ms exchange server security

Just wondering how hard it would be to crack an exhange server email account
if I already have the username and only had to crack the password.(?)

BFM

BFM wrote:

> Just wondering how hard it would be to crack an exhange server email
> account if I already have the username and only had to crack the
> password.(?)

Certainly having the usernames is helpful...

Depends upon a couple of things

1) What is the password policy? How strong is it?
example: Is it required that passwords have uppercase and numbers?
2) How long is the aging policy? 30 days? 60, 90 days? Never?
3) Do I have access from the "outside" World (ie Internet access) in the
case where you allow authenticated email forwarding.

-Michael

Michael J. Pelletier

BFM wrote:
> Just wondering how hard it would be to crack an exhange server email account
> if I already have the username and only had to crack the password.(?)
>
>
If you don't have access to the server system files and a complex
password was used and you have big pipes and only 1 computer you should
be able to crack it in about 100,000 years or so. If the admins put a 3
missed trys on the password before it locks the account, it may take
somewhat longer. If complex password enforcement is not in place and
the administrators are complete idiots and did not set a max number of
tries before it locks the account...it is an indeterminable variable.

Bear in mind trying to brute force the account should ring off alarm
bells everywhere if even minimal security monitors are in place. A
decent network will lock you safely away from the server at the firewall
if you try cracking too hard. If there is any possibility that the
system is at all sensitive and business or governmental in nature, you
should be safely in jail long before you access the account.

There are far better ways to access exchange servers with much higher
probabilities of success.

Winged

Winged