Solved

Auditing calendar access

Posted on 2004-03-29
Last Modified: 2010-03-05
I am trying to audit all transactions that occur against an executive's calendar in Exchange 2000.  The executive's administrative assistant claims that about once a month an appointment will "drop off" this executive's calendar.  I have configured Exchange 2000 properly, taking into account all Microsoft and Symantec recommendations (including file-level anti-virus scanning exclusions for Exchange).  Is there any way to track all transactions that occur to one calendar and then be able to review this log when an appointment drops off?  I am looking to find out:

1) Who is connected to the calendar when the appointment drops off (either IP address, user name, or computer name)?
2) How to get these transactions pushed to some type of log file so that I can specifically show this admin assistant what happened and why.


Question by:hulmic
LVL 10

Expert Comment

by:OneHump
ID: 10706469
Someone should post a more detailed answer, but it's possible with some work.  First off, whenever an Exchange object is accessed, you'll get an event that says the object was accessed by an account that's not the primary account of the mailbox.  That's the easy part.  The hard part is parsing that event out of your event log for every potential DC used to authenticate that account.  You'll need an event log manager of some sort.

I would google some options.  You could also hook into your event logs using VBScript quite easily.  You could then send email alerts when the calendar is accessed.  

I would think that simply checking the security on the calendar in Outlook and the mailbox object in AD would be enough.  Unless you have an Admin who does bad things, no one would be able to get in there otherwise.

OneHump

Author Comment

by:hulmic
ID: 10706620
I am familiar with EventComb, which would make searching the logs a little easier.  What event ID is present when this other person logs on to an email account?  Is this log entry on the email server or DC?
LVL 5

Expert Comment

by:visioneer
ID: 10707396
You'll find that in the Application Log on the Exchange Server.
LVL 10

Expert Comment

by:OneHump
ID: 10707434
It would be on your DC.  

Event ID: 1016
Source: MSExchangeIS Private
Type: Success Audit
Category: Logons
Windows NT User DOMAIN\username logged on to UserA mailbox, and is not the primary Windows NT account on this mailbox.

OneHump
LVL 10

Expert Comment

by:OneHump
ID: 10707504
----"You'll find that in the Application Log on the Exchange Server."----

Only in 5.5, visioneer; we're talking 2000.  :)

OneHump
LVL 5

Expert Comment

by:visioneer
ID: 10707520
That shows up in the Application Log on the Exchange server.
LVL 5

Expert Comment

by:visioneer
ID: 10707535
Well, it shows up that way on my Exchange 2000 server.  Mine must be from an alternate universe.  :-O
LVL 10

Expert Comment

by:OneHump
ID: 10707571
Or I could be wrong!  :)


Author Comment

by:hulmic
ID: 10707853
Ok.  This lets me know who is logged on.  It still does not give me the granularity to say exactly how the meeting appointment is being moved/deleted.  Is it the admin assistant's accidental keystroke?  How do I prove this?  Is it Exchange that is the issue?  The output I am really searching for is a log file with, say, three columns that says:  
1) This event happened and here is a description
2) This IP or user name made the calendar items disappear.
3) All this in some type of chronological order.
This information will allow me to respond to a question like:
"Last night, an appointment dropped off "so and so's" calendar for no reason.  He just missed a meeting and it is the system's fault."  I am trying to prove it is not.  I will need logging like this to prove my case.

Thanks for the comments thus far.
LVL 10

Expert Comment

by:OneHump
ID: 10707910
You won't get that level of detail.  There is no way, off the shelf, to show what account did what once authenticated.

I think you would have to write code that hooks into the database and intercepts access requests to the calendar and proxies for them.  That would be quite a development effort.

OneHump
LVL 10

Accepted Solution

by:OneHump
OneHump earned 125 total points
ID: 10707943
In thinking about this, you might want to monitor who is logged on and who can log on and throw some sort of keylogger on their workstation.  That's not exactly a technical solution, but it's easier than messing with the database engine.

OneHump
LVL 2

Assisted Solution

by:timiano
timiano earned 125 total points
ID: 10718394
If you can take the storage tradeoff, increase your limits on deleted items on the store.  If the appointment is deleted again, just search the deleted items, where it will tell you exactly when the item was deleted.  You can then cross-reference that with any event IDs around that time.  If nothing is there, you've got yourself a good ol' user error.

Timiano
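As an added example (not code from the thread or from any of its posters): a Python script that pulls the Event ID 1016 / MSExchangeIS Private entries OneHump quoted out of an exported event log and cross-references the non-owner mailbox logons against the deletion time recovered from Deleted Items, as timiano suggested, producing the chronological three-column log the asker described. The tab-separated export format, the mailbox names and the sample lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Message text of Event ID 1016 (Source: MSExchangeIS Private) as quoted in the thread.
LOGON_RE = re.compile(
    r"Windows NT User (?P<account>\S+) logged on to (?P<mailbox>.+?) mailbox, "
    r"and is not the primary Windows NT account on this mailbox\."
)

# Constructed sample export: "timestamp<TAB>event id<TAB>source<TAB>message" per line.
SAMPLE_EVENTS = """\
2004-03-28 17:55:10\t1016\tMSExchangeIS Private\tWindows NT User CORP\\assistant logged on to ExecA mailbox, and is not the primary Windows NT account on this mailbox.
2004-03-28 18:02:44\t1016\tMSExchangeIS Private\tWindows NT User CORP\\backupsvc logged on to ExecA mailbox, and is not the primary Windows NT account on this mailbox.
2004-03-28 18:40:05\t1016\tMSExchangeIS Private\tWindows NT User CORP\\assistant logged on to ExecB mailbox, and is not the primary Windows NT account on this mailbox.
2004-03-28 18:41:00\t1000\tMSExchangeIS\tUnrelated informational event, ignored by the filter.
"""

def parse_logon_events(text):
    """Return the 1016 non-owner logon events as dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, source, message = line.split("\t", 3)
        if event_id != "1016" or source != "MSExchangeIS Private":
            continue
        m = LOGON_RE.search(message)
        if not m:
            continue  # some other 1016 wording; skip rather than guess
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "account": m.group("account"),
            "mailbox": m.group("mailbox"),
            "description": message,
        })
    events.sort(key=lambda e: e["time"])
    return events

def who_had_mailbox_open(events, mailbox, deleted_at, window_minutes=30):
    """Cross-reference: non-owner logons to `mailbox` within +/- window_minutes
    of the deletion time read off the recovered item in Deleted Items."""
    centre = datetime.strptime(deleted_at, "%Y-%m-%d %H:%M:%S")
    lo, hi = centre - timedelta(minutes=window_minutes), centre + timedelta(minutes=window_minutes)
    return [e for e in events if e["mailbox"] == mailbox and lo <= e["time"] <= hi]

def format_report(events):
    """The three-column chronological log the asker wanted: time | account | description."""
    return [f"{e['time']:%Y-%m-%d %H:%M:%S} | {e['account']} | {e['description']}" for e in events]
```

An empty result for the deletion window is the "user error" outcome timiano describes: nobody but the mailbox owner (whose own logons do not produce 1016) had the calendar open at that time.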
LVL 10

Expert Comment

by:OneHump
ID: 10718920
Very very smart idea!
LVL 10

Expert Comment

by:OneHump
ID: 10815353
Where are we at with this?

OneHump

Author Comment

by:hulmic
ID: 10815474
I am not really finding what I am looking for.  I am not sure that I would.  I have looked through deleted items and I really can't leverage the key logger idea.  How do I close this question?  I hate to award points for suggestions not solutions.
LVL 10

Expert Comment

by:OneHump
ID: 10815517
You don't necessarily award points for solutions.  You are typically awarding for assistance.  My goal is to help you, not accumulate points, but it is certainly a good thing to award others that make an effort to help you even though you didn't get what you were looking for.  You are certainly entitled to request that questions be deleted though.  You do this by posting a message in the Community Support Forum.

I will say, however, that this question should be PAQd (archived) because the clear answer to your question was provided.  This will allow others to find the thread in searches and get valuable information without having to open a new question.  The fact that what you are trying to do cannot be done does not mean the question was not answered.

Best of luck.

OneHump