Possible security breach: Question about where emails are being read from
Posted on 2011-05-04
We have a senior management end user who has reported that his emails have all of a sudden been marked as unread in Outlook. It has happened a handful of times, on different days and at different times. I want to be able to make sure no one is reading his emails.
We are running an Exchange 2003 environment.
The first thing I had him do was reset his password in case someone was logging into OWA and viewing the emails from there. I also enabled logging on the IIS server (it was disabled before). I then attempted a successful login to OWA. When I checked the logs I was able to see the successful login. I then attempted an unsuccessful login to OWA. However, when I checked the logs I never saw any new log entries pointing to an unsuccessful login attempt. How could I track unsuccessful authentication attempts in OWA? Any suggestions?
Besides OWA, the other way someone could be reading the end user's email is via a MAPI connection. Is it possible to see if someone is accessing his email from another computer in our environment via a MAPI connection?
I know this could also be a buggy issue with Outlook. But this is a senior employee and I want to take all of the necessary security precautions so I can assure him that his email is not being read by someone else.
Thank you for your help!