Solved

Mailboxes: Audit access and check non-default permissions

Posted on 2011-09-23
9
1,829 Views
Last Modified: 2012-06-27
Hello,

I would like to get some suggestion about monitoring non-owners access to user mailboxes on Exchange 2010 SP1.
In most cases only users (should) have access to their mailboxes and I want to monitor if some unauthorized configuration changes or mailbox access have occurred.
On the server I have enabled Set-AdminAuditLogConfig, so every configuration change should be logged.
But here I need two more things:
- From EMS I would like to get the list of mailboxes which has (non-default) additional users added with full-access permissions set. How should look the command?
- Get things logged when non-owner get access to mailbox and just opens/reads mail. I'm not sure this is possible as MessageBind is not applicable for delegates.
Any other idea?

Thank you!
0
Comment
Question by:davorin
  • 4
9 Comments
 
LVL 13

Expert Comment

by:Govvy
Comment Utility
0
 
LVL 27

Author Comment

by:davorin
Comment Utility
Govvy, thanks for comment, but I'm using Exchange 2010 SP1. Posted link is for Exchange 2007 SP2. Exchange 2010 have no audit logging at all. Exchange 2010 SP1 introduces new mailbox audit logging which is completely different from Exchange 2007 SP2.
0
 
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 500 total points
Comment Utility
First of all, I'm not sure the reverse lookup is part of the built in system.  That said, I've never investigated it thoroughly so it may well be.

This script should do the trick for you though: http://www.stevieg.org/2010/12/report-exchange-mailboxes-group-members-full-access/

On top of this, you should be able to check delegate access and what they did using the examples here: http://exchangeserverpro.com/exchange-2010-mailbox-audit-logging

If this is no help then let me know and I will do sone tests when I am back in front of an Exchange server on Monday.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 27

Accepted Solution

by:
davorin earned 0 total points
Comment Utility
Hi demazter,

The script looks very promising, but it would need some work - the part of workgroup I don't need.

Just yesterday I have found this link: http://www.howexchangeworks.com/2009/07/exchange-shell-finding-mailboxes-with.html  (Thanks to fresh EE member Morasiva).

But I needed to change the command a little bit  to:
Get-Mailbox | Get-MailboxPermission | Where-Object { ($_.AccessRights -eq "fullaccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "*nt authority\self*") } | select Identity, User

The original gave me no output ( with "*fullaccess*").
Only one little thing that bothers me - Identity gives sometimes too long output and the actual mailbox name is cut off. Other options like alias or displayname give me blank value...

For delegates you can check 10 different action, except MessageBind (An item is accessed in the reading pane or opened.). On the other side, it is logical that this is not logged for owner of delegates, because exchange would have to log a lot of information.
Some would like this option in case someone accesses their mailbox without authorization, they would like to know in what he/she was interested.
On your opinion, this can be done or I should focus just on configuration changes log and access permissions?

0
 
LVL 27

Author Comment

by:davorin
Comment Utility
I guess the answer to the second part of my question is "not possible".
Demazter, thank you for your comment.   At least for the first part it could take me in the right direction.
0
 
LVL 27

Author Closing Comment

by:davorin
Comment Utility
I'm closing this one as I don't expect any new comments. thx
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
In this Experts Exchange video Micro Tutorial, I'm going to show how small business owners who use Google Apps can save money by setting up what is called a catch-all email address in their Gmail accounts. By using the catch-all feature, small busin…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now