Solved

Filtering exchange audit log

Posted on 2014-03-26
536 Views
Last Modified: 2014-04-06
Hello experts, we recently had some suspicious activity on our exchange 2K7 server and I'd like to further investigate possible issues. I was wondering how I would go about creating an alert or filter so that I am made aware of any other user accounts logging into somebody else's mailbox. Any help would be deeply and gratefully appreciated. Thank you.
0
Question by:EmpoweredBiz
6 Comments
 
LVL 2

Expert Comment

by:ssmith81
ID: 39958122
Do you have the audit log enabled?
If you enable the audit log, you can find out about message/folder access and all the other activity in Exchange 2007.
Here is a step-wise process about "how to enable mailbox auditing in Exchange Server".
Further, this link would also be a good approach for granular-level investigation in Exchange Server.
0
 
LVL 61

Expert Comment

by:btan
ID: 39960577
There is a TechNet article on Mailbox Audit Logging which enables you to log mailbox access by mailbox owners, delegates (including administrators with full access permissions to mailboxes), and administrators. That is probably your first starting point to know what you can do.

In fact, you can go beyond that, as almost all of the configuration information in Exchange is stored in the Active Directory's configuration partition. This partition is replicated between all domain controllers in the entire organization, and the configuration can be changed on any domain controller in the forest. So that can be another indicator, but it can tend to be noisy, especially if you have "many" domain admins.

Nonetheless, GPO auditing changes on the Exchange Server will be common, like enabling and changing the Default Domain Controller Policy, and this affects domain controllers in each domain. One example is enabling the Audit Policy setting "Audit Directory Service Access" for the domain controllers, not the Exchange Servers, as this enables you to track any successful changes to anything in the configuration partition, including the Exchange configuration. In this case, you will want to also enable failure auditing to "catch all."

Delving into Exchange System Manager, the two things to look at further for auditing are the Mailboxes and Logons objects that are always found under each mailbox store that admins create on an Exchange server. Why they are useful is that these objects display the "Last Logged on By" field, showing which account last accessed a particular mailbox. Note that Exchange admins are explicitly denied access to all mailboxes by default in Exchange.

But I thought we should drill into monitoring and listing out the privileges assigned so far: who has the "power", what is "going on" daily, and how the "trend of access" is for these folks, or even ad hoc parties created for that instance or a short interim period.

E.g. we can temporarily increase diagnostics logging for the Logons and Access Control categories for mailboxes. This is normally done in the Exchange System Manager by having the Logons and Access Control categories set to Maximum. This article describes it further. Below are some event IDs to watch out for; they may vary if Exchange is of a different version.

Event ID 1016 is essentially self-explanatory when you read the description, in that it means that the specified Windows NT account accessed the specified mailbox but is not the primary account for that mailbox.

Event ID 1013 informs you that the specified user account has opened an additional mailbox.

Event ID 1009 is an indication that the specified user account logged into the specified mailbox.

Event ID 1029 tells you that the specified user/mailbox was unsuccessful in its attempt to access a particular folder from another mailbox.

Also take note of tools such as the Public Folder Distributed Authoring and Versioning (DAV)-based Administration tool (PFDAVAdmin), which can alter permissions and rights; that account needs to be queried, especially if it is not the admin delegated to perform such privileges.

There are also other market tools, and it is good to check them out to understand the native audit limitations, which are mostly in the details and granularity of checks. See this PDF from Netwrix.
0
 
LVL 9

Expert Comment

by:SirtenKen
ID: 39969827
Exmon is a tool that lets you see the IP address of each user connected to a mailbox and may help you to determine if suspicious activity is happening "right now".
technet.microsoft.com/en-us/library/bb508855(EXCHG.65).aspx
0
 
LVL 61

Expert Comment

by:btan
ID: 39970984
Maybe old but useful - How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server

Also how to View Windows NT Accounts that Access Mailboxes in Exchange Server.

To view this information, follow these steps:
-Start the Microsoft Exchange Administrator program.
-In the console tree, double-click Servers, right-click the server object, and then click Properties.
-Click the Diagnostic Logging tab, and then in Services, click MSExchangeIS - Private.
-In Categories, click Logons and Access Control, and then set the logging level to Maximum.
-Click OK to apply the settings. You do not have to restart any of the services for event messages to be logged.

Some key event IDs to note:

-Event 1009 message indicates that a Windows NT account has logged into a particular Exchange Server mailbox.

-Event 1013 message indicates that an account has opened its primary mailbox, and that it has opened an additional mailbox.

-Event 1016 message indicates that a Windows NT account accessed an Exchange mailbox, but that it is not the primary account for that mailbox.

-Event 1029 message indicates that a particular mailbox was unable to gain access to a folder after it logged into another mailbox.
0
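The two btan comments above list the MSExchangeIS logon events (1009, 1013, 1016, 1029) that appear once Logons / Access Control logging is at Maximum. The script below is an added example, not from the thread or from Microsoft: it pulls those events from the Application log on the Exchange server and summarises which accounts opened mailboxes they do not own. It assumes PowerShell 2.0 or later, that the event source name starts with "MSExchangeIS", and that the event text carries a DOMAIN\user token and a "/cn=Recipients/cn=<alias>" mailbox DN (the regexes are my assumptions about the message format, not confirmed by the thread).

```powershell
# Added example (not from the thread): summarise MSExchangeIS logon events 1009/1013/1016/1029
# from the Application log after Logons / Access Control diagnostic logging is set to Maximum.
# Assumptions: PowerShell 2.0+, event source starts with "MSExchangeIS", and the message text
# contains a DOMAIN\user token plus a "/cn=Recipients/cn=<alias>" mailbox DN.
param(
    [int]$Hours = 24,                      # how far back to look
    [string[]]$KnownServiceAccounts = @()  # e.g. backup or BES accounts that legitimately open many mailboxes
)

$since         = (Get-Date).AddHours(-$Hours)
$idsOfInterest = 1009, 1013, 1016, 1029

# Get-EventLog runs on the Exchange 2007 server itself; filter to the store's logon events only.
$events = Get-EventLog -LogName Application -After $since |
    Where-Object { $_.Source -like 'MSExchangeIS*' -and $idsOfInterest -contains $_.EventID }

function Get-NonOwnerLogon {
    param([System.Diagnostics.EventLogEntry]$Entry)
    # Pull the accessing account (DOMAIN\user) and the target mailbox alias out of the message text.
    # (Assumed message layout; adjust the patterns if your events are worded differently.)
    $account = [regex]::Match($Entry.Message, '\b[\w.-]+\\[\w.$-]+\b').Value
    $mailbox = [regex]::Match($Entry.Message, '/cn=Recipients/cn=([^\s,]+)', 'IgnoreCase').Groups[1].Value
    New-Object PSObject -Property @{
        Time    = $Entry.TimeGenerated
        EventID = $Entry.EventID
        Account = $account
        Mailbox = $mailbox
        Server  = $Entry.MachineName
    }
}

# 1016 = a non-primary account opened the mailbox; 1029 = a cross-mailbox folder access was refused.
$nonOwner = $events |
    Where-Object { $_.EventID -eq 1016 -or $_.EventID -eq 1029 } |
    ForEach-Object { Get-NonOwnerLogon $_ } |
    Where-Object { $KnownServiceAccounts -notcontains $_.Account }

# Who is opening whose mailbox, and how often: a new Account/Mailbox pair is the thing to chase.
$nonOwner | Group-Object Account, Mailbox |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Raw detail for the analyst, newest first.
$nonOwner | Sort-Object Time -Descending |
    Format-Table Time, EventID, Account, Mailbox, Server -AutoSize
```

Run it on the mailbox server after raising the logging level; pass known backup or BlackBerry service accounts in -KnownServiceAccounts to cut the noise the comment warns about, and schedule it to build the daily "trend of access" btan describes.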
 
LVL 7

Accepted Solution

by:
EmpoweredBiz earned 0 total points
ID: 39971403
0
 
LVL 7

Author Closing Comment

by:EmpoweredBiz
ID: 39981026
Did the job I needed
0
