Increase in Hacker attempts on Windows / Exchange Servers – One Way to Slow Them Down! | Alan Hardisty's Blog

Excellent Price / Performance Anti-Spam Software

If you are looking for some Excellent Anti-Spam software that is priced per server not per user and that will reduce your spam dramatically, then I can recommend Vamsoft ORF (http://www.vamsoft.com). I personally use this on my own server and have installed it successfully on the majority of my customer's servers and we are all incredibly pleased with the results. If you would like to purchase this software at a very competitive price, please drop me an email to alan@it-eye.co.uk.

Increase in Hacker attempts on Windows / Exchange Servers – One Way to Slow Them Down!

Posted on December 1, 2010 by Alan Hardisty

In an earlier post I advised about an increase in hacking attempts that I had been seeing on Experts Exchange and also on the servers that we support for our customers.

My Earlier Post:
https://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

Having recently been alerted to yet another round of sustained attacks on a couple of servers we receive daily alerts for, I started to dig a little deeper and came up with an interesting thought. A lot of the hackers seems to be passing random usernames such as 1234 / 123 / Claire etc and because these users don’t exist on any of our servers, the Account Lockout Policy does not kick in after x many invalid login attempts. As a result – they just keep on trying in vain!

So – what to do?

Well – it seems that lots of the hackers seem to be trying to use SMTP to attempt to hack a username / password, so I got thinking. On the majority of servers, the SMTP Virtual Server / Receive Connector has Anonymous Authentication / Basic Authentication / Integrated Windows Authentication enabled.

Anonymous Authentication is required if you want to receive emails from other servers around the world, so disabling that is not an option because you would not receive any email at all!

Basic Authentication is required if you want users to send mail with Usernames / Passwords but don’t want to send them securely (why would you?)

Integrated Windows Authentication is required if you want your domain users to to be able to use SMTP and supply their credentials from their Windows accounts to verify access to the server.

As the vast majority of our Server we manage have RPC over HTTPS / Outlook Anywhere configured on them – the Basic / Integrated Windows Authentication is not required in the slightest, so I disabled them both on the servers that were receiving unwanted attention.

Two days later – no more hacker attempts are being reported / logged in the Security Event Logs!

So – if you want a more secure server and don’t have users with SMTP / POP3 accounts sending via your own Exchange Server and have not already disabled Basic & Integrated Windows Authentication on your SMTP Virtual Server / Receive Connector – what are you waiting for?

One less point of attack for hackers is good news in my books.

Filed under: Exchange 2003, Exchange 2007, Exchange 2010, Exchange Server, Security | Tagged: Hackers, Security, SMTP Authentication Methods |

6 Responses

How to fight hacker attacks on Exchange servers, on December 15, 2010 at 1:04 pm said:

[…] Disabling those forms of authentication can be a signficant deterrent to hackers mounting automated atacks on your system. After disabling those settings on some servers that were under sustained attack by net sappers, Alan Hardisty reports that attacks on the boxes had dried up to nothing in two days. […]

Reply
Roshi Singh, on January 27, 2012 at 12:25 pm said:

Hi Alan,

I am facing some issue on Exchange server, log below- Can you please let me know what is wrong?

EXPS is temporarily unable to provide protocol security with “ABC01”. “CSessionContext::OnEXPSInNegotiate” called “HrServerNegotiateAuth” which failed with error code 0x8009030c ( f:\tisp2\transmt\src\smtpsink\exps\expslib\context.cpp@1799 ).

2nd issue is:

The data buffer created for the “IAS” service in the “C:\WINDOWS\System32\iasperf.dll” library is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.

Please help!

Thanks,

Roshi Singh

Reply
- Alan Hardisty, on January 27, 2012 at 1:35 pm said:
  
  The following KB Article suggests the exact same problem you have for the first issues and a fix:
  http://support.microsoft.com/kb/914137
  
  Regarding the 2nd error – is the IAS service started and set to Automatic start?
  
  Reply
Roshi Singh, on March 2, 2012 at 4:26 pm said:

Hi Alan,

On 2nd- Yes internet Authentication service is started and set to automatic.

Reply
Jackson, on March 16, 2015 at 11:17 am said:

Our server was getting hammered with these same random attempts, however as of late the attempts weren’t so random. The attackers seemed to be honing in on valid users in our company, trying different variations of the user/domain. I disabled the above mentioned auth methods early last night and not a single log entry. Thanks friend.

Reply
Philip Albert, on January 30, 2017 at 8:38 am said:

Mr. Hardisty,

I want to thank you for posting this, somewhat of a fix!

I read this and went ‘Duh!’ Why the hell didn’t i think of that?! Been doin this for over 20 years. My home server (SBS2003) was getting hammered by these brute-force dictionary attacks, which were coming from Iran (Tehran).

Thank you again…..

Sincerely,

Phil

Reply

Alan Hardisty's Blog – All Things IT Related

Need a Trusted 3rd Party SSL Certificate?

Got a question – talk to me now.

Help Bring Clean Water to Ethiopia

Excellent Price / Performance Anti-Spam Software

Top Posts

Categories

Archives

Recent Posts