30 Jan 2012

Changes not Visible in the Exchange Audit Log

Posted by Juergen

I am currently working in a project where the customer will move their mailboxes to a private cloud operated by a service provider. The customer is concerned that the service provider staff might read his mails.

In Exchange Server 2010 you can use Mailbox Audit Logging to log access to a mailbox. You have to enable mailbox audit logging upfront per mailbox if you want to know who accessed a specific mailbox. You can use Administrator Audit Logging to log the commands that an Exchange administrator executed via the Exchange Management Shell, Exchange Management Console, or the Exchange Control Panel. If an administrator assigns someone full access rights to a mailbox, then the Administrator Audit Log would contain the corresponding command entry.

However, it is very important to realize that Administrator Audit Logging does not audit changes made via non Exchange management tools, for example, Active Directory management tools.

I would like to provide a simple example. Let’s assume you have a mailbox called “Big Boss” and there is a malicious administrator called “BadAdmin”.

Initially the Active Directory attributes of the user account Big Boss looks like this.

clip_image001

Figure 1: Initial Active Directory Attributes

Now the BadAdmin performs the changes shown in Figure 2 and Figure 3 using Active Directory Users and Computers.

clip_image002

Figure 2: AltRecipeint

clip_image003

Figure 3: DeliverAndRedirect

I am sure you can guess the consequence of this modification.

These two changes will not be logged in the Exchange Administrator Audit Log. Therefore, it is important to add auditing of changes made to Active Directory objects to your plan.

Comments are closed.

  • Browse

    or
  • Calendar

    August 2022
    M T W T F S S
    1234567
    891011121314
    15161718192021
    22232425262728
    293031  
  • Tag Cloud

  • Categories