Best Practices or Solutions to Stop Exchange 2003 OWA/EAS Dictionary Attacks?

  • Question

  • Are there well-known best practices and/or solutions for stopping Exchange 2003 OWA/EAS dictionary attacks? I have a client that publishes OWA and EAS securely (SSL) through TMG 2010. With MX records being "public", I don't see how you can easily stop this unless you change the default directories (e.g. https://FQDN/Exchange) and/or default ports, which will likely wreak havoc on end users' smart phones and/or PC browsers, if you can even get it to work on the server side of the equation.

    Thanks in advance.


    Bill Thacker

    Thursday, March 8, 2012 2:47 PM

Answers

  • One possible solution would be to change the external name for your MX records.  So for an example, SMTP traffic would be on smtp.domain.com and your OWA/ActiveSync traffic would be on webmail.domain.com.  This would require a certificate change, an additional IP on the TMG server and possibly some backend changes depending on your current Exchange configuration.

    That being said, the brute force attacks would fail due to account lockouts and, eventually, TMG blocking the offending IP (if you have the protection set up) - I think it's called flood protection.


    JAUCG

    Thursday, March 8, 2012 4:14 PM
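
One way to see from the server side which addresses are behind the failed logons that lead to the lockouts mentioned above, as an added example that is not part of the original thread. It assumes IIS W3C extended logs with the `date`, `time`, `c-ip`, `cs-uri-stem` and `sc-status` fields enabled and the default `/Exchange` and `/Microsoft-Server-ActiveSync` paths; the threshold, window and sample log lines are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Exchange 2003 OWA and ActiveSync virtual directories (lower-cased).
WATCHED = ("/exchange", "/microsoft-server-activesync")

# Constructed sample log, not real traffic (documentation IP ranges).
SAMPLE_LOG = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
SAMPLE_LOG += [f"2012-03-08 14:00:{s:02d} 203.0.113.10 GET /Exchange/ 401"
               for s in range(0, 60, 10)]            # six failures in 50 s
SAMPLE_LOG += [  # a normal client: one 401 challenge, then success
    "2012-03-08 14:01:00 198.51.100.7 OPTIONS /Microsoft-Server-ActiveSync 401",
    "2012-03-08 14:01:01 198.51.100.7 OPTIONS /Microsoft-Server-ActiveSync 200"]

def noisy_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Map client IP -> peak number of 401s seen inside one sliding window,
    for clients that reach `threshold`. Assumes chronological log order."""
    fields, recent, peak = [], defaultdict(deque), {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order is declared per file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated or malformed row
        row = dict(zip(fields, values))
        try:
            ts = datetime.strptime(f"{row['date']} {row['time']}",
                                   "%Y-%m-%d %H:%M:%S")
            ip, path = row["c-ip"], row["cs-uri-stem"].lower()
            failed = row["sc-status"] == "401"
        except (KeyError, ValueError):
            continue                       # required field not logged
        if not failed or not path.startswith(WATCHED):
            continue
        seen = recent[ip]
        seen.append(ts)
        while ts - seen[0] > window:       # drop failures older than window
            seen.popleft()
        if len(seen) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(seen))
    return peak

if __name__ == "__main__":
    print(noisy_sources(SAMPLE_LOG))
```

If the publishing rule makes requests appear to come from the TMG computer, `c-ip` will hold the TMG address, so the same count has to be run over a log that records the original client.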

All replies

  • Hi Bill,

    Every web site could be attacked on the Internet. Exchange is not excluded. I'd suggest you pose this security-related question in the IIS forum here: http://forums.iis.net/. Your understanding would be appreciated.






    Fiona Liao

    TechNet Community Support


    Friday, March 9, 2012 4:00 AM
    Moderator
  • If there are no more questions on this thread, we may mark it as answered. Thanks.

    Fiona Liao

    TechNet Community Support

    Tuesday, March 13, 2012 3:57 AM
    Moderator