Exchange 2010 Mailbox Access Auditing Part I

  MS Exchange 2010 SP1 introduced, among other things, mailbox access audit feature that should help system administrators track users’ mailbox activity. While testing Exchange auditing capabilities I quite often bumped into some various issues and would like to present you with a series of articles about my mailbox access audit tests and their results. We can walk together through the steps of setting up a mailbox access auditing for the particular actions and compare the test results with the expected ones.
  From my point of view one of the most important user actions an administrator should be able to audit is Delegate mailbox access. For instance, if I give User1 Full Access permission to User2’s mailbox I’d like to know what actions (and when) will be accomplished by User1 in the Users2’s mailbox. In this article I want to focus on some practical approaches to mailbox access audit for delegate users.
  The first question I want answered is “who and when accessed a delegated mailbox”.
Consider this situation: User1 needs access to User2’s mailbox. Let’s walk through the steps necessary for granting the requested access and monitoring its usage.

1) In Exchange Management Console we give User1 Full Access permission to User2’s mailbox:

2) …then turn on mailbox access audit for User2’s mailbox:
Set-Mailbox -Identity User2 -AuditEnabled $true
3) …and check whether mailbox access auditing is turned on:
Get-Mailbox User2 |FL *audit*

4) Pay close attention to what actions are audited by default: as we’re going to use the delegate access Update, SoftDelete, HardDelete, SendAs and Create actions will be audited by default once mailbox access is enabled for a particular mailbox. So to be able to audit the access to User2’s mailbox we must add FolderBind action to the list of already audited actions

Set-Mailbox -Identity User2 -AuditDelegate Update,SoftDelete,HardDelete,SendAs,Create,FolderBind -AuditEnabled $true
and check they have been applied correctly:
Get-Mailbox User2 |FL *audit*

5) Now let’s start Outlook and log on to User1’s mailbox. Outlook will open the additional User2’s mailbox for User1 automatically:

5) Now let’s check if any log records was generated when Outlook was started:
Search-MailboxAuditLog -Identity User2 -LogonTypes Delegate -StartDate 6/14/2012 -EndDate 6/15/2012 -ResultSize 2000

  Yes, here we can see a brief description of the fact that someone accessed User2’s mailbox. As our goal is to get all availabale information about Delegate access to User2’s mailbox we should add -ShowDetails to the previuos command:

6) Search-MailboxAuditLog -Identity User2 -LogonTypes Delegate -StartDate 6/14/2012 -EndDate 6/15/2012 -ResultSize 2000 -ShowDetails

  What is it? Search-MailboxAuditLog cmdlet stops producing any output should I add -ShowDetails switch!

The output expected should contain the following fields: Operation, OperationResult, LogonType, …, ClientIPAddress and many others as described here: http://technet.microsoft.com/en-us/library/ff459237.aspx

 I know for sure that at least in some cases Search-MailboxAuditLog cmdlet with the swith -ShowDetails works correctly but I can’t explain why it does not work in this particular test.

 However, let’s try to use the other tool for reading mailbox access audit log – the Exchange Control Panel.

Log in to ECP under account that is a member of Exchange Organization Management group or Records Management group (for instance, Administrator account) and click “Run a non-owner mailbox access report”

 

  Here it is! This report contains a bit more information about the FolderBind action, at least we can see which user (User1) opened User2’s mailbox.

  Look! There are multiple occurrences of Delegate Access actions at 6:08Am. This is because FolderBind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of three hours.

Summary

This was the first test for Exchange Server 2010 SP1 mailbox auditing.  In the next article we’ll continue to work with the mailbox Delegate Access.
The new article on the Exchange Server 2013 describing the same test is now available here:  https://michaelfirsov.wordpress.com/exchange-2013-mailbox-auditing-part-i/
Advertisements

5 responses

  1. samual hassi | Reply

    A very informative article !
    Though, due to lack of time I use Lepide exchange server auditor(http://www.lepide.com/exchange-server-audit/) to audit who is accessing the mailboxes without prior assigned permission. It provide the auditing report at granular level with with real time monitoring and instantly alerts for all critical changes by sending customized email notification.
    However, this article seems to be a good help to enhance my work-station performance in coming future.

    1. Thank you very much, Samual!

  2. Thank you very much, Samual – I’m happy this article could be of help to you!
    And it’s very interesting for me to know about Lepide exchange server auditor – thank you for that information!

    Regards,
    Michael

  3. I view something really special in this internet site.

    1. Thank you very much Margie,
      You’re always welcome!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: