This is another popular doc. I have seen it at a number of customers blown to A0 size and mounted on a wall!
You can get it here: http://files.flaphead.dns2go.com/exchange_2000_Message_Flow_v1.4.zip
It still applies to Exchange 2003, but NOT Exchange 2007.
You can get the Exchange 2007 Exchange2007_EdgeTransportRoleArchitecture and Exchange2007_HubTransportRoleArchitecture ones here: http://www.microsoft.com/downloads/details.aspx?FamilyID=612f811d-2953-4c08-945e-833c17150083&DisplayLang=en
I have been asked for this a few times, so I have posted it here:
http://files.flaphead.dns2go.com/exchange_2003_SMTP_filtering_flow.zip
I knocked this up a while back and was expecting it to be put on the msexchangeteam blog, but it didn’t appear. So here it is instead ;-) I have only tried this on Exchange 2003. In the next month or so I will get a chance to see what Exchange 2007 does. Enjoy and let me know what you think. Hope it helps anyway!
UPDATE: You can download the word document here: http://files.flaphead.dns2go.com/auditing_exchange.zip
Auditing has become an essential part of Exchange management. In any Exchange deployment, it is critical to understand what changes to the Exchange topology are taking place to ease troubleshooting efforts and to document changes in your environment. Exchange does not directly have its own internal auditing, but relies on the auditing in Active Directory due to the fact that all configuration data for Exchange is stored there. This auditing information is stored in the SACL for each object in Active Directory.
The AD Security Part 1 document located at http://www.microsoft.com/downloads/details.aspx?FamilyID=f937a913-f26e-49b5-a21e-20ba5930238d&displaylang=en explains how to audit Active Directory as a whole. Exchange on the other hand, requires its own auditing to track any Deletions, Creations, or Modifications of any object within your Exchange Organization.
Proactively enabling auditing before a major incident within the organisation will not only save time and money in investigating issues, removing one or more administrators from daily operations, but maintain business continuity while an investigating is underway.
With Exchange you need to audit in potentially three places. The Active Directory, each Exchange Database Store and the local Exchange server. Each has a different place to enable auditing and a limited selection of things you can actually audit.
NOTE: Logging you can’t actually prove that someone has done something wrong. It can really only be used to indicate something is not right and needs to be investigated further
This document outlines how to enable auditing in Active Directory to log when a user or administrator creates/deletes/modifies an Exchange System object
The Active Directory (AD) contains all the configuration data that Exchange will use. You can configure Auditing in Windows using Group Polices and the Audit Policy.
You should enable Success and Failure for Audit directory service access
To Enable Auditing for the Exchange container in Active Directory do the following:
1. Open up the Domain Controller Security Policy
a. Click on Start; Administrative Tools; Domain Controller Security Policy
2. Expand Local Policies and Select Audit Policies
3. Right click on Audit Directory Service Access and select properties
4. Make sure the following are checked:
a. Define these policy settings
b. Success
c. Failure
5. Click Apply and then OK
6. Do the same for Audit policy change
Note: The below audit settings will generate the majority of the events for changed and deleted objects within the Exchange Configuration Container in Active Directory. This requires that inheritance is set properly for every configuration object under the Services/Microsoft Exchange container. The table following this section shows the available auditing options to track newly created Exchange objects as the baseline auditing does not log most creations of Exchange objects.
1. Start ADSIEdit, and then connect to the domain controller that you want to view.
2. Connect to the configuration container, and then browse to the following level:
CN=Services. Right Click on Microsoft Exchange and then click Properties.
3. Click the Security tab, click Advanced, click the Auditing tab, click Add, enter Everyone for the object and then click OK.
4. Under the Successful column, Check the following object access auditing.
Write All Properties
Delete
Delete Subtree
Modify Permissions
Modify Owner
All Validated Writes
All Extended Writes
Create All Child Objects
Delete All Child Objects
NOTE: The rest of the objects in the list should now be checked
5. Repeat for the failed column
6. Click OK and then OK again.
Now you can test with this Exchange System Manager. Change something. On a GC you should see something similar to this in the Security Log:
Event Type: Success Audit
Event Source: SecurityEvent Category: Directory Service Access
Event ID: 566
Date: 20/07/2006
Time: 14:52:56
User: CONTOSOAdministrator
Computer: GC
Description:Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: msExchOmaConfigurationContainer
Object Name: CN=Outlook Mobile Access,CN=Global Settings,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=comHandle ID: –
Primary User Name: GC$
Primary Domain: CONTOSO
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: CONTOSO
Client Logon ID: (0x0,0x5BF2F)
Accesses: Write Property
Properties:Write Property
Public Information
msExchOmaAdminWirelessEnable
Default property set
msExchOmaExtendedProperties
msExchOmaConfigurationContainerAdditional Info:
Additional Info2:
Access Mask: 0x20
Having enabled auditing for the Exchange configuration changes in the Active Directory we can do similar within user. As an example, the user auditing will allow administrators to capture permission changes made at a mailbox level.
Auditing user changes is easier to enable it on a per OU basis. This can accomplished using AD Users & Co
mputers. Navigate to the OU you want to enable auditing on and right click on it and select properties. Now follow from step 9 in the Active Directory session above
Exchange auditing will record access of a mailbox by an account which is not the primary account for the mailbox.
867640 How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server [http://support.microsoft.com/kb/867640]
In addition to this you can also log the NT User account that attempted to access the mailbox. Again this KB Explain how to enable this:
274317 XADM: How to View Windows NT Accounts that Access Mailboxes in Exchange Server [http://support.microsoft.com/kb/274317/]
Once enabled if someone tries to open a mailbox and they are not allowed to, you will get:
Event Type: Warning
Event Source: MSExchangeIS Mailbox Store
Event Category: Access Control
Event ID: 1029
Date: 20/07/2006
Time: 15:15:17
User: N/A
Computer: BE
Description:twoman@contoso.com failed an operation because the user did not have the following access rights:
‘Delete’ ‘Read Property’ ‘Write Property’ ‘Create Message’ ‘View Item’ ‘Create Subfolder’ ‘Write Security Descriptor’ ‘Write Owner’ ‘Read Security Descriptor’ ‘Contact’
The distinguished name of the owning mailbox is /O=CONTOSO/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=WYPFL9. The folder ID is in the data section of this event.
For more information, click http://www.microsoft.com/contentredirect.asp.
Data:
0000: 02 00 00 00 00 00 2f f3 ……/ó
If you do have access you will get the following is logged on the mailbox server of the mailbox you are accessing:
Event Type: Success Audit
Event Source: MSExchangeIS Mailbox Store
Event Category: Logons
Event ID: 1016
Date: 20/07/2006
Time: 16:45:36
User: N/A
Computer: BE
Description:Windows 2000 User CONTOSOtwoman logged on to wypfl9@contoso.com mailbox, and is not the primary Windows 2000 account on this mailbox.
Event Type: Success Audit
Event Source: MSExchangeIS Mailbox Store
Event Category: Logons
Event ID: 1013
Date: 20/07/2006
Time: 16:45:36
User: N/A
Computer: BE
Description:CONTOSOtwoman was validated as /o=Contoso/ou=First Administrative Group/cn=Recipients/cn=twoman and logged on to /o=Contoso/ou=First Administrative Group/cn=Recipients/cn=wypfl9 on database “First Storage GroupSecond Mailbox Store”.
To summarise these, set the following for each server you want to monitor:
MSExchangeISMailboxLogons = Maximum
MSExchangeISMailboxAccess Control = Maximum
Additionally you should also enable the following:
MsExchangeISMailboxSend On Behalf Of = Minimum
This will track every time some used the Send On Behalf Of permission
MSExchangeISMailboxSend As = Minimum
This will track every time some used the Send As permission
All of this diagnostic logging is great, but you are only changing registry values. So, you now need to enable auditing for the Exchange Servers Registry to make sure none of the diagnostic values are changed .
To do this, logon each Exchange server and run regedt32.
Now the Keys we want to watch are:
HKLMSYSTEMCurrentControlSetServicesIMAP4Svc
HKLMSYSTEMCurrentControlSetServicesMasSync
HKLMSYSTEMCurrentControlSetServicesMSExchange ActiveSyncNotify
HKLMSYSTEMCurrentControlSetServicesMSExchangeADDXA
HKLMSYSTEMCurrentControlSetServicesMSExchangeAL
HKLMSYSTEMCurrentControlSetServicesMsExchangeDSAccess
HKLMSYSTEMCurrentControlSetServicesMSExchangeES
HKLMSYSTEMCurrentControlSetServicesMSExchangeFBPublish
HKLMSYSTEMCurrentControlSetServicesMSExchangeIS
HKLMSYSTEMCurrentControlSetServicesMSExchnageMGNT
HKLMSYSTEMCurrentControlSetServicesMSExchangeMTA
HKLMSYSTEMCurrentControlSetServicesMSExchangeMU
HKLMSYSTEMCurrentControlSetServicesMSExchangeOMA
HKLMSYSTEMCurrentControlSetServicesMSExchangeSA
HKLMSYSTEMCurrentControlSetServicesMSExchangeSRS
HKLMSYSTEMCurrentControlSetServicesMSExchangeTransport
HKLMSYSTEMCurrentControlSetServicesMsExchangeWeb
HKLMSYSTEMCurrentControlSetServicesPOP3Svc
1. Navigate to the first one on the list above, then Right Click on the key and select permissions.
2. Click the advanced button
3. Select the Auditing Tab
4. Click on Add
5. In the Select User, Computer, or Group Dialog enter everyone and click on Check Names and then OK
6. Make sure “Apply onto:” is set to “This key and subkeys”
7. Select Successful and Failed for:
Set Value; Create Subkey; Delete; Write DAC; Write Owner
Once you have done this, you need modify the Local Audit Policy, and enable Audit Object Access for Success and Failure.
It is actually easier to set these setting by using a group policy, as you would need put these settings on ALL exchange servers. To do this, open up the default domain secu
rity policy and navigate to registry. Then add the keys listed above in the same way.
Now you need to enable the actual logging. To do this, open up the default domain security policy and navigate to Local PolicesAudit Policies and enable Success & failure for Audit Object Access
Now when someone changes for one of these registry keys you see an entry similar to this in the
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 21/07/2006
Time: 14:58:36
User: NT AUTHORITYSYSTEM
Computer: BE
Description:Object Open:
Object Server: Security
Object Type: Key
Object Name: REGISTRYMACHINESYSTEMControlSet001ServicesMSExchangeISParametersSystem
Handle ID: 8152
Operation ID: {0,8701893}
Process ID: 2752
Image File Name: C:Program FilesExchsrvrbinstore.exe
Primary User Name: BE$
Primary Domain: CONTOSO
Primary Logon ID: (0x0,0x3E7)
Client User Name: –
Client Domain: –
Client Logon ID: –
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Privileges: –
Restricted Sid Count: 0
Access Mask: 0xF003F
With a local change made using Exchange System Manager, you will also need to look for the Logon Event to see which user made the change
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 7/21/2006
Time: 3:52:32 PM
User: CONTOSOAdministrator
Computer: FE
Description:Successful Logon:
User Name: Administrator
Domain: CONTOSO
Logon ID: (0x0,0x42EE29)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: FE
Logon GUID: {493bcc05-cefd-df56-9eef-a0ee3ab36ec3}
Caller User Name: FE$
Caller Domain: CONTOSO
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 376
Transited Services: –
Source Network Address: 127.0.0.1
Source Port: 0
If you change a value locally using regedit or remotely you actually get the additional user information:
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 21/07/2006
Time: 15:48:27
User: CONTOSOAdministrator
Computer: BE
Description:Object Open:
Object Server: Security
Object Type: Key
Object Name: REGISTRYMACHINESYSTEMControlSet001ServicesIMAP4SvcDiagnostics
Handle ID: 256
Operation ID: {0,9059113}
Process ID: 1436
Image File Name: C:WINDOWSsystem32svchost.exe
Primary User Name: LOCAL SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E5)
Client User Name: Administrator
Client Domain: CONTOSO
Client Logon ID: (0x0,0x8A39D6)
Accesses: Query key value
Set key value
Enumerate sub-keys
Privileges: –
Restricted Sid Count: 0
Access Mask: 0xB
Okay so all this auditing is fine, but you really need a way to capture & report when something has happened. As all the events appear in the Event Logs we can trawl the logs for events.
This code sample uses WMI to look in the security event log and pull out Event ID 566 where it contains msExch in the Event Description.
On Error Resume Next
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
arrComputers = Array(“exbe01”)
For Each strComputer In arrComputers
WScript.Echo
WScript.Echo “==========================================”
WScript.Echo “Computer: ” & strComputer
WScript.Echo “==========================================”
Set objWMIService = GetObject(“winmgmts:\” & strComputer & “rootCIMV2”)
Set colItems = objWMIService.ExecQuery(“SELECT * FROM Win32_NTLogEvent where logfile = ‘Security’ AND EventCode=566 AND Message like ‘%msExch%'”, “WQL”, wbemFlagReturnImmediately + wbemFlagForwardOnly)
For Each objItem In colItems
WScript.Echo “Category: ” & objItem.Category
WScript.Echo “CategoryString: ” & objItem.CategoryString
WScript.Echo “ComputerName: ” & objItem.ComputerName
‘strData = Join(objItem.Data, “,”)
‘ WScript.Echo “Data: ” & strData
WScript.Echo “EventCode: ” & objItem.EventCode
‘WScript.Echo “EventIdentifier: ” & objItem.EventIdentifier
WScript.Echo “EventType: ” & objItem.EventType
‘strInsertionStrings = Join(objItem.InsertionStrings, “,”)
‘ WScript.Echo “InsertionStrings: ” & strInsertionStrings
WScript.Echo “Logfile: ” & objItem.Logfile
WScript.Echo “Message: ” & objItem.Message
WScript.Echo “RecordNumber: ” & objItem.RecordNumber
WScript.Echo “SourceName: ” & objItem.SourceName
WScript.Echo “TimeGenerated: ” & WMIDateStringToDate(objItem.TimeGenerated)
‘WScript.Echo “TimeWritten: ” & WMIDateStringToDate(objItem.TimeWritten)
WScript.Echo “Type: ” & objItem.Type
WScript.Echo “User: ” & objItem.User
WScript.Echo
Next
Next
Function WMIDateStringToDate(dtmDate)
WScript.Echo dtm:
WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & “/” & _
Mid(dtmDate, 7, 2) & “/” & Left(dtmDate, 4) _
&” ” & Mid (dtmDate, 9, 2) & “:” & Mid(dtmDate, 11, 2) & “:” & Mid(dtmDate,13, 2))
End Function
The above code was originally generated using scritpmatic2 and then modified.
http://www.microsoft.com/technet/scriptcenter/tools/scripto2.mspx
You can also use EventCombMT to parse the EventLogs. You can get EventCombMT from here: http://www.microsoft.com/technet/scriptcenter/tools/scripto2.mspx
This code sample uses Windows PowerShell to look in the security event log and pull out Event ID 566 where it contains msExch in the Event Description.
1)
c:powershell
2)
[PS] c:Get-eventlog security | where {($_.Message –ilike “*msExch*”) –and ($_.EventID –eq 566)} | ft
Additionally you can use MOM to monitor and generate an event when an audited event occurs. To this you should create two computer groups and two rule groups to capture events on Exchange Servers and Domain Controllers. Then for each rule group, create an alert rule
1) Create two new Computer Groups:
1. Open the MOM 2005 Administrator Console
2. Expand Management Packs
3. Expand Computer Groups
4. Right Click on Computer Groups and select Create Computer Group
5. “Create Computer Group Wizard – Welcome”
a. Click Next
6. “Create Computer Group Wizard – General”
a. In Name enter: Auditing: Active Directory
b. Click Next
7. “Create Computer Group Wizard – Included Subgroups”
a. Click Add and select “Windows Server 2003 Domain Controller”
b. Click Next
c. “Create Computer Group Wizard – Included Computers”
d. Click Next
8. “Create Computer Group Wizard – Excluded Computers”
a. Click Next
9. “Create Computer Group Wizard – Search for Computers”
a. Click Next
10. “Create Computer Group Wizard – Formula”
a. Click Next
11. “Create Computer Group Wizard – State Roll-up Policy”
a. Select “the worst state of any member computer or subgroup”
b. Click Next
12. “Create Computer Group Wizard – Confirm Choices”
a. Click Next
13. “Create Computer Group Wizard – Completion Page”
a. Click Finish
Do the same but substitute the following:
– Under – “Create Computer Group Wizard – General” set the name to Auditing: Exchange
– under – “Create Computer Group Wizard – Included Subgroups” add Microsoft Exchange installed Computers
2) Create two new Rules groups
1. Right Click on Rule Groups and select Create Rule Group
2. “Rule Group Properties – General”
3. in Name enter: Auditing: Active Directory
a. Click Next
4. “Rule Group Properties – Knowledge Base”
a. You can enter some text here if you wish
b. Click Next
5. You should then see a dialog box that says
a. Would you like to deploy the rules in this newly create Rule Group to a group of computers?
b. Select Yes
6. You will be presented with the Computer Groups tab of the rules properties.
a. Click Add and select Auditing: Active Directory
b. Click Apply then OK
Do the same but substitute the following:
Under – “Rule Group Properties – General” set the name to Auditing: Exchange
under – “Computer Groups tab” add Auditing: Exchange
3) For both groups, create an Alert for each Rule Group
1. Expand the Auditing: Exchange rule.
2. Right Click on Alert Rules and select Create Alert Rule
3. “Alert Rule Properties – Alert Criteria”
a. Select only match alters generated by rules in the following group
b. Click browse and select Auditing: Exchange rule.
c. Click Next
4. Alert Rule Properties – Schedule”
a. Click Next
5. Alert Rule Properties – Responses”
a. Click Add
b. Select Send a notification to a Notification Group
c. Select a group and click OK
d. Click Next
6. “Alert Rule Properties – Knowledge Base”
a. Click Next
7. “Alert Rule Properties – General”
a. Enter a rule name
b. Click Finis
h
Do the same for Auditing: Active Directory
4) Create events for each of the rules
1. Expand the Auditing: Exchange rule.
2. Right Click on Event Rules and select Create Event Rule
3. “Select Event Rule Type”
a. Select Alert on or Respone to Event (Event)
b. Click Next
4. “Event Rule properties – Data Provider”
a. Select the event log you want to alter on, so with System, Application or Security
b. Click Next
5. “Event Rule Properties – Criteria”
a. Enter the details from the list below
b. Click Next
6. “Event Rule Properties – Schedule”
a. Click Next
7. “Event Rule Properties – Alert”
a. Click Next
8. “Event Rule Properties – Alert Suppression”
a. Click Next
9. “Event Rule Properties – Responses”
a. Click Next
10. “Event Rule Properties – Knowledge Base”
a. Enter some text if you wish
b. Click Next
11. “Event Rule Properties – General”
a. Enter a Rule Name
b. Click Finish
When you are ready to create event rules you should substitute the following:
Auditing: Active Directory
Rule: Audit changes to Exchange AD Attributes
Provider: Security
Criteria: with event id=566
-> Advanced: description contain substring *msExch*
Auditing: Exchange
Rule: Audit mailbox access
Provider: Application
Criteria: with event id=1029
Criteria: of type: Warning
Criteria: from source: MSExchangeIS Mailbox Store
Rule: Audit exchange configuration changes
Provider: Security
Criteria: with event id=560
-> Advanced: description contain substring *exch*
There are number of companies that provide tools to help in auditing systems and capturing data from the event logs. Here is a list that is by no means exhaustive:
· Journaling will keep a copy of every email that is send in/out of your exchange organisation.
Journaling with Exchange Server 2003
[http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/journaling.mspx]
Read an advert in today’s London Lite that says from June 1st 2007 every home on the market will have a Home Information Pack that rates its energy efficiency. (I wonder who will pay for it?)
Included is a rating of the home’s energy efficiency and recommendations that could help cur CO2 emmisions and fuel bills!!
Want to know more, check out http://www.homeinformationpack.gov.uk
Well I didn’t know that this was coming out.
A half page advert in the metro today leads you to an exclusive preview on msn.co.uk
Looks like the film will be out in London on July 6 2007
Guess what, at 0850 london time, the trailer is not on msn.
The other link to try is http://www.diehard4.co.uk
UPDATE: Just watched the trailer. It’s actually Die Hard 4.0 and is all about computer hacking .. the trailer looks very matrixy with lots of stunts and CGI by the looks of it!
UPDATE2: You can see the trailer here: http://www.diehard4.co.uk/trailer_hi.html
flaphead.com 