Mailbox Access Auditing with Exchange 2007 SP2
Once you have updated Exchange 2007 to SP2, your Exchange organization is ready for Mailbox Access Auditing.
Who opened my mailbox??
I am sure anyone who has worked on Exchange has enabled Diagnostics logging at least once for troubleshooting purposes. For those who haven't, Diagnostics logging is a feature in Exchange that lets you monitor a particular service by turning on extensive logging, so that every action the service performs is recorded as an event in Event Viewer.
To name a few: if the System Attendant service is not starting, we could enable logging for DSAccess under MSExchangeSA (mad.exe), which is responsible for topology discovery in AD. Similarly we can enable logging for move-mailbox failures, calendar issues, MS Exchange Transport, etc. For auditing purposes we never had anything handy apart from Logons, which come under MSExchangeIS (store.exe). But logons are not gonna tell me anything solid, because if I try to access my CEO's Free/Busy information, it's gonna log an event stating:
Event ID: 1016
Event Source: MSExchangeIS Mailbox Store
Event Type: Success Audit
Event Category: Logons
Description: User Domain\Username logged on to email@example.com mailbox, and is not the primary Windows 2000 account on this mailbox.
If you want to know more about it:
How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server: http://support.microsoft.com/kb/867640
Also, this event does not indicate whether it was the Inbox, the Calendar, or the Contacts folder the user tried to access, or whether the logon was successful or unsuccessful.
Well, the truth is that with E2K3, as an Exchange admin you can still prove with evidence that User A opened User B's mailbox. The process is hectic, but the result is worth the effort. Open the IIS logs on the back-end server and do a "Find" for the alias of the user you suspect of opening someone's mailbox. I have pasted an example below in which you can clearly see that the logged entry states that user meera accessed user ratish's mailbox and read a particular message.
2009-10-12 23:27:49 W3SVC101 188.8.131.52 GET /firstname.lastname@example.org/Sent+Items/RE:+Exchange+2007+KnowHow.EML Cmd=open 80 MSEXCHANGEGURU\meera 184.108.40.206 Exchange-Server-Frontend-Proxy/6.5+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0
On "2009-10-12 at 23:27:49", in "email@example.com's mailbox", the message "RE: Exchange 2007 KnowHow" was accessed by user "MSEXCHANGEGURU\meera", and the request succeeded with HTTP status "200 0 0" (sc-status, sc-substatus and sc-win32-status).
But this is only possible for logons through OWA, since MAPI requests are not logged in the IIS logs. Too much confusion, right??
With E2K7 SP2 in the spotlight, we can now enable diagnostics logging for a specific set of categories and will know who opened what, and when, in the form of a proper event ID.
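The IIS-log approach above can be turned into a repeatable check: the function below (an added example, not code from the original post) reads a W3C log, takes the mailbox owner from the first segment of cs-uri-stem and compares it with the alias in cs-username, and reports every request where they differ. The sample log is constructed for this example, with the field order of the line quoted above, and assumes the Exchange 2003 back-end OWA URL layout /<alias>/<folder>/....

```powershell
# Constructed sample log (not a real capture), in the field order of the line quoted above.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-10-12 23:27:49 W3SVC101 10.0.0.5 GET /ratish/Sent+Items/RE:+Exchange+2007+KnowHow.EML Cmd=open 80 MSEXCHANGEGURU\meera 10.0.0.20 Mozilla/4.0+(compatible) 200 0 0
2009-10-12 23:28:10 W3SVC101 10.0.0.5 GET /meera/Inbox/ Cmd=contents 80 MSEXCHANGEGURU\meera 10.0.0.20 Mozilla/4.0+(compatible) 200 0 0
2009-10-12 23:29:02 W3SVC101 10.0.0.5 GET /ratish/Inbox/Budget.EML Cmd=open 80 MSEXCHANGEGURU\meera 10.0.0.20 Mozilla/4.0+(compatible) 401 2 5
'@

function Find-CrossMailboxAccess {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Read the column order from the header instead of hard-coding it.
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Mailbox owner is the first path segment; the logged account is DOMAIN\alias.
        $owner = ($row['cs-uri-stem'].Trim('/') -split '/')[0]
        $user  = $row['cs-username']
        if (-not $owner -or $user -eq '-') { continue }   # anonymous or no mailbox in path
        $alias = ($user -split '\\')[-1]
        if ($alias -eq $owner) { continue }              # a user reading their own mailbox is normal

        New-Object PSObject -Property @{
            Time      = $row['date'] + ' ' + $row['time']
            User      = $user
            Mailbox   = $owner
            Item      = [uri]::UnescapeDataString(($row['cs-uri-stem'] -replace '\+', ' '))
            Command   = $row['cs-uri-query']
            Status    = $row['sc-status']
            Succeeded = ($row['sc-status'] -eq '200')
        }
    }
}

Find-CrossMailboxAccess -Lines ($sampleLog -split "`r?`n") |
    Format-Table Time, User, Mailbox, Command, Status, Succeeded, Item -AutoSize
```

Against a real log, pass `(Get-Content C:\path\to\ex091012.log)` as the argument; the 401 line shows why the status column matters, since a denied open is still evidence of an attempt.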
Sounds good…. How to set it up??
The main focus is on:
1. Folder Access – logs an event for user activity such as opening folders (the Inbox, Outbox, or Sent Items folders).
2. Message Access – logs events that correspond to explicitly opening messages.
3. Extended Send As – logs events that correspond to sending a message as a mailbox-enabled user.
4. Extended Send on Behalf Of – logs events that correspond to sending a message on behalf of a mailbox-enabled user.
Before I get into the details of how to configure this, let me explain the difference between the Send As and Send on Behalf permissions.
If a message is sent from User A on Behalf of User B, the recipient will see:
1. User A on behalf of User B in the From field –> Send on Behalf permission
2. User B in the From field, even though the message was actually sent by User A –> Send As permission.
Enabling mailbox auditing:
1. Open Server Configuration in EMC
2. Select the mailbox server
3. Right-click and select "Manage Diagnostic Logging Properties"
4. Expand MSExchangeIS (the Information Store)
5. Select 9000 Private
We now have the four options: Folder Access, Message Access, Extended Send As and Extended Send on Behalf Of. Logging is categorized into 5 levels:
1 – Lowest
2 – Low
3 – Medium
4 – High
5 – Expert
At logging level zero (0), nothing is logged.
At logging level one (1), only actions for which the acting user invoked administrative privileges are logged.
At logging levels two (2) and four (4), only access from one mailbox-enabled user to another user's mailbox is logged.
At logging levels three (3) and five (5), access from any user to any mailbox is logged.
Now set the logging level as per your requirement.
Viewing Exchange Auditing logs
Now in Event Viewer, under Applications & Services Logs, we have "Exchange Auditing":
Folder Access – Event ID: 10100
Message Access – Event ID: 10102
Send As – Event ID: 10106
Send On Behalf Of – Event ID: 10104
Below is an example of what a Folder Access event looks like:
Log name: Exchange Auditing
Source: MSExchangeIS Auditing
Event ID: 10100
Task Category: Mailbox Access Auditing
Description: The folder /Inbox in Mailbox ‘UserA’ was opened by user CONTOSO\UserB
Display Name: Inbox
Accessing User: /o=First Organization/ou=Exchange Administrative Group (Exchange)/cn=Recipients/cn=UserB
Administrative Rights: false
Client Information (if Available)
Process Name: OUTLOOK.EXE
Process Id: 0
Application Id: N/A
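Reading these events one by one in Event Viewer does not scale, so here is an added example (not from the original post) that pulls the four audit IDs out of the Exchange Auditing log, drops owners opening their own mailbox, and lists the rest with the Administrative Rights flag. The sample events are constructed in the shape of Get-EventLog output and copy the 10100 text layout shown above; the regex is an assumption for the other three IDs, so events it cannot parse are reported raw instead of dropped.

```powershell
$auditIds = @{ 10100 = 'FolderAccess'; 10102 = 'MessageAccess'; 10104 = 'SendOnBehalf'; 10106 = 'SendAs' }

# Constructed sample events (not real captures) shaped like Get-EventLog output: EventID, TimeGenerated, Message.
# Their text copies the 10100 layout shown above; the real text of the other IDs may differ.
$sampleEvents = @(
    New-Object PSObject -Property @{ EventID = 10100; TimeGenerated = [datetime]'2009-10-12 23:27:49'
        Message = "The folder /Inbox in Mailbox 'UserA' was opened by user CONTOSO\UserB`r`nAdministrative Rights: false`r`nProcess Name: OUTLOOK.EXE" }
    New-Object PSObject -Property @{ EventID = 10100; TimeGenerated = [datetime]'2009-10-12 23:30:00'
        Message = "The folder /Inbox in Mailbox 'UserB' was opened by user CONTOSO\UserB`r`nAdministrative Rights: false`r`nProcess Name: OUTLOOK.EXE" }
    New-Object PSObject -Property @{ EventID = 10102; TimeGenerated = [datetime]'2009-10-12 23:31:15'
        Message = "The message /Inbox/Budget in Mailbox 'UserA' was opened by user CONTOSO\Admin1`r`nAdministrative Rights: true`r`nProcess Name: OUTLOOK.EXE" }
    New-Object PSObject -Property @{ EventID = 10106; TimeGenerated = [datetime]'2009-10-12 23:32:40'
        Message = "Constructed Send As text in a layout this parser does not know" }
)

function Get-CrossMailboxAudit {
    param($Events)
    foreach ($e in $Events) {
        $id = [int]$e.EventID
        if (-not $auditIds.ContainsKey($id)) { continue }
        $m = [regex]::Match($e.Message, "in Mailbox '(?<mailbox>[^']+)' was .*? by user (?<user>\S+)")
        if (-not $m.Success) {
            # Unknown text layout: surface the record rather than silently dropping it.
            New-Object PSObject -Property @{ Time = $e.TimeGenerated; Type = $auditIds[$id]; Mailbox = '?'; User = '?'; Admin = '?'; Raw = $e.Message }
            continue
        }
        $mailbox = $m.Groups['mailbox'].Value
        $user    = $m.Groups['user'].Value
        # Assumption: the quoted mailbox name equals the owner's account alias; adjust if your display names differ.
        if (($user -split '\\')[-1] -eq $mailbox) { continue }
        $admin = [regex]::Match($e.Message, 'Administrative Rights:\s*(\w+)').Groups[1].Value
        New-Object PSObject -Property @{ Time = $e.TimeGenerated; Type = $auditIds[$id]; Mailbox = $mailbox; User = $user; Admin = $admin; Raw = '' }
    }
}

# Offline run on the sample. On a mailbox server replace the argument with
#   (Get-EventLog -LogName 'Exchange Auditing' -After (Get-Date).AddDays(-1))
Get-CrossMailboxAudit $sampleEvents | Sort-Object Time | Format-Table Time, Type, Mailbox, User, Admin, Raw -AutoSize
```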
Excluding an account from Mailbox Auditing:
Get-MailboxDatabase -Identity "server\sg\dbname" | Add-ADPermission -User domain\username -ExtendedRights ms-Exch-Store-Bypass-Access-Auditing -InheritanceType All
Note: restart the Microsoft Exchange Information Store service for these changes to take effect.
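Because an account holding ms-Exch-Store-Bypass-Access-Auditing leaves no 101xx events at all, the exclusion list deserves periodic review alongside the logging levels themselves. The script below is an added example, not from the original post; it assumes the Exchange Management Shell on the mailbox server, that Get-EventLogLevel accepts the "MSExchangeIS\9000 Private\<category>" identity form with -Server, and that the bypass right shows up in the ExtendedRights property of Get-ADPermission output.

```powershell
# Added check (assumptions: run in the Exchange Management Shell on the mailbox server).
$server = $env:COMPUTERNAME

# 1. Current level of the four auditing categories set under "9000 Private" in the EMC.
$categories = 'Folder Access', 'Message Access', 'Extended Send As', 'Extended Send On Behalf Of'
$levels = foreach ($c in $categories) {
    Get-EventLogLevel -Identity "MSExchangeIS\9000 Private\$c" -Server $server -ErrorAction SilentlyContinue
}
$levels | Format-Table Identity, EventLevel -AutoSize
$off = $levels | Where-Object { $_.EventLevel -eq 'Lowest' }
if ($off) {
    Write-Warning ('Auditing is off for: ' + (($off | ForEach-Object { $_.Identity }) -join ', '))
}

# 2. Accounts that bypass auditing on each database (allow ACEs only; deny ACEs do not exclude).
Get-MailboxDatabase -Server $server | ForEach-Object {
    $db = $_
    Get-ADPermission -Identity $db.Identity |
        Where-Object { ($_.ExtendedRights -like '*Bypass-Access-Auditing*') -and -not $_.Deny } |
        Select-Object @{n='Database'; e={ $db.Name }}, User, IsInherited
} | Format-Table -AutoSize
```

An empty second table is the expected result on a server where nobody has been excluded; any row that appears should map to a documented reason (for example a backup or archiving service account).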
Also keep in mind that the Exchange Auditing event log can be a high-traffic log, depending on the server configuration, the logging level enabled and user activity. The recommended practice is therefore to place the Exchange Auditing event log on a dedicated hard disk that has sufficient space and supports fast write operations. The log location can be changed from Event Viewer –> Exchange Auditing –> Properties.