Solved

Unauthorized log on in MS Exchange 2003

Posted on 2014-04-17
4
296 Views
Last Modified: 2014-05-05
I have a MS exchanger server. In its Application Event Log, there is a sequence of strange events, Event Log ID 1013, 1016 and 10129. Basically, it tells me “user1” logons “user2” email account but failed without appropriate authority. Although I have done some background survey, I can't figure out what user1 did. User1 is a normal user without Administrator right and he is not a technical person.

Furthermore, it is not a single case. I find a similar event on other user.

I wonder there is some false setting on Exchange which causes the warning. If so, I need to find it out and rectify it.

The technical background is : Client - Windows XP with Office 2003. Server - Exchange 2003.
0
Comment
Question by:timothyhung
4 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40007958
i used to see this before when we had exchange 2003
looks like user1 was trying to access the calendar of user2
i wouldn't make a big deal over it; nothing major
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40007997
Event ID 1013 is very much a companion event for event ID 1016. Event ID 1013 informs you that the specified user account has opened an additional mailbox.  ID 1016 is a key event to scan for when reviewing who is accessing other mailboxes

E.g, it can be User1 opened User2’s calendar folder. You normally notice 1013 does not tell you what folders or messages User1 has opened. In other words, you may need to supplement your investigation with additional documentation of exactly what permissions are set on individual mailboxes.

There are indicator such as ID 1009 that is an indication that the specified user account logged into the specified mailbox. And ID 1029  that tells you that the specified user/mailbox was unsuccessful in its attempt to access a particular folder from another mailbox. These are symptom to piece attempts as well to highlight that user accesses
http://support.microsoft.com/kb/274317

To effectively log security changes, you must set the Diagnostic Logging level to Maximum; a lesser setting can cause missed events. You don't need to restart the Directory Services after you enable logging.

These have a good summary of the auditing notes for 2003
http://windowsitpro.com/exchange-server/diagnostics-logging-exchange-server-55
http://exchange-anzy.blogspot.sg/2010/02/auditing-in-exchange-2003.html

But we do want to note limitation of access auditing

- Client programs that do not send the extended client information block generate auditing events that do not populate the client information. These are versions of Outlook that are earlier than Outlook 2003.

- Message Access Auditing cannot detect all the information that is retrieved from a mailbox. This is because access to the folder contents table which is a summary table of commonly used message properties, does not require the user to open a message. The message subject, recipient information, and many basic message properties are part of the message folder table. This information may be read without opening a message and therefore, without generating a message access event.

- If a user is granted the Bypass Auditing extended right, the user is not audited. We may then want to monitor Active Directory ACLs to verify that a user who has Write Security Descriptor access does not grant themselves the Bypass Auditing right.

- Because the diagnostic logging levels control the events that are logged to the Exchange Auditing event log, changing the diagnostic logging level for particular categories may give you unexpected results. For example, certain expected events may no longer be logged. Also, because the Store.exe process cannot identify which user changed the logging levels or even whether the logging levels were changed from an earlier session, the Store.exe process is unable to identify changes to the auditing configuration.

Not a bed of roses to know everything...but in this case, seeing it is not really uncommon just need to make sure those users are the common user and rights for them is legit and access is not done in anomalous timing
0
 

Author Comment

by:timothyhung
ID: 40041490
Thanks breadtan. your information is comprehensive and I think I know what to do next.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
An analysis of the phishing scam that has been affecting Google users, along with steps to take for protection, as well as what to do if you receive one of the emails.
The viewer will learn how to simulate a series of coin tosses with the rand() function and learn how to make these “tosses” depend on a predetermined probability. Flipping Coins in Excel: Enter =RAND() into cell A2: Recalculate the random variable…
The view will learn how to download and install SIMTOOLS and FORMLIST into Excel, how to use SIMTOOLS to generate a Monte Carlo simulation of 30 sales calls, and how to calculate the conditional probability based on the results of the Monte Carlo …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now