Solved

Filtering exchange audit log

Posted on 2014-03-26
585 Views
Last Modified: 2014-04-06
Hello experts, we recently had some suspicious activity on our Exchange 2K7 server and I'd like to further investigate possible issues. I was wondering how I would go about creating an alert or filter so that I am made aware of any other user accounts logging into somebody else's mailbox. Any help would be deeply and gratefully appreciated. Thank you.
Question by: EmpoweredBiz
6 Comments
 
LVL 2

Expert Comment

by: ssmith81
ID: 39958122
Do you have the audit log enabled?
If you enable the audit log, you can find out about message/folder access and all the other activity in Exchange 2007.
Here is a step-by-step process on "how to enable mailbox auditing in Exchange Server".
Further, this link would also be a good approach for granular-level investigation in Exchange Server.
 
LVL 64

Expert Comment

by: btan
ID: 39960577
There is a TechNet article on Mailbox Audit Logging which enables you to log mailbox access by mailbox owners, delegates (including administrators with full access permissions to mailboxes), and administrators. That is probably your first starting point to know what you can do.

In fact, you can go beyond that, as almost all of the configuration information in Exchange is stored in the Active Directory's configuration partition. This partition is replicated between all domain controllers in the entire organization, and the configuration can be changed on any domain controller in the forest. So that can be another indicator, but it can tend to be noisy, especially as you can have "many" domain admins.

Nonetheless, GPO auditing changes on the Exchange Server will be common, like enabling and changing the Default Domain Controller Policy, and this affects domain controllers in each domain. One example is enabling the Audit Policy setting "Audit Directory Service Access" for the domain controllers, not the Exchange Servers, as this enables you to track any successful changes to anything in the configuration partition, including the Exchange configuration. In this case, you will also want to enable auditing of failures to "catch all".

Delving into Exchange System Manager, the two things to look at further on the auditing side are the Mailboxes and Logons objects that are always found under each mailbox store that an admin creates on an Exchange server. Why they are useful is that these objects display "Last Logged on By", showing which account last accessed a particular mailbox. Note that Exchange admins are explicitly denied access to all mailboxes by default in Exchange.

But I thought we should drill into monitoring and listing out the privileges assigned so far: who has the "power", what is "going on" daily, and what the "trend of access" is for these folks, or even ad hoc parties created for that instance or a short interim period.

E.g. we can temporarily increase diagnostics logging for the Logons and Access Control categories for mailboxes. This is normally done in the Exchange System Manager by setting the Logons and Access Control categories to Maximum. This article describes this further. Below are some event IDs to watch out for; they may vary if Exchange is a different version.

Event ID 1016 is essentially self-explanatory when you read the description, in that it means that the specified Windows NT account accessed the specified mailbox but is not the primary account for that mailbox.

Event ID 1013 informs you that the specified user account has opened an additional mailbox.

Event ID 1009 is an indication that the specified user account logged into the specified mailbox.

Event ID 1029 tells you that the specified user/mailbox was unsuccessful in its attempt to access a particular folder from another mailbox.

Also note tools such as the Public Folder Distributed Authoring and Versioning (DAV)-based Administration tool (PFDAVAdmin), which can alter permissions and rights; that account needs to be queried too, especially if it is not the admin delegated to perform such privileges.

There are also other market tools, and it is good to check them out to understand native audit limitations, which are mostly in the details and granularity of checks. See this PDF from Netwrix.
 
LVL 9

Expert Comment

by: SirtenKen
ID: 39969827
ExMon is a tool that lets you see the IP address of each user connected to a mailbox and may help you to determine if suspicious activity is happening "right now".
technet.microsoft.com/en-us/library/bb508855(EXCHG.65).aspx
 
LVL 64

Expert Comment

by: btan
ID: 39970984
Maybe old but useful: How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server.

Also: how to view Windows NT accounts that access mailboxes in Exchange Server.

To view this information, follow these steps:
- Start the Microsoft Exchange Administrator program.
- In the console tree, double-click Servers, right-click the server object, and then click Properties.
- Click the Diagnostic Logging tab, and then in Services, click MSExchangeIS - Private.
- In Categories, click Logons and Access Control, and then set the logging level to Maximum.
- Click OK to apply the settings. You do not have to restart any of the services for event messages to be logged.

Some key event IDs to note:

- Event 1009 message indicates that a Windows NT account has logged into a particular Exchange Server mailbox.

- Event 1013 message indicates that an account has opened its primary mailbox, and that it has opened an additional mailbox.

- Event 1016 message indicates that a Windows NT account accessed an Exchange mailbox, but that it is not the primary account for that mailbox.

- Event 1029 message indicates that a particular mailbox was unable to gain access to a folder after it logged into another mailbox.
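The two btan comments above describe the same procedure: raise diagnostic logging for the Logons and Access Control categories of the private mailbox store, then watch the Application log for events 1009, 1013, 1016 and 1029. The script below is an added example written for this page, not code from the thread or from Microsoft. It does that procedure from the Exchange 2007 Management Shell instead of the GUI and turns the result into the "alert" the question asks for: a table of recent non-owner logons, optionally mailed to an administrator. It assumes the Exchange 2007 category identities are `MSExchangeIS\9000 Private\Logons` and `MSExchangeIS\9000 Private\Access Control` (confirm with `Get-EventLogLevel` before relying on them), that the events are written by the source `MSExchangeIS Mailbox Store`, and that the `-AlertTo`/`-SmtpServer` parameters and the `$watch` table are this example's own names. On Exchange 2007 these diagnostic events are the native option; the per-mailbox audit logging cmdlets (`Set-Mailbox -AuditEnabled`) only arrived with Exchange 2010 SP1.

```powershell
# Added example (not from the thread): enable the diagnostic-logging categories
# described above and report non-owner mailbox logons from the Application log.
# Run in the Exchange 2007 Management Shell on the mailbox server.
# ASSUMPTION: the two category identities below are the Exchange 2007 names;
# verify with: Get-EventLogLevel | Where-Object { $_.Identity -like 'MSExchangeIS\9000 Private*' }
param(
    [int]$HoursBack = 24,                     # how far back to search
    [string]$Server = $env:COMPUTERNAME,      # mailbox server to query
    [string]$AlertTo = '',                    # e.g. 'secops@example.com' (constructed placeholder)
    [string]$SmtpServer = ''                  # needed only when -AlertTo is set
)

# 1. Same as the ESM steps: set Logons and Access Control to the maximum level.
#    'Expert' is the top of the Lowest/Low/Medium/High/Expert scale.
Set-EventLogLevel -Identity 'MSExchangeIS\9000 Private\Logons'         -Level Expert
Set-EventLogLevel -Identity 'MSExchangeIS\9000 Private\Access Control' -Level Expert

# 2. The four event IDs listed in the thread, with a one-line meaning for each.
$watch = @{
    1009 = 'account logged into a mailbox (fires for the owner too; noisy)'
    1013 = 'account opened an additional mailbox'
    1016 = 'NON-PRIMARY account accessed a mailbox'
    1029 = 'folder access denied inside another mailbox'
}

# 3. Pull matching events from the Application log for the chosen window.
$since  = (Get-Date).AddHours(-$HoursBack)
$events = Get-EventLog -LogName Application -Source 'MSExchangeIS Mailbox Store' `
                       -After $since -ComputerName $Server |
          Where-Object { $watch.ContainsKey([int]$_.EventID) }

# 4. Shape the output; New-Object is used so this also runs on PowerShell 1.0/2.0.
$report = $events | ForEach-Object {
    New-Object PSObject -Property @{
        Time    = $_.TimeGenerated
        EventID = $_.EventID
        Meaning = $watch[[int]$_.EventID]
        Message = ($_.Message -replace '\s+', ' ')   # collapse multi-line text
    }
} | Sort-Object Time

# 1016 is the one that answers "somebody else logged into a mailbox"; 1009 alone
# is expected traffic because every owner logon produces it.
$nonOwner = @($report | Where-Object { $_.EventID -eq 1016 -or $_.EventID -eq 1013 })

$report | Format-Table Time, EventID, Meaning, Message -AutoSize -Wrap

# 5. Optional alert: mail the non-owner logons (Send-MailMessage needs PowerShell 2.0+).
if ($AlertTo -and $SmtpServer -and $nonOwner.Count -gt 0) {
    $body = $nonOwner | Format-Table Time, EventID, Message -AutoSize -Wrap | Out-String
    Send-MailMessage -To $AlertTo -From "exchange-audit@$Server" -SmtpServer $SmtpServer `
                     -Subject "$($nonOwner.Count) non-owner mailbox logon(s) on $Server" -Body $body
}
```

Schedule the script hourly (Task Scheduler running the Exchange Management Shell) and set `-HoursBack 1` so each run only covers new events. Leave the logging levels raised only for the investigation window: at Expert level the 1009 events alone can fill the Application log on a busy store, so size the log or drop the levels back afterwards.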
 
LVL 7

Accepted Solution

by: EmpoweredBiz (earned 0 total points)
ID: 39971403
 
LVL 7

Author Closing Comment

by: EmpoweredBiz
ID: 39981026
Did the job I needed