Re: Security log errors 529, store.exe



Thank you Susan

The change was: Default SMTP Virtual Server Properties -> Access tab ->
Authentication -> leaving only Anonymous access on and disabling Basic
authentication and Integrated Windows Authentication -> OK -> OK -> restart
the virtual SMTP server.

This did help because we were getting 529s from many systems every day,
which stopped as soon as we made the above change, except for those systems
where we need that authentication. My worry is that now those hackers are
getting to store.exe, which they weren't supposed to, as Exchange's ports
aren't published.


Put a mail filtering in front of the server, close port 25 to only respond
to the servers www.exchangedefender.com forwards from.

Such a solution wouldn't be acceptable to the client due to "political"
problems, for example because of the high sensitivity of communications coming
through.

If you have ports, people will bang on them.

You said it yourself... you have all the email ports open. They are
knocking. They want to guess/see if you have a sucky password.

It's ok for them to try; it's not actually a problem. Our task is to find
out WHO they are from the server logs, any server logs -- shouldn't Exchange
have a log with the proper requester's IP address? And we can't get this
info from the hardware firewall due to a number of reasons (we don't manage
it).

Unless that pop3 is ssl based pop3, you are transferring that
username/password over clear text.

POP3 clear text authentication failures do not leave any 529 events.
Therefore it's logical to exclude the POP3 service from the list of
suspects. I'm not sure where the IMAP service keeps its logs, but an
unsuccessful attempt to authenticate via IMAP (or POP3) with secure
password authentication wouldn't bring out Advapi as the logon process; it
would be NtLmSsp instead. Thus it's unlikely to be IMAP.

Alex


"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
wrote in message news:%23sstOcNIIHA.5684@xxxxxxxxxxxxxxxxxxxxxxx
"These attempts were effectively stopped after we disabled all
authentication to the SMTP virtual service except Anonymous access (for
those who legitimately submit their mail in)"

Exactly what did you change there? Not sure I understand the setting you
changed?

www.exchangedefender.com

Put a mail filtering in front of the server, close port 25 to only respond
to the servers www.exchangedefender.com forwards from.

Unless that pop3 is ssl based pop3, you are transferring that
username/password over clear text.

If you have ports, people will bang on them.

You said it yourself... you have all the email ports open. They are
knocking. They want to guess/see if you have a sucky password.

As far as the IP you'll need to track this back through to your firewall
logs.

Alex Persky wrote:
Hi

We're periodically having a series of 529 errors in the security log on a
Windows 2003 SBS. Usually they come as 2-10-40 logon attempts within
2-3 minutes, never on weekends, which suggests someone's periodically
trying to hack in, every couple of days.

Here's a sample event

Event ID: 529
Computer: SERVER
Category: logon/logoff
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: (a proper SBS's domain name here)
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4180
Transited Services: -
Source Network Address: -
Source Port: -

The PID belongs to store.exe (= Exchange).

We used to experience similar series of 529 errors before with caller
process inetinfo.exe, which we figured out were related to someone trying
to authenticate to our SMTP with usernames like webmaster, info, guest,
administrator. These attempts were effectively stopped after we disabled
all authentication to the SMTP virtual service except Anonymous access
(for those who legitimately submit their mail in).

But this time we're getting similar logon failures logged by store.exe!
The only services published (i.e. accessible from outside) are IMAP, SMTP
and POP3, and also OWA (Outlook Web Access) and the website. I've found
nothing relevant in the SMTP and web logs. POP3 unsuccessful logons don't
generate such events.

The question is: how are they doing this? What kind of hole in our system
could possibly exist?
And finally we would like to find the IP address of whoever is doing this.

Please don't suggest:
1. restart the server -- we restart it regularly
2. boot it into the safe mode -- we can't afford any interruptions to the
work of the system, too much depends on it
3. change the administrator password to a better one, introduce policies
to force the users to change them regularly -- we already have very good
and very long passwords.


Thank you
Alex
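The thread turns on two facts about the sample event: the logon process is Advapi (an in-process call from store.exe, not an NTLM/Kerberos session from a client), and "Source Network Address" is "-", so the 529 itself never carries the remote IP. What an administrator can still get from the security log is the exact time window of each burst, which is what you then line up against the SMTP, POP3, IMAP and IIS protocol logs. The script below is an added example written for this page, not something from the thread or from Microsoft: it parses 529 records in the text layout shown in the post, groups them by (logon process, caller PID), clusters them into bursts like the "2-10-40 attempts within 2-3 minutes" described, and reports whether any record in the burst had a usable source address. The timestamps, the user names other than "administrator", the second PID and the PID-to-image table are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four Event 529 records in the layout the post shows.
# Timestamps, PID 1200, and user names other than "administrator" are
# assumptions made for this example, not data from the thread.
SAMPLE_EVENTS = """\
Time: 2007-10-02 09:14:03
Event ID: 529
User Name: administrator
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Caller Process ID: 4180
Source Network Address: -

Time: 2007-10-02 09:14:41
Event ID: 529
User Name: webmaster
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Caller Process ID: 4180
Source Network Address: -

Time: 2007-10-02 09:15:10
Event ID: 529
User Name: info
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Caller Process ID: 4180
Source Network Address: -

Time: 2007-10-02 14:30:00
Event ID: 529
User Name: jsmith
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Caller Process ID: 1200
Source Network Address: 10.0.0.7
"""

# Hypothetical PID -> image table, as captured with tasklist while the burst
# was running. PIDs are reused across restarts, so capture it at the time.
PID_IMAGE = {4180: "store.exe", 1200: "inetinfo.exe"}

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_events(text):
    """Split a text dump into records (blank-line separated) and keep the 529s."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if rec.get("Event ID") == "529":
            rec["Time"] = datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S")
            rec["Caller Process ID"] = int(rec["Caller Process ID"])
            events.append(rec)
    return events


def find_bursts(events, min_count=2, gap=timedelta(minutes=3)):
    """Cluster failures per (logon process, caller PID): a new burst starts
    whenever the gap since the previous failure exceeds `gap`. Returns one
    summary dict per burst with at least `min_count` failures."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[(ev["Logon Process"], ev["Caller Process ID"])].append(ev)

    bursts = []
    for (proc, pid), evs in by_source.items():
        evs.sort(key=lambda e: e["Time"])
        cluster = [evs[0]]
        for ev in evs[1:] + [None]:  # None flushes the final cluster
            if ev is not None and ev["Time"] - cluster[-1]["Time"] <= gap:
                cluster.append(ev)
                continue
            if len(cluster) >= min_count:
                addrs = sorted({e["Source Network Address"] for e in cluster
                                if e["Source Network Address"] != "-"})
                bursts.append({
                    "logon_process": proc,
                    "caller_pid": pid,
                    "image": PID_IMAGE.get(pid, "unknown"),
                    "count": len(cluster),
                    "start": cluster[0]["Time"],
                    "end": cluster[-1]["Time"],
                    "users": sorted({e["User Name"] for e in cluster}),
                    "source_addresses": addrs,
                    # No address in any record: the IP must come from the
                    # protocol logs covering [start, end], not from Event 529.
                    "needs_log_correlation": not addrs,
                })
            if ev is not None:
                cluster = [ev]
    return sorted(bursts, key=lambda b: b["start"])


if __name__ == "__main__":
    for b in find_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{b['start']:%H:%M:%S}-{b['end']:%H:%M:%S} {b['image']} (pid "
              f"{b['caller_pid']}, {b['logon_process']}): {b['count']} failures, "
              f"users={b['users']}, correlate={b['needs_log_correlation']}")
```

On the sample data the three Advapi failures from PID 4180 form one burst spanning 09:14:03 to 09:15:10 with no source address, so the script flags it for correlation; the lone NtLmSsp failure is below the threshold and is not reported. The Advapi/NtLmSsp split is the same distinction Alex uses above to rule out IMAP: a client-side network logon would show NtLmSsp, whereas an Advapi logon was requested by the local process itself.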