Exchange security monitoring tools [closed]

I am trying to identify tools that can perform security monitoring of Exchange. Ideally, the tools should be able to pick up things like:

  • permission changes for high risk mailboxes
  • multiple connections to same mailbox

Bonus points if it can be deployed without major reconfiguration of Exchange.

Is there anything like it?


Solution 1:

If you're running Exchange 2010 you should take a look at Overview of Administrator Audit Logging. You tell Exchange what cmdlets it should audit and it will log various relevant bits of info. It supports wildcard matches on cmdlet names too. Since everything in Exchange 2010 (including the GUI) uses cmdlets, you cannot get around the auditing.

If you installed Exchange 2010 SP1 (as opposed to upgrading from Exchange 2010 RTM) then admin audit logging is already turned on by default. If you need to turn this on, run Set-AdminAuditLogConfig -AdminAuditLogCmdlets *.

As for your second question, I don't think you're going to be able to achieve that one. Outlook alone creates more than its fair share of connections to your mailbox, and some dodgy Outlook plugins create even more, which you might know if you've ever had the "32 maximum connections" problem. Even if you did manage to figure out which connections belonged to a particular "session", have you ever accidentally opened a new instance of Outlook while it's already open? That's going to trip your alarm.

You also aren't counting the multitude of ways Exchange allows you to get at your mailbox. I have a laptop, but I often find myself on a separate desktop in our build room for a few hours, and I'll want my emails there too. I've also got my phone connected by ActiveSync, and I check OWA from my personal laptop when I can't be bothered to boot up my work laptop and connect the VPN to do a quick reply to an email in the evening. Less commonly, but it happens, I also have a utility that I wrote that uses Exchange Web Services to access stuff in my mailbox. If POP3 or IMAP access has been enabled, that's two more ways to access your mailbox which will potentially trip your alarm.

Edit: I totally forgot about delegates and shared items. If for example someone has a secretary with delegate access to a mailbox, this will show as more connections to a particular mailbox. Exchange also empowers users to share things between themselves, without administrator intervention. All the shared contacts and shared calendars you have going on will make monitoring this an absolute nightmare.
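The answer above points at administrator audit logging for the first requirement (permission changes on high-risk mailboxes). The following is an added worked example, not part of the original answer, showing how that audit log can be turned into a targeted report from the Exchange Management Shell. It assumes Exchange 2010 SP1 or later (Search-AdminAuditLog was added in SP1); the mailbox names in $highRiskMailboxes are constructed placeholders, not real objects.

```powershell
# Added example: report permission changes on watched mailboxes using
# Exchange 2010 SP1 administrator audit logging. Run in the Exchange
# Management Shell. The mailbox names below are constructed placeholders.

# 1. Make sure admin audit logging is on and records every cmdlet and its
#    parameters. The answer's -AdminAuditLogCmdlets * covers the cmdlet part;
#    -AdminAuditLogParameters * also records which parameters were passed,
#    which is what tells you *what* access was granted.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * `
    -AdminAuditLogParameters * `
    -AdminAuditLogAgeLimit 365.00:00:00    # keep a year instead of the 90-day default

# 2. Mailboxes to watch (constructed placeholder object names; the audit log
#    records the AD object name, e.g. 'contoso.com/Users/CEO', so match on
#    the leaf name rather than the SMTP address or alias).
$highRiskMailboxes = @('CEO', 'CFO', 'Legal Archive')

# 3. Cmdlets that grant, change or remove access to a mailbox. Wildcards are
#    accepted, so '*-MailboxPermission' matches Add-, Remove- and Set-.
$permissionCmdlets = @(
    '*-MailboxPermission',
    '*-ADPermission',
    'Set-Mailbox'      # only interesting for a few parameters, filtered below
)

# 4. Set-Mailbox is noisy; only keep entries that touch delegation/forwarding.
$sensitiveSetMailboxParams = @(
    'GrantSendOnBehalfTo', 'ForwardingAddress', 'ForwardingSmtpAddress'
)

# 5. Pull the last 24 hours of audit entries for those cmdlets.
$end   = Get-Date
$start = $end.AddHours(-24)
$events = Search-AdminAuditLog -Cmdlets $permissionCmdlets `
    -StartDate $start -EndDate $end

# 6. Keep entries whose target is a watched mailbox, and drop Set-Mailbox
#    calls that did not change any of the sensitive parameters.
$hits = $events | Where-Object {
    $leaf = ($_.ObjectModified -split '/')[-1]
    if ($highRiskMailboxes -notcontains $leaf) { return $false }
    if ($_.CmdletName -ne 'Set-Mailbox') { return $true }
    $names = $_.CmdletParameters | ForEach-Object { $_.Name }
    ($names | Where-Object { $sensitiveSetMailboxParams -contains $_ }).Count -gt 0
}

# 7. One line per change: when, who, which cmdlet, which mailbox, which
#    parameters, and whether it actually succeeded.
$hits | Sort-Object RunDate | ForEach-Object {
    $params = ($_.CmdletParameters |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join ' '
    '{0:u}  {1}  {2}  {3}  succeeded={4}  {5}' -f `
        $_.RunDate, $_.Caller, $_.CmdletName, $_.ObjectModified,
        $_.Succeeded, $params
}
```

Because every management path (EMC, EMS, ECP) goes through the same cmdlets, a grant of FullAccess via the console shows up here exactly as one made from the shell. Scheduling this script (or an equivalent New-AdminAuditLogSearch, which emails the results as XML) and alerting on any non-empty output gives the "permission changes for high-risk mailboxes" detection without reconfiguring Exchange itself; the -AdminAuditLogAgeLimit value is the one setting worth thinking about, since the default retention of 90 days is often shorter than the window an investigation needs.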