Solved

Unauthorized log on in MS Exchange 2003

Posted on 2014-04-17
Last Modified: 2014-05-05
I have an MS Exchange server. In its Application Event Log, there is a sequence of strange events, Event Log IDs 1013, 1016 and 10129. Basically, it tells me that “user1” logged on to “user2”'s email account but failed, without appropriate authority. Although I have done some background survey, I can't figure out what user1 did. User1 is a normal user without Administrator rights and he is not a technical person.

Furthermore, it is not a single case. I found a similar event for another user.

I wonder whether there is some wrong setting on Exchange which causes the warning. If so, I need to find it out and rectify it.

The technical background is: Client - Windows XP with Office 2003. Server - Exchange 2003.
Question by: timothyhung

Expert Comment
Expert Comment

by: Seth Simmons
ID: 40007958
I used to see this before when we had Exchange 2003.
Looks like user1 was trying to access the calendar of user2.
I wouldn't make a big deal over it; nothing major.

Accepted Solution

by: btan (earned 500 total points)
ID: 40007997
Event ID 1013 is very much a companion event for event ID 1016. Event ID 1013 informs you that the specified user account has opened an additional mailbox. ID 1016 is a key event to scan for when reviewing who is accessing other mailboxes.

E.g., it can be that User1 opened User2’s calendar folder. You will normally notice that 1013 does not tell you what folders or messages User1 has opened. In other words, you may need to supplement your investigation with additional documentation of exactly what permissions are set on individual mailboxes.

There are indicators such as ID 1009, which indicates that the specified user account logged into the specified mailbox, and ID 1029, which tells you that the specified user/mailbox was unsuccessful in its attempt to access a particular folder from another mailbox. These are symptoms to piece attempts together, as well as to highlight user accesses:
http://support.microsoft.com/kb/274317

To effectively log security changes, you must set the Diagnostic Logging level to Maximum; a lesser setting can cause missed events. You don't need to restart the Directory Services after you enable logging.

These have a good summary of the auditing notes for 2003:
http://windowsitpro.com/exchange-server/diagnostics-logging-exchange-server-55
http://exchange-anzy.blogspot.sg/2010/02/auditing-in-exchange-2003.html

But we do want to note the limitations of access auditing:

- Client programs that do not send the extended client information block generate auditing events that do not populate the client information. These are versions of Outlook that are earlier than Outlook 2003.

- Message Access Auditing cannot detect all the information that is retrieved from a mailbox. This is because access to the folder contents table, which is a summary table of commonly used message properties, does not require the user to open a message. The message subject, recipient information, and many basic message properties are part of the message folder table. This information may be read without opening a message and therefore without generating a message access event.

- If a user is granted the Bypass Auditing extended right, the user is not audited. We may then want to monitor Active Directory ACLs to verify that a user who has Write Security Descriptor access does not grant themselves the Bypass Auditing right.

- Because the diagnostic logging levels control the events that are logged to the Exchange Auditing event log, changing the diagnostic logging level for particular categories may give you unexpected results. For example, certain expected events may no longer be logged. Also, because the Store.exe process cannot identify which user changed the logging levels or even whether the logging levels were changed from an earlier session, the Store.exe process is unable to identify changes to the auditing configuration.

Not a bed of roses to know everything... but in this case, seeing it is not really uncommon; just need to make sure those users are common users, the rights for them are legit, and access is not done at anomalous times.
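As an added example, not part of this thread or of Exchange's own tooling, here is the review btan describes applied to constructed rows exported from the Application log: it groups 1013/1016/1029 events by account and mailbox, skips logons to a user's own mailbox, and flags pairs with after-hours cross-mailbox access or repeated 1029 failures. The row layout, field names and the business-hours window are assumptions.

```python
# Added example (not from the original thread): triage of exported Exchange 2003
# mailbox-access events. Event IDs follow the accepted answer: 1016 (account
# logged on to another user's mailbox), 1013 (additional mailbox opened),
# 1009 (logon to the user's own mailbox), 1029 (failed folder access in another
# mailbox). Row layout and field order are assumptions for exported log rows.
from collections import Counter, defaultdict
from datetime import datetime

CROSS_MAILBOX = {1013, 1016}
FAILED_ACCESS = 1029
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 counts as normal

# Constructed sample rows: (timestamp, event id, account, mailbox touched)
SAMPLE_EVENTS = [
    ("2014-04-15 09:12:00", 1009, "CORP\\user1", "user1"),
    ("2014-04-15 09:15:00", 1016, "CORP\\user1", "user2"),
    ("2014-04-15 09:15:01", 1013, "CORP\\user1", "user2"),
    ("2014-04-15 09:15:03", 1029, "CORP\\user1", "user2"),
    ("2014-04-15 23:40:00", 1016, "CORP\\user3", "ceo"),
    ("2014-04-15 23:41:00", 1029, "CORP\\user3", "ceo"),
    ("2014-04-15 23:42:00", 1029, "CORP\\user3", "ceo"),
    ("2014-04-15 23:43:00", 1029, "CORP\\user3", "ceo"),
]

def parse(rows):
    """Turn exported rows into (datetime, event id, account, mailbox) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, mbx)
            for ts, eid, acct, mbx in rows]

def triage(rows):
    """Return {(account, mailbox): Counter(cross, after_hours, failed)} for
    every account that touched a mailbox other than its own."""
    report = defaultdict(Counter)
    for when, eid, acct, mbx in parse(rows):
        if acct.split("\\")[-1].lower() == mbx.lower():
            continue  # primary-mailbox logon (1009): nothing to review
        key = (acct, mbx)
        if eid in CROSS_MAILBOX:
            report[key]["cross"] += 1
            if when.hour not in BUSINESS_HOURS:
                report[key]["after_hours"] += 1
        elif eid == FAILED_ACCESS:
            report[key]["failed"] += 1
    return dict(report)

def suspicious(report, failure_threshold=3):
    """Pairs worth a closer look: any after-hours access, or repeated 1029s."""
    return sorted(k for k, c in report.items()
                  if c["after_hours"] or c["failed"] >= failure_threshold)
```

Pairs that only show daytime 1016/1013 events with legitimate delegate rights, like user1 on user2 here, are left for manual permission review rather than flagged.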
Author Comment

by: timothyhung
ID: 40041490
Thanks breadtan. Your information is comprehensive and I think I know what to do next.