• Status: Solved

Possible security breach: Question about where emails are being read from

We have a senior management end user who has reported that his emails have all of a sudden been marked as unread in Outlook. It has happened a handful of times, on different days and at different times. I want to be able to make sure no one is reading his emails.

We are running an Exchange 2003 environment.

The first thing I had him do was reset his password in case someone was logging into OWA and viewing the emails from there. I also enabled logging on the IIS server (it was disabled before). I then attempted a successful login to OWA. When I checked the logs I was able to see the successful login. I then attempted an unsuccessful login to OWA. However, when I checked the logs I never saw any new log entries pointing to an unsuccessful login attempt. How could I track unsuccessful authentication attempts in OWA? Any suggestions?

Aside from OWA, the other way someone could be reading the end user's email is via a MAPI connection. Is it possible to see if someone is accessing his email from another computer in our environment via a MAPI connection?

I know this could also be a buggy issue with Outlook. But this is a senior employee and I want to take all of the necessary security precautions so I can assure him that his email is not being read by someone else.

Thank you for your help!
2 Solutions
Shabarinath Ramadasan, Infrastructure Architect, commented:
A few points to check first:

* Any delegated access. Assistants for senior management users will have delegated access, even on the inbox in some cases.
* Folder-level permission set by mistake - assume that the user set permission for another user for some reason, so that the third user can directly access his mailbox.

And now enable auditing for logons on this Exchange server. This will record an entry in Event Viewer for any access happening on the mailboxes hosted on this server.

Amit, IT Architect, commented:
Use EXMON for Exchange. You can also collect data on who connected and when.

wyrickits (Author) commented:
Thanks for everyone's help.

No delegates are assigned. I also checked permissions; they seemed okay.

I enabled auditing for both successful and failed logins. This is very helpful and will allow me to view failed logins from OWA.

I can view successful connections to OWA via the IIS logs.

Using EXMON is also very helpful. It allows me to see MAPI connections per user and their IP addresses.
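
As an added example (not part of the original thread), the IIS log review discussed above can be scripted: the sketch below groups OWA requests for one mailbox by client IP and counts 401 responses where the log contains them. It assumes W3C extended logging and Exchange 2003's `/exchange/<mailbox>/` URL layout; the function names are hypothetical and the sample log is constructed.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (times are UTC by default).
# Addresses, account names and paths are made up for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2012-03-05 08:14:02 10.0.0.21 CORP\\jsmith GET /exchange/jsmith/Inbox/ 200
2012-03-05 08:14:09 10.0.0.21 CORP\\jsmith GET /exchange/jsmith/Inbox/Budget.EML 200
2012-03-05 09:00:00 10.0.0.33 CORP\\mlee GET /exchange/mlee/Inbox/ 200
2012-03-05 22:41:17 10.0.0.87 - GET /exchange/jsmith/ 401
2012-03-05 22:41:30 10.0.0.87 - GET /exchange/jsmith/ 401
2012-03-05 22:42:03 10.0.0.87 CORP\\jsmith GET /exchange/jsmith/Inbox/ 200
"""


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def mailbox_access_by_ip(text, mailbox, known_ips=()):
    """Summarise requests to /exchange/<mailbox>/ per client IP (hypothetical helper)."""
    prefix = "/exchange/{}/".format(mailbox.lower())
    summary = defaultdict(
        lambda: {"ok": 0, "denied": 0, "users": set(), "first": None, "last": None})
    for row in parse_w3c(text):
        if not (row.get("cs-uri-stem", "").lower() + "/").startswith(prefix):
            continue
        entry = summary[row["c-ip"]]
        stamp = row["date"] + " " + row["time"]
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
        if row["sc-status"] == "401":
            entry["denied"] += 1
        elif row["sc-status"].startswith(("2", "3")):
            entry["ok"] += 1
        if row["cs-username"] != "-":  # "-" means no authenticated user
            entry["users"].add(row["cs-username"].lower())
    for ip, entry in summary.items():
        entry["known"] = ip in known_ips  # e.g. the user's own workstation
    return dict(summary)


if __name__ == "__main__":
    for ip, e in mailbox_access_by_ip(SAMPLE_LOG, "jsmith", {"10.0.0.21"}).items():
        print(ip, "known" if e["known"] else "UNKNOWN", e["ok"], "ok", e["denied"], "denied")
```

Any client IP reported as unknown is a candidate to compare against the logon audit events and the per-user MAPI connections shown by EXMON.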