Assume we have a user on our domain with an easy name (i.e. Joe) and an easy password (i.e. P@ssword123). Is it possible for a hacker to gain access to Exchange using that account (using a brute force attack) and send email as that person?
(I assume it is possible since Exchange needs to be exposed publicly over port 25 in order to receive mail.)
Is there a way to protect against this?
Our server runs Windows SBS2003 with Exchange 2003 and ISA server.
It depends. You can configure different SMTP connectors to accept incoming mail in different ways depending on how it is configured. For example, your public facing one might only accept mail sent to valid addresses on your domain. Your internal one is there for your internal mail clients to send mail, and only accepts from a valid user, computer, or internal IP addresses, or all of the above.
You also have the option to enforce complex passwords for all accounts, to mitigate against dictionary attacks. I would do this in addition to the above.
You could also have further protection by having all your incoming mail come in via a spam filtering service, and only accept external SMTP connections from the service providers servers.
Connecting to Exchange counts as a logon, and you can configure your domain to lock accounts out after a certain number of failed attempts. That should stop a brute force attack against the password.
You don't say if this account should be able to send mail or not. If not, then you can just remove email config from that account, and then no-one will be able to send mail as that user, because it's not mail-enabled.
