Solved

Filtering exchange audit log

Posted on 2014-03-26
6
569 Views
Last Modified: 2014-04-06
Hello experts, we recently had some suspicious activity on our Exchange 2K7 server and I'd like to further investigate possible issues. I was wondering how I would go about creating an alert or filter so that I am made aware of any other user accounts logging into somebody else's mailbox. Any help would be deeply and gratefully appreciated. Thank you.
0
Question by:EmpoweredBiz
6 Comments
 
LVL 2

Expert Comment

by:ssmith81
ID: 39958122
Do you have the audit log enabled?
If you enable the audit log, you can find out message/folder access and all the other activity in Exchange 2007.
Here is a step-by-step process on "how to enable mailbox auditing in Exchange Server".
Further, this link would also be a good approach for granular-level investigation in Exchange Server.
0
 
LVL 63

Expert Comment

by:btan
ID: 39960577
There is a TechNet article on Mailbox Audit Logging, which enables you to log mailbox access by mailbox owners, delegates (including administrators with full access permissions to mailboxes), and administrators. That is probably your first starting point to know what you can do.

In fact, you can go beyond that, as almost all of the configuration information in Exchange is stored in Active Directory's configuration partition. This partition is replicated between all domain controllers in the entire organization, and the configuration can be changed on any domain controller in the forest. So that can be another indicator, but it can tend to be noisy, especially if you have "many" domain admins.

Nonetheless, GPO auditing changes on the Exchange Server will be common, like enabling and changing the Default Domain Controller Policy, and this affects domain controllers in each domain. One example is enabling the Audit Policy setting "Audit Directory Service Access" for the domain controllers, not the Exchange Servers, as this enables you to track any successful changes to anything in the configuration partition, including the Exchange configuration. In this case, you will also want to enable auditing of failures to "catch all."

Delving into Exchange System Manager, the two things to look at further on the auditing are the Mailboxes and Logons objects that are always found under each mailbox store that admins create on an Exchange server. Why they are useful is that these objects display the "Last Logged on By" field, showing which account last accessed a particular mailbox. Note that Exchange admins are explicitly denied access to all mailboxes by default in Exchange.

But I thought we should drill into monitoring and listing out the privileges assigned so far: who has the "power", what is "going on" daily, and what the "trend of access" is for these folks, or even ad hoc parties created for that instance or a short interim period.

E.g. we can temporarily increase diagnostics logging for the Logons and Access Control categories for mailboxes. This is normally done in the Exchange System Manager, with the Logons and Access Control categories set to Maximum. This article describes it further. Below are some event IDs to watch out for; they may vary if Exchange is a different version.

Event ID 1016 is essentially self-explanatory when you read the description, in that it means that the specified Windows NT account accessed the specified mailbox but is not the primary account for that mailbox.

Event ID 1013 informs you that the specified user account has opened an additional mailbox.

Event ID 1009 is an indication that the specified user account logged into the specified mailbox.

Event ID 1029 tells you that the specified user/mailbox was unsuccessful in its attempt to access a particular folder from another mailbox.

Also take note of tools such as the Public Folder Distributed Authoring and Versioning (DAV)-based Administration tool (PFDAVAdmin), which can alter permissions and rights; those accounts need to be queried too, especially if they are not the admins delegated to perform such privileges.

There are also other market tools, and it is good to check them out to understand the native audit limitations, which are mostly in the details and granularity of checks. See this PDF from Netwrix.
0
 
LVL 9

Expert Comment

by:SirtenKen
ID: 39969827
Exmon is a tool that lets you see the IP address of each user connected to a mailbox and may help you to determine if suspicious activity is happening "right now".
technet.microsoft.com/en-us/library/bb508855(EXCHG.65).aspx
0
 
LVL 63

Expert Comment

by:btan
ID: 39970984
Maybe old but useful - How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server

Also how to View Windows NT Accounts that Access Mailboxes in Exchange Server.

To view this information, follow these steps:
-Start the Microsoft Exchange Administrator program.
-In the console tree, double-click Servers, right-click the server object, and then click Properties.
-Click the Diagnostic Logging tab, and then in Services, click MSExchangeIS - Private.
-In Categories, click Logons and Access Control, and then set the logging level to Maximum.
-Click OK to apply the settings. You do not have to restart any of the services for event messages to be logged.

Some key event IDs to note:

-Event 1009 message indicates that a Windows NT account has logged into a particular Exchange Server mailbox.

-Event 1013 message indicates that an account has opened its primary mailbox, and that it has opened an additional mailbox.

-Event 1016 message indicates that a Windows NT account accessed an Exchange mailbox, but that it is not the primary account for that mailbox.

-Event 1029 message indicates that a particular mailbox was unable to gain access to a folder after it logged into another mailbox.
0
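The diagnostics-logging procedure and the event IDs (1009, 1013, 1016, 1029) that btan describes in both comments above can be turned into the alert the asker wanted. The script below is an added example for this thread, not code from the posters or from Microsoft. It targets Exchange 2007, where the EMC/System Manager "Maximum" level is called Expert and the same categories can be set with Set-EventLogLevel from the Exchange Management Shell; it also assumes PowerShell 2.0 (for Get-EventLog -Source/-After and Send-MailMessage) and that it runs on the Mailbox server whose Application log holds the MSExchangeIS events. The account names, directory and SMTP settings are placeholders. Note that the Mailbox Audit Logging cmdlets mentioned earlier in the thread arrived with Exchange 2010 SP1, so on 2007 these diagnostics events are the native signal to build on.

```powershell
# Added example for this thread; not code from the posters or from Microsoft.
# Assumes an Exchange 2007 Mailbox server with the Exchange Management Shell loaded on
# PowerShell 2.0, run on the Mailbox server itself (Get-EventLog reads the local
# Application log). Account names, paths and SMTP settings below are placeholders.

param(
    [int]      $LookbackMinutes  = 60,                                # scan window; match your scheduled-task interval
    [string]   $ReportDir        = 'C:\Audit',
    [string[]] $ExpectedAccounts = @('CONTOSO\svc-bes', 'CONTOSO\svc-backup')  # assumption: accounts allowed to open any mailbox
)

# 1. Raise the two diagnostics categories from the shell (same effect as the EMC steps above).
#    'Expert' is the highest level Exchange 2007 exposes. Safe to repeat, but set both back to
#    Lowest when the investigation ends: at this level every MAPI logon writes an event.
Set-EventLogLevel -Identity 'MSExchangeIS\9000 Private\Logons'         -Level Expert
Set-EventLogLevel -Identity 'MSExchangeIS\9000 Private\Access Control' -Level Expert

# 2. The event IDs the thread calls out, and what each means for alerting.
$watch = @{
    1016 = 'account is not the primary account for the mailbox it opened'   # the core non-owner signal
    1013 = 'account opened an additional mailbox'
    1029 = 'access to a folder in another mailbox was denied'               # a failed attempt; always worth a look
    1009 = 'account logged on to a mailbox'                                 # owner logons too; context only
}

# 3. Pull the acting account and target mailbox out of the message text. The exact wording
#    differs between Exchange versions, so the pattern is loose and the raw message is kept.
function Parse-LogonEvent($entry) {
    $m = [regex]::Match($entry.Message,
        '(?i)account\s+"?(?<account>[^\s"]+)"?\s+(?:accessed|logged on to)\s+"?(?<mailbox>[^",]+)"?')
    $account = '<unparsed>'; $mailbox = '<unparsed>'
    if ($m.Success) { $account = $m.Groups['account'].Value; $mailbox = $m.Groups['mailbox'].Value }
    New-Object PSObject -Property @{
        Time    = $entry.TimeGenerated
        EventID = $entry.EventID
        Meaning = $watch[$entry.EventID]
        Account = $account
        Mailbox = $mailbox
        Message = $entry.Message
    }
}

# 4. Decide what deserves an alert: any denied access (1029), and any 1013/1016 where the
#    acting account is not on the expected list. Plain 1009 owner logons are recorded, not alerted.
function Test-Suspect($p) {
    switch ($p.EventID) {
        1029    { return $true }
        1009    { return $false }
        default { return ($ExpectedAccounts -notcontains $p.Account) }
    }
}

$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$parsed = @()
# Get-EventLog writes a "No matches found" error when the window is empty; that is not a failure here.
foreach ($e in (Get-EventLog -LogName Application -Source MSExchangeIS -After $since -ErrorAction SilentlyContinue)) {
    if ($watch.ContainsKey($e.EventID)) { $parsed += Parse-LogonEvent $e }
}
$suspect = @($parsed | Where-Object { Test-Suspect $_ })

# 5. Keep a full record of the window on disk, then mail only the suspicious rows.
if ($parsed.Count -gt 0) {
    if (-not (Test-Path $ReportDir)) { New-Item -ItemType Directory -Path $ReportDir | Out-Null }
    $parsed | Sort-Object Time |
        Export-Csv -NoTypeInformation -Path ('{0}\mailbox-logons-{1:yyyyMMdd-HHmm}.csv' -f $ReportDir, (Get-Date))
}
if ($suspect.Count -gt 0) {
    $body = $suspect | Sort-Object Time |
            Format-Table Time, EventID, Account, Mailbox, Meaning -AutoSize | Out-String -Width 200
    Send-MailMessage -SmtpServer 'mail.contoso.local' -From 'exchange-audit@contoso.local' `
        -To 'secops@contoso.local' -Body $body `
        -Subject ('Non-owner mailbox access on {0}: {1} event(s)' -f $env:COMPUTERNAME, $suspect.Count)
}
```

Schedule it with Task Scheduler at the same interval as $LookbackMinutes, launching it inside the Exchange shell so Set-EventLogLevel is available, e.g. powershell.exe -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\Bin\exshell.psc1" -File C:\Audit\Watch-MailboxLogons.ps1. Event 1016 fires for every delegate and every Full Access administrator, not just intruders, so expect the first runs to be noisy; move the legitimate BlackBerry, backup and anti-virus accounts into $ExpectedAccounts and what remains is the list of "somebody else opened this mailbox" cases the question asks for.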
 
LVL 7

Accepted Solution

by:EmpoweredBiz (earned 0 total points)
ID: 39971403
0
 
LVL 7

Author Closing Comment

by:EmpoweredBiz
ID: 39981026
Did the job I needed
0
