Establishing mailbox audit trails on Microsoft Exchange Server

An Exchange administrator recently posed the following question to SearchExchange.com resident spam and security expert, Richard Luckett:

"How do I establish audit trails on access to certain Exchange 2003 mailboxes? I want to be able to see if permissions change on a mailbox, or if administration staff is accessing the mailbox itself."

As you allude to in your question, it takes a change in permission to get access to a mailbox. Per Microsoft, administrators are explicitly denied access to all mailboxes except their own on Exchange 2000 and 2003. You should watch out for non-administrator accounts.

Mailbox permissions are stored in Active Directory, so the audit needs to be performed on a domain controller, not an Exchange server.

By default, Audit account management is enabled in the Default Domain Controllers group policy for both Success and Failure events. Event 642 is generated when a user account is changed. Event 668 is generated when a group object is changed.

You might also want to enable Audit object access in the Default Domain Controllers group policy object. Then you can enable auditing on the user/mailbox objects themselves.

Auditing of users/mailboxes is configured under the Advanced security settings of the user object. A good object access to audit is successful and failed Modify permissions access.

Exchange also does some auditing of its own. If someone accesses a mailbox, and they are not the primary NT account, Event 1016 will be generated in the application log. See: How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server.

To defend against these actions, you should understand how permissions would need to be changed in the first place. Read: How to assign service account access to all mailboxes in Exchange Server 2003.
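The three event IDs named above live in two different logs on two different machines, so a practical check pulls them together into one timeline. The following PowerShell is an added example, not part of the original tip or of any Microsoft tooling; the server names, lookback window and service-account allowlist are assumptions, and the event IDs are the Windows 2000/2003 ones the tip cites.

```powershell
# Added example (not from the tip): collect the audit events the tip names from the
# domain controller and the Exchange server and print them as one timeline.
# Reading the DC Security log needs "Manage auditing and security log" rights.
$DomainController = 'DC01'                      # assumed name
$ExchangeServer   = 'EXCH01'                    # assumed name
$Since            = (Get-Date).AddDays(-7)      # assumed lookback window
# Accounts that legitimately open other users' mailboxes (backup/antivirus
# service accounts, see the tip's last link). Their 1016 events are still
# listed, but marked Expected so they do not drown out real findings.
$KnownServiceAccounts = @('CONTOSO\svc-backup') # assumed/constructed value

# 642 = user account changed, 668 = group object changed (Audit account
# management, Success and Failure). Filtering client-side is slow on a large
# Security log; add -Newest to bound the read if needed.
$adChanges = Get-EventLog -ComputerName $DomainController -LogName Security -After $Since |
    Where-Object { @(642, 668) -contains $_.EventID } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time     = $_.TimeGenerated
            Source   = $DomainController
            EventID  = $_.EventID
            Actor    = $_.UserName
            Expected = $false
            Detail   = ($_.Message -split "`r?`n")[0]
        }
    }

# 1016 = a Windows account other than the mailbox owner's primary account
# logged on to the mailbox. The accessing account and the mailbox are in the
# message text, so the allowlist is matched against the message, not a field.
$mailboxAccess = Get-EventLog -ComputerName $ExchangeServer -LogName Application -After $Since |
    Where-Object { $_.EventID -eq 1016 } |
    ForEach-Object {
        $msg = $_.Message
        $known = @($KnownServiceAccounts | Where-Object { $msg -like "*$_*" })
        New-Object PSObject -Property @{
            Time     = $_.TimeGenerated
            Source   = $ExchangeServer
            EventID  = $_.EventID
            Actor    = '(see Detail)'
            Expected = ($known.Count -gt 0)
            Detail   = ($msg -split "`r?`n")[0]
        }
    }

$timeline = @($adChanges) + @($mailboxAccess) | Sort-Object Time
$timeline | Format-Table Time, Source, EventID, Actor, Expected, Detail -AutoSize
$timeline | Export-Csv -Path '.\mailbox-audit.csv' -NoTypeInformation
```

A permission change (642/668) on a mailbox owner's account shortly followed by a non-owner 1016 on that mailbox is the pattern worth reviewing first; the CSV keeps the evidence with timestamps from both servers.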


This was first published in August 2005
