If you’re running Microsoft Exchange Server your also quite likely to have the Microsoft Exchange OWA (Webmail) interface up & running to enable your users to use Activesync and access their email, calendars and contacts over an easy-to-use web interface accessible over the Internet.
This is just as relevant if you’re managing your own Exchange Server or if it is a hosted Exchange at a service provider. If your provider doesn’t have a solution for this, you may find yourself in a very difficult situation one day as explained further down.
Since the Exchange Webmail (OWA) is reachable and visible over the Internet, this of course also means that anyone is able to try to log in to your Exchange server over the same OWA interface. They may not succeed to login but they may try to overload your server by sending lots of login request or have your users undergo a Denial of Service attack (a DoS attack).
Brute force attacks used as Denial of Service attacks
The OWA in itself (or does Windows Server for that matter) doesn’t have any brute force prevention mechanisms built into it but the actual user validation is done within the Active Directory infrastructure by your domain controller(s). Within the Microsoft line of products this is actually true for most of them such as Terminal Server (RDS, Remote Desktop), Sharepoint, SQL Server and so on and also for Citrix since user validation is done in the same way.
If you have for instance set up Account Lockout Policies to disable a user account after 5 failed attempts, anyone with knowledge of your name standards (email addrees, AD login) can basically run a script against the server using a specicif username (or hundreds of them) and deliberatley usoing wrong passwords, thus locking the legitimate users account and disabling them from loging in at all (in essence, they can’t even login to anything that uses the Active Directory validation, not even their own workstations in the Office)
If such an attack is made from a single IP address, it is fairly easy to block it manually (simply block the attack in either the external firewall or the local firewall of the Exchange server).
In reality though, this is not how such an attack occurs. Should someone really want to disrupt ypur services, they will do this from hundreds or thousands computers at the same time and making it impossible to block manually.
Using Syspeace as a countermeasure
With Syspeace , this is all taken care of automatically. Syspeace monitors the Windows Serevr logs for failed login requests and if an IP address tries to login against your servers ( Exchange, Terminals Server and so on) and fails for instance 5 times within half an hour, the IP address is automatically blocked from communicatingat all with the affected server on any level (so if you’re also running other services , they will not be able to target them either once blocked).
Each attack is blocked, traced and reported via email that contains the source IP address, the username used,country of origin and previous attacks from the same IP address.
Here is actually an example of how the email notification looks like (with IP address and domain name intentionally removed)
Rule used (Winlogon):
Name: Catch All Login
Trigger window: 4.00:30:00
Lockout time: 02:00:00
Previous observations of this IP address:
2015-01-14 16:44:50 ****lab
2015-01-14 16:44:52 ****labroator
2015-01-14 12:53:44 ****ron
2015-01-14 12:53:46 ****demo
2015-01-14 12:53:48 ****canon
Syspeace also delivers daily and weekly reports of blocked threats.
Within Syspeace, there is also reporting tools for access reports, a Global Blacklist for infamous offenders and much more.
Installing and setting ups Syspeace
Setting up Syspeace is very easy and only takes a couple of minutes, without the need for changing your infrastructure or bying very expensive dedicated hardware. Most likely, you will not even need to hire a consultant for it.
Syspeace runs as Windows Service and support a variety of Windows Servers such as Terminal Server, Exchange Server, Sharepointm Windows Serevr 2003 to Windows Serevr 2012 R2 and more and it starts detecting brute force attacks immediately after you set it up and press the start button.
Please download a free, fully functional 30 day trial and see for yourself how a very big problem can be very easily solved.