Auditing within Exchange 200x

I knocked this up a while back and was expecting it to be put on the msexchangeteam blog, but it didn’t appear.  So here it is instead ;-)  I have only tried this on Exchange 2003.  In the next month or so I will get a chance to see what Exchange 2007 does.  Enjoy and let me know what you think.  Hope it helps anyway!

UPDATE: You can download the word document here: http://files.flaphead.dns2go.com/auditing_exchange.zip


Auditing has become an essential part of Exchange management. In any Exchange deployment it is critical to understand what changes to the Exchange topology are taking place, both to ease troubleshooting and to document changes in your environment. Exchange does not have its own internal auditing; it relies on the auditing in Active Directory, because all of Exchange's configuration data is stored there. The audit settings themselves are held in the SACL (system access control list) of each object in Active Directory.

The AD Security Part 1 document located at http://www.microsoft.com/downloads/details.aspx?FamilyID=f937a913-f26e-49b5-a21e-20ba5930238d&displaylang=en explains how to audit Active Directory as a whole. Exchange, on the other hand, requires its own auditing to track any deletions, creations or modifications of any object within your Exchange organization.

Proactively enabling auditing before a major incident within the organisation will not only save time and money in investigating issues (and avoid pulling one or more administrators away from daily operations), but also maintain business continuity while an investigation is underway.

With Exchange you need to audit in potentially three places: Active Directory, each Exchange database store, and the local Exchange server. Each is enabled in a different place and offers only a limited selection of things you can actually audit.

NOTE: Logging alone cannot prove that someone has done something wrong. It can only indicate that something is not right and needs to be investigated further.

This document outlines how to enable auditing in Active Directory to log when a user or administrator creates, deletes or modifies an Exchange system object.

The Active Directory

The Active Directory (AD) contains all the configuration data that Exchange will use. You can configure auditing in Windows using Group Policies and the Audit Policy.

You should enable Success and Failure for Audit directory service access.

To Enable Auditing for the Exchange container in Active Directory do the following:

1. Open up the Domain Controller Security Policy

a. Click on Start; Administrative Tools; Domain Controller Security Policy

2. Expand Local Policies and Select Audit Policies

3. Right click on Audit Directory Service Access and select properties

4. Make sure the following are checked:

a. Define these policy settings

b. Success

c. Failure

5. Click Apply and then OK

6. Do the same for Audit policy change

Enable baseline Auditing for Exchange Configuration Objects

Note: The below audit settings will generate the majority of the events for changed and deleted objects within the Exchange Configuration Container in Active Directory. This requires that inheritance is set properly for every configuration object under the Services/Microsoft Exchange container. The table following this section shows the available auditing options to track newly created Exchange objects as the baseline auditing does not log most creations of Exchange objects.

1. Start ADSIEdit, and then connect to the domain controller that you want to view.

2. Connect to the configuration container, and then browse to the following level:
CN=Services. Right Click on Microsoft Exchange and then click Properties.

3. Click the Security tab, click Advanced, click the Auditing tab, click Add, enter Everyone for the object and then click OK.

4. Under the Successful column, check the following object access auditing entries:

Write All Properties

Delete

Delete Subtree

Modify Permissions

Modify Owner

All Validated Writes

All Extended Writes

Create All Child Objects

Delete All Child Objects

NOTE: The rest of the objects in the list should now be checked.

5. Repeat for the failed column

6. Click OK and then OK again.

Now you can test this with Exchange System Manager: change something. On a GC you should see something similar to this in the Security log:

Event Type: Success Audit
Event Source: Security

Event Category: Directory Service Access
Event ID: 566
Date: 20/07/2006
Time: 14:52:56
User: CONTOSO\Administrator
Computer: GC
Description:

Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: msExchOmaConfigurationContainer
Object Name: CN=Outlook Mobile Access,CN=Global Settings,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com

Handle ID: –
Primary User Name: GC$
Primary Domain: CONTOSO
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: CONTOSO
Client Logon ID: (0x0,0x5BF2F)
Accesses: Write Property
Properties:

Write Property
Public Information
msExchOmaAdminWirelessEnable
Default property set
msExchOmaExtendedProperties
msExchOmaConfigurationContainer

Additional Info:

Additional Info2:

Access Mask: 0x20
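As an added example (not part of the original post), the following Python script parses the description text of an Event ID 566 like the one above, as you would get it from the Message property of a Win32_NTLogEvent or from Get-EventLog, and reports which account wrote which msExch* attributes on which object. The sample event text is a constructed copy of the event above; the reading of the Properties list (the access type, then each property set followed by the attributes written in it, with the object class last) is my interpretation of the layout shown, not something the post states.

```python
import re

# Constructed sample: the Event ID 566 description shown above, as read from
# the Message property of the event (Win32_NTLogEvent / Get-EventLog).
SAMPLE_566 = """Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: msExchOmaConfigurationContainer
Object Name: CN=Outlook Mobile Access,CN=Global Settings,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
Handle ID: -
Primary User Name: GC$
Primary Domain: CONTOSO
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: CONTOSO
Client Logon ID: (0x0,0x5BF2F)
Accesses: Write Property
Properties:
Write Property
Public Information
msExchOmaAdminWirelessEnable
Default property set
msExchOmaExtendedProperties
msExchOmaConfigurationContainer

Additional Info:
Additional Info2:
Access Mask: 0x20
"""

# Constructed sample of a 566 that is not an Exchange change: a write to the
# description attribute of an ordinary user object.
SAMPLE_USER_WRITE = """Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: user
Object Name: CN=T Woman,OU=Staff,DC=contoso,DC=com
Client User Name: Administrator
Client Domain: CONTOSO
Client Logon ID: (0x0,0x5BF2F)
Accesses: Write Property
Properties:
Write Property
Personal Information
description
user
Access Mask: 0x20
"""


def parse_description(text):
    """Split a 'Name: value' event description into a dict.

    Lines without a colon (the list under 'Properties:') are collected as a
    list in the 'Properties' entry, in the order the event lists them."""
    fields = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z][A-Za-z0-9 ]*?):\s*(.*)$", line)
        if m:
            name, value = m.group(1), m.group(2)
            if name == "Properties":
                current_list = fields.setdefault("Properties", [])
            else:
                current_list = None
                fields[name] = value
        elif current_list is not None:
            current_list.append(line)
    return fields


def exchange_attribute_writes(description):
    """Report which account wrote which msExch* attributes on which object.

    Returns None when the event is not a directory-service write that touched
    an msExch* attribute (the same test as the Message LIKE '%msExch%' filter
    used by the WQL and PowerShell queries later in the post)."""
    f = parse_description(description)
    if f.get("Object Server") != "DS":
        return None
    # The object class comes last in the Properties list (here the
    # msExchOmaConfigurationContainer class itself); it is not a written
    # attribute, so drop it and keep only the msExch* names.
    attrs = [p for p in f.get("Properties", [])
             if p.lower().startswith("msexch") and p != f.get("Object Type")]
    if not attrs:
        return None
    return {
        "actor": f"{f['Client Domain']}\\{f['Client User Name']}",
        "logon_id": f["Client Logon ID"],
        "object": f["Object Name"],
        "object_class": f["Object Type"],
        "attributes": attrs,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_566, SAMPLE_USER_WRITE):
        print(exchange_attribute_writes(sample))
```

The Client User Name and Client Domain fields are the ones to report: the Primary User Name on a 566 is the domain controller's own machine account (GC$ above), because the directory service performs the write on the caller's behalf.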

Users

Having enabled auditing for Exchange configuration changes in Active Directory, we can do the same for user objects. As an example, user auditing will allow administrators to capture permission changes made at the mailbox level.

Auditing user changes is easiest to enable on a per-OU basis. This can be accomplished using AD Users & Computers: navigate to the OU you want to enable auditing on, right-click it and select Properties, then follow from step 9 in the Active Directory section above.

Exchange Server

Exchange auditing will record access of a mailbox by an account which is not the primary account for the mailbox.

867640 How to monitor mailbox access by auditing or by viewing Mailbox Resources in Exchange Server [http://support.microsoft.com/kb/867640]

In addition to this you can also log the NT user account that attempted to access the mailbox. Again, this KB article explains how to enable it:

274317 XADM: How to View Windows NT Accounts that Access Mailboxes in Exchange Server [http://support.microsoft.com/kb/274317/]

Once enabled, if someone tries to open a mailbox they are not allowed to, you will get:

Event Type: Warning
Event Source: MSExchangeIS Mailbox Store
Event Category: Access Control
Event ID: 1029
Date: 20/07/2006
Time: 15:15:17
User: N/A
Computer: BE
Description:

twoman@contoso.com failed an operation because the user did not have the following access rights:

‘Delete’ ‘Read Property’ ‘Write Property’ ‘Create Message’ ‘View Item’ ‘Create Subfolder’ ‘Write Security Descriptor’ ‘Write Owner’ ‘Read Security Descriptor’ ‘Contact’

The distinguished name of the owning mailbox is /O=CONTOSO/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=WYPFL9. The folder ID is in the data section of this event.

For more information, click http://www.microsoft.com/contentredirect.asp.

Data:
0000: 02 00 00 00 00 00 2f f3 ……/ó

If you do have access, the following is logged on the mailbox server of the mailbox you are accessing:

Event Type: Success Audit
Event Source: MSExchangeIS Mailbox Store
Event Category: Logons
Event ID: 1016
Date: 20/07/2006
Time: 16:45:36
User: N/A
Computer: BE
Description:

Windows 2000 User CONTOSO\twoman logged on to wypfl9@contoso.com mailbox, and is not the primary Windows 2000 account on this mailbox.

 

Event Type: Success Audit
Event Source: MSExchangeIS Mailbox Store
Event Category: Logons
Event ID: 1013
Date: 20/07/2006
Time: 16:45:36
User: N/A
Computer: BE
Description:

CONTOSO\twoman was validated as /o=Contoso/ou=First Administrative Group/cn=Recipients/cn=twoman and logged on to /o=Contoso/ou=First Administrative Group/cn=Recipients/cn=wypfl9 on database “First Storage Group\Second Mailbox Store”.

To summarise these, set the following diagnostic logging levels for each server you want to monitor:

MSExchangeIS\Mailbox\Logons = Maximum

MSExchangeIS\Mailbox\Access Control = Maximum

Additionally you should also enable the following:

MSExchangeIS\Mailbox\Send On Behalf Of = Minimum

This will track every time someone used the Send On Behalf Of permission.

MSExchangeIS\Mailbox\Send As = Minimum

This will track every time someone used the Send As permission.

Local Server

All of this diagnostic logging is great, but you are only changing registry values. So you now need to enable auditing on each Exchange server's registry to make sure none of the diagnostic values are changed.

To do this, log on to each Exchange server and run regedt32.

Now the keys we want to watch are:

HKLM\SYSTEM\CurrentControlSet\Services\IMAP4Svc

HKLM\SYSTEM\CurrentControlSet\Services\MasSync

HKLM\SYSTEM\CurrentControlSet\Services\MSExchange ActiveSyncNotify

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeADDXA

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeAL

HKLM\SYSTEM\CurrentControlSet\Services\MsExchangeDSAccess

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeES

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeFBPublish

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeMGMT

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeMTA

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeMU

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeOMA

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeSA

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeSRS

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeTransport

HKLM\SYSTEM\CurrentControlSet\Services\MsExchangeWeb

HKLM\SYSTEM\CurrentControlSet\Services\POP3Svc

1. Navigate to the first key on the list above, then right-click on the key and select Permissions.

2. Click the advanced button

3. Select the Auditing Tab

4. Click on Add

5. In the Select User, Computer, or Group dialog enter Everyone, click Check Names and then OK

6. Make sure “Apply onto:” is set to “This key and subkeys”

7. Select Successful and Failed for:

Set Value; Create Subkey; Delete; Write DAC; Write Owner

Once you have done this, you need to modify the Local Audit Policy and enable Audit Object Access for Success and Failure.

It is actually easier to set these settings by using a group policy, as you would need to put them on ALL Exchange servers. To do this, open up the Default Domain Security Policy, navigate to Registry, and add the keys listed above in the same way.

Now you need to enable the actual logging. To do this, open up the Default Domain Security Policy, navigate to Local Policies\Audit Policy, and enable Success & Failure for Audit Object Access.

Now when someone changes one of these registry keys you will see an entry similar to this in the

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 21/07/2006
Time: 14:58:36
User: NT AUTHORITY\SYSTEM
Computer: BE
Description:

Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSExchangeIS\ParametersSystem
Handle ID: 8152
Operation ID: {0,8701893}
Process ID: 2752
Image File Name: C:\Program Files\Exchsrvr\bin\store.exe
Primary User Name: BE$
Primary Domain: CONTOSO
Primary Logon ID: (0x0,0x3E7)
Client User Name: –
Client Domain: –
Client Logon ID: –
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Privileges: –
Restricted Sid Count: 0
Access Mask: 0xF003F

With a local change made using Exchange System Manager, the 560 event carries no client user name, so you will also need to look for the Logon event to see which user made the change:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 7/21/2006
Time: 3:52:32 PM
User: CONTOSOAdministrator
Computer: FE
Description:

Successful Logon:
User Name: Administrator
Domain: CONTOSO
Logon ID: (0x0,0x42EE29)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: FE
Logon GUID: {493bcc05-cefd-df56-9eef-a0ee3ab36ec3}
Caller User Name: FE$
Caller Domain: CONTOSO
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 376
Transited Services: –
Source Network Address: 127.0.0.1
Source Port: 0

If you change a value locally using regedit, or remotely, you actually get the additional client user information:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 21/07/2006
Time: 15:48:27
User: CONTOSO\Administrator
Computer: BE
Description:

Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IMAP4Svc\Diagnostics
Handle ID: 256
Operation ID: {0,9059113}
Process ID: 1436
Image File Name: C:\WINDOWS\system32\svchost.exe
Primary User Name: LOCAL SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E5)
Client User Name: Administrator
Client Domain: CONTOSO
Client Logon ID: (0x0,0x8A39D6)
Accesses: Query key value
Set key value
Enumerate sub-keys
Privileges: –
Restricted Sid Count: 0
Access Mask: 0xB
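As an added example (not part of the original post), this Python script triages Event ID 560 descriptions like the two above: it maps the kernel-style key path in the event onto the HKLM\SYSTEM\CurrentControlSet\... form of the watch list, keeps only opens that requested one of the write-type accesses audited in step 7, and reports who opened the key. When the event has no client identity (the store.exe case) it falls back to the primary account and flags that the operator must be found from the Logon event, as the text above explains. The sample events are constructed, trimmed copies of the two 560 events shown above plus one write to a key outside the list; the watch list is a subset of the keys given in this section.

```python
import re

# Subset of the watch list from the Local Server section (HKLM = HKEY_LOCAL_MACHINE).
WATCHED_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\IMAP4Svc",
    r"HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS",
    r"HKLM\SYSTEM\CurrentControlSet\Services\POP3Svc",
]

# The write-type accesses audited in step 7 above, spelled as they appear in
# the 'Accesses:' block of an Event ID 560 description.
WRITE_ACCESSES = {"Set key value", "Create sub-key", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# Constructed samples: trimmed copies of the two 560 events shown above, and a
# write to a key that is not on the watch list.
SAMPLE_STORE = r"""Object Open:
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSExchangeIS\ParametersSystem
Image File Name: C:\Program Files\Exchsrvr\bin\store.exe
Primary User Name: BE$
Primary Domain: CONTOSO
Client User Name: -
Client Domain: -
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Privileges: -
Access Mask: 0xF003F
"""

SAMPLE_REGEDIT = r"""Object Open:
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IMAP4Svc\Diagnostics
Image File Name: C:\WINDOWS\system32\svchost.exe
Primary User Name: LOCAL SERVICE
Primary Domain: NT AUTHORITY
Client User Name: Administrator
Client Domain: CONTOSO
Accesses: Query key value
Set key value
Enumerate sub-keys
Privileges: -
Access Mask: 0xB
"""

SAMPLE_OTHER = r"""Object Open:
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters
Image File Name: C:\WINDOWS\regedit.exe
Client User Name: Administrator
Client Domain: CONTOSO
Accesses: Set key value
Privileges: -
"""


def field(text, name):
    """Value of a 'Name: value' line in the description, '' if absent."""
    m = re.search(r"^%s:[ \t]*(.*)$" % re.escape(name), text, re.M)
    return m.group(1).strip() if m else ""


def accesses(text):
    """The access names listed between 'Accesses:' and 'Privileges:'."""
    m = re.search(r"^Accesses:[ \t]*(.*?)^Privileges:", text, re.M | re.S)
    return {ln.strip() for ln in m.group(1).splitlines() if ln.strip()} if m else set()


def native_to_hklm(object_name):
    # The event names the key by its kernel object path, rooted at REGISTRY,
    # MACHINE and the concrete control set (ControlSet00N); rewrite it to the
    # HKLM and CurrentControlSet spelling used in the watch list.
    path = re.sub(r"^\\?REGISTRY\\MACHINE\\", r"HKLM\\", object_name, flags=re.I)
    return re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", path, count=1, flags=re.I)


def watched_key_for(object_name):
    """The watch-list key that the opened key is, or sits under, else None."""
    path = native_to_hklm(object_name).lower()
    for key in WATCHED_KEYS:
        if path == key.lower() or path.startswith(key.lower() + "\\"):
            return key
    return None


def triage_560(description):
    """Describe a write-type open of a watched Exchange key, or return None.

    A 560 records a handle opened with these accesses requested, which, as the
    note near the top of the post says, indicates rather than proves a change."""
    key = watched_key_for(field(description, "Object Name"))
    writes = accesses(description) & WRITE_ACCESSES
    if key is None or not writes:
        return None
    client = field(description, "Client User Name")
    if client and client not in ("-", "\u2013"):
        actor, correlate = f"{field(description, 'Client Domain')}\\{client}", False
    else:
        # No client identity: the process opened the key under its own account
        # (here the server's machine account), so the person behind the change
        # has to come from the Logon event (528) as described above.
        actor = f"{field(description, 'Primary Domain')}\\{field(description, 'Primary User Name')}"
        correlate = True
    return {"watched_key": key, "actor": actor, "process": field(description, "Image File Name"),
            "write_accesses": writes, "needs_logon_correlation": correlate}
```

Run over a day's Security log this reduces the 560 noise to the handful of opens that could have altered a watched key, and separates the ones that already name an operator from the ones that still need the 528 lookup.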

Code

Okay, so all this auditing is fine, but you really need a way to capture and report when something has happened. As all the events appear in the event logs, we can trawl the logs for them.

This code sample uses WMI to look in the security event log and pull out Event ID 566 where it contains msExch in the Event Description.

On Error Resume Next

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

' Servers whose Security log should be searched
arrComputers = Array("exbe01")

For Each strComputer In arrComputers
    WScript.Echo
    WScript.Echo "=========================================="
    WScript.Echo "Computer: " & strComputer
    WScript.Echo "=========================================="

    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

    ' Event ID 566 (Directory Service Access) whose description mentions an msExch* attribute or class
    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = 566 AND Message LIKE '%msExch%'", _
        "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

    For Each objItem In colItems
        WScript.Echo "Category: " & objItem.Category
        WScript.Echo "CategoryString: " & objItem.CategoryString
        WScript.Echo "ComputerName: " & objItem.ComputerName
        'strData = Join(objItem.Data, ",")
        'WScript.Echo "Data: " & strData
        WScript.Echo "EventCode: " & objItem.EventCode
        'WScript.Echo "EventIdentifier: " & objItem.EventIdentifier
        WScript.Echo "EventType: " & objItem.EventType
        'strInsertionStrings = Join(objItem.InsertionStrings, ",")
        'WScript.Echo "InsertionStrings: " & strInsertionStrings
        WScript.Echo "Logfile: " & objItem.Logfile
        WScript.Echo "Message: " & objItem.Message
        WScript.Echo "RecordNumber: " & objItem.RecordNumber
        WScript.Echo "SourceName: " & objItem.SourceName
        WScript.Echo "TimeGenerated: " & WMIDateStringToDate(objItem.TimeGenerated)
        'WScript.Echo "TimeWritten: " & WMIDateStringToDate(objItem.TimeWritten)
        WScript.Echo "Type: " & objItem.Type
        WScript.Echo "User: " & objItem.User
        WScript.Echo
    Next
Next

' Convert a WMI DATETIME string (yyyymmddHHMMSS.ffffff+zzz) into a VBScript Date
Function WMIDateStringToDate(dtmDate)
    WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
        Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
        & " " & Mid(dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate, 13, 2))
End Function

The above code was originally generated using Scriptomatic 2 and then modified:
http://www.microsoft.com/technet/scriptcenter/tools/scripto2.mspx

You can also use EventCombMT to parse the EventLogs. You can get EventCombMT from here: http://www.microsoft.com/technet/scriptcenter/tools/scripto2.mspx

Windows PowerShell

This code sample uses Windows PowerShell to look in the security event log and pull out Event ID 566 where it contains msExch in the Event Description.

1) Start PowerShell:

C:\> powershell

2) Run the query:

[PS] C:\> Get-EventLog security | where {($_.Message -ilike "*msExch*") -and ($_.EventID -eq 566)} | ft

MOM

Additionally you can use MOM to monitor for an audited event and raise an alert when one occurs. To do this, create two computer groups and two rule groups to capture events on Exchange servers and domain controllers; then, for each rule group, create an alert rule and the event rules listed below.

1) Create two new Computer Groups:

1. Open the MOM 2005 Administrator Console

2. Expand Management Packs

3. Expand Computer Groups

4. Right Click on Computer Groups and select Create Computer Group

5. “Create Computer Group Wizard – Welcome”

a. Click Next

6. “Create Computer Group Wizard – General”

a. In Name enter: Auditing: Active Directory

b. Click Next

7. “Create Computer Group Wizard – Included Subgroups”

a. Click Add and select “Windows Server 2003 Domain Controller”

b. Click Next

c. “Create Computer Group Wizard – Included Computers”

d. Click Next

8. “Create Computer Group Wizard – Excluded Computers”

a. Click Next

9. “Create Computer Group Wizard – Search for Computers”

a. Click Next

10. “Create Computer Group Wizard – Formula”

a. Click Next

11. “Create Computer Group Wizard – State Roll-up Policy”

a. Select “the worst state of any member computer or subgroup”

b. Click Next

12. “Create Computer Group Wizard – Confirm Choices”

a. Click Next

13. “Create Computer Group Wizard – Completion Page”

a. Click Finish

Do the same but substitute the following:

– Under – “Create Computer Group Wizard – General” set the name to Auditing: Exchange

– under – “Create Computer Group Wizard – Included Subgroups” add Microsoft Exchange installed Computers

2) Create two new Rules groups

1. Right Click on Rule Groups and select Create Rule Group

2. “Rule Group Properties – General”

3. In Name enter: Auditing: Active Directory

a. Click Next

4. “Rule Group Properties – Knowledge Base”

a. You can enter some text here if you wish

b. Click Next

5. You should then see a dialog box that says

a. Would you like to deploy the rules in this newly created Rule Group to a group of computers?

b. Select Yes

6. You will be presented with the Computer Groups tab of the rules properties.

a. Click Add and select Auditing: Active Directory

b. Click Apply then OK

Do the same but substitute the following:

– Under – “Rule Group Properties – General” set the name to Auditing: Exchange

– Under – “Computer Groups tab” add Auditing: Exchange

3) For both groups, create an Alert for each Rule Group

1. Expand the Auditing: Exchange rule.

2. Right Click on Alert Rules and select Create Alert Rule

3. “Alert Rule Properties – Alert Criteria”

a. Select “only match alerts generated by rules in the following group”

b. Click browse and select Auditing: Exchange rule.

c. Click Next

4. “Alert Rule Properties – Schedule”

a. Click Next

5. “Alert Rule Properties – Responses”

a. Click Add

b. Select Send a notification to a Notification Group

c. Select a group and click OK

d. Click Next

6. “Alert Rule Properties – Knowledge Base”

a. Click Next

7. “Alert Rule Properties – General”

a. Enter a rule name

b. Click Finish

Do the same for Auditing: Active Directory

4) Create events for each of the rules

1. Expand the Auditing: Exchange rule.

2. Right Click on Event Rules and select Create Event Rule

3. “Select Event Rule Type”

a. Select Alert on or Respond to Event (Event)

b. Click Next

4. “Event Rule properties – Data Provider”

a. Select the event log you want to alert on: System, Application or Security

b. Click Next

5. “Event Rule Properties – Criteria”

a. Enter the details from the list below

b. Click Next

6. “Event Rule Properties – Schedule”

a. Click Next

7. “Event Rule Properties – Alert”

a. Click Next

8. “Event Rule Properties – Alert Suppression”

a. Click Next

9. “Event Rule Properties – Responses”

a. Click Next

10. “Event Rule Properties – Knowledge Base”

a. Enter some text if you wish

b. Click Next

11. “Event Rule Properties – General”

a. Enter a Rule Name

b. Click Finish

When you are ready to create event rules you should substitute the following:

Auditing: Active Directory

Rule: Audit changes to Exchange AD Attributes
Provider: Security
Criteria: with event id=566
-> Advanced: description contain substring *msExch*

Auditing: Exchange

Rule: Audit mailbox access
Provider: Application
Criteria: with event id=1029
Criteria: of type: Warning
Criteria: from source: MSExchangeIS Mailbox Store

Rule: Audit exchange configuration changes
Provider: Security
Criteria: with event id=560
-> Advanced: description contain substring *exch*

3rd Party Auditing Tools

There are a number of companies that provide tools to help in auditing systems and capturing data from the event logs. Here is a list that is by no means exhaustive:

Things to consider

· Journaling will keep a copy of every email that is sent in or out of your Exchange organisation.

Journaling with Exchange Server 2003
[http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/journaling.mspx]

  • You should make sure that any service accounts you have for applications that need “global administrative rights” over Exchange, like BlackBerry Enterprise Server, are set so they cannot log on interactively. This will prevent misuse of the service account.
  • You should protect your Exchange Server backups, as someone could take a backup tape, restore it off site and potentially have access to all the mailboxes on the backup.
  • You should put some mechanism in place to make sure that you can audit your auditing, so you know when someone has modified it.
  • Ensure your Exchange administrators use their normal user account for day-to-day email and their Exchange admin account only for administration and delegation.
  • To ensure the security of user mailboxes and the confidentiality of their contents, it is imperative that the user who has permissions to a mailbox is also the mailbox owner. To check this, on a regular basis you should generate a report detailing those user mailboxes where permissions (not pushed out by policy on the accounts) have been granted.

Resources:
