Possible security breach: Question about where emails are being read from

Posted on 2011-05-04
Last Modified: 2012-05-11
We have a senior management end user who has reported that his emails have all of a sudden been marked as unread in Outlook.  It has happened a handful of times, on different days and at different times.  I want to be able to make sure no one is reading his emails.

We are running an Exchange 2003 environment.

The first thing I had him do was reset his password in case someone was logging into OWA and viewing the emails from there.  I also enabled logging on the IIS server (it was disabled before).  I then attempted a successful login to OWA.  When I checked the logs I was able to see the successful login.  I then attempted an unsuccessful login to OWA.  However, when I checked the logs I never saw any new log entries pointing to an unsuccessful login attempt.  How could I track unsuccessful authentication attempts in OWA?  Any suggestions?

Aside from OWA, the other way someone could be reading the end user's email is via a MAPI connection.  Is it possible to see if someone is accessing his email from another computer in our environment via a MAPI connection?

I know this could also be a buggy issue with Outlook.  But this is a senior employee and I want to take all of the necessary security precautions so I can assure him that his email is not being read by someone else.

Thank you for your help!
Question by: wyrickits
    LVL 14

    Accepted Solution

    Few points to check first

    * Any delegated access. Assistants for Senior Management users will have delegated access even on the inbox in some cases.
    * Folder level permission set by mistake - Assume that the user set permission for another user for some reason so that the third user can directly access his mailbox

    And now enable audit for logons on this exchange server. This will mark an entry on event viewer for any access happening on the mailbox hosted on this server.

    LVL 41

    Assisted Solution

    Use EXMON for Exchange. You can also collect data on who connected and when.

    Author Closing Comment

    Thanks for everyone's help.

    No delegates are assigned.  I also checked permissions; they seemed okay.

    I enabled auditing for both successful and failed logins.  This is very helpful and will allow me to view failed logins from OWA.

    I can view successful connections to OWA via the IIS logs.

    Using EXMON is also very helpful.  It allows me to see MAPI connections per user and their IP addresses.
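
Added example, not part of the original thread: one way to review the IIS W3C logs mentioned above for successful OWA access to a single mailbox, grouped by authenticated account and client IP. It assumes the Exchange 2003 OWA path form `/exchange/<alias>/` and that the log includes the fields named in the sample `#Fields` line; the function names, the alias `jsmith` and the log lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not data from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2011-05-03 08:12:01 10.0.0.15 CORP\\jsmith GET /exchange/jsmith/Inbox/ 200
2011-05-03 08:12:05 10.0.0.15 - GET /exchange/jsmith/Inbox/ 401
2011-05-03 23:41:17 10.0.0.77 CORP\\jsmith GET /exchange/jsmith/Inbox/ 200
2011-05-03 23:41:30 10.0.0.77 CORP\\jsmith GET /exchange/jsmith/Inbox/Budget.EML 200
2011-05-04 09:00:00 10.0.0.22 CORP\\adoe GET /exchange/adoe/Inbox/ 200
2011-05-04 09:05:00 10.0.0.22 CORP\\adoe GET /exchange/jsmith/Inbox/ 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def mailbox_access(text, alias, known_ips=()):
    """Summarise authenticated 2xx requests under /exchange/<alias>/ (assumed path)."""
    prefix = f"/exchange/{alias}/".lower()
    summary = defaultdict(lambda: {"hits": 0, "first": None, "last": None})
    for row in parse_w3c(text):
        if not row.get("cs-uri-stem", "").lower().startswith(prefix):
            continue
        user, status = row.get("cs-username", "-"), row.get("sc-status", "")
        if user == "-" or not status.startswith("2"):
            continue  # keep only requests that authenticated and succeeded
        stamp = f"{row.get('date', '')} {row.get('time', '')}"  # IIS logs in UTC
        entry = summary[(user.lower(), row["c-ip"])]
        entry["hits"] += 1
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
        entry["known_ip"] = row["c-ip"] in known_ips
    return dict(summary)

if __name__ == "__main__":
    for (user, ip), info in mailbox_access(SAMPLE_LOG, "jsmith", {"10.0.0.15"}).items():
        print(user, ip, info)
```

Rows where the account is not the mailbox owner, or where `known_ip` is false, are the ones to compare against the delegate and folder-permission checks and the EXMON output.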

