Auditing Mailbox Access (TechGenix)

Introduction

In every organization, there are always mailboxes with sensitive information. These might be the mailboxes of the CEO, directors, users from the HR or Payroll departments, or simply mailboxes for which you have to perform discovery actions to demonstrate compliance with regulatory or legal requirements. Although administrators are normally not concerned with the content of users' mailboxes, there might be someone less honest who attempts to access someone's mailbox in order to obtain information of value for their own benefit.

Previous versions of Microsoft Exchange did not provide a full range of compliance capabilities. Managed Folders or Journaling simply were not enough to perform basic audits or to be fully compliant with legislation such as the Sarbanes-Oxley Act. Exchange 2010 introduces some welcome new features, including Retention and Litigation Hold, Single Item Recovery or Archiving.

In this article, we will explore yet another new feature introduced in SP1 known as Auditing Mailbox Access, which allows us to record operations on a mailbox such as the deletion or copy of e-mails.

Accessing Mailboxes

Until Exchange 2007 SP2 was released, it was difficult, if not impossible, to provide information regarding who logged on to a certain mailbox or who deleted an e-mail from the shared Service Desk mailbox, for example.

Exchange 2007 SP2 introduced a feature called Mailbox Access Auditing. Although it has a similar name, this is a completely different way of auditing actions on a mailbox, as can be seen in the article on Exchange 2007 Mailbox Access Auditing by Neil Hobson.

With Exchange 2010 SP1 this task has become much easier and more reliable. Administrators can implement Mailbox Auditing and run audit reports to obtain details regarding actions taken on a mailbox.

After enabling audit for one or more mailboxes and configuring the level of detail that we want to capture, audit entries are captured in the Audit subfolder of the Recoverable Items folder (known as Dumpster) and can be interrogated using the Exchange Management Shell (EMS) or the Exchange Control Panel (ECP), as I will demonstrate below.

It is possible to configure 3 levels of auditing:

- Administrative, which audits mailbox moves, imports/exports to and from PSTs, mailbox discovery searches and actions performed using the MFCMAPI tool;
- Owner, where actions taken by the owner of the mailbox are audited;
- Delegates that have the SendAs, SendOnBehalf or FullAccess permission to someone else's mailbox.

The following table shows all the actions that can be audited:

| Action | Description | Admin | Delegate | Owner³ |
|---|---|---|---|---|
| Copy | An e-mail is copied to another folder or to the Personal Archive. | Yes | n/a | n/a |
| Create | An item (excluding folders) is created in the mailbox (a message is sent, for example). | Yes | Yes¹ | Yes |
| FolderBind | A mailbox folder is accessed. | Yes¹ | Yes² | Yes |
| HardDelete | An e-mail is permanently deleted. | Yes¹ | Yes¹ | Yes |
| MessageBind | An e-mail is opened or viewed in the preview pane. | Yes | n/a | n/a |
| Move | An e-mail is moved to another folder. | Yes¹ | Yes | Yes |
| MoveToDeletedItems | An e-mail is deleted. | Yes¹ | Yes | Yes |
| SendAs | An e-mail is sent using SendAs permissions. | Yes | Yes¹ | n/a |
| SendOnBehalf | An e-mail is sent using SendOnBehalf permissions. | Yes¹ | Yes | n/a |
| SoftDelete | An e-mail is deleted from the Deleted Items and moved to the Dumpster. | Yes¹ | Yes¹ | Yes |
| Update | The properties of an item are updated. | Yes¹ | Yes¹ | Yes |

¹ These actions are audited by default.
² FolderBind actions performed by delegates are consolidated, meaning only one log entry is generated per folder access within three hours.
³ As normal users use their mailboxes on a continuous basis, auditing the Owner might not make much sense in most cases, as it would capture a lot of information and generate a high volume of audit entries.

You might be wondering why we have all these options for Admin if only mailbox moves, exports/imports or discovery searches are logged. If you think about it, a mailbox search is nothing more than a FolderBind, followed by a MessageBind and finally a Copy or Move.

Enabling Mailbox Audit Logging

Configuring auditing for mailboxes can only be done using the Set-Mailbox cmdlet. By default no mailbox is enabled for auditing, so let's enable one and check the default configuration, which should match the previous table:

Figure 1: Enabling mailbox audit.

The AuditLogAgeLimit specifies for how long we want to keep these entries in the mailbox. By default, this is set to 90 days. If set to zero 0.

If the default actions are not ideal, we can tweak them to meet our requirements:

Figure 2: Tweaking mailbox audit settings.

How to Access Audit Data

To demonstrate audit logging, I first assigned the account Nuno FullAccess and SendAs permissions to the CEO's mailbox. Then, I logged into the CEO's mailbox, read and deleted a couple of e-mails.

As mentioned previously, audit information is written to the Audit subfolder of the Dumpster, which is hidden from any client, meaning normal users cannot access it. To check if this folder has any logs, we can run the following cmdlet which will show 3.

Figure 3: Checking the Audit folder.

There are three ways available for administrators to search these logs, providing they have Organization Management and Records Management permissions:

- Synchronously, by using the Search-MailboxAuditLog cmdlet, which searches one or more mailboxes and displays the results in the EMS window;
- Asynchronously, by using New-MailboxAuditLogSearch to search one or more mailboxes and send the results by e-mail to the specified recipients in an XML document;
- By using the Auditing tab in the ECP to run auditing reports or export entries from the mailbox audit log.

Let's start with the Search-MailboxAuditLog cmdlet and see if we captured Nuno's actions:

Figure 4: Searching the audit log entries.

Note that because MessageBind is not audited for Delegates, the fact that I read a few e-mails is not audited. We can see that I deleted an e-mail from the Inbox. However, ItemSubject is blank, which means we do not know what e-mail was actually deleted (this also happens for SoftDelete actions). Hopefully this will change in the future.

On the other hand, operations like MessageBind, SendAs or Create log the ItemSubject, as you can see from the screenshot below. It also tells us that the client used was Outlook Web App (OWA). In this case I used the StartDate parameter and refined the search to only show Operations of the type SendAs:

Figure 5: Filtering the results of the search.

Although you can use the Mailboxes parameter to specify more than one mailbox to search, you cannot use ShowDetails together with Mailboxes, which makes the cmdlet not return any useful information. For this reason, you will have to use one of the following methods if you want to search multiple mailboxes at a time.

To test the second search method, we'll use the New-MailboxAuditLogSearch cmdlet to search a couple of mailboxes for any Admin operations and send the results by e-mail to the CEO. Remember that this cmdlet performs an asynchronous search, meaning after you execute it you can close the EMS, as the search is performed behind the scenes (like the New-MoveRequest cmdlet). To achieve this, we run the following cmdlet:

    New-MailboxAuditLogSearch -StartDate <start date> -EndDate <end date> -Mailboxes CEO,Nuno -LogonTypes Admin -StatusMailRecipients <recipient address> -ShowDetails

If no mailboxes are specified, Exchange will perform the search against all mailboxes enabled for auditing.

Once the search is finished, an event 4… is logged in the Application Event Log and an e-mail is sent to the e-mail address or addresses specified in the StatusMailRecipients parameter, which can be distribution groups or external mail-enabled contacts as well. This e-mail contains the search criteria, such as who requested it, the period searched and which mailboxes were searched. Opening the attached XML file will show all the results.

Figure 6: E-mail received by the CEO when the search is finished.

Figure 7: The XML file with the audit results.

As XML files are hard to interpret, you might want to parse it through a graphic formatter or use PowerShell to make it easier to read:

Figure 8: Parsing the XML file using PowerShell.

The final method is basically the first two but performed from the ECP.
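
One way to do the PowerShell parsing of the XML results file described above, as an added example that is not from the original article: it flattens each audit entry into an object and keeps the deletions and send-as actions performed by someone other than the mailbox owner. The XML is constructed sample data, and its element and attribute names (SearchResults, Event, Owner, LastAccessed, Operation, LogonType, LogonUserDisplayName, FolderPathName, ItemSubject, ClientInfoString) as well as the function names are assumptions to adjust to the file Exchange actually sends.

```powershell
# Added example: triage a mailbox audit search result (PowerShell 2.0 compatible).
# Constructed sample; element and attribute names are assumptions about the export.
$sampleXml = @'
<SearchResults>
  <Event Owner="CEO" LastAccessed="2010-08-12T09:14:03" Operation="FolderBind"
         LogonType="Delegate" LogonUserDisplayName="Nuno" FolderPathName="\Inbox"
         ItemSubject="" ClientInfoString="Client=OWA" />
  <Event Owner="CEO" LastAccessed="2010-08-12T09:15:40" Operation="MoveToDeletedItems"
         LogonType="Delegate" LogonUserDisplayName="Nuno" FolderPathName="\Inbox"
         ItemSubject="" ClientInfoString="Client=OWA" />
  <Event Owner="CEO" LastAccessed="2010-08-12T09:18:22" Operation="SendAs"
         LogonType="Delegate" LogonUserDisplayName="Nuno" FolderPathName="\Sent Items"
         ItemSubject="Sample subject" ClientInfoString="Client=OWA" />
  <Event Owner="CEO" LastAccessed="2010-08-12T10:02:11" Operation="HardDelete"
         LogonType="Owner" LogonUserDisplayName="CEO" FolderPathName="\Deleted Items"
         ItemSubject="" ClientInfoString="Client=MSExchangeRPC" />
</SearchResults>
'@

function Get-AuditEvent {
    param([Parameter(Mandatory=$true)][string]$Xml)
    foreach ($e in ([xml]$Xml).SelectNodes('/SearchResults/Event')) {
        $subject = $e.GetAttribute('ItemSubject')
        if (-not $subject) { $subject = '(not logged)' }   # blank for delete operations
        New-Object PSObject -Property @{
            When      = [datetime]$e.GetAttribute('LastAccessed')
            Mailbox   = $e.GetAttribute('Owner')
            User      = $e.GetAttribute('LogonUserDisplayName')
            LogonType = $e.GetAttribute('LogonType')
            Operation = $e.GetAttribute('Operation')
            Folder    = $e.GetAttribute('FolderPathName')
            Subject   = $subject
            Client    = $e.GetAttribute('ClientInfoString')
        }
    }
}

# Keep entries where a delegate or admin deleted items or sent mail as the mailbox.
function Select-NonOwnerAction {
    param([Parameter(ValueFromPipeline=$true)]$Entry,
          [string[]]$Operations = @('HardDelete','SoftDelete','MoveToDeletedItems','SendAs','SendOnBehalf'))
    process {
        if ($Entry.LogonType -ne 'Owner' -and $Operations -contains $Entry.Operation) { $Entry }
    }
}

$flagged = @(Get-AuditEvent -Xml $sampleXml | Select-NonOwnerAction)
$flagged | Sort-Object When | Format-Table When, Mailbox, User, Operation, Folder, Subject, Client -AutoSize
$flagged | Group-Object User, Operation | Format-Table Count, Name -AutoSize   # per-user summary
```

To run it against a real export, pass the file's contents instead of the sample, for example `Get-AuditEvent -Xml ([IO.File]::ReadAllText($path))`, where `$path` points at the saved attachment.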