Claude_Cardinal

asked on

Exchange 2003 mailbox access audit

Hi everyone. We're using Exchange 2003 (SP2) and I have an Exchange administrator whom I think is accessing other users' mailboxes without authorization (in diagnostic logging, mailbox logons are set to minimum). I have event IDs 1009, 1013 and 1016 showing up, similar to below:

Event ID: 1009
Event Type: Success Audit
Event Source: MSExchangeIS Mailbox Store
Event Category: Logons
Description: DOMAIN\User1 logged on as /o=ORG/ou=SITE/cn=Recipients/cn=User2

Event ID: 1013
Event Type: Success Audit
Event Source: MSExchangeIS Mailbox Store
Event Category: Logons
Description: DOMAIN\User1 was validated as /o=ORG/ou=SITE/cn=Recipients/cn=User1 and logged on to /o=ORG/ou=SITE/cn=Recipients/cn=User2

Event ID: 1016
Event Type: Success Audit
Event Source: MSExchangeIS Mailbox Store
Event Category: Logons
Description: Windows 2000 User DOMAIN\User1 logged on to User2 mailbox, and is not the primary Windows 2000 account on this mailbox

As I understand it, event IDs 1013 and 1016 could simply indicate the calendar was accessed (possibly for a meeting request?), and don't necessarily mean that the Exchange admin in question opened the mailbox.
Would event ID 1009 be a clear indication of the Exchange admin accessing the mailbox (as in opening the mailbox as if it were his own and going through the contents)? If not, how would I be able to validate that the mailbox was in fact accessed?
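The three event descriptions quoted above have a fixed shape, so the logons can be pulled out and correlated mechanically instead of by eye. The script below is an added example, not code from this thread or from Microsoft: it parses 1009, 1013 and 1016 descriptions, extracts the Windows account that logged on and the mailbox it logged on to, drops logons to the account's own mailbox and logons by accounts on an allow-list of sanctioned delegates, and counts what is left per (account, mailbox) pair so a pattern stands out over months of exported logs. The input layout (event ID, timestamp, description tuples), the sample events and the allow-list are constructed for the example. For 1009 the description carries only the Windows account and the target mailbox, so deciding whether it is the account's own mailbox relies on the assumption that the account name after DOMAIN\ equals the mailbox alias; 1013 carries both legacyExchangeDNs and is compared directly. As the question itself notes for 1013 and 1016, these events record a logon to the store, not that folder contents were read, so the output is a list of sessions to investigate rather than proof by itself.

```python
"""Triage Exchange 2003 MSExchangeIS Mailbox Store logon audit events.

Added example, not from the original thread. Parses the 1009/1013/1016
descriptions and reports logons to mailboxes the logging-on account does
not own and is not a known delegate for. The (event_id, timestamp,
description) layout is an assumed export format; adapt the loader to
whatever your log export actually produces.
"""
import re
from collections import Counter

# Constructed sample export: (event_id, timestamp, description).
SAMPLE_EVENTS = [
    (1009, "2009-03-02 08:01:10",
     r"DOMAIN\User1 logged on as /o=ORG/ou=SITE/cn=Recipients/cn=User1"),
    (1009, "2009-03-02 08:05:42",
     r"DOMAIN\User1 logged on as /o=ORG/ou=SITE/cn=Recipients/cn=User2"),
    (1013, "2009-03-02 08:05:43",
     r"DOMAIN\User1 was validated as /o=ORG/ou=SITE/cn=Recipients/cn=User1 "
     r"and logged on to /o=ORG/ou=SITE/cn=Recipients/cn=User2"),
    (1016, "2009-03-02 08:05:43",
     r"Windows 2000 User DOMAIN\User1 logged on to User2 mailbox, "
     r"and is not the primary Windows 2000 account on this mailbox"),
    (1013, "2009-03-02 09:12:00",
     r"DOMAIN\Assistant was validated as /o=ORG/ou=SITE/cn=Recipients/cn=Assistant "
     r"and logged on to /o=ORG/ou=SITE/cn=Recipients/cn=Boss"),
    (1009, "2009-03-02 09:30:00",
     r"DOMAIN\User2 logged on as /o=ORG/ou=SITE/cn=Recipients/cn=User2"),
]

# Constructed allow-list of sanctioned delegate access: (account, mailbox alias), lowercase.
AUTHORIZED = {("domain\\assistant", "boss")}

# Patterns follow the three description formats quoted in the question.
RE_1009 = re.compile(r"^(?P<actor>\S+) logged on as (?P<mailbox>/o=.+)$")
RE_1013 = re.compile(r"^(?P<actor>\S+) was validated as (?P<own>/o=.+?) "
                     r"and logged on to (?P<mailbox>/o=.+)$")
RE_1016 = re.compile(r"^Windows 2000 User (?P<actor>\S+) logged on to (?P<mailbox>.+?) mailbox, "
                     r"and is not the primary")


def mailbox_cn(legacy_dn):
    """Last cn= component of a legacyExchangeDN: '/o=ORG/.../cn=User2' -> 'user2'."""
    return legacy_dn.rsplit("cn=", 1)[-1].lower()


def parse_event(event_id, description):
    """Return (actor, target_mailbox, actor_own_mailbox_or_None), or None if not a logon event we know."""
    if event_id == 1009:
        m = RE_1009.match(description)
        return (m["actor"].lower(), mailbox_cn(m["mailbox"]), None) if m else None
    if event_id == 1013:
        m = RE_1013.match(description)
        return (m["actor"].lower(), mailbox_cn(m["mailbox"]), mailbox_cn(m["own"])) if m else None
    if event_id == 1016:
        m = RE_1016.match(description)
        return (m["actor"].lower(), m["mailbox"].lower(), None) if m else None
    return None


def is_non_owner(actor, mailbox, owner):
    """True if the logon targeted somebody else's mailbox.

    1013 gives the actor's own DN, so compare DNs directly. 1009 gives only
    the Windows account, so we assume (an assumption, not a guarantee) that
    the name after DOMAIN\\ equals the mailbox alias in the legacyExchangeDN.
    """
    if owner is not None:
        return owner != mailbox
    return actor.split("\\", 1)[-1] != mailbox


def non_owner_logons(events, authorized=AUTHORIZED):
    """All (timestamp, event_id, actor, mailbox) logons by a non-owner who is not a known delegate."""
    hits = []
    for event_id, ts, desc in events:
        parsed = parse_event(event_id, desc)
        if parsed is None:
            continue
        actor, mailbox, owner = parsed
        # 1016 is by definition a non-primary account; the others need the comparison.
        if event_id == 1016 or is_non_owner(actor, mailbox, owner):
            if (actor, mailbox) not in authorized:
                hits.append((ts, event_id, actor, mailbox))
    return hits


def summarize(hits):
    """Count logon events per (actor, mailbox) pair."""
    return Counter((actor, mailbox) for _, _, actor, mailbox in hits)


if __name__ == "__main__":
    found = non_owner_logons(SAMPLE_EVENTS)
    for ts, eid, actor, mbx in found:
        print(f"{ts}  {eid}  {actor} -> {mbx}")
    for (actor, mbx), n in summarize(found).items():
        print(f"{actor} logged on to {mbx}: {n} event(s)")
```

On the sample data the only surviving pair is DOMAIN\User1 opening User2's mailbox, seen three times (one 1009, one 1013, one 1016 for the same session); the Assistant logon to Boss is dropped by the allow-list. Run the same loader over an export of the Application log from the past months and the counts tell you whom to ask about which mailboxes, with the 1013 entries being the most reliable because they name both DNs.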
Malli Boppe
Claude_Cardinal (ASKER)
I've read those articles, and understand that event IDs 1013 and 1016 could mean that only the calendar was accessed, but not necessarily the entire mailbox. What I am trying to determine is whether the mailbox was accessed, for example by opening it as a second mailbox in Outlook (or even as a primary mailbox). I am still unclear from those articles whether event ID 1009 falls into the same category as 1013 and 1016. Is event ID 1009 enough proof to go to management and say "hey, this Exchange admin is going through other users' mailboxes"?
I read about the tool PFDAVadmin and turning logging to the max, but is this absolutely necessary and the only way to prove unauthorized mailbox access? (This also means I can't use my logs from the past few months to prove anything??)
Has anyone else had a similar situation and had to prove somehow that someone was accessing someone else's mailbox? How did you do it?

Regards,
Malli Boppe

Event ID 1013 informs you that the specified user account has opened an additional mailbox. Event ID 1016 doesn't confirm that someone has opened the mailbox, but 1013 definitely does. Also, 1009 confirms that the admin has opened someone else's mailbox.

Claude_Cardinal (ASKER)
Because of the severity of the implications, we felt it necessary to place a call with Microsoft for validation, since any documentation on this is not very clear in my opinion.
Event IDs 1016, 1013 and 1009 DO NOT necessarily mean a user with Exchange Admin rights did in fact open another user's mailbox. It could simply mean a meeting request in the calendar (I did a test and validated this). So really, what is the point of logging these events, not to mention how misleading they are?? There is no way to audit and solidly determine if an admin is abusing his/her power. This is a big shortcoming if you ask me.
Claude

Malli Boppe

I haven't tried this in a real-time scenario. You might be right.
ASKER CERTIFIED SOLUTION
Computer101