Solved

Unauthorized log on in MS Exchange 2003

Posted on 2014-04-17
4
302 Views
Last Modified: 2014-05-05
I have a MS exchanger server. In its Application Event Log, there is a sequence of strange events, Event Log ID 1013, 1016 and 10129. Basically, it tells me “user1” logons “user2” email account but failed without appropriate authority. Although I have done some background survey, I can't figure out what user1 did. User1 is a normal user without Administrator right and he is not a technical person.

Furthermore, it is not a single case. I find a similar event on other user.

I wonder there is some false setting on Exchange which causes the warning. If so, I need to find it out and rectify it.

The technical background is : Client - Windows XP with Office 2003. Server - Exchange 2003.
0
Comment
Question by:timothyhung
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40007958
i used to see this before when we had exchange 2003
looks like user1 was trying to access the calendar of user2
i wouldn't make a big deal over it; nothing major
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40007997
Event ID 1013 is very much a companion event for event ID 1016. Event ID 1013 informs you that the specified user account has opened an additional mailbox.  ID 1016 is a key event to scan for when reviewing who is accessing other mailboxes

E.g, it can be User1 opened User2’s calendar folder. You normally notice 1013 does not tell you what folders or messages User1 has opened. In other words, you may need to supplement your investigation with additional documentation of exactly what permissions are set on individual mailboxes.

There are indicator such as ID 1009 that is an indication that the specified user account logged into the specified mailbox. And ID 1029  that tells you that the specified user/mailbox was unsuccessful in its attempt to access a particular folder from another mailbox. These are symptom to piece attempts as well to highlight that user accesses
http://support.microsoft.com/kb/274317

To effectively log security changes, you must set the Diagnostic Logging level to Maximum; a lesser setting can cause missed events. You don't need to restart the Directory Services after you enable logging.

These have a good summary of the auditing notes for 2003
http://windowsitpro.com/exchange-server/diagnostics-logging-exchange-server-55
http://exchange-anzy.blogspot.sg/2010/02/auditing-in-exchange-2003.html

But we do want to note limitation of access auditing

- Client programs that do not send the extended client information block generate auditing events that do not populate the client information. These are versions of Outlook that are earlier than Outlook 2003.

- Message Access Auditing cannot detect all the information that is retrieved from a mailbox. This is because access to the folder contents table which is a summary table of commonly used message properties, does not require the user to open a message. The message subject, recipient information, and many basic message properties are part of the message folder table. This information may be read without opening a message and therefore, without generating a message access event.

- If a user is granted the Bypass Auditing extended right, the user is not audited. We may then want to monitor Active Directory ACLs to verify that a user who has Write Security Descriptor access does not grant themselves the Bypass Auditing right.

- Because the diagnostic logging levels control the events that are logged to the Exchange Auditing event log, changing the diagnostic logging level for particular categories may give you unexpected results. For example, certain expected events may no longer be logged. Also, because the Store.exe process cannot identify which user changed the logging levels or even whether the logging levels were changed from an earlier session, the Store.exe process is unable to identify changes to the auditing configuration.

Not a bed of roses to know everything...but in this case, seeing it is not really uncommon just need to make sure those users are the common user and rights for them is legit and access is not done in anomalous timing
0
 

Author Comment

by:timothyhung
ID: 40041490
Thanks breadtan. your information is comprehensive and I think I know what to do next.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
With the rising number of cyber attacks in recent years, keeping your personal data safe has become more important than ever. The tips outlined in this article will help you keep your identitfy safe.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question