Solved

Trap a login by acct name

Posted on 2014-02-06
8
185 Views
Last Modified: 2014-08-19
We have an account that is logging into an exchange server, we know the account is legitimate but no longer required but before we remove it we need to find out what resource it is accessing... looked in service, looked in registry, can't seem to find a good reference.. Any ideas to speedily trap the loin and what it is doing?
0
Comment
Question by:halkuff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
8 Comments
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39839805
You need to find out what the account/login is looking for on the exchange server? Or are you trying to determine where the requests are coming from?
0
 

Author Comment

by:halkuff
ID: 39839811
Both
0
 
LVL 15

Accepted Solution

by:
jrhelgeson earned 500 total points
ID: 39839919
Both questions can be answered from identifying the device it is logging in from.  I'd start by looking in the security event log on the exchange server. If it is not logging in using NTLM, then you'd need to look in the exchange server log files (the IIS web server logs).

Log files will show you user authentication and limited information on what resource is being accessed/requested by that login.  You can search your logs for that user account to see what it has been accessing in the past.

If the account is not authenticating using HTTP or NTLM, it might just be getting used to authenticate and send mail using basic authentication. If that is the case, it will not show up in the IIS or security event logs.  If that is the case, a packet capture will be your best bet as that authentication will happen in clear text and you'll be able to pull it right out of a packet capture.  I'd check and see if it is being used by fax/copiers/scanners to authenticate and send mail.

Once you get an IP address of the device accessing the account, you can go to that device and see what program is accessing that account.  Check SMTP services, etc.  Then you'll know what the program is doing.  If it still isn't obvious, you can disable the mail account and look in the event log of the target computer for any failed entries related to the mail account.

That's all I can come up with at this time from off the top of my head.

Joel
0
 

Author Comment

by:halkuff
ID: 40227232
I've requested that this question be deleted for the following reason:

No longer an issue
0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 40227233
An answer was provided
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question