• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 429
  • Last Modified:

Account lockout Exchange 2003

I have an issue I’ve been dealing with for about 6 or 7 months.  I have 13-15 accounts in AD that get locked out at random at all hours of the day and night.  Originally it started with the office manager and one of the company owners, but it has expanded to other users over time.  The office manager’s account is by leaps and bounds the most prevalent, it has locked out 101 times since I installed Netwrix account lockout examiner in February.  The next closest is the owner at 42 lockouts.  The next most frequent is 25.  Using Netwrix Account Lockout Manager I have traced the culprit machine to my Exchange 2003 server, but I can’t tell if it is something with the AD connector back to my DC, or something else that is actually on my Exchange server, I’m just not really sure where to go from here.  

Initially I thought it was the users byod mobile devices or outlook web access, but I have tested this by disabling both services for the main problem user, and I was still getting lockouts.  And, this issue has happened with users that don't have mobile access.  I’m absolutely certain the problem isn’t incorrect passwords, as their mobile devices work correctly with the stored passwords after their accounts have been unlocked.  

In my research I found information about the Conficker virus, and the symptoms sounded like they were exactly what I’ve been experiencing.  I’ve used nmap and McAfee’s conficker scanning utility to search my network immediately after an account lockout occurred, but the results have come up negative.  

One of the latest symptoms, my account and the user that is my backup when I’m absent were locked out simultaneously today.  This also happened about a week and a half ago, both at exactly the same time.  Another weird symptom, one of the accounts that was locked out recently was a terminated employee who has been gone for almost a year.  His account is disabled and he doesn’t belong to any distribution or security groups.  His email address is hidden from the public address book.  Any mail to him is forwarded to his replacement.  

The Exchange server is Exchange 2003 on a Windows Server 2003 R2 SP2 OS, the DC is Windows Server 2008 R2.  The domain functional level is Windows Server 2008 R2, and has been for over 2 years without any prior issue.  In short, nothing in the AD infrastructure has changed in the last 2 years, and I’m the only one with access to do so.  

My last reboot of the DC’s was this morning.  My last reboot of the Exchange server was 2 weeks ago.  The lockout of my account and the other user today was after the server reboot.

I’m using a mix of Trend Micro Office Scan and Microsoft Security Essentials, but I’m in the process of negotiating a price for Kaspersky Select so I can have a better centrally managed system.

Thoughts?
0
dejavoodoo77
Asked:
dejavoodoo77
2 Solutions
 
Simon Butler (Sembee)ConsultantCommented:
You need to go through the security log on the Exchange server. I would also enable logging on the SMTP virtual server, as I would expect it is an authenticated user attack of some description.
Logging on the SMTP virtual server could give you a chance to establish where the attempts are coming from.

Simon.
0
 
dejavoodoo77Author Commented:
I just turned on the SMTP virtual server logging, so I'll see if anything coincides with the next lockout.

In the Security log in Event Viewer I see an event ID 539 (failure audit) from when my account locked out today, as well as 680, 576, 540, and 538 (all success audits) happening at a high volume for about 10 minutes before finally intermingling with other logging activity for other users, but my username and the other user were in the log quite a bit for about the next 10 minutes.  I saw my name in the logs throughout the rest of the day more frequently than any other user that has a mobile device with activesync.  

Is there any other level of security logging I could enable via Event Viewer that will provide me with more information?  

In case it was going to be a question, I only have ports 25 and 443 open via NAT on my firewall for the Exchange server.  Going through the web log from the time of my lockout, the only connection I see associated with my account appears to be coming from my phone, or at least one of the same model as mine.
0
 
Alan HardistyCommented:
Please have a read of my blog and if appropriate, disable all but Anonymous Authentication on your SMTP Virtual Server to prevent hackers from trying to brute-force attack your server:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

Alan
0
Granular recovery for Microsoft Exchange

With Veeam Explorer for Microsoft Exchange you can choose the Exchange Servers and restore points you’re interested in, and Veeam Explorer will present the contents of those mailbox stores for browsing, searching and exporting.

 
jimmithakkarCommented:
Hi

it is due to virus,

refer below,

http://support.microsoft.com/kb/962007
0
 
dejavoodoo77Author Commented:
I'm dealing with a worm issue this morning from an unrelated user, but I did take a look at the smtp virtual server log, and I found an IP address that appears to be a known spammer in Germany.  I'm going to block that address at the firewall and see if it solves the issue.  I use an external anti-spam relay service, and I see their address in the log as well.

Alan, thanks, I'll take a look at that.

jimmithakkar, I've already explored the conficker route and detection has come up with nothing using nmap.  I'll take a look at the prevention methods, but I'm leaning toward Simon's suggested path right now since I've found suspicious activity.  If that doesn't fix it I'll explore the registry settings in your link.
0
 
dejavoodoo77Author Commented:
Update:  I've blocked a number of addresses that were popping up in my smtp virtual server log, and I've gone 24 hours without a lockout.  I'll monitor it over the weekend before I call it fixed, but it's looking promising.
0
 
Alan HardistyCommented:
They will no doubt be using the authentication methods that my article suggests you block.  With Anonymous enabled only, you won't need to keep chasing and blocking IP's as that will be an ever-moving target.
0
 
dejavoodoo77Author Commented:
Would disabling Integrated Windows Authentication affect my clients connecting with Outlook or ActiveSync?  I already have Basic disabled.

Thanks
0
 
Alan HardistyCommented:
No - only if you want to send via SMTP as an authenticated relay.

Activesync uses HTTPS to send mail and Outlook uses RPC over HTTPS, so both using port 443 and not even touching the SMTP Virtual Server.

Integrated Windows Auth will be what the hackers are trying to hack into your server using.  Remove the tick and restart the SMTP service and they can't use that option to try and hack into an account on your server, so no more account lockouts via that method.

Alan
0
 
dejavoodoo77Author Commented:
I wish I could give you both 500 points, because both of your answers helped me immensely.  Simon's answer exactly pinpointed the issue, and Alan's answer is going to keep me from having to stay on the hunt for all of the IP addresses they could use to give me further aggravation.  Thank you both so much.
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now