Establishing mailbox audit trails on Microsoft Exchange Server

Our spam and security expert explains how to audit Microsoft Exchange Server mailbox permissions in Active Directory.

An Exchange administrator recently posed the following question to SearchExchange.com resident spam and security expert, Richard Luckett:

"How do I establish audit trails on access to certain Exchange 2003 mailboxes? I want to be able to see if permissions change on a mailbox, or if administration staff is accessing the mailbox itself."

As you allude to in your question, it takes a change in permission to get access to a mailbox. Per Microsoft, administrators are explicitly denied access to all mailboxes except their own on Exchange 2000 and 2003. You should watch out for non-administrator accounts.

Mailbox permissions are stored in Active Directory, so the audit needs to be performed on a domain controller, not an Exchange server.

By default Audit account management is enabled on the Default domain controller's group policy for both Success and Failure events. Event 642 is generated when a user account is changed. Event 668 is generated when a group object is changed.

You might also want to enable Audit object access on the Default domain controller's group policy object. Then you can enable auditing on the user/mailbox objects themselves.

Auditing of users/mailboxes is configured under the Advanced security settings for the user object. A good object access for you to audit would be the successful and failed Modify permissions access.

Exchange also does some auditing of its own. If someone accesses a mailbox, and they are not the primary NT account, Event 1016 will be generated in the application log. See: How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server.

To defend against these actions, you should understand how permissions would need to be changed in the first place. Read: How to assign service account access to all mailboxes in Exchange Server 2003.

Do you have comments on this tip? Let us know.

This was first published in August 2005

Dig deeper on Microsoft Exchange Server Monitoring and Logging

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchWindowsServer

SearchEnterpriseDesktop

SearchCloudComputing

SearchSQLServer

Close