Solved

Trap a login by acct name

Posted on 2014-02-06
Last Modified: 2014-08-19
We have an account that is logging into an Exchange server. We know the account is legitimate but no longer required, but before we remove it we need to find out what resource it is accessing. Looked in services, looked in the registry, can't seem to find a good reference. Any ideas to speedily trap the login and what it is doing?
Question by:halkuff
LVL 15

Expert Comment

by:jrhelgeson
ID: 39839805
You need to find out what the account/login is looking for on the Exchange server? Or are you trying to determine where the requests are coming from?
0
 

Author Comment

by:halkuff
ID: 39839811
Both
0
 
LVL 15

Accepted Solution

by:
jrhelgeson earned 500 total points
ID: 39839919
Both questions can be answered by identifying the device it is logging in from. I'd start by looking in the security event log on the Exchange server. If it is not logging in using NTLM, then you'd need to look in the Exchange server log files (the IIS web server logs).

Log files will show you user authentication and limited information on what resource is being accessed/requested by that login.  You can search your logs for that user account to see what it has been accessing in the past.

If the account is not authenticating using HTTP or NTLM, it might just be getting used to authenticate and send mail using basic authentication. If that is the case, it will not show up in the IIS or security event logs.  If that is the case, a packet capture will be your best bet as that authentication will happen in clear text and you'll be able to pull it right out of a packet capture.  I'd check and see if it is being used by fax/copiers/scanners to authenticate and send mail.

Once you get an IP address of the device accessing the account, you can go to that device and see what program is accessing that account.  Check SMTP services, etc.  Then you'll know what the program is doing.  If it still isn't obvious, you can disable the mail account and look in the event log of the target computer for any failed entries related to the mail account.

That's all I can come up with at this time from off the top of my head.

Joel
0
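The IIS log search described in the accepted answer, as an added example that is not part of jrhelgeson's post: it reads W3C extended log text, matches one account in any of its `DOMAIN\user`, `user@domain` or bare forms, and tallies which client IPs and URLs used it. The account name `svc-legacy`, the addresses and the log lines are constructed, and the code assumes the `cs-username` and `c-ip` fields are enabled in IIS logging.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2014-02-06 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2014-02-06 08:00:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\svc-legacy 10.0.3.17 ExchangeServicesClient/14.03 200
2014-02-06 08:00:09 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.9.40 Mozilla/5.0 200
2014-02-06 08:05:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 corp\\SVC-LEGACY 10.0.3.17 ExchangeServicesClient/14.03 200
2014-02-06 08:07:30 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync 443 svc-legacy@corp.example 10.0.7.88 Apple-iPhone 200
"""

def bare_name(username):
    """Reduce DOMAIN\\user or user@domain to a lower-case bare account name."""
    name = username.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()

def trace_account(log_text, account):
    """Count (client IP, URI, user agent, status) tuples seen for one account."""
    target = bare_name(account)
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The field list can change mid-file when logging settings change.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        if bare_name(row.get("cs-username", "-")) != target:
            continue
        hits[(row.get("c-ip"), row.get("cs-uri-stem"),
              row.get("cs(User-Agent)"), row.get("sc-status"))] += 1
    return hits

def source_ips(hits):
    """Distinct client addresses the account connected from."""
    return sorted({key[0] for key in hits})

if __name__ == "__main__":
    for (ip, uri, agent, status), n in trace_account(SAMPLE_LOG, "svc-legacy").most_common():
        print(f"{n:4d}  {ip:15s}  {status}  {uri}  {agent}")
```

The client IPs it returns are the devices to visit next; logons that never pass through IIS will not appear in this output.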
 

Author Comment

by:halkuff
ID: 40227232
I've requested that this question be deleted for the following reason:

No longer an issue
0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 40227233
An answer was provided
0
