Re: MS Exchange Relay Authentication

From: Jannie Hanekom (j_hanekom_at_HOTMAIL.COM)
Date: 10/01/03

Date: Wed, 1 Oct 2003 16:02:29 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

This is where past recommendations by a lot of people are shown to have a
solid basis.

* Do not run internet-facing services on domain controllers - this removes a
  huge attack surface area. Guessing an account on a domain controller
  requires only an account name and password. Guessing a domain account on a
  member server requires the domain name, account name and password. Guessing
  an account on a properly secured stand-alone server is next to impossible.
* Change the RestrictAnonymous setting to at least 1 (preferably 2) to
  prevent enumeration of a list of accounts on a machine (leaving it at 0 is
  akin to putting a list of all valid accounts up at the local Seven Eleven.)
* Implement account lockouts and a proper password policy (the "force
  complex passwords" policy in 2K is quite efficient).
* There are high-security group policy templates which set all sorts of
  things for you, including RestrictAnonymous. Use them.

Another good idea might be to disable Basic Authentication on the SMTP
service properties. This type of authentication is a bad idea to begin with
anyway. You could also consider disabling some of the ESMTP verbs on
public-facing servers: http://support.microsoft.com/support/kb/articles/q257/5/69.asp

Jannie

-----
Wondering as to whether the list is running? The NTBugtraq archives are
updated first before messages are emailed to subscribers. Check the
archives first to see if you have missed any messages;

http://www.ntbugtraq.com/archives

-----
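As an added example (not part of Jannie's post or the NTBugtraq archive), a PowerShell audit of three of the host settings the message recommends: RestrictAnonymous, the account lockout threshold, and Basic authentication on the IIS SMTP virtual server. It assumes an elevated session on the server being checked and that the SMTP AuthFlags can be read through the IIS 6 metabase path IIS://localhost/SmtpSvc/1 (an assumption about the host; the check is skipped when that path is absent); the function names are mine.

```powershell
# Added audit script, not from the original post. Reports each setting with
# the value found, a pass/fail against the post's advice, and what to change.

function Test-RestrictAnonymous {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $lsa -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
    if ($null -eq $v) { $v = 0 }   # a missing value behaves like 0: no restriction
    [pscustomobject]@{
        Check  = 'RestrictAnonymous'
        Value  = $v
        Pass   = ($v -ge 1)
        Advice = 'Set to at least 1 (2 where clients tolerate it) to stop anonymous account enumeration'
    }
}

function Test-LockoutPolicy {
    # "net accounts" prints the effective policy; a threshold of "Never" means lockout is off.
    $line = net accounts | Where-Object { $_ -like 'Lockout threshold:*' } | Select-Object -First 1
    $raw  = if ($line -match '^Lockout threshold:\s+(\S+)') { $Matches[1] } else { 'unknown' }
    $threshold = if ($raw -match '^\d+$') { [int]$raw } else { 0 }
    [pscustomobject]@{
        Check  = 'AccountLockoutThreshold'
        Value  = $raw
        Pass   = ($threshold -gt 0)
        Advice = 'Enable account lockout so password guessing against SMTP AUTH is throttled and logged'
    }
}

function Test-SmtpBasicAuth {
    # Assumed metabase AuthFlags bitmask: 1 = anonymous, 2 = basic, 4 = integrated Windows.
    try {
        $vsi   = [ADSI]'IIS://localhost/SmtpSvc/1'
        $flags = [int]$vsi.Properties['AuthFlags'].Value
    } catch {
        return $null   # no IIS SMTP virtual server / metabase on this host; nothing to check
    }
    [pscustomobject]@{
        Check  = 'SmtpBasicAuthDisabled'
        Value  = $flags
        Pass   = (($flags -band 2) -eq 0)
        Advice = 'Clear Basic authentication on the SMTP virtual server; it carries credentials base64-encoded, effectively in the clear without TLS'
    }
}

function Invoke-HardeningAudit {
    # Returns one object per applicable check so results can be piped or exported.
    @(Test-RestrictAnonymous; Test-LockoutPolicy; Test-SmtpBasicAuth) | Where-Object { $null -ne $_ }
}

Invoke-HardeningAudit | Format-Table Check, Value, Pass, Advice -AutoSize
```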
