Solved

Filtering exchange audit log

Posted on 2014-03-26
576 Views
Last Modified: 2014-04-06
Hello experts, we recently had some suspicious activity on our Exchange 2K7 server and I'd like to further investigate possible issues. I was wondering how I would go about creating an alert or filter so that I am made aware of any other user accounts logging into somebody else's mailbox. Any help would be deeply and gratefully appreciated. Thank you.
Question by:EmpoweredBiz
6 Comments
 
LVL 2

Expert Comment

by:ssmith81
ID: 39958122
Do you have the audit log enabled?
If you enable the audit log, you can find out about message/folder access and all the other activity in Exchange 2007.
Here is a step-by-step process on "how to enable mailbox auditing in Exchange Server".
Further, this link would also be a good approach for granular-level investigation in Exchange Server.
 
LVL 64

Expert Comment

by:btan
ID: 39960577
There is a TechNet article on Mailbox Audit Logging which enables you to log mailbox access by mailbox owners, delegates (including administrators with full access permissions to mailboxes), and administrators. That is probably your first starting point to know what you can do.

In fact, you can go beyond that, as almost all of the configuration information in Exchange is stored in Active Directory's configuration partition. This partition is replicated between all domain controllers in the entire organization, and the configuration can be changed on any domain controller in the forest. So that can be another indicator, but it can tend to be noisy, especially when you have "many" domain admins.

Nonetheless, GPO auditing changes on the Exchange server will be common, like enabling and changing the Default Domain Controller Policy, and this affects domain controllers in each domain. One example is enabling the Audit Policy setting "Audit Directory Service Access" for the domain controllers, not the Exchange servers, as this enables you to track any successful changes to anything in the configuration partition, including the Exchange configuration. In this case, you will want to also enable auditing of failures to "catch all".

Delving into Exchange System Manager, the two things to look at further for auditing are the Mailboxes and Logons objects that are always found under each mailbox store that an admin creates on an Exchange server. Why they are useful is that these objects display the "Last Logged on By" field, showing which account last accessed a particular mailbox. Note that Exchange admins are explicitly denied access to all mailboxes by default in Exchange.

But I think we should drill into monitoring and listing out the privileges assigned so far: who has the "power", what is "going on" daily, and what the "trend of access" is for these folks, or even for ad hoc parties created for that instance or for a short interim period.

E.g. we can temporarily increase diagnostics logging for the Logons and Access Control categories for mailboxes. This is normally done in the Exchange System Manager by setting the Logons and Access Control categories to Maximum. This article describes it further. Below are some event IDs to watch out for; they may vary if the Exchange version is different.

Event ID 1016 is essentially self-explanatory when you read the description, in that it means that the specified Windows NT account accessed the specified mailbox but is not the primary account for that mailbox.

Event ID 1013 informs you that the specified user account has opened an additional mailbox.

Event ID 1009 is an indication that the specified user account logged into the specified mailbox.

Event ID 1029 tells you that the specified user/mailbox was unsuccessful in its attempt to access a particular folder from another mailbox.

Also take note of tools such as the Public Folder Distributed Authoring and Versioning (DAV)-based Administration tool (PFDAVAdmin), which can alter permissions and rights; that account needs to be queried too, especially if it is not the admin delegated to perform such privileges.

There are also other market tools, and it is good to check them out to understand the native audit limitations, which are mostly in the details and granularity of the checks. See this PDF from Netwrix.
 
LVL 9

Expert Comment

by:SirtenKen
ID: 39969827
ExMon is a tool that lets you see the IP address of each user connected to a mailbox, and may help you determine if suspicious activity is happening "right now":
technet.microsoft.com/en-us/library/bb508855(EXCHG.65).aspx
 
LVL 64

Expert Comment

by:btan
ID: 39970984
Maybe old but useful: How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server.

Also, how to view Windows NT accounts that access mailboxes in Exchange Server.

To view this information, follow these steps:
-Start the Microsoft Exchange Administrator program.
-In the console tree, double-click Servers, right-click the server object, and then click Properties.
-Click the Diagnostic Logging tab, and then in Services, click MSExchangeIS - Private.
-In Categories, click Logons and Access Control, and then set the logging level to Maximum.
-Click OK to apply the settings. You do not have to restart any of the services for event messages to be logged.

Some key event IDs to note:

-Event 1009 message indicates that a Windows NT account has logged into a particular Exchange Server mailbox

-Event 1013 message indicates that an account has opened its primary mailbox, and that it has opened an additional mailbox.

-Event 1016 message indicates that a Windows NT account accessed an Exchange mailbox, but that it is not the primary account for that mailbox

-Event 1029 message indicates that a particular mailbox was unable to gain access to a folder after it logged into another mailbox.
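The two btan comments above describe the same procedure twice (raise Logons/Access Control diagnostic logging, then read event IDs 1009/1013/1016/1029) and also suggest listing out who holds mailbox privileges. On the asker's Exchange 2007 that is done from the Exchange Management Shell rather than Exchange System Manager. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes the Exchange 2007 EMS cmdlets Set-EventLogLevel, Get-EventLogLevel, Get-Mailbox and Get-MailboxPermission; that MSExchangeIS logon events carry the text "user <account> logged on to <mailbox> mailbox" (the regex is an assumption about that layout); and a placeholder $KnownDelegates list of accounts that are expected to open other people's mailboxes, which you must replace with your own.

```powershell
# Added example for this page (not from the thread). Run in the Exchange 2007
# Management Shell on the mailbox server being investigated.
# 1) raise MSExchangeIS Logons / Access Control diagnostic logging
# 2) list explicit Full Access grants (who has the "power")
# 3) scan the Application log for 1009/1013/1016/1029 and flag 1016 logons
#    by accounts that are not on the known-delegate list

$Server = $env:COMPUTERNAME

# ASSUMPTION / PLACEHOLDER: service or help-desk accounts that legitimately open
# other mailboxes (backup, AV, mobile gateway). Anything else raising 1016 is flagged.
$KnownDelegates = @('CONTOSO\svc-backup', 'CONTOSO\svc-mobile')
$Since = (Get-Date).AddDays(-7)

# --- 1. Diagnostic logging ------------------------------------------------------
# EMS levels are Lowest/Low/Medium/High/Expert; High is the closest equivalent of
# the System Manager "Maximum" setting the thread refers to. Revert to Lowest
# when the investigation is over, as these categories are chatty.
$Categories = @('MSExchangeIS\9000 Private\Logons',
                'MSExchangeIS\9000 Private\Access Control')
foreach ($cat in $Categories) {
    Set-EventLogLevel -Identity $cat -Level High
}
# Confirm the change took effect
$Categories | ForEach-Object { Get-EventLogLevel -Identity $_ }

# --- 2. Who currently holds explicit Full Access? ----------------------------
# -not IsInherited drops the store/organisation-level ACEs; NT AUTHORITY\SELF is the
# owner, so only real delegates are left. Compare this list against the 1016 hits.
Write-Output "== Explicit Full Access grants on $Server =="
Get-Mailbox -Server $Server -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        ($_.AccessRights -contains 'FullAccess') -and
        (-not $_.IsInherited) -and
        ("$($_.User)" -notlike 'NT AUTHORITY\*')
    } |
    Select-Object Identity, User, Deny |
    Sort-Object Identity |
    Format-Table -AutoSize

# --- 3. Scan the Application log for the four logon events -------------------
$Watch = @{ 1009 = 'account logged on to mailbox'
            1013 = 'account opened an additional mailbox'
            1016 = 'NON-PRIMARY account logged on to mailbox'
            1029 = 'folder access denied after cross-mailbox logon' }

Write-Output "== MSExchangeIS logon events since $Since =="
$hits = Get-EventLog -LogName Application |
    Where-Object {
        $_.Source -eq 'MSExchangeIS' -and
        $Watch.ContainsKey([int]$_.EventID) -and
        $_.TimeGenerated -gt $Since
    }

foreach ($e in $hits) {
    # ASSUMPTION about the event text: "... user DOMAIN\account logged on to
    # Mailbox Name mailbox ...". Adjust the pattern if your events differ.
    if ($e.Message -match 'user (?<who>\S+) logged on to (?<box>.+?) mailbox') {
        $who = $Matches['who']; $box = $Matches['box']
    } else {
        $who = '?'; $box = '?'
    }

    # 1016 is the event the asker cares about: someone other than the owner got in.
    $flag = ''
    if (([int]$e.EventID -eq 1016) -and ($KnownDelegates -notcontains $who)) {
        $flag = '   <== REVIEW: not a known delegate'
    }

    '{0:u}  {1}  {2,-48}  {3} -> {4}{5}' -f `
        $e.TimeGenerated, $e.EventID, $Watch[[int]$e.EventID], $who, $box, $flag
}
```

Work the output from the bottom up: a flagged 1016 line names an account and a mailbox; check that pair against the Full Access list from step 2. An account that appears in the events but holds no explicit grant got in through an inherited right, a group membership or a permission that has since been removed, which is exactly the trail the thread suggests following. Without a SIEM you can schedule this script and have it e-mail the flagged lines, which gives the asker the "alert" they wanted; in every case set the two categories back to Lowest afterwards.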
 
LVL 7

Accepted Solution

by: EmpoweredBiz (earned 0 total points)
ID: 39971403
 
LVL 7

Author Closing Comment

by:EmpoweredBiz
ID: 39981026
Did the job I needed

Question has a verified solution.
