An Exchange administrator recently posed the following question to SearchExchange.com resident spam and security expert, Richard Luckett:
"How do I establish audit trails on access to certain Exchange 2003 mailboxes? I want to be able to see if permissions change on a mailbox, or if administration staff is accessing the mailbox itself."
As you allude to in your question, it takes a change in permission to get access to a mailbox. Per Microsoft, administrators are explicitly denied access to all mailboxes except their own on Exchange 2000 and 2003. You should watch out for non-administrator accounts.
Mailbox permissions are stored in Active Directory, so the audit needs to be performed on a domain controller, not an Exchange server.
By default Audit account management is enabled on the Default domain controller's group policy for both Success and Failure events. Event 642 is generated when a user account is changed. Event 668 is generated when a group object is changed.
You might also want to enable Audit object access on the Default domain controller's group policy object. Then you can enable auditing on the user/mailbox objects themselves.
Auditing of users/mailboxes is configured under the Advanced security settings for the user object. A good object access for you to audit would be the successful and failed Modify permissions access.
Exchange also does some auditing of its own. If someone accesses a mailbox, and they are not the primary NT account, Event 1016 will be generated in the application log. See: How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server.
To defend against these actions, you should understand how permissions would need to be changed in the first place. Read: How to assign service account access to all mailboxes in Exchange Server 2003.
Do you have comments on this tip? Let us know.