Solved

Trap a login by acct name

Posted on 2014-02-06
8
187 Views
Last Modified: 2014-08-19
We have an account that is logging into an exchange server, we know the account is legitimate but no longer required but before we remove it we need to find out what resource it is accessing... looked in service, looked in registry, can't seem to find a good reference.. Any ideas to speedily trap the loin and what it is doing?
0
Comment
Question by:halkuff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
8 Comments
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39839805
You need to find out what the account/login is looking for on the exchange server? Or are you trying to determine where the requests are coming from?
0
 

Author Comment

by:halkuff
ID: 39839811
Both
0
 
LVL 15

Accepted Solution

by:
jrhelgeson earned 500 total points
ID: 39839919
Both questions can be answered from identifying the device it is logging in from.  I'd start by looking in the security event log on the exchange server. If it is not logging in using NTLM, then you'd need to look in the exchange server log files (the IIS web server logs).

Log files will show you user authentication and limited information on what resource is being accessed/requested by that login.  You can search your logs for that user account to see what it has been accessing in the past.

If the account is not authenticating using HTTP or NTLM, it might just be getting used to authenticate and send mail using basic authentication. If that is the case, it will not show up in the IIS or security event logs.  If that is the case, a packet capture will be your best bet as that authentication will happen in clear text and you'll be able to pull it right out of a packet capture.  I'd check and see if it is being used by fax/copiers/scanners to authenticate and send mail.

Once you get an IP address of the device accessing the account, you can go to that device and see what program is accessing that account.  Check SMTP services, etc.  Then you'll know what the program is doing.  If it still isn't obvious, you can disable the mail account and look in the event log of the target computer for any failed entries related to the mail account.

That's all I can come up with at this time from off the top of my head.

Joel
0
 

Author Comment

by:halkuff
ID: 40227232
I've requested that this question be deleted for the following reason:

No longer an issue
0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 40227233
An answer was provided
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Suggested Courses

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question