From: "Clishe, Jason" <[EMAIL PROTECTED]> Reply-To: "Exchange Discussions" <[EMAIL PROTECTED]> To: "Exchange Discussions" <[EMAIL PROTECTED]> Subject: RE: Tracking and auditing Exchange administrators Date: Wed, 4 Jun 2003 11:21:25 -0400
I know that an admin can't read someone elses email by default. But they *can* if they want to, and we simply want a way to audit this. Like I said, this is a law firm and they are very particular about stuff like this.
Jason
> > -----Original Message----- > From: Hurst, Paul [mailto:[EMAIL PROTECTED] > Sent: Wednesday, June 04, 2003 5:24 AM > To: Exchange Discussions > > Jason, > > By default the Exchange admin cannot read Emails (same as > GroupWise), only if he has implemented the Q article on how > to get round this security. I would say to set it back so > they cannot go into emails. > > Cheers > > Paul > > Standards are like toothbrushes, > everyone wants one but not yours > > > > -----Original Message----- > From: Clishe, Jason [mailto:[EMAIL PROTECTED] > Sent: 03 June 2003 19:58 > To: Exchange Discussions > Subject: Tracking and auditing Exchange administrators > > > I have a client that is in the middle of a Groupwise to > Exchange 2000 migration. They were a bit unsettled at the > discovery that an Exchange admin can grant himself permission > to read anyone's mail (something that is completely > impossible in Groupwise, short of changing the users' > password). They want to know how they can audit whether an > admin has modified the ACL on a mailbox store to grant > himself access to anyones mailbox. I know, I know, you should > be able to trust your administrators, but this is a law firm > and it's important that there's a paper trail. > > I've done some testing and come up with the following > results. I wanted to run this by the group to see if anyone > can confirm or deny that I'm using the most appropriate > method to perform the auditing. > > I've set the local policy on the Exchange server to audit > process tracking and privelege use. I then went into ESM and > gave an account full access to a mailbox store, including > send as and receive as rights. > I checked the security logs and found the following 3 events > (I actually found more than 3 events that appeared to be > generated when I modified the permissions, but these 3 seemed > most relevant): > > Event Type: Success Audit > Event Source: Security > Event Category: Privilege Use > Event ID: 577 > Date: 6/3/2003 > Time: 11:08:06 AM > User: DOMAIN\User > Computer: SERVER > Description: > Privileged Service Called: > Server: Security > Service: - > Primary User Name: User > Primary Domain: DOMAIN > Primary Logon ID: (0x0,0x29E68) > Client User Name: - > Client Domain: - > Client Logon ID: - > Privileges: SeIncreaseBasePriorityPrivilege > > -------------------------------------------------------------- > ---------- > ---- > Event Type: Success Audit > Event Source: Security > Event Category: Privilege Use > Event ID: 577 > Date: 6/3/2003 > Time: 11:08:06 AM > User: DOMAIN\User > Computer: SERVER > Description: > Privileged Service Called: > Server: Security > Service: - > Primary User Name: User > Primary Domain: DOMAIN > Primary Logon ID: (0x0,0x29E68) > Client User Name: - > Client Domain: - > Client Logon ID: - > Privileges: SeIncreaseBasePriorityPrivilege > > --------------------------------------------------------------------- > Event Type: Success Audit > Event Source: Security > Event Category: Object Access > Event ID: 565 > Date: 6/3/2003 > Time: 11:08:25 AM > User: DOMAIN\User > Computer: SERVER > Description: > Object Open: > Object Server: Microsoft Exchange > Object Type: Microsoft Exchange Database > Object Name: /o=ORG/ou=First Administrative > Group/cn=Configuration/cn=Servers/cn=SERVER/cn=Microsoft Private MDB > New Handle ID: 0 > Operation ID: {0,227067} > Process ID: 1636 > Primary User Name: SERVER$ > Primary Domain: DOMAIN > Primary Logon ID: (0x0,0x3E7) > Client User Name: User > Client Domain: DOMAIN > Client Logon ID: (0x0,0x29E68) > Accesses Unknown specific access (bit 8) > > Privileges - > > Properties: > Unknown specific access (bit 8) > %{d0780592-afe6-11d2-aa04-00c04f8eedd8} > %{d74a8762-22b9-11d3-aa62-00c04f8eedd8} > %{d74a8774-2289-11d3-aa62-00c04f8eedd8} > %{cf899a6a-afe6-11d2-aa04-00c04f8eedd8} > %{cffe6da4-afe6-11d2-aa04-00c04f8eedd8} > %{cfc7978e-afe6-11d2-aa04-00c04f8eedd8} > %{d03a086e-afe6-11d2-aa04-00c04f8eedd8} > %{d74a875e-22b9-11d3-aa62-00c04f8eedd8} > %{cf4b9d46-afe6-11d2-aa04-00c04f8eedd8} > %{cf0b3dc8-afe6-11d2-aa04-00c04f8eedd8} > %{d74a8766-22b9-11d3-aa62-00c04f8eedd8} > %{d74a8769-22b9-11d3-aa62-00c04f8eedd8} > %{d74a876f-22b9-11d3-aa62-00c04f8eedd8} > > --------------------------------------------------------- > > Does this behavior seem correct? It appears that there's > multiple entries that need to be tracked in order to tell the > whole story: Event ID 577 signifies that privileges have been > modified, and then event ID > 565 lists the objects that were accessed at the time the > privileges were modified. Not exactly as clean as I had > hoped, but it'll do. > > Jason > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t > ext_mode=&lang > =english > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > > ************************************************************** > ********************************* > The information contained in this message or any of its > attachments may be confidential and is intended for the > exclusive use of the addressee(s). Any disclosure, > reproduction, distribution or other dissemination or use of > this communication is strictly prohibited without the express > permission of the sender. The views expressed in this email > are those of the individual and not necessarily those of Sony > or Sony affiliated companies. Sony email is for business use only. > > This email and any response may be monitored by Sony United > Kingdom Limited. > (6) > ************************************************************** > ********************************* > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t > ext_mode=&lang=english > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] >
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail
_________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
