WatchPoint Security Blog

Lock Down Exchange from Brute-Force Attack

Written by Chris Hartwig | March 23, 2016

A brute-force attack is a common threat faced by web developers, in which an attacker attempts to crack a password by systematically trying every possible combination of letters, numbers, and symbols until finding one that works. Think of a boxing match where one opponent has the other up against the ropes, knows a knockout is seconds away and just unloads every combination of hooks, jabs, and uppercuts until their opponent has been knocked out. Even if the knockout doesn’t come, the opponent will be so busy trying to block the punches that he is unable to defend himself from the attack.

A brute-force attack can quickly have you against the ropes, so you need to take steps now to harden your Exchange Server before it gets knocked out by a DDoS attack. Of course, you may be wishing the attacker was only looking for a knockout once they have successfully cracked a password and have access to your mail system.

Once the cybercriminals have a beachhead into your network, they will sit comfortably for up to a year or more, monitoring and collecting valuable Personally Identifiable Information and, more specifically, your bank account information. Once they have stolen all of the data they feel is valuable, it will get sold on the dark web, and your bank account will be drained in less time than it takes you or the bank to notice something went terribly wrong. It happens every day, and WatchPoint has documented similar incidents in a previous blog. Let’s discuss how we can help keep you from being the subject of my next article.

Strong Passwords and a Lockout Mechanism

Many of you have already implemented a strong password policy requiring complex passwords and, through group policy, a lockout mechanism that triggers after a set number of failed login attempts. That is a great start, but what many people fail to realize is that a brute-force attack can quickly turn into a DDoS attack. Server performance can suffer in a large-scale attack, and such an attack could lock out all of the legitimate users, effectively stopping all legitimate email communication. For this reason, account lockouts are not recommended. The ideal solution is to use complex passwords with regular password expirations. If you use an enterprise spam filter like Securence, you may be able to restrict your SMTP server to communicating only with the Securence servers and your internal IP address pool. If you do identify an attacker, block the attacker by their IP address.
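One way to identify a brute-forcing source from the server's own logs, given here as an added example that is not part of the original article. It assumes the Exchange client endpoints are served by IIS with W3C logging that includes the fields shown; the log lines are constructed and the threshold of 5 is an arbitrary assumption.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2016-03-23 10:00:01 POST /EWS/Exchange.asmx - 198.51.100.7 401 2 5
2016-03-23 10:00:01 POST /EWS/Exchange.asmx - 198.51.100.7 401 1 2148074254
2016-03-23 10:00:02 POST /EWS/Exchange.asmx alice 198.51.100.7 401 1 1326
2016-03-23 10:00:09 POST /EWS/Exchange.asmx alice 198.51.100.7 200 0 0
2016-03-23 10:01:00 POST /Microsoft-Server-ActiveSync alice 203.0.113.50 401 1 1326
2016-03-23 10:01:01 POST /Microsoft-Server-ActiveSync alice 203.0.113.50 401 1 1326
2016-03-23 10:01:02 POST /Microsoft-Server-ActiveSync bob 203.0.113.50 401 1 1326
2016-03-23 10:01:03 POST /Microsoft-Server-ActiveSync bob 203.0.113.50 401 1 1326
2016-03-23 10:01:04 POST /Microsoft-Server-ActiveSync carol 203.0.113.50 401 1 1326
"""


def failed_logons_by_ip(lines):
    """Map client IP -> {"failures": count, "users": usernames tried}."""
    fields = []
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # 401.1 with Win32 status 1326 (ERROR_LOGON_FAILURE) is a rejected
        # credential; other 401s, such as the initial 401.2 challenge, are
        # part of normal authentication and are ignored.
        key = (row.get("sc-status"), row.get("sc-substatus"), row.get("sc-win32-status"))
        if key != ("401", "1", "1326") or "c-ip" not in row:
            continue
        entry = stats[row["c-ip"]]
        entry["failures"] += 1
        if row.get("cs-username", "-") != "-":  # recorded only when IIS logs one
            entry["users"].add(row["cs-username"].lower())
    return dict(stats)


def suspects(lines, threshold=5):
    """Source IPs with at least `threshold` failed logons (assumed cut-off)."""
    stats = failed_logons_by_ip(lines)
    return sorted(ip for ip, s in stats.items() if s["failures"] >= threshold)


if __name__ == "__main__":
    for ip in suspects(SAMPLE_LOG.splitlines()):
        print("candidate to block:", ip)
```

Counting failures per source address rather than per account is what lets you block the attacker's IP without locking out the legitimate users whose names are being guessed.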

Close Unused Server Ports

Most attacks start with a simple nmap scan of your network to see what ports are open. Once a port is identified as being open, a hacker can use whatever mechanism that service has to offer, whether it be telnet on port 23, which can be used to gain remote access to your system, or an attack against NetBIOS ports 137, 138 or 139, just to name a few.

Further Reading

Why Closing Unused Server Ports is Critical to Cyber Security

WatchPoint Has Your Back!

Another option that will stop a brute-force attack is quite simple. Stop getting pushed into a corner and knocked around by cybercriminals by partnering with WatchPoint. At WatchPoint, forensic experts have the ability to identify a brute-force attack immediately, saving you the time and hassle of combing through server logs for failed login attempts or having to install another complicated set of software that you must administer. We will identify the process under attack, identify the network connections initiated during the attack and help you take the immediate steps necessary to block the attacker.

With WatchPoint's Security Solution you will:

Know someone is securing your business.

Have true visibility into your digital assets.

Have a support staff dedicated to safeguarding your network.