Exchange 2010 Security Monitoring

Hi,

We are looking to implement security monitoring over Exchange 2010.
Some events we would like to monitor for are:
1. Mailbox Creation
2. Mailbox Deletion
3. Admins reading other users emails
4. Change of permissions to mailboxes.

Has anyone implemented this type of monitoring?
Does anyone know the event ID's associated with these events?
Is there a list somewhere of all event id's for Exchange 2010?

Thanks for the help
neoptoent asked:
davorin commented:
Hi,

Here you have two options:
1. Administrator audit logging - it logs almost every command/change made in the EMC and EMS.
http://technet.microsoft.com/en-us/library/dd335144.aspx

2. Message audit logging - logs changes to messages in mailboxes.
http://technet.microsoft.com/en-us/library/ff459237.aspx

But here you have a problem with your wish no. 3 - an admin reading other users' mail.
You can enable message auditing, but normally when another user (the admin) wants to access another user's mailbox, he grants himself full access permissions. That is called delegation, and in delegation MessageBind (when an item is accessed in the reading pane or opened) is not logged, as it would have to log a huge amount of data. But with admin auditing you can see that the admin had set himself full access permissions to another mailbox. All other actions are logged (copy, create, send, ... look at the table in the second link).
 
Pradeep commented:
In the MAPI properties of the mailbox you will see a property "PR_Creation_Time" which shows its creation date. In case the mailbox was moved recently, the old time will not be reflected; it will now show the time of the last mailbox move. You can check the event logs for created mailboxes.

Enable auditing of Directory Service Access (KB 232714), which will give us the success/failure attempts by any user to access AD. On success it generates events 565 and 566, which can tell us the name of the person who deleted the mailbox and the name of the person whose mailbox has been deleted.
 
neoptoent (author) commented:
Hi,

Thanks for the responses. I think I will need to enable auditing and parse out the info I need.

Is there any place that lists all the event ID's associated with audit logging and the parameters?


Thanks
 
davorin commented:
These logs are not stored in the Event Viewer. You get access to them using the Exchange Control Panel. They are exported in XML format. You get a list of the complete commands issued plus info about who issued them and when.
 
neoptoent (author) commented:
These don't write to the Event Viewer log?
 
neoptoent (author) commented:
We need to use a third-party tool to parse the data... can it store it in a Windows event log or a text file?
 
davorin commented:
Please take a look at this article for the export/search options of admin audit logs:
http://technet.microsoft.com/en-us/library/ff459262.aspx

I'm not aware that storing those logs in the Event Viewer is possible. Well, XML files are text files with a special format.
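Putting davorin's two options together in the Exchange Management Shell, as an added example that is not from the thread: it enables both audit logs, searches them for the four events in the question, and relays the results to a CSV file and to the Windows Application log (the two destinations the author asked about). It assumes Exchange 2010 SP1 or later (mailbox audit logging and Search-MailboxAuditLog need SP1); the mailbox address, export path and event source name are placeholders.

```powershell
# Added example (not from the thread). Assumes Exchange 2010 SP1+, run in the
# Exchange Management Shell; mailbox, path and source names are placeholders.

# 1. Administrator audit logging: record every EMS/EMC cmdlet that changes something.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters *

# 2. Mailbox audit logging on a mailbox of interest. As davorin notes, MessageBind is
#    only available for the Admin logon type; delegates get FolderBind and the rest.
Set-Mailbox -Identity "ceo@example.com" -AuditEnabled $true `
    -AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,MessageBind `
    -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf

$since = (Get-Date).AddDays(-1)
$now   = Get-Date

# 3. Items 1, 2 and 4 of the question map to admin-audit cmdlet names; an admin granting
#    himself FullAccess shows up here as Add-MailboxPermission.
$adminHits = Search-AdminAuditLog -StartDate $since -EndDate $now `
    -Cmdlets New-Mailbox,Enable-Mailbox,Remove-Mailbox,Disable-Mailbox,Add-MailboxPermission,Remove-MailboxPermission,Add-ADPermission

# 4. Item 3: non-owner access to the audited mailbox (FolderBind = a folder was opened).
$mailboxHits = Search-MailboxAuditLog -Identity "ceo@example.com" -LogonTypes Admin,Delegate `
    -ShowDetails -StartDate $since -EndDate $now

# 5. Text files for a third-party parser ...
$adminHits   | Export-Csv -Path "C:\AuditExport\admin-audit.csv"   -NoTypeInformation
$mailboxHits | Export-Csv -Path "C:\AuditExport\mailbox-audit.csv" -NoTypeInformation

# ... and one Windows Application log event per finding, so a SIEM agent can pick them up.
$source = "ExchangeAuditRelay"   # placeholder event source name
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
foreach ($h in $adminHits) {
    $params = ($h.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
    Write-EventLog -LogName Application -Source $source -EventId 9001 -EntryType Warning `
        -Message "$($h.RunDate) $($h.Caller) ran $($h.CmdletName) on $($h.ObjectModified) [$params]"
}
foreach ($h in $mailboxHits) {
    Write-EventLog -LogName Application -Source $source -EventId 9002 -EntryType Warning `
        -Message "$($h.LastAccessed) $($h.LogonUserDisplayName) ($($h.LogonType)) $($h.Operation) in $($h.FolderPathName)"
}
```

Event IDs 9001 and 9002 are arbitrary values chosen for this relay, not Exchange event IDs; schedule the search/relay part as a task so the Application log receives a steady feed.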
 
neoptoent (author) commented:
Do you know where that XML file sits?
 
davorin commented:
"The procedure in that section sends an XML file as an e-mail attachment to the recipients you specify"
from the previous link.
Sorry, I cannot find where the Exchange server stores the source log files. But then I also never needed that information.