I'll believe it when I see it. Ed Crowley MCSE+Internet MVP Time Magazine's Person of the Year! -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Harris Sent: Thursday, June 07, 2007 11:04 AM To: Exchange Discussions Subject: RE: Last Logged on
Unless you're all about 80 years old, I think you're in for a pleasant surprise. "Real" auditing is quickly making its way up the priority list. Chris -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP] Sent: Thursday, June 07, 2007 1:57 PM To: Exchange Discussions Subject: RE: Last Logged on The underlying theme that it would be desirable if Exchange supported the kind of auditing he seeks is something I agree with, but it's a fact that it doesn't, and likely won't during our lifetimes. Ed Crowley MCSE+Internet MVP Time Magazine's Person of the Year! -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Scharff Sent: Thursday, June 07, 2007 8:09 AM To: Exchange Discussions Subject: RE: Last Logged on Your first response is that you'd be worried if someone accessed a resource. Maybe I'm just more secure with regards to the permissions structure on my resources. If a user accesses a resource in Exchange it's because they had permissions to it. So checking permissions seems ineffective. If I wanted access to a resource that I didn't have permissions to I can guarantee that my non-benign activities wouldn't point back to my account directly. There's behavior that might presume intrusion, successful access to a resource one has access to isn't one that happens to meet my bar. Like I said, if it did I'd need to audit success and failure logs for all of the resources on my network and that's not a practical or effective security mechanism. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro Posted At: Wednesday, June 06, 2007 9:38 PM Posted To: swynk Conversation: Last Logged on Subject: Re: Last Logged on ouch! ... ...BUT, please note that the first level of my suggested investigation was 'delegates' and 'permissions' . It's only after those benign factors are ruled out that one escalates into shadier aspects, where it is correct to presume intrusion. OK, so I shorthanded it, and maybe my segways were not elegant. But I don't see that I offered any bad advice. ----- Original Message ----- From: "Chris Scharff" <[EMAIL PROTECTED]> To: "Exchange Discussions" <[email protected]> Sent: Wednesday, June 06, 2007 8:39 AM Subject: RE: Last Logged on Intruder? If the user opens a calendar and checks the free/busy information for a DL it can cause that entry as can any variety of other conditions. No one can access any resource in Exchange or AD they don't have access to. Unless you expend the same level of effort auditing and tracking down every access and failed access to network resources across the enterprise it seems to be a bit of overkill. It's pretty easy to verify permissions exist or do not exist to allow a user access to a given resource. If they don't exist there is no intrusion. If they do exist there may still be no intrusion (I allow Everyone view access to my calendar, if they open it it's not an intrusion, it's utilization of a granted permission. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro Posted At: Wednesday, June 06, 2007 10:13 AM Posted To: swynk Conversation: Last Logged on Subject: Re: Last Logged on I would be. Did you check delegations on the 9? How about permissions? Can you impersonate the intruder and try to replicate? Is your password policy such that its formula can easily be guessed? If not, I would scan the intruder's computer for password cracking software. I'd also monitor the intruder very closely, with tracking, exmerge, whatever... ----- Original Message ----- From: "Jean-Paul Natola" <[EMAIL PROTECTED]> To: "Exchange Discussions" <[email protected]> Sent: Wednesday, June 06, 2007 7:45 AM Subject: Last Logged on Hi everyone, I have about 9 mailboxes that were all last logged on by one employee- Googling showed that it may occur if someone did a meeting request, I checked with with one of the users , and they said they did not even get an email from the user, much less a meting request. Should I be concerned? Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with.
