Article Summary: This article examines the common Exchange Server attacks that result in Active Directory lockouts and effective techniques to prevent Active Directory user account lockouts. By deploying intelligent threat detection, enforcing strong password policies, enabling multi-factor authentication, and monitoring for signs of compromise, companies can thwart attackers’ efforts to access mailboxes and maintain business continuity.

Exchange Server integrates tightly with Active Directory (AD) for user authentication and authorization. When a user attempts to access their Exchange mailbox, whether through Outlook, OWA, or a mobile device, Exchange will validate the user’s credentials against Active Directory.

If an invalid password is entered repeatedly, this will trigger Active Directory’s account lockout policy, which locks the account after a set number of failed logon attempts within a time period. The default is 5 tries within 30 minutes.

In addition to users manually entering incorrect passwords, lockouts can also be caused by expired passwords, cached credentials and mobile devices that automatically attempt old passwords.

While these harmless actions may trigger lockouts, malicious actions also lead to locked accounts. Exchange Servers are attractive to bad actors looking for internet-exposed targets:

  • Widespread Usage – Exchange is one of the most widely used email platforms, especially in corporate environments. Compromising Exchange Servers gives attackers a large target base.
  • Access to Sensitive Data – Emails often contain sensitive information like financial data, trade secrets, customer information, etc. Access to mailboxes is valuable for hackers.
  • Trusted Network Access – A compromised Exchange server allows attackers to easily move laterally across the internal network as a trusted system.
  • Chained Attacks – Exchange is often a steppingstone to compromising other systems.

Common attacks that cause AD Account Lockouts

Brute Force attacks: In a brute force attack, the attacker tries a dictionary of common passwords against a list of known email addresses, until they find a correct username and password.

Denial of Service, Mass AD Lockouts due to Brute Force Attacks:

As a Brute Force attack proceeds, the repeated password guesses result in AD locking out the user. The automated brute force attack simply proceeds to the next user, which is quickly locked as well. In a very short time period, a massive user lockout occurs, completely stopping all productivity at a business as users are blocked not only from accessing email but from logging on to their workstations as well.

To illustrate, if you’ve established Account Lockout Policies to trigger an account lock after 5 unsuccessful login attempts, an individual with knowledge of your naming conventions (such as email addresses or AD logins) can deploy a logon / password guessing script against the server. By utilizing a multitude of usernames and deliberately attempting incorrect passwords, the result would be the locking of legitimate user accounts. Consequently, these users would be unable to access any system reliant on Active Directory validation, including their personal office workstations.

Password spray attacks: Rather than brute forcing passwords for a single account, attackers target many accounts with commonly used passwords. Passwords like “Winter2020”, “Password123” are sprayed across thousands of accounts. When a correct password is found, the attacker accesses the mailbox and moves on to spray other passwords. This can lead to account lockouts for legitimate users who are trying to log in with their correct passwords. Password sprays exploit weak password policies and password reuse across an organization.

Credential stuffing: The attacker has a list of compromised username/password pairs from an external breach and tries reusing those credentials to log into other services and accounts.

Brute force and password spraying attacks generate failed logons rapidly: when an attacker is guessing passwords against Exchange mailboxes, the continuous invalid authentication attempts can lock out Active Directory accounts within minutes.

Exchange Server Services: Common Targets

OWA (Outlook Web), ECP (Exchange Control Panel): Both of these Exchange Server Services use a logon form (forms-based authentication). They are common targets for automated scripts attempting brute force and password spraying, commonly leading to AD lockouts.

Example: Try these from a web browser on a computer or phone that is not logged on to the corporate domain:

  • https://<my-server-url>/ECP
  • https://<my-server-url>/OWA

ActiveSync, REST (Exchange RESTful API): Both of these Exchange Server Services use programmatic logons to validate users. While these are more difficult to manually attack, programs have no issues flooding them with password guesses.

Autodiscover, OAB (Offline Address Book), MAPI (Messaging API), EWS (Exchange Web Services): All of these Exchange Server services can be connected to using programs, scripts, or even directly via their URLs, where logon prompts will occur.

Example: Try these from a web browser on a computer or phone that is not logged on to the corporate domain:

  • https://<my-server-url>/autodiscover
  • https://<my-server-url>/EWS
  • https://<my-server-url>/mapi
  • https://<my-server-url>/OAB

SMTP (SMTP Auth attacks): Hackers attempt to connect to the SMTP service running on an Exchange server. SMTP refers to the Simple Mail Transfer Protocol used for sending emails. SMTP Auth allows a client to authenticate itself to an SMTP server using a username and password. This is commonly a two-part attack: the first part validates email addresses and the second part guesses and validates passwords. When successful, the discovered username and password give attackers everything they need to send emails as if they were a legitimate user, plus logon credentials that can be used to access the corporate network.

Preventing AD Account Lockouts coming from Exchange Server

Frequent Active Directory account lockouts caused by brute force, password spray and credential stuffing attacks can overburden IT support teams. However, organizations can limit the impact of these threats by applying the following best practices.

Implement Multi-factor Authentication (MFA)

MFA can help mitigate Brute Force attacks targeting logon forms, since more than the password is required. However, MFA generally validates the username and password before prompting for the second factor, so multiple failed authentication requests still trigger an AD account lockout.

MFA also does not protect Exchange services and protocols that use programmatic logons. These remain vulnerable because they do not interact with a user who could be prompted for the additional factor.

Active Directory Policy hardening

Implementing security best practices in Active Directory is critical to reducing an organization’s attack surface. A robust Active Directory hardening methodology should include:

  • Remove Inactive user accounts in AD: Inactive user accounts can become a security risk as they can be exploited by cybercriminals. Regularly identifying and disabling or deleting these accounts can reduce the risk. Use PowerShell scripts or specialized software to automate this process. Consider implementing a policy where accounts are automatically disabled after a certain period of inactivity.
  • Enforce password complexity requirements: Strong passwords are crucial for preventing unauthorized access. Implement a policy that requires users to create complex passwords. This includes using a mix of uppercase and lowercase letters, numbers, and special characters. The password length should be at least 8 characters, but 12 or more is recommended.
  • Set a password expiration policy: Regularly changing passwords can prevent unauthorized access from someone who has somehow obtained a user’s password. Set a policy for passwords to expire every 60-90 days. However, be aware that too frequent changes can lead to poor password choices, so balance is key.
  • Account Lockout Policies: Implement account lockout policies to prevent brute force attacks. After a certain number of failed login attempts, the account should be locked for a period of time or until an administrator manually unlocks it. Be careful not to set the lockout threshold too low, as this could lead to denial of service if an attacker deliberately locks out many accounts.
  • Enable Auditing for Security Events: Auditing allows you to track security-related events, such as failed login attempts or changes to user privileges. This can help you identify potential security issues or confirm that your security policies are working as expected. Use the built-in Windows auditing features or third-party software to automate this process.
  • Adopt the Principle of Least Privilege: The Principle of Least Privilege (PoLP) means giving users only the permissions they need to perform their tasks and no more. This reduces the risk of unauthorized access or changes. Regularly review user permissions and adjust them as necessary. Implement Role-Based Access Control (RBAC) to manage permissions more easily.

Important: The Account Lockout Threshold is one of three settings for the account lockout policy that can be configured in the Group Policy Object (GPO) by a system administrator. This setting allows the admin to block a user’s access to the system if they fail a certain number of login attempts in a row. If this setting is turned off, it allows an unlimited number of password guesses, which can make the system vulnerable to Brute Force attacks. However, by setting a number for the account lockout threshold, accounts will be locked after that number of failed password attempts, which can make the system vulnerable to Denial-of-Service attacks.

The conundrum is whether to allow automated password attacks or risk massive AD User Lockouts (DoS attack), and neither strategy is attractive.

Exchange Server Configurations, Best Practices

Ensuring the Exchange Server is configured according to the latest best practices can reduce the number of services that can be targeted. For example, moving SMTP Auth to Anonymous, and authentication to ADFS OAuth, removes several common vectors.

IP Blocking

Implementing IP allowlists and blocklists enables an additional layer of security by filtering incoming authentication requests.

In cases where the attack originates from a single IP address, manual blocking can be relatively straightforward. You can effectively thwart the attack by implementing a block at either the external firewall or the local firewall of the Exchange server. However, if a determined threat actor adjusts timing and rotates IP addresses, manual blocking is impractical. Automated detection systems and IP reputation lists are key to proactive blocking.

Mailbox audit logging in Exchange Server

Mailbox audit logging allows you to track mailbox access by mailbox owners, delegates (including administrators with full access permissions), and administrators. When you enable audit logging for a mailbox, you can specify which user actions will be logged for a specific logon type (administrator, delegate user, or owner). Audit log entries also include important information such as the client IP address, host name, and process or client used to access the mailbox.

Mailbox auditing logs can help identify suspicious failures originating from a specific IP address. Since mailboxes may contain sensitive and personally identifiable information, it’s crucial to monitor mailbox access and actions taken by users, particularly delegate users who access mailboxes other than their own.
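The detection logic the IP Blocking and audit logging sections call for, as an added example that is not part of the original article: it replays Active Directory's bad-password counter (the 5-failure, 30-minute defaults cited above) over constructed failed-logon records to predict which accounts will lock, and labels each client IP as password spray (few tries spread across many accounts, staying under the lockout threshold), brute force (many tries against few accounts) or benign. The record layout, sample IPs and account names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                        # AD default cited in the article
RESET_COUNTER_AFTER = timedelta(minutes=30)  # bad-password counter reset window

# Constructed sample failed-logon records (timestamp, client IP, target account):
# 203.0.113.7 sprays one guess across many accounts, 198.51.100.9 hammers one
# account, and 192.0.2.5 is a user who mistyped twice, 40 minutes apart.
SAMPLE_FAILURES = (
    [(f"2024-01-10T09:00:0{i}", "203.0.113.7", a)
     for i, a in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [(f"2024-01-10T09:0{i}:00", "198.51.100.9", "jdoe") for i in range(1, 6)]
    + [("2024-01-10T09:10:00", "192.0.2.5", "asmith"),
       ("2024-01-10T09:50:00", "192.0.2.5", "asmith")]
)

def parse(records):
    """Normalise raw records into (datetime, ip, lowercase account) tuples."""
    return [(datetime.fromisoformat(t), ip, acct.lower()) for t, ip, acct in records]

def locked_accounts(events, threshold=LOCKOUT_THRESHOLD, reset=RESET_COUNTER_AFTER):
    """Replay AD's per-account counter: resets after `reset` idle, locks at `threshold`."""
    by_account = defaultdict(list)
    for t, _, acct in events:
        by_account[acct].append(t)
    locked = set()
    for acct, times in by_account.items():
        count, prev = 0, None
        for t in sorted(times):
            # A gap longer than the reset window starts the counter over at 1
            count = 1 if prev is None or t - prev > reset else count + 1
            prev = t
            if count >= threshold:
                locked.add(acct)
                break
    return locked

def classify_sources(events, min_accounts=5, min_attempts=5):
    """Label each client IP as 'password_spray', 'brute_force' or 'benign'."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for _, ip, acct in events:
        per_ip[ip][acct] += 1
    verdicts = {}
    for ip, accts in per_ip.items():
        total, distinct, peak = sum(accts.values()), len(accts), max(accts.values())
        # Sprays stay under the lockout threshold per account, so no lockout fires
        spray = distinct >= min_accounts and peak < LOCKOUT_THRESHOLD
        brute = total >= min_attempts and distinct < min_accounts
        verdicts[ip] = "password_spray" if spray else "brute_force" if brute else "benign"
    return verdicts
```

Note that the spraying source never trips a lockout, which is why counting failures per account alone misses it; the per-IP view is what an automated blocklist should key on.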

Third-Party Security Solutions

Consider using third-party security solutions and intrusion detection systems that specialize in detecting and preventing brute force, password spraying, and AD Lockout attacks.

Messageware Exchange Protocol Guard (EPG) can protect Exchange Servers and AD with advanced intelligence to detect threats and apply additional security to suspicious connections, independently lock with Tarpit controls, geo-block and more. With extensive reporting, analytics, and alerts, your IT team can regain control. Learn about or trial Messageware EPG for free.

Final Thoughts

Security incidents happen frequently. They cause disruption, loss of data and potentially risk the reputation of your company. However, if you implement these steps, you’re doing more than most other companies. With a layered security strategy, organizations can reduce the disruption caused by credential attacks against Exchange Server. Are you ready for advanced Exchange Server security? Protect your organization from password guessing attacks and Active Directory lockouts, and gain extensive analytics, reports and real-time alerts: Click here to learn more about Messageware’s Security Software for Exchange Server.