Increase in Hacker attempts on Windows / Exchange Servers – One Way to Slow Them Down!

In an earlier post I advised about an increase in hacking attempts that I had been seeing on Experts Exchange and also on the servers that we support for our customers.

My Earlier Post:

Having recently been alerted to yet another round of sustained attacks on a couple of servers we receive daily alerts for, I started to dig a little deeper and came up with an interesting thought. A lot of the hackers seems to be passing random usernames such as 1234 / 123 / Claire etc and because these users don’t exist on any of our servers, the Account Lockout Policy does not kick in after x many invalid login attempts. As a result – they just keep on trying in vain!

So – what to do?

Well – it seems that lots of the hackers seem to be trying to use SMTP to attempt to hack a username / password, so I got thinking. On the majority of servers, the SMTP Virtual Server / Receive Connector has Anonymous Authentication / Basic Authentication / Integrated Windows Authentication enabled.

Anonymous Authentication is required if you want to receive emails from other servers around the world, so disabling that is not an option because you would not receive any email at all!

Basic Authentication is required if you want users to send mail with Usernames / Passwords but don’t want to send them securely (why would you?)

Integrated Windows Authentication is required if you want your domain users to to be able to use SMTP and supply their credentials from their Windows accounts to verify access to the server.

As the vast majority of our Server we manage have RPC over HTTPS / Outlook Anywhere configured on them – the Basic / Integrated Windows Authentication is not required in the slightest, so I disabled them both on the servers that were receiving unwanted attention.

Two days later – no more hacker attempts are being reported / logged in the Security Event Logs!

So – if you want a more secure server and don’t have users with SMTP / POP3 accounts sending via your own Exchange Server and have not already disabled Basic & Integrated Windows Authentication on your SMTP Virtual Server / Receive Connector – what are you waiting for?

One less point of attack for hackers is good news in my books.


6 Responses

  1. […] Disabling those forms of authentication can be a signficant deterrent to hackers mounting automated atacks on your system. After disabling those settings on some servers that were under sustained attack by net sappers, Alan Hardisty reports that attacks on the boxes had dried up to nothing in two days. […]

  2. Hi Alan,

    I am facing some issue on Exchange server, log below- Can you please let me know what is wrong?

    EXPS is temporarily unable to provide protocol security with “ABC01”. “CSessionContext::OnEXPSInNegotiate” called “HrServerNegotiateAuth” which failed with error code 0x8009030c ( f:\tisp2\transmt\src\smtpsink\exps\expslib\context.cpp@1799 ).

    2nd issue is:

    The data buffer created for the “IAS” service in the “C:\WINDOWS\System32\iasperf.dll” library is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.

    Please help!


    Roshi Singh

  3. Hi Alan,

    On 2nd- Yes internet Authentication service is started and set to automatic.

  4. Our server was getting hammered with these same random attempts, however as of late the attempts weren’t so random. The attackers seemed to be honing in on valid users in our company, trying different variations of the user/domain. I disabled the above mentioned auth methods early last night and not a single log entry. Thanks friend.

  5. Mr. Hardisty,

    I want to thank you for posting this, somewhat of a fix!

    I read this and went ‘Duh!’ Why the hell didn’t i think of that?! Been doin this for over 20 years. My home server (SBS2003) was getting hammered by these brute-force dictionary attacks, which were coming from Iran (Tehran).

    Thank you again…..



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: