Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Unauthorized log on in MS Exchange 2003

Posted on 2014-04-17
4
Medium Priority
?
306 Views
Last Modified: 2014-05-05
I have a MS exchanger server. In its Application Event Log, there is a sequence of strange events, Event Log ID 1013, 1016 and 10129. Basically, it tells me “user1” logons “user2” email account but failed without appropriate authority. Although I have done some background survey, I can't figure out what user1 did. User1 is a normal user without Administrator right and he is not a technical person.

Furthermore, it is not a single case. I find a similar event on other user.

I wonder there is some false setting on Exchange which causes the warning. If so, I need to find it out and rectify it.

The technical background is : Client - Windows XP with Office 2003. Server - Exchange 2003.
0
Comment
Question by:timothyhung
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40007958
i used to see this before when we had exchange 2003
looks like user1 was trying to access the calendar of user2
i wouldn't make a big deal over it; nothing major
0
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40007997
Event ID 1013 is very much a companion event for event ID 1016. Event ID 1013 informs you that the specified user account has opened an additional mailbox.  ID 1016 is a key event to scan for when reviewing who is accessing other mailboxes

E.g, it can be User1 opened User2’s calendar folder. You normally notice 1013 does not tell you what folders or messages User1 has opened. In other words, you may need to supplement your investigation with additional documentation of exactly what permissions are set on individual mailboxes.

There are indicator such as ID 1009 that is an indication that the specified user account logged into the specified mailbox. And ID 1029  that tells you that the specified user/mailbox was unsuccessful in its attempt to access a particular folder from another mailbox. These are symptom to piece attempts as well to highlight that user accesses
http://support.microsoft.com/kb/274317

To effectively log security changes, you must set the Diagnostic Logging level to Maximum; a lesser setting can cause missed events. You don't need to restart the Directory Services after you enable logging.

These have a good summary of the auditing notes for 2003
http://windowsitpro.com/exchange-server/diagnostics-logging-exchange-server-55
http://exchange-anzy.blogspot.sg/2010/02/auditing-in-exchange-2003.html

But we do want to note limitation of access auditing

- Client programs that do not send the extended client information block generate auditing events that do not populate the client information. These are versions of Outlook that are earlier than Outlook 2003.

- Message Access Auditing cannot detect all the information that is retrieved from a mailbox. This is because access to the folder contents table which is a summary table of commonly used message properties, does not require the user to open a message. The message subject, recipient information, and many basic message properties are part of the message folder table. This information may be read without opening a message and therefore, without generating a message access event.

- If a user is granted the Bypass Auditing extended right, the user is not audited. We may then want to monitor Active Directory ACLs to verify that a user who has Write Security Descriptor access does not grant themselves the Bypass Auditing right.

- Because the diagnostic logging levels control the events that are logged to the Exchange Auditing event log, changing the diagnostic logging level for particular categories may give you unexpected results. For example, certain expected events may no longer be logged. Also, because the Store.exe process cannot identify which user changed the logging levels or even whether the logging levels were changed from an earlier session, the Store.exe process is unable to identify changes to the auditing configuration.

Not a bed of roses to know everything...but in this case, seeing it is not really uncommon just need to make sure those users are the common user and rights for them is legit and access is not done in anomalous timing
0
 

Author Comment

by:timothyhung
ID: 40041490
Thanks breadtan. your information is comprehensive and I think I know what to do next.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New style of hardware planning for Microsoft Exchange server.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question