Getting the datacenter ready for the Holidays – a few thoughts

Note: This was written just before Christmas 2012, but it applies to any longer holiday or vacation. / Juha Jurvanen

The Christmas holidays are coming up and most people look forward to them as always.

One aspect of the holidays that might be worth remembering is that your servers may be attacked more during the holiday season, since many hackers assume that your usual vigilance in monitoring for brute force and dictionary attacks is lowered.

This year, Christmas Eve is on a Tuesday, and for quite a few people the time away from work can be up to a couple of weeks, including system administrators and techs.

The downside to this well-deserved leave is that it might give an attacker at least two weeks to try to hack your servers without anyone noticing.

So, a few things you may want to do before you leave work for Christmas.

Security patches

Make sure your servers and systems (such as firmware for switches, WiFi and so on) have all necessary security patches installed.

Antivirus status

Make sure your antivirus is running and updated.

Firewalls and WiFi entry points

Have a final look at any entry points to your networks, i.e. have a look at firewall rules and WiFi access points. Shut down everything that doesn’t need to be running.

Test servers

Have a look around and see that you don’t have any unnecessary test systems running, if for no other reason than to save money on electricity. If your test servers are in a virtual environment, shut them down since they could pose a security risk. Test systems are always test systems.

External access via VPN

Make sure you don’t have any rogue VPN certificates out in the wild or any active users that shouldn’t have access. Also, consider changing administrative passwords if it’s been a while.


UPS

Have a look at battery and charging levels for your UPS. Should a power failure occur and these things don’t work, you might be forced to fix a failed hard drive on Christmas Eve, and nobody wants that.

Hardware health checks

Check for any hardware errors in your monitoring software (such as the HP Insight interface) to make sure you don’t have hard drives that are predicted to fail or any other hardware malfunction going on.


Backups and logs

Have a good look at your backups and logs, and double-check that they’re running correctly and that data is duplicated automatically. This goes especially for any backups that clear log files, such as Exchange backups and SQL Server backups. You don’t want to fill up your system drives if you’re not around to take care of it.

Contingency plan

Make sure there’s an updated plan in place with the correct phone numbers and contact info to the right staff and suppliers in case of an emergency. Have a look at the schedules to see who’s on call and make sure the plan is reachable, even if the datacenter isn’t.

Network monitoring

Install software for monitoring and scanning your network and have it alert via email on anything strange, such as a new device on your network, a newly created user somewhere, a mismatch in network configurations and so on. You could have a look at Spiceworks, which is free and gets the job done, if you don’t have anything in place now.

Brute force and dictionary attacks and intrusion detection

Install Syspeace to automatically block, trace and report any brute force attacks against your Windows, Citrix, Exchange OWA, Sharepoint, Terminal servers and so on.

I’m sure there are even more things that might be worth doing, but this is a start anyway.

By Juha Jurvanen – Senior IT Consultant

Securing Cloud services from dictionary attacks – hack yourself and check your Cloud provider’s / outsourcing provider’s security and response

The more we move our data to various Cloud services and outsourcing companies, the more we need to take into account what that means from a security perspective.

Prior to a move to Cloud services, a company could keep track of how communications were secured, set its own account lockout policies and monitor all log files in order to keep security at the desired level.

With Cloud services becoming more widespread, a lot of the possibilities for this kind of control and tightened security have disappeared. As a Cloud user you rarely get any indication that someone is, for instance, trying to use your username and password to gain access to your Microsoft Exchange webmail, also called OWA.

A hacker can probably try to guess your password with a brute force or dictionary attack for quite some time and nothing really happens. The protective measures at the Cloud service provider are most likely unknown to you, and you will not get a notification that something might be going on.

An easy way for you to verify this is actually to try to hack yourself. By this I mean: try to log in to your account but with an invalid password. See what happens. Is your account locked out? Does OWA disappear for you, indicating your IP address has been blocked by some security countermeasure? Are you as a customer and user notified or alerted in any way of the attempt? This is of course also a simple test you can do against your own company’s webmail if you want to, although the server team won’t like it when you point out the problem.

Keep in mind that it would take quite some time to do each logon manually, but hackers don’t do this manually. They use special software for this that is freely available for download, and they can produce thousands and thousands of logon attempts in a few minutes.

From the Cloud service provider’s point of view, this has been a big problem for years. Brute force and dictionary attack prevention, especially on the Windows server platform, has always come with lots of manual labor and high costs, so it’s usually not even dealt with.

From the user’s point of view, there’s not that much you can do about it really, other than verify what happens if you try and then ask your service provider for a solution if you’re not happy with the result after hacking yourself.

If you’re running Virtual Private Servers (VPS) with Windows you should consider this too, just as a Cloud service provider should.

As an important piece of the security puzzle, and as a natural part of the server baseline security configuration, have a look at Syspeace, an easy to use, easy to deploy and configure brute force prevention software that automatically blocks the intruder’s IP address, tracks it and reports it to the system administrator, without causing the legitimate user’s account to be locked out and with no manual intervention at all.

Syspeace works by monitoring the server’s event logs and is triggered by unsuccessful login attempts as reported by Windows Authentication.

With this method there is out of the box protection for Citrix, Microsoft Terminal Server, Sharepoint, Exchange Server and more. There is also a Global Blacklist, offering preemptive protection from well-known attackers around the world.

If you’re a Cloud service provider, or if you’re running or hosting any Windows servers you want protected, download a free trial (Syspeace trial download) and see for yourself how easily you can get rid of a big problem, and at a low cost.

Posted with WordPress for Android.
Juha Jurvanen
Senior IT consultant in backup, server operations, security and cloud. Syspeace reseller in Sweden.


Securing your webmail/OWA on Microsoft Exchange and a few other tips

This is what I’d call a “blogomercial” with a hidden agenda, but I hope you’ll find some interesting pointers anyway; the commercial part is at the end really. 🙂

Servicing your users and customers over the Internet

Anything facing the Internet is a potential target for anyone who wants to gain access to or disrupt your data operations. If it’s there, people will try to get in or make it stop working. That’s just the way it is and I’m sure you’re aware of it.

There are different methods of attack: they could be a DOS attack, a DDOS attack, SYN floods, to name a few.
The motives behind any of these could be a number of things, such as hacktivism, former (or even current) employees, script kiddies just fooling around, organized crime, extortion, theft of company secrets and so on.
Just take your pick really.

You need to make a SWOT analysis and have a Business Continuity Plan (BCP) in place for the different scenarios. It sounds expensive (and, yes, it can be) but the day your servers are under attack, you’ll be happy you took the time to create one. Trust me. So will your CEO.

A few of the different techniques for DOS, DDOS and brute force

The methods of taking down a server vary. As with everything else in the real world, there are different tools to get the same job done; it’s basically a matter of taste and skill and how much time the attackers have on their hands. If you’ve pissed off a state, you’re probably going to have an extremely bad day since they do have extensive resources to keep you “offline” for as long as they want really.


For instance there’s SYN flooding, basically equivalent to old school prank calling.

Send a network packet to the server announcing you want to “speak”; the server responds, but no one is there to continue the “conversation”. If you do this a few hundred thousand times, the server will have quite a few “phone calls” to attend to and therefore can’t be bothered with picking up the “phone” for the legitimate “calls”. This makes it a DOS attack, meaning “Denial of Service”: the server can no longer service what it’s meant to service, that being your users or customers.

DOS and DDOS Attacks

A DDOS (Distributed Denial of Service) attack is actually the same thing, the main difference being that it’s spread out over an extremely large number of computers around the world doing the same thing, making it very difficult to manually block each and every one of them in the firewall. These computers are usually part of something called botnets, and the users of these computers are rarely even aware of being a part of one. In this scenario you need to contact a lot of people to get it sorted, for instance your ISP, the server guys and the firewall guys, and you need to have a look at the BCP: what do we do when this happens? Do we move the servers, up the bandwidth, go out of business, wait until it passes and so on?

MITM, Man in the Middle

Using MITM (Man In The Middle) attacks is also a popular method if you haven’t secured your server and your communications with valid SSL certificates. Quite a few actually use self-issued certificates on their websites and on their OWA site, and that’s not a good thing. When someone who knows what they’re doing connects to a site that has a self-issued certificate, the first thing that comes to mind is: “hmm, these sysadmins are cheap and lazy and I’m fairly sure they just set this server up using default values... let’s have a look.”

The problem is that there’s actually no real way for the connecting computer to validate that the site it is connecting to actually is the site it’s hoping for. It might as well be someone claiming to be that site, since the certificate used can’t be validated by a third party (the “Trusted Authorities”). This way, phishing attacks (“phishing” is when you “fish” for a user’s valid credentials to use them later at the user’s real websites)

There’s absolutely no guarantee even if you do use a valid certificate, since the “Trusted Authorities” can also be hacked and therefore all of their certificates can be compromised (yes, it’s already happened a few times in the past year: GoDaddy, Verisign and even Microsoft themselves realized they had a bug in how Windows Update actually validates that it is connecting to the Windows Update site and nowhere else).

Brute force attacks

Another method of rendering your server useless is to use a brute force attack on the usernames (sometimes also known as a “dictionary attack”).

If you know the naming convention of the usernames used at the company (quite often as easy as the email addresses of the employees or companyname\username) you can keep on pounding the server with valid usernames and wrong passwords, hopefully getting the user accounts locked out all the time by triggering the Account Lockout Policy. An easy entry point to this is... *tadaa*... yes, you guessed it, the Microsoft Exchange Webmail/OWA interface (or for instance a Sharepoint login interface).

It’s always there, it’s fairly easy to find (, , and so on). Techies might be good at techie stuff but we do lack imagination when it comes to naming stuff. And we are lazy 🙂

It’s not that difficult to find out what mail server a company is using (the easiest way is to use the NSLOOKUP command and search for the MX record, then start a telnet session to the server and see what it presents itself as. It’s usually in cleartext what kind of server you’re “talking” to).

Once you know this, you also know a few other things automatically.

Practical use for the information

By default, there are two valid username formats in a Windows Active Directory (I will stick to 2008+ AD here).

First, there’s the older naming that quite a few still use. This is the COMPANYNAME\USERNAME naming convention. These usernames can be difficult to guess; it could be the user’s first name (COMPANYNAME\SAMUEL) or the first characters of the first name and surname (COMPANYNAME\SAMSMI) and so on. It’s basically more or less a question of how large the company is.

The larger it is, the longer the username, but also much more standardized in naming, since otherwise it becomes an administrative nightmare for the system administrators, and we are a lazy bunch really. We want to be able to find our users quickly and easily in order to support them and keep track. *grin*

The easier approach is to attack the user account using their mail address. Quite a few sysadmins don’t realize that the mail address is also a valid logon name, since they are used to thinking of logins using the old naming convention.

Since they also want to provide access to webmail, and usually, 97 times out of 100 (no, I just guessed a number, I have no statistics to support it, it’s just a gut feeling, ok?), they don’t require any special VPN software for their users to access the webmail (OWA) interface, since the whole idea is to let users easily connect to their mail wherever they are.

This means that the OWA interface is reachable for the entire world to try and log in to, thus leaving you open to DOS, DDOS, brute force attacks and so on.

SPAM and overload

There are also the various methods of overloading your server with SPAM and viruses.

It’s not unusual for attackers to use the secondary MX record for your mail domain (which is there for failover in case the usual mail server has some issues). Most companies that have a secondary MX in place have a more or less effective defense on the primary MX, but the secondary is often forgotten and is a popular way to flood a server with various SPAM.

Quite often they’ve set it up so that the primary MX points to the secured external provider or the secured primary mail server interface, while the secondary points directly to the mail server, thus bypassing the washing and security mechanisms in place and delivering directly to the mail server instead.

A few countermeasures then...

So, what can be done then? Should you close down the OWA / webmail interface? Stop using email? Revert to faxing?

No, of course not.

Here are a few pointers on what I’d suggest for securing and managing your Exchange servers. It’s not all the tricks in the book and I’m sure I’ve missed out on quite a few really, but it’s a start I guess. Just remember, there is no such thing as absolute security.

1. Minimize the attack surface behind a good firewall that can deal with SYN floods, port scans and the like. Be cautious not to open up anything more than what’s absolutely necessary to and from the outside world.

If you’re using an external “mail cleaning service”, don’t allow port 25 from any IP/IP ranges other than theirs. If your users are to use your Exchange Server for relaying, set up a connector with SSL and SMTP authentication on another port and enable logging on it. Protect it by using Syspeace (yes, here’s the first commercial part, so you’ll see where this is headed 🙂).

Also, best practice is to use a DMZ (Demilitarized Zone) for any of your servers facing the Internet, although when I start to think of it, I’m not sure if that’s necessary. There are different opinions on the matter really. The idea is that the attacker shouldn’t be able to come further into your network, should they succeed in gaining control over the server in the DMZ. Unfortunately, I’m fairly sure that somewhere on those servers there are administrator passwords and other stuff that’s useful knowledge for further access into your network.

2. Get valid, proper, shiny and bona fide certificates for your communications. It’s not costly and not complicated to implement. It’s mainly the hassle of having to remember when to renew them; otherwise stuff will stop working when they expire.

3. Use automatic brute force prevention software (I highly recommend Syspeace since it also protects Sharepoint, Citrix, Terminal Server, CRM, RDWEB, basically anything that uses Windows Authentication) to get rid of the DOS attack where usernames/passwords are hammered onto your servers (brute force attacks / dictionary attacks). (I’ve written an earlier entry on why firewalls, VPNs, account lockout policies and so on aren’t enough here: ).

4. Enforce an Account Lockout Policy and enforce complex passwords. Yes, people will hate you, but they will hate you even more if someone actually succeeds in hacking your users’ data. Have a look at the link above about Account Lockout Policies though. Don’t have more local users than necessary on the Exchange Server itself.

5. Verify the NTFS permissions on all of the websites when it comes to file access, remove the IISSTART page from the root and remove any default .HTML and .ASPX pages that don’t need to be there. Don’t let the attackers realize you’re lazy and using default values everywhere. I’ve seen so many servers with the default start page on IIS and that’s just not right.

6. Verify also that you’re not open for relaying (closed is usually the default nowadays). Anything that is installed by default by IIS, take a good look at it and decide if it really needs to be there. If not, remove it!

7. Redirect all of the 404 and other serious HTML errors somewhere else. Google, your worst competitor, your mother-in-law, , anywhere really, just get rid of the traffic from your own site. A lot of 404 errors could mean that someone is trying to find out stuff about your server and whether you have any default installed scripts or pages in place that can be used to gain access to your server.

8. Antivirus, of course. If you’re not using one today, well... maybe you shouldn’t be reading this at all, but you should be out looking for another job really. I hear there’s good money in flipping burgers.

I’ve used most of them; some are good and some... well, just aren’t. For the moment I use F-Secure or Trend a lot. I’m not a big fan of McAfee due to the fact that they’ve released a few... not so good updates in recent years that crashed servers around the world. I’m sure they have a great product; it’s the product testing and quality verification that needs improvement. Just remember, the same thing goes for antivirus as for 0day attacks: if your antivirus provider hasn’t released any protection against that virus you just got into your system, there’s not that much you can do about it, other than start cleaning your server once you have the antivirus updated, or even restore your server to a state prior to the virus. An antivirus is not the single point of protection. Common sense is the best antivirus protection in the world.

9. Also, as a complement, use an online service that filters all of your incoming and outgoing mail for viruses and SPAM, and have your secondary MX records point to it too. Usually these services also hold your mail in a queue if it can’t be delivered, buying you time to change the IP addresses or server if you are under attack, without losing any mail.

10. Set up DNS blacklisting and greylisting. It’s not very complicated to do really, and you do get rid of a lot of unwanted traffic.

11. Don’t use the “validate reverse DNS” options, since a lot of companies haven’t actually set it up correctly, so you’ll just risk not getting email from them. The idea is good but it doesn’t work in real life.

12. Enable logging on the connectors and basically enable logging on everything. READ!! the log files. Don’t just turn on logging and let it be. At least once a day, have someone read them (or script queries against the log files) and see what’s really going on. Search for anything out of the ordinary.

13. Remember to check your mail queues on a regular basis. If you’re starting to have loads of undelivered mail to and from various domains, you could actually have a DNS server that’s under attack and not able to service your Exchange server with the required information. On the subject of DNS servers: there’s absolutely no point in having your DNS servers reachable through the firewall, thus enabling attackers to flood them with DNS queries and UDP floods. Also, your external DNS server needs to be secured! Have a word with your ISP or whoever is running the external DNS server and see what they’ve got in place.

14. Patch your servers with all of the security patches that are released. Do it as quickly as possible. There is absolutely no defense against 0day attacks.

A 0day is a security bug in the software of the server you’re running, and they vary in how much impact they may have. The name comes from it being day 0 of its public release: the manufacturer, in this case Microsoft, hasn’t released any patch against it, leaving you vulnerable no matter what you do. Some of them are even just a nifty way of adding stuff (specific strings) to the URL or the service the attacker wants to reach, bypassing all of the built-in security by “fooling” the server.

15. Disable services that don’t need to be running, the DHCP client and the like. Although they’re not reachable from the Internet, they quite often are reachable from the inside, and should you have an attacker on the inside of your network or a virus-infected computer, you might be having a bad day.

Minimize attack surfaces, once again. And keep the server resources for actually servicing what they’re supposed to, instead of having unnecessary stuff in RAM / CPU. This is of course valid for any servers: Citrix, terminal servers, domain controllers, Sharepoint and so on.

16. I’m fairly sure you’ve set up the ActiveSync functionality for your users, since it is an effective and easy way for them to synchronize their iPads, iPhones, Androids and so on. Be sure that you also remember to periodically check the various devices associated with the users. If you’ve got a user synchronizing more than 10 devices at the same time from different parts of the world, well... either he or she is really into gadgets, or their user validation information (username / password) may have leaked.

17. If someone quits the company, be sure to use the built-in mechanism in the Exchange server for clearing the remote device of calendar entries, contacts and email (it’s really easy to do). And, of course, if a user reports they’ve lost a device, same thing: clear the old device and unpair it from the Exchange server. Unfortunately, users don’t always tell you when they’ve lost stuff. They just buy a new gadget, set it up, synchronize, and don’t think twice about the old one and what it actually contains.

18. A bit off topic, but it has to do with the BCP mentioned earlier. Be sure, please, be super sure even, that you have adequate backups containing multiple generations of data, and have at least three or four of these complete generations stored offsite in some way, using an online backup service or just moving your tapes/disks manually out of the building. Test your DR plan (Disaster Recovery plan) at least once a year to verify that your backups contain all you need if something happens. Be sure to have an updated technical description of how to restore your entire environment.

  • Who?
  • Where?
  • How?
  • What?
  • In which order?
  • Onto what hardware/virtual machines?

Those are six quite easy questions that sum up what the technical restore plan should contain. It should be readable even by outside consultants, in case your entire IT department got killed in a freak barbecue accident the night before.
Keep it simple but detailed.
Include all necessary background info such as server configurations, IP plans, passwords and where the data is stored. A network map explaining dependencies might also be useful. Don’t use in-house mumbo jumbo and nicknames describing various systems and stuff.
Write your DRP from the perspective that you’re gone (in the freak barbecue accident) and the person reading it has never ever heard of your internal systems before.

If you don’t have all of these things in place, the day something really happens you will regret you didn’t take the time to do it. Trust me. I’ve worked as a Disaster Recovery Technician and Consultant at SunGard Availability Services in Sweden for 8 years. I’ve seen grown men cry, and unless it’s for the unexpected death of their favorite dog or a lost game for their favorite sports team, it’s not a pretty sight.

19. Also a bit off topic but still important. Be sure to have good monitoring of the hardware aspects of your server and the operating system aspects (running services, disk space used and so on). Personally I’m fond of Spiceworks for monitoring server health, licenses and inventory, but it all boils down to resources and taking the time to set it up. As long as you have some working monitoring and someone who actually deals with the alerts that come up.

20. Sign up for the Microsoft Security Bulletin newsletter (and all similar ones that have to do with your environment). Stay up to date and up to speed on what’s going on out there. Being a sysadmin is not a 9-5 job, it’s a lifestyle, and the ones who do all of these things will be better protected once they’re attacked.
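To make points 3 and 12 concrete (an automatic blocker of the Syspeace kind is triggered by failed Windows logons in the event log, and point 12 says to script queries against your logs), here is an added example that is not Syspeace’s code and not part of the original post. It runs over a constructed handful of failed-logon records in the shape of the fields a Security-log event 4625 gives you (time, account, source IP), and flags both patterns described earlier: one IP pounding through many valid usernames, and one account being pushed toward its Account Lockout. The thresholds, the sample users and the IPs are all assumptions.

```python
"""Failed-logon review in the spirit of points 3 and 12 (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp account source_ip", the three fields a Windows
# Security-log failed logon (event ID 4625) would give you. Users and IPs are made up.
SAMPLE_LOG = """\
2012-12-24T02:00:01 COMPANYNAME\\samuel 203.0.113.7
2012-12-24T02:00:03 COMPANYNAME\\samsmi 203.0.113.7
2012-12-24T02:00:04 anna@company.example 203.0.113.7
2012-12-24T02:00:06 bob@company.example 203.0.113.7
2012-12-24T02:00:07 carol@company.example 203.0.113.7
2012-12-24T02:00:09 dave@company.example 203.0.113.7
2012-12-24T08:15:00 erik@company.example 198.51.100.20
2012-12-24T08:15:30 erik@company.example 198.51.100.20
2012-12-24T08:16:10 erik@company.example 198.51.100.20
2012-12-24T08:16:40 erik@company.example 198.51.100.20
2012-12-24T09:30:00 fiona@company.example 192.0.2.55
2012-12-24T11:45:00 fiona@company.example 192.0.2.55
"""

# Assumed "rule you've set up": this many failures from one IP within WINDOW -> block it.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)
# Assumed Account Lockout Policy on the domain: threshold and observation window.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=30)


def parse_failed_logons(text):
    """Turn the log lines into (datetime, account, ip) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, account, ip = line.split()
        records.append((datetime.fromisoformat(when), account.lower(), ip))
    return sorted(records)


def sliding_window_hits(times, limit, window):
    """Time of the first event at which `limit` events fall inside `window`, else None."""
    recent = deque()
    for when in sorted(times):
        recent.append(when)
        while when - recent[0] > window:
            recent.popleft()
        if len(recent) >= limit:
            return when
    return None


def find_blocks(records):
    """IPs that broke the rule -> (time blocked, distinct usernames tried, total failures)."""
    by_ip = defaultdict(list)
    for when, account, ip in records:
        by_ip[ip].append((when, account))
    blocks = {}
    for ip, hits in by_ip.items():
        blocked_at = sliding_window_hits([w for w, _ in hits], MAX_FAILURES, WINDOW)
        if blocked_at is not None:
            blocks[ip] = (blocked_at, sorted({a for _, a in hits}), len(hits))
    return blocks


def find_lockout_risks(records):
    """Accounts one failure away from lockout: a slow attacker that stays under the IP rule."""
    by_user = defaultdict(list)
    for when, account, _ in records:
        by_user[account].append(when)
    return sorted(u for u, t in by_user.items()
                  if sliding_window_hits(t, LOCKOUT_THRESHOLD - 1, LOCKOUT_WINDOW))


def report(records):
    """One line per finding, in the shape of the email a sysadmin wants to get."""
    lines = []
    for ip, (when, users, total) in sorted(find_blocks(records).items()):
        what = f"{len(users)} different usernames" if len(users) > 1 else f"username {users[0]}"
        lines.append(f"{when:%Y-%m-%d %H:%M:%S} {ip} tried logging in using {what} "
                     f"({total} failures) and is now blocked according to rule "
                     f"{MAX_FAILURES} failures / {WINDOW.seconds // 60} min")
    for user in find_lockout_risks(records):
        lines.append(f"{user} is one failure away from Account Lockout")
    return lines


if __name__ == "__main__":
    for line in report(parse_failed_logons(SAMPLE_LOG)):
        print(line)
```

The spray from 203.0.113.7 trips the IP rule after its fifth failure, while erik’s four failures from one IP stay under it but still surface as a lockout warning, which is the case a per-IP rule alone would miss.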


And onto the unmasked commercial part then...

Since the focus of this article was to write in general about Exchange Server security and the hidden agenda was to mention Syspeace, I’ll get back to it. *smooth, eh? 🙂*

Syspeace will help you in some of the scenarios above, particularly in the brute force prevention department. It’s easy to use and you’re instantly protected from the moment you’ve set it up.

It protects you from any brute force hacking attempts using Windows Authentication (Terminal Server, OWA, RDWEB, Sharepoint, CRM, RDP, netlogon and so on) and it also contains a Global Blacklist to have you preemptively protected from known attackers around the world.

It will not help you in all of the scenarios described above, but it will absolutely make your life as a sysadmin much easier since it automatically blocks the attack, tracks it down and reports it. For the sysadmin it’s just an email telling him or her that
“This IP address with this DNS name from this COUNTRY tried logging in using this USERNAME and is now blocked according to this rule you’ve set up”

The cost is equivalent to any antivirus, so I’d hardly call it costly.
It’s easy to set up, so you won’t be needing to redesign your infrastructure or call on expensive consultants to get it up and running. You’re done in 5 minutes. Tops.

Download a free, fully functional trial of Syspeace for yourself and see what I mean.


This “blogomercial” was written by

Syspeace - brute force protection for Windows

Juha Jurvanen, Senior IT consultant in backup, security, server operations and cloud @

Drop me an email if you’re interested in getting help in any of these matters. Or if you just want to say hi.