[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 192
  • Last Modified:

Trap a login by acct name

We have an account that is logging into an exchange server, we know the account is legitimate but no longer required but before we remove it we need to find out what resource it is accessing... looked in service, looked in registry, can't seem to find a good reference.. Any ideas to speedily trap the loin and what it is doing?
0
halkuff
Asked:
halkuff
  • 3
  • 2
1 Solution
 
jrhelgesonCommented:
You need to find out what the account/login is looking for on the exchange server? Or are you trying to determine where the requests are coming from?
0
 
halkuffAuthor Commented:
Both
0
 
jrhelgesonCommented:
Both questions can be answered from identifying the device it is logging in from.  I'd start by looking in the security event log on the exchange server. If it is not logging in using NTLM, then you'd need to look in the exchange server log files (the IIS web server logs).

Log files will show you user authentication and limited information on what resource is being accessed/requested by that login.  You can search your logs for that user account to see what it has been accessing in the past.

If the account is not authenticating using HTTP or NTLM, it might just be getting used to authenticate and send mail using basic authentication. If that is the case, it will not show up in the IIS or security event logs.  If that is the case, a packet capture will be your best bet as that authentication will happen in clear text and you'll be able to pull it right out of a packet capture.  I'd check and see if it is being used by fax/copiers/scanners to authenticate and send mail.

Once you get an IP address of the device accessing the account, you can go to that device and see what program is accessing that account.  Check SMTP services, etc.  Then you'll know what the program is doing.  If it still isn't obvious, you can disable the mail account and look in the event log of the target computer for any failed entries related to the mail account.

That's all I can come up with at this time from off the top of my head.

Joel
0
 
halkuffAuthor Commented:
I've requested that this question be deleted for the following reason:

No longer an issue
0
 
jrhelgesonCommented:
An answer was provided
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now