  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 378

Exchange 2010 Security Monitoring

Hi,

We are looking to implement security monitoring over Exchange 2010.
Some events we would like to monitor for are:
1. Mailbox Creation
2. Mailbox Deletion
3. Admins reading other users emails
4. Change of permissions to mailboxes.

Has anyone implemented this type of monitoring?
Does anyone know the event IDs associated with these events?
Is there a list somewhere of all event IDs for Exchange 2010?

Thanks for the help
Asked by: neoptoent
1 Solution
davorin commented:
Hi,

Here you have two options:
1. Administrator audit logging - it logs almost every command/change made in the EMC and EMS.
http://technet.microsoft.com/en-us/library/dd335144.aspx

2. Message audit logging - logs changes to messages in mailboxes.
http://technet.microsoft.com/en-us/library/ff459237.aspx

But here you have a problem with your wish no. 3 - admins reading other users' mails.
You can enable message auditing, but normally when another user (an admin) wants to access another user's mailbox, they first set full access permissions for themselves. That is called delegation, and in delegation MessageBind (when an item is accessed in the reading pane or opened) is not logged, as it would have to log a huge amount of data. But with admin auditing you can see that the admin set full access permissions for themselves on another mailbox. All other actions are logged (copy, create, send, ...; look at the table in the second link).
Deepu Chowdary commented:
In the MAPI properties of the mailbox, you will see a property "PR_Creation_Time" which shows its creation date. In case the mailbox was moved recently, the old time will not be reflected; it will instead show the time of the last mailbox move. You can check the event logs for created mailboxes.

Enable the auditing of Directory Service Access (KB 232714), which will give us the success/failure attempts by any user to access AD. On success it generates events 565 and 566, which can tell us the name of the person who deleted the mailbox and the name of the person whose mailbox was deleted.
neoptoent (author) commented:
Hi,

Thanks for the responses. I think I will need to enable auditing and parse out the info I need.

Is there any place that lists all the event IDs associated with audit logging and the parameters?

Thanks

davorin commented:
These logs are not stored in the Event Viewer. You access them using the Exchange Control Panel. They are exported in XML format. You get a list of the complete commands issued, plus info about who issued them and when.
neoptoent (author) commented:
These don't write to the Event Viewer log?
neoptoent (author) commented:
We need to use a third-party tool to parse the data... Can it store it in a Windows event log or a text file?
davorin commented:
Please take a look at this article for export/search options of admin audit logs:
http://technet.microsoft.com/en-us/library/ff459262.aspx

I'm not aware that storing those logs in the Event Viewer is possible. Well, XML files are text files with a special format.

neoptoent (author) commented:
Do you know where that XML file sits?
davorin commented:
"The procedure in that section sends an XML file as an e-mail attachment to the recipients you specify"
from previous link.
Sorry, I cannot find where Exchange Server stores the source log files. But anyway, I also never needed that information.
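Putting the two logging options from the accepted answer and the later export question together, here is an added PowerShell example for the Exchange 2010 SP1 Management Shell; it is not from the thread or from Microsoft's documentation, and the mailbox addresses, export path and status-mail recipient are placeholders:

```powershell
# Added example, not from the thread. Run in the Exchange 2010 SP1
# Management Shell; mailbox names, paths and addresses are placeholders.

# 1. Administrator audit logging: record every non-Get cmdlet run through
#    the EMC or EMS, together with all of its parameters.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * -AdminAuditLogParameters *

# 2. Mailbox audit logging on a sensitive mailbox. MessageBind (open/read)
#    is accepted for AuditAdmin only; delegate reads are never logged, which
#    is the gap davorin describes.
Set-Mailbox -Identity "ceo@contoso.example" -AuditEnabled $true `
    -AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,MessageBind `
    -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Items 1, 2 and 4 of the question: who created or removed mailboxes, or
# changed mailbox permissions, in the last week.
Search-AdminAuditLog -StartDate $start -EndDate $end `
    -Cmdlets New-Mailbox,Remove-Mailbox,Disable-Mailbox,Add-MailboxPermission,Remove-MailboxPermission |
    Select-Object RunDate, Caller, CmdletName, ObjectModified,
        @{n='Parameters'; e={ ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' }}

# Item 3: an admin granting FullAccess (often to themselves) is the
# detectable precursor to reading someone else's mail, so alert on it.
Search-AdminAuditLog -StartDate $start -EndDate $end -Cmdlets Add-MailboxPermission |
    Where-Object {
        ($_.CmdletParameters | Where-Object { $_.Name -eq 'AccessRights' }).Value -match 'FullAccess'
    } | Select-Object RunDate, Caller, ObjectModified

# What the mailbox audit log itself captured for admin and delegate logons.
Search-MailboxAuditLog -Identity "ceo@contoso.example" -LogonTypes Admin,Delegate `
    -StartDate $start -EndDate $end -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, FolderPathName, ClientIPAddress

# Plain-text copy for a third-party parser (the thread asked for a text
# file), plus the asynchronous search that mails its results as an XML file.
Search-AdminAuditLog -StartDate $start -EndDate $end |
    Export-Csv -NoTypeInformation -Path "C:\AuditExports\admin-audit.csv"
New-AdminAuditLogSearch -Name "Weekly mailbox permission changes" `
    -Cmdlets Add-MailboxPermission,Remove-MailboxPermission `
    -StartDate $start -EndDate $end -StatusMailRecipients "secmon@contoso.example"
```

Exchange 2010 RTM (pre-SP1) lacks the mailbox audit cmdlets, so the Set-Mailbox -AuditEnabled and Search-MailboxAuditLog lines require SP1 or later.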