wyrickits
asked on
Possible security breach: Question about where emails are being being read from
We have a senior management end user that has reported his emails have all of the sudden been marked as unread from Outlook. It has happened a handful of times and on different days and different times. I want to be able to make sure no one is reading his emails.
We are running an Exchange 2003 environment.
The first thing I had him do was reset his password in case someone was logging into OWA and viewing the emails from there. I also enabled logging on the IIS server(it was disabled before). I then attempted a successful login to OWA. When I checked the logs I was able to see the successful login. I then attempted an unsuccessful login to OWA. However, when I checked the logs I never saw any new log entries pointing to an unsuccessful login attempt. How could I track unsuccessful authentication attempts in OWA? Any suggestions?
Besides from OWA the other way someone could be reading the end users email is via a mapi connection. Is it possible to see if someone is accessing his email from another computer in our environment via a mapi connection?
I know this could also be an buggy issue with Outlook as well. But this is a senior employee and I want to take all of the necessary security precautions so I can ensure him that his email is not being read by someone else.
Thank you for your help!
We are running an Exchange 2003 environment.
The first thing I had him do was reset his password in case someone was logging into OWA and viewing the emails from there. I also enabled logging on the IIS server(it was disabled before). I then attempted a successful login to OWA. When I checked the logs I was able to see the successful login. I then attempted an unsuccessful login to OWA. However, when I checked the logs I never saw any new log entries pointing to an unsuccessful login attempt. How could I track unsuccessful authentication attempts in OWA? Any suggestions?
Besides from OWA the other way someone could be reading the end users email is via a mapi connection. Is it possible to see if someone is accessing his email from another computer in our environment via a mapi connection?
I know this could also be an buggy issue with Outlook as well. But this is a senior employee and I want to take all of the necessary security precautions so I can ensure him that his email is not being read by someone else.
Thank you for your help!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for everyone's help.
No delegates are assigned. I also checked permissions they seemed okay.
I enabled auditing for both successful and failed logins. This is very helpful and will allow me to view failed logins from OWA.
I can view successful connections to OWA via the IIS logs.
Using EXMOn is also very helpful. It allows me to see mapi connections per user and their ip addresses.
Thanks!
No delegates are assigned. I also checked permissions they seemed okay.
I enabled auditing for both successful and failed logins. This is very helpful and will allow me to view failed logins from OWA.
I can view successful connections to OWA via the IIS logs.
Using EXMOn is also very helpful. It allows me to see mapi connections per user and their ip addresses.
Thanks!
http://office.microsoft.com/en-us/outlook-help/demo-track-when-messages-are-delivered-or-opened-HA010096691.aspx