Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Unauthorized log on in MS Exchange 2003

Posted on 2014-04-17
4
Medium Priority
?
309 Views
Last Modified: 2014-05-05
I have a MS exchanger server. In its Application Event Log, there is a sequence of strange events, Event Log ID 1013, 1016 and 10129. Basically, it tells me “user1” logons “user2” email account but failed without appropriate authority. Although I have done some background survey, I can't figure out what user1 did. User1 is a normal user without Administrator right and he is not a technical person.

Furthermore, it is not a single case. I find a similar event on other user.

I wonder there is some false setting on Exchange which causes the warning. If so, I need to find it out and rectify it.

The technical background is : Client - Windows XP with Office 2003. Server - Exchange 2003.
0
Comment
Question by:timothyhung
3 Comments
 
LVL 36

Expert Comment

by:Seth Simmons
ID: 40007958
i used to see this before when we had exchange 2003
looks like user1 was trying to access the calendar of user2
i wouldn't make a big deal over it; nothing major
0
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40007997
Event ID 1013 is very much a companion event for event ID 1016. Event ID 1013 informs you that the specified user account has opened an additional mailbox.  ID 1016 is a key event to scan for when reviewing who is accessing other mailboxes

E.g, it can be User1 opened User2’s calendar folder. You normally notice 1013 does not tell you what folders or messages User1 has opened. In other words, you may need to supplement your investigation with additional documentation of exactly what permissions are set on individual mailboxes.

There are indicator such as ID 1009 that is an indication that the specified user account logged into the specified mailbox. And ID 1029  that tells you that the specified user/mailbox was unsuccessful in its attempt to access a particular folder from another mailbox. These are symptom to piece attempts as well to highlight that user accesses
http://support.microsoft.com/kb/274317

To effectively log security changes, you must set the Diagnostic Logging level to Maximum; a lesser setting can cause missed events. You don't need to restart the Directory Services after you enable logging.

These have a good summary of the auditing notes for 2003
http://windowsitpro.com/exchange-server/diagnostics-logging-exchange-server-55
http://exchange-anzy.blogspot.sg/2010/02/auditing-in-exchange-2003.html

But we do want to note limitation of access auditing

- Client programs that do not send the extended client information block generate auditing events that do not populate the client information. These are versions of Outlook that are earlier than Outlook 2003.

- Message Access Auditing cannot detect all the information that is retrieved from a mailbox. This is because access to the folder contents table which is a summary table of commonly used message properties, does not require the user to open a message. The message subject, recipient information, and many basic message properties are part of the message folder table. This information may be read without opening a message and therefore, without generating a message access event.

- If a user is granted the Bypass Auditing extended right, the user is not audited. We may then want to monitor Active Directory ACLs to verify that a user who has Write Security Descriptor access does not grant themselves the Bypass Auditing right.

- Because the diagnostic logging levels control the events that are logged to the Exchange Auditing event log, changing the diagnostic logging level for particular categories may give you unexpected results. For example, certain expected events may no longer be logged. Also, because the Store.exe process cannot identify which user changed the logging levels or even whether the logging levels were changed from an earlier session, the Store.exe process is unable to identify changes to the auditing configuration.

Not a bed of roses to know everything...but in this case, seeing it is not really uncommon just need to make sure those users are the common user and rights for them is legit and access is not done in anomalous timing
0
 

Author Comment

by:timothyhung
ID: 40041490
Thanks breadtan. your information is comprehensive and I think I know what to do next.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With more and more companies allowing their employees to work remotely, it begs the question: What are some of the security risks involved with remote employees and what actions should we take to secure them?
In this article, I will demonstrate that how to do a PST migration from Exchange Server to Office 365. This method allows importing one single PST, or multiple PST's at once.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question