Exchange security monitoring tools [closed]

security monitoring audit exchange

I am trying to identify tools that can perform security monitoring of Exchange. Ideally, the tools should be able to pick up things like:

  • permission changes for high risk mailboxes
  • multiple connections to same mailbox

Bonus points if it can be deployed without major reconfiguration of exchange.

Is there anything like it?


Solution 1:

If you're running Exchange 2010 you should take a look at Overview of Administrator Audit Logging. You tell Exchange what cmdlets it should audit and it will log various relevant bits of info. It supports wildcard matches on cmdlet names too. Since everything in Exchange 2010 (including the GUI) uses cmdlets, you cannot get around the auditing.

If you installed Exchange 2010 SP1 (as opposed to upgrading from Exchange 2010 RTM) then admin audit logging is already turned on by default. If you need to turn this on, run Set-AdminAuditLogConfig -AdminAuditLogCmdlets *.

As for your second question, I don't think you're going to be able to achieve that one. Outlook alone creates more than its fair share of connections to your mailbox, and some dodgy Outlook plugins create even more, which you might know if you've ever had the "32 maximum connections" problem. Even if you did manage to figure out which connections belonged to a particular "session", have you ever accidentally opened a new instance of Outlook while it's already open? That's going to trip your alarm.

You also don't count on the multitude of ways Exchange allows you to get at your mailbox. I have a laptop, but I often find myself on a separate desktop in our build room for a few hours, and I'll want my emails there too. I've also got my phone connected by ActiveSync, and I check OWA from my personal laptop when I can't be bothered to boot up my work laptop and connect the VPN to do a quick reply to an email in the evening. Less commonly, but it happens, is I also have a utility that I wrote that uses Exchange Web Services to access stuff in my mailbox. If POP3 or IMAP access has been enabled, that's 2 more ways to access your mailbox which will potentially trip your alarm.

Edit: I totally forgot about delegates and shared items. If for example someone has a secretary with delegate access to a mailbox, this will show as more connections to a particular mailbox. Exchange also empowers users to share things between themselves, without administrator intervention. All the shared contacts and shared calendars you have going on will make monitoring this an absolute nightmare.

Related

Can you connect to a TLS FTP site using the Windows command line FTP client?
Apache not starting after upgrade to OpenSuse 12.1
Configuring RAID on a VM Host for best performance of multiple Virtual Machines
iptables-save fails to write to file
Bash-Scripting - Munin Plugin don't work
Recovering linux software RAID array without removing it's items
"nice" for memory management
Is it possible to grant Read-Only Access to all Event Logs on Domain Controllers
Mounting NFSv4 share from Debian Linux 6 to Freebsd 9-RC3 "server requires stronger authentication"
Finding the most recent modification date of all files/subfolders in all top-level directories of a share with PowerShell
Managing consistent mounting of external USB hard drives in Linux (CentOS 5)
MSSQL 2008 R2 server roles: do server roles have implicit privileges over *all databases*?