Exchange security.

Hi,
I have a situation that is a mix of Active Directory, Exchange and security.

Server: Windows 2003 ENT.
Exchange 2003 ENT.

One of the accounts was accessed and an email was sent from it. It looks like it was done through OWA, because it was sent at 04:00 am.

The user of that email account says that he didn't send that email, and he claims that someone reset his password and sent the email.

Is there any way we can trace a password reset or a password change?
And how can we make sure that the user did not send that mail himself and change his password after that?

Asked by: al_ghamdi
r-k Commented:
You need to be sure that the mail was sent from your server. It is all too easy to attach a fake return address with any email.

If you haven't already, then enable message tracking:

 http://www.msexchange.org/tutorials/The_Exchange_Message_Tracking_Center_or_How_to_Save_Your_A_in_a_Pinch.html

You may want to audit logon events:

 http://technet2.microsoft.com/windowsserver/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.mspx?mfr=true
 http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html
al_ghamdi (Author) Commented:
Hello,
the email was sent from the server, because we found it in the Sent Items of that account.

For that reason I am ignoring the fake mail option.
:)
r-k Commented:
I guess that proves that it was sent from your server, but to know who might have sent it you'd need to have auditing turned on, and even then it would be hard to know who exactly did it if passwords are compromised.
al_ghamdi (Author) Commented:
I was checking deeper, and I believe a password change is registered in the Event Viewer on the domain controller, and I can see how that user's password was changed.

If it was changed by the user himself, it means that he did it, and he is trying to play.

If one of the administrators did it, then we can see him, and he is the one playing in the network.

:)
Correct me if I am wrong!
r-k Commented:
I haven't played with this lately, but apparently:

"When a user changes his own password Windows Server 2003 logs event ID 627, Change Password Attempt..."

and

"When an administrator resets some other users password such as in the case of forgotten password support calls, Windows Server 2003 logs event ID 628."

The above is from: http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html

Audit account management must be enabled for these events to be logged.
r-k Commented:
Thanks. Wish you success in your search :)
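An added example, not part of the thread or any poster's code: a Python script that takes Security-log events exported from the domain controller, keeps the 627/628 events quoted above for one account, labels each by comparing caller and target, and places it before or after the time the disputed mail was sent. The CSV layout, account names and timestamps are constructed for illustration; a caller entry identifies an account, not the person who was using it.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows (not real log data). Assumed layout: one row per
# Security-log event exported from the domain controller, with the event's
# target account and caller account already pulled into columns.
SAMPLE_EXPORT = """time,event_id,target,caller
2007-03-10 09:15:00,627,jsmith,jsmith
2007-03-12 03:41:00,628,jsmith,helpdesk1
2007-03-12 03:50:00,628,bjones,helpdesk1
2007-03-12 08:05:00,627,jsmith,jsmith
"""

FMT = "%Y-%m-%d %H:%M:%S"


def classify(event_id, target, caller):
    """Label a password event by who acted, not just by event ID."""
    same = target.lower() == caller.lower()
    if event_id == 627:          # change password attempt (old password known)
        return "self-change" if same else "change-by-other"
    if event_id == 628:          # password set/reset (old password not needed)
        return "self-reset" if same else "reset-by-other"
    return None                  # not a password event


def password_timeline(export_text, account, sent_at, window_hours=24):
    """Return password events for `account` within the window around `sent_at`.

    Each entry is (time, label, caller, 'before' | 'after' the send time).
    """
    sent = datetime.strptime(sent_at, FMT)
    window = timedelta(hours=window_hours)
    timeline = []
    for row in csv.DictReader(io.StringIO(export_text)):
        label = classify(int(row["event_id"]), row["target"], row["caller"])
        when = datetime.strptime(row["time"], FMT)
        if label is None or row["target"].lower() != account.lower():
            continue
        if abs(when - sent) > window:
            continue
        timeline.append((row["time"], label, row["caller"],
                         "before" if when < sent else "after"))
    return sorted(timeline)


if __name__ == "__main__":
    for entry in password_timeline(SAMPLE_EXPORT, "jsmith", "2007-03-12 04:00:00"):
        print(entry)
```

A "reset-by-other" entry shortly before the send time is consistent with the user's account of events, while only a "self-change" after it is consistent with the asker's suspicion; neither settles who was at the keyboard if the calling account's own password was compromised.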
