posted on 2013-06-03
256 Views
Last Modified: 2013-11-01
I have inherited a domain that was set up by a previous admin where a number of user accounts were set up with their login names being simply their first names. The obvious end result is that these accounts are susceptible to directory and other attacks which result in their accounts being routinely locked out. We require the use of strong passwords that are changed frequently, and believe me, I hammer this point home. That said, it is a nuisance and concerns me despite the strong passwords.
I would like to change the user login names on these accounts to something more secure like first-name. initial#, but I have concerns as to what this will do.

First, if I change the account login name are there any best practices to be observed when making the change?

Second, how can I alter the client account that already exists on the client box so when the user logs in with their new credentials they will load their existing account on the box and still have access and privileges to their desktop, documents, e-mail, etc.?

The clients by the way are a mix of XP Pro and Win 7 Pro.
Question by:telefunken
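The two questions above (how to rename the logon name safely, and what to do on the client afterwards) can be worked through with the script below. It is an added example, not code from this thread, from Alan Hardisty's blog or from Microsoft. It assumes Windows PowerShell 2.0 on a domain-joined machine run as a domain admin, and it uses only System.DirectoryServices (ADSI) because an SBS 2003 domain controller has neither the Active Directory module nor ADWS. The function names, the sample logon names `john` / `john.s1`, and the UPN suffix handling are all hypothetical. The point it demonstrates: Windows ties a profile, NTFS permissions and the mailbox to the account's SID (the `ProfileList` registry key on XP and Windows 7 is keyed by SID), so renaming `sAMAccountName` and `userPrincipalName` leaves the user's desktop and documents intact; only things that store the name as text (logon scripts, scheduled tasks, saved credentials on mapped drives) need updating by hand.

```powershell
# Added example (not from the thread). Renames a domain user's logon name on a
# Windows Server 2003 / SBS 2003 domain and shows that the client profile is
# bound to the SID, which does not change.
# Assumptions: Windows PowerShell 2.0, domain-joined machine, run as a domain
# admin; only ADSI (System.DirectoryServices) is used. Names are made up.

function Rename-DomainLogonName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$OldName,   # current logon name, e.g. 'john'
        [Parameter(Mandatory = $true)][string]$NewName,   # new logon name, e.g. 'john.s1'
        [string]$UpnSuffix = $env:USERDNSDOMAIN           # must be a UPN suffix the forest accepts
    )

    # Find the account by its current pre-Windows 2000 logon name (sAMAccountName).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$OldName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "No user with sAMAccountName '$OldName' found." }

    # sAMAccountName must be unique in the domain; refuse to collide with an existing one.
    $searcher.Filter = "(sAMAccountName=$NewName)"
    if ($searcher.FindOne() -ne $null) { throw "'$NewName' is already in use." }

    $user = $result.GetDirectoryEntry()
    $dn   = [string]$user.Properties['distinguishedName'].Value
    # The SID is what profiles, ACLs and the mailbox reference; it survives the rename.
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($user.Properties['objectSid'].Value, 0)

    if ($PSCmdlet.ShouldProcess($dn, "Rename logon name '$OldName' -> '$NewName'")) {
        $user.Put('sAMAccountName',    $NewName)
        $user.Put('userPrincipalName', "$NewName@$UpnSuffix")
        $user.SetInfo()
    }

    New-Object PSObject -Property @{ DN = $dn; NewLogon = $NewName; SID = $sid.Value }
}

# Run on the user's XP / Windows 7 PC. ProfileList is keyed by SID, so if this
# returns the user's existing profile folder, the first logon with the new name
# loads that same profile (desktop, documents, Outlook profile) unchanged.
function Get-ProfilePathForSid {
    param([Parameter(Mandatory = $true)][string]$Sid)
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Sid"
    if (Test-Path $key) { (Get-ItemProperty $key).ProfileImagePath } else { $null }
}

# Usage (dry run first, then for real):
# Rename-DomainLogonName -OldName 'john' -NewName 'john.s1' -WhatIf
# $r = Rename-DomainLogonName -OldName 'john' -NewName 'john.s1'
# Get-ProfilePathForSid -Sid $r.SID     # on the client, e.g. C:\Users\john
```

The `-WhatIf` pass prints the DN that would be changed without touching the directory; do that on one test account before batching. The display name and CN are deliberately left alone, so the account still reads the same in Active Directory Users and Computers.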
21 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
To be perfectly honest, I very much doubt that changing the login IDs to firstname.initial is going to make much difference to a hacker.

What you should be more concerned about is the options you have enabled on the server that allow hackers to constantly try and hack your server.

My blog covers one way to stop hackers from trying username / password combos on your server:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

Also make sure you don't have port 3389 open (to all) on the firewall as that is another route that won't take a hacker long to breach your server.

Check what else is open and forwarded to your server and block what isn't needed, e.g., POP3 access, IMAP access etc.

Alan
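Before blocking services, it helps to know which exposed service the failed logons and lockouts are actually coming from. The script below is an added example (not from the thread or from Alan's blog) that summarises the SBS 2003 Security log by account, logon type and source address. It assumes Windows PowerShell 2.0 is installed on the server and the caller is a local Administrator, which is needed to read the Security log; the function names are hypothetical. It relies on the pre-Vista event IDs that Server 2003 writes (529 bad password, 539 account locked out, 644 user account locked out); Windows 7 and Server 2008 log 4625 and 4740 with different message text.

```powershell
# Added example, not code from the thread. Summarises failed logons and
# lockouts from the Security log of a Windows Server 2003 / SBS 2003 machine.
# Assumptions: Windows PowerShell 2.0 on the server, run as a local Administrator.
#
# Server 2003 Security event IDs used here:
#   529 = logon failure: unknown user name or bad password
#   539 = logon failure: account locked out
#   644 = user account locked out
# Logon types seen in 529/539: 3 = network, 8 = NetworkCleartext
# (basic/cleartext-style authentication), 10 = RDP.

function Get-FailedLogonEvents {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since = (Get-Date).AddHours(-$Hours)

    Get-EventLog -LogName Security -ComputerName $ComputerName -After $since -ErrorAction Stop |
        Where-Object { 529, 539, 644 -contains $_.EventID } |
        ForEach-Object {
            # 2003-era messages are "Label:<tab>value" text; parse the message so
            # we do not depend on ReplacementStrings indexes, which differ per ID.
            $msg = $_.Message
            $rec = New-Object PSObject -Property @{
                Time = $_.TimeGenerated; EventId = $_.EventID
                User = ''; LogonType = ''; Workstation = ''; Source = ''
            }
            if ($_.EventID -eq 644) {
                if ($msg -match 'Target Account Name:\s*(\S+)') { $rec.User = $matches[1] }
                if ($msg -match 'Caller Machine Name:\s*(\S+)')  { $rec.Workstation = $matches[1] }
            } else {
                if ($msg -match 'User Name:\s*(\S+)')              { $rec.User = $matches[1] }
                if ($msg -match 'Logon Type:\s*(\d+)')             { $rec.LogonType = $matches[1] }
                if ($msg -match 'Workstation Name:\s*(\S+)')       { $rec.Workstation = $matches[1] }
                if ($msg -match 'Source Network Address:\s*(\S+)') { $rec.Source = $matches[1] }
            }
            $rec | Select-Object Time, EventId, User, LogonType, Workstation, Source
        }
}

function Get-LogonAttackSummary {
    param([int]$Hours = 24)
    # Count failed attempts per account / logon type / source so the noisy
    # combinations stand out. Many type-8 failures from one address against
    # first-name accounts is the lockout pattern described in the question.
    Get-FailedLogonEvents -Hours $Hours |
        Where-Object { $_.EventId -ne 644 } |
        Group-Object User, LogonType, Source |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'User/LogonType/Source'; Expression = { $_.Name } }
}

# Usage:
# Get-LogonAttackSummary -Hours 24 | Format-Table -AutoSize
# Get-FailedLogonEvents -Hours 24 | Where-Object { $_.EventId -eq 644 }   # lockouts only
```

Run it once before and once after turning off an authentication method or closing a port: the logon type and source columns tell you whether the remaining failures arrive via SMTP/IIS-style cleartext auth, RDP or a LAN workstation, which is the evidence to decide what else still needs closing.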

Author Comment

by:telefunken
Alan,

As always, thank you for your reply. I read your article, and one thing I didn't mention is that we do run Exchange 2003 on this server and use SMTP; so if I understand the article correctly I can't do what you suggest.

Regards,
Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
That is correct!

Are you not able to switch users to RPC over HTTPS to bypass the need for SMTP?

Alan

Author Comment

by:telefunken
Alan,

I must admit to being a bit ignorant on the protocol. If there is a guide somewhere you could point me to I would read up on it. As I said I inherited this system/job from someone else and have learned a lot in the past 2½ years, but as you know it is a daily learning experience. That's what I enjoy most about it!

Regards,
Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
I know the feeling well.

In terms of an article to read - there isn't much to it to be honest.

Are you using a 3rd party SSL certificate on the server or a self-issued one?

You can check this in IIS Manager under the Default Website Properties > Security Tab > View Server Certificate.

If it was self-issued, then the certificate would need to be installed on each and every client using RPC over HTTPS, but if you are using a 3rd party certificate, then as long as it is trusted by the client, which most are (not all), then it should be plain sailing.

Visit https://testexchangeconnectivity.com and run the Outlook Anywhere Test; on the next screen, specify manual server settings, fill in the details, run the test and let me know the results.

Should be able to get you up and running using RPC over HTTPS in no time and then you can stop using SMTP remotely to send mail and then close that down for hackers, giving you far fewer locked accounts.

Alan

Author Comment

by:telefunken
Self-signed... that much I know. Sounds like it would be far easier to purchase a certificate.

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
It can be - for $30 you can get a self-signed cert from a GoDaddy Reseller or a bit more for a GoDaddy one which are about the cheapest.

Check who the Admin contact for the domain is before venturing down the certificate avenue as the Admin contact will need to receive and approve an email for the domain.

I'm happy to help you as much as I can (as usual).

Alan

Author Comment

by:telefunken
Alan,

Which domain are you referring to? Our local domain hosts our Exchange server; that's the one that has the self-signed cert. Our web presence is hosted by a third party and registered with Network-Solutions.

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
If your domain for email is abc.com then you need to check the Admin Contact for abc.com to make sure the email address for the Admin contact is one you can reach.

You can check on www.whois.com/whois

Alan

Author Comment

by:telefunken
Well, that would be me then! I'm the admin contact... scary isn't it!

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
Excellent - can you access your own emails?

If you can - which I would imagine you can, then you can order a certificate and get the ball rolling.

Have you requested a certificate before on an SBS 2003 server using IIS Manager?

What FQDN do you plan on using e.g., mail.yourdomain.com ?

Alan

Author Comment

by:telefunken
Alan,

Yes, I am the domain admin so I can access or create any email address I want... the power is overwhelming...

No, I have never requested a certificate before; we have always used the self-signed cert, though I have thought about it many times.

Yes, our mail is directed to mail.mydomain.com.

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
Okay - if you fire up IIS Manager, then expand down to your Default Website, right-click it and choose Properties.

On the Directory Security Tab, click on the Server Certificate Button and remove the current certificate (which will of course break anything that uses it!).

Then click the same button again and run through the wizard, following the "Generating the CSR:" section of this link:

http://www.123-reg.co.uk/support/answers/SSL-Certificates/Generate-a-CSR/generate-a-csr-microsoft-exchange-2003-638/

Then buy a certificate from wherever you like, copy the contents of the generated CSR into the relevant page on the SSL site and request the certificate. Once you have approved the certificate, download it and install it using IIS Manager again: go back to the Server Certificate button and complete the request by pointing the wizard to the downloaded certificate file.

Once installed, then you can use the test site and should get a good result for RPC over HTTPS, then we can use Outlook happily and do away with SMTP remotely.

Shout if any of that is too confusing.

Alan

Author Comment

by:telefunken
Alan,

I think I understand everything about the certificate. How do I make the change to RPC over HTTPS, and how will that affect my mobile (cell phone) users? Also will there be anything else I need to do on the client side?

Thanks for your help,

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
The switch to RPC over HTTPS is a client configuration change in Outlook and it won't affect your mobile users at all.

Both communications take place over port 443 though.

On SBS 2003 it should be working by default, unless your settings are slightly out, but having run the SBS Connect To The Internet Wizard in your other questions, that should be 100% okay, apart from having to add the Integrated Windows Auth to the RPC Virtual Directory in IIS Manager as that always gets removed when running the wizard and it won't work without it!

Alan

Author Comment

by:telefunken
Alan,

Sorry I've been busy today. So to be clear are you saying that each client's Outlook would need a config change to establish the connection once the Cert is in place and the Internet connection wizard has been run?

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
No probs - you are not alone.

Yes - they would all need to be changed if outside the company.

Author Comment

by:telefunken
OK. So if they are local on the LAN or connected via VPN nothing would need to change. Only if they were outside the LAN and not connected via VPN would I need to change the config, correct? If that's the case then as far as I know there wouldn't be any clients affected!

Telefunken
LVL 76

Expert Comment

by:Alan Hardisty
That's correct. Although if they connect via VPN just to get mail, you can switch them to RPC over HTTPS and then they will get their emails automatically without the VPN link.

Also, if you don't have any clients externally except via VPN, then you don't need SMTP externally other than to receive emails normally, so you can turn off the authentication methods listed in my article.

Alan

Author Comment

by:telefunken
Alan,

I think I understand. It's a lot for me to digest right now, I'm going on vacation next week! I'll ponder it tonight then post back if I have any more questions. Otherwise I'll accept your solution even though I won't be able to try anything out right away. I trust your recommendations implicitly, you've never steered me wrong in the past!

Regards,

Telefunken (Nathaniel)
LVL 76

Expert Comment

by:Alan Hardisty
There is no need to accept anything before you know it is a working solution, unless you are planning a 6-month holiday!

I don't need the points, so have a ponder tonight, forget about this for the length of your holiday, then when you come back refreshed and relaxed, pick up the question again and shout if you get stuck with anything.

If you think you are still using SMTP, which by the sounds of it, you aren't, then you can do away with the authentication methods and protect your server some more.

Alan