Changes not Visible in the Exchange Audit Log

I am currently working in a project where the customer will move their mailboxes to a private cloud operated by a service provider. The customer is concerned that the service provider staff might read his mails.

In Exchange Server 2010 you can use Mailbox Audit Logging to log access to a mailbox. You have to enable mailbox audit logging upfront per mailbox if you want to know who accessed a specific mailbox. You can use Administrator Audit Logging to log the commands that an Exchange administrator executed via the Exchange Management Shell, Exchange Management Console, or the Exchange Control Panel. If an administrator assigns someone full access rights to a mailbox, then the Administrator Audit Log would contain the corresponding command entry.

However, it is very important to realize that Administrator Audit Logging does not audit changes made via non Exchange management tools, for example, Active Directory management tools.

I would like to provide a simple example. Let’s assume you have a mailbox called “Big Boss” and there is a malicious administrator called “BadAdmin”.

Initially the Active Directory attributes of the user account Big Boss looks like this.

Figure 1: Initial Active Directory Attributes

Now the BadAdmin performs the changes shown in Figure 2 and Figure 3 using Active Directory Users and Computers.

Figure 2: AltRecipeint

Figure 3: DeliverAndRedirect

I am sure you can guess the consequence of this modification.

These two changes will not be logged in the Exchange Administrator Audit Log. Therefore, it is important to add auditing of changes made to Active Directory objects to your plan.