Tuesday, February 2, 2010

Enabling Auditing in Exchange 2007 SP2

One of the great improvements in Exchange 2007 SP2 is better auditing, a feature missing in previous versions of Exchange, and it can now be configured from the GUI of the Exchange Management Console. Before the release of SP2, we had to use shell cmdlets for getting and setting diagnostic logging for the various Exchange parameters.

Although we can still use these cmdlets to do the same in SP2, the option is now available in the Exchange console, which is good news for many admins who are not that comfortable with the Exchange shell.

In order to increase the logging level for an Exchange attribute, launch EMC and navigate to Server Configuration. Right-click the server and select “Manage Diagnostic Logging Properties”. You can get the same option by right-clicking the server from any of the nodes under Server Configuration.

Drill down and select the property that you want and set the logging level. The different levels of logging available are lowest, low, medium, high and expert. Once the logging is enabled, detailed information is available in the event viewer.

Once you have finished with the increased logging, right-click the server, select “Manage Diagnostic Logging Properties” and then select “Reset all services to default logging level” to switch logging back to the default level.

Access Auditing is controlled by the diagnostic categories of the Exchange Information Store (MSExchangeIS). We cannot use this feature to audit message deletions; only access can be audited. The following are the four actions on which auditing is possible.

• Folder Access - Lets you log events that correspond to opening folders, such as the Inbox, Outbox, or Sent Items folders.

• Message Access - Lets you log events that correspond to explicitly opening messages.

• Extended Send As - Lets you log events that correspond to sending a message as a mailbox-enabled user.

• Extended Send On Behalf Of - Lets you log events that correspond to sending a message on behalf of a mailbox-enabled user.

How To Enable Mailbox Access Auditing?

Launch EMC & navigate to Server Configuration -> Mailbox. Select your mailbox server, right click & select “Manage Diagnostic Logging Properties”. Drill down to MSExchangeIS -> 9000 Private.

Expand the tree to see all the options & you will find the four options mentioned above.

Increase the logging level, depending upon the level of information you need & click Configure. That’s it!
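The same change can be scripted from the Exchange Management Shell with the Get-EventLogLevel and Set-EventLogLevel cmdlets. The following is an added example and not part of the original post; it assumes the category identities take the form MSExchangeIS\9000 Private\<category>, mirroring the EMC tree above, and that Medium is the level you want:

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the mailbox server. The identities mirror the EMC tree
# MSExchangeIS -> 9000 Private -> <category> (assumed format).

$categories = @(
    "MSExchangeIS\9000 Private\Folder Access",
    "MSExchangeIS\9000 Private\Message Access",
    "MSExchangeIS\9000 Private\Extended Send As",
    "MSExchangeIS\9000 Private\Extended Send On Behalf Of"
)

# Level to apply: Lowest (the default), Low, Medium, High or Expert.
# Higher levels log more detail and more volume; pick what you need (assumed: Medium).
$level = "Medium"

# Record the current levels before changing anything
foreach ($category in $categories) {
    Get-EventLogLevel -Identity $category | Format-Table Identity, EventLevel -AutoSize
}

# Turn mailbox access auditing on for the four categories
foreach ($category in $categories) {
    Set-EventLogLevel -Identity $category -Level $level
}

# Confirm the new levels
foreach ($category in $categories) {
    Get-EventLogLevel -Identity $category | Format-Table Identity, EventLevel -AutoSize
}

# When the investigation is over, put the categories back to the default
# (uncomment to run):
# foreach ($category in $categories) { Set-EventLogLevel -Identity $category -Level Lowest }
```

Keeping the reset line next to the enable line makes it less likely that a raised level is forgotten and left filling the log on a production server.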

How To Access The Audited Info?

Now that mailbox access auditing is enabled, we need to be able to get at the information logged. SP2 creates a separate log for information related to mailbox access, named Exchange Auditing. Navigate to Event Viewer -> Applications and Services Logs -> Exchange Auditing.

How To Change The Default Properties?

By default, the logs are stored in the Exchange Server installation directory, Drive\Program Files\Microsoft\Exchange Server\Logging\AuditLogs to be precise. The default behaviour is to archive the log when it gets full, so the archives accumulate on that drive. Hence, the location of the logs should be changed to a drive that has enough free space. You can achieve this by opening the properties of Exchange Auditing in Event Viewer and changing the options.
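The same properties can be read and changed from the command line with wevtutil, which is handy when you have several mailbox servers to configure. This is an added example, not from the original post; the target path and maximum size are assumed values:

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on the mailbox server. Target path and size are assumed values.

$channel  = "Exchange Auditing"
$newPath  = "D:\ExchangeAuditLogs\ExchangeAuditing.evtx"   # assumed: a drive with free space
$maxBytes = 1GB                                            # assumed maximum log size

# Show the current settings: logFileName, maxSize, retention and autoBackup
wevtutil gl $channel

# Create the target folder if it does not exist yet
$folder = Split-Path $newPath
if (-not (Test-Path $folder)) {
    New-Item -ItemType Directory -Path $folder | Out-Null
}

# Move the log and raise its size. /rt:true with /ab:true is the "archive the
# log when full, do not overwrite events" behaviour the post describes, so the
# archived .evtx files still need to be collected and pruned from this drive.
wevtutil sl $channel /lfn:$newPath /ms:$maxBytes /rt:true /ab:true

# Verify the change took effect
wevtutil gl $channel
```

If the log stops growing after the move, check that the Event Log service (which runs as LocalService) has write access to the new folder.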

What About Service Accounts?

Any organization will have service accounts that have full access to mailboxes, such as the accounts used to run backups. As accounts of this type are used on a daily basis, we don’t want information about them filling up our mailbox access log. To overcome this issue, SP2 extends the schema with a new right named “Bypass Auditing”. Run the following command to exclude a service account from being audited.

# Pipe the database into Add-ADPermission so the right is granted on that database object
Get-MailboxDatabase -Identity "server\sg\dbname" |
    Add-ADPermission -User "service account" -ExtendedRights ms-Exch-Store-Bypass-Access-Auditing -InheritanceType All
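Because an account holding this right leaves no trace in the Exchange Auditing log, the list of such accounts is worth reviewing regularly. The following added example (not from the original post) lists every account granted the bypass right on each mailbox database, using whatever databases Get-MailboxDatabase returns in your organization; the identity values in the commented revoke line are placeholders:

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Lists who can bypass mailbox access auditing on each mailbox database.

$bypassRight = "ms-Exch-Store-Bypass-Access-Auditing"

Get-MailboxDatabase | ForEach-Object {
    $database = $_
    $database | Get-ADPermission |
        Where-Object {
            # Keep only allow ACEs that carry the bypass extended right
            (-not $_.Deny) -and
            (($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains $bypassRight)
        } |
        Select-Object @{ Name = "Database"; Expression = { $database.Name } },
                      User,
                      IsInherited
}

# To revoke the right from an account that no longer needs it
# (placeholder identity values; uncomment to run):
# Get-MailboxDatabase -Identity "server\sg\dbname" |
#     Remove-ADPermission -User "service account" -ExtendedRights $bypassRight -InheritanceType All
```

Running this after every change to backup or migration tooling keeps the bypass list limited to accounts that still need it.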

Configure Auditing to Track Exchange Server Usage

Auditing lets you track what’s happening with Exchange Server. You can use auditing to collect information related to logons and logoffs, permission use, and much more. Any time an action that you’ve configured for auditing occurs, it is written to the system’s security log. You can then access the security log from Event Viewer. You enable auditing in the domain through Group Policy.

To enable Exchange auditing, follow these steps:

1. Start the Group Policy Management Console by clicking Start, All Programs, Administrative Tools, Group Policy Management. You can now navigate through the forest and domains in the organization to view individual Group Policy Objects.

2. To specifically audit users’ actions on Exchange Server, you should consider creating an organizational unit (OU) for Exchange servers and then define auditing policy for a Group Policy Object applied to the OU. After you’ve created the OU or if you have an existing OU for Exchange servers, right-click the related policy object, and then select Edit to open the policy object for editing in Group Policy Management Editor.

3. Access the Audit Policy node by working your way down through the console tree. Expand Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies. Then select Audit Policy.

4. You should now see the following auditing options:

• Audit Account Logon Events - Tracks user account authentication during logon. Account logon events are generated on the authenticating computer when a user is authenticated.

• Audit Account Management - Tracks account management by means of Active Directory Users And Computers. Events are generated any time user, computer, or group accounts are created, modified, or deleted.

• Audit Directory Service Access - Tracks access to Active Directory. Events are generated any time users or computers access the directory.

• Audit Logon Events - Tracks local logon events for a server or workstation.

• Audit Object Access - Tracks system resource usage for mailboxes, information stores, and other types of objects.

• Audit Policy Change - Tracks changes to user rights, auditing, and trust relationships.

• Audit Privilege Use - Tracks the use of user rights and privileges, such as the right to create mailboxes.

• Audit Process Tracking - Tracks system processes and the resources they use.

• Audit System Events - Tracks system startup, shutdown, and restart, as well as actions that affect system security or the security log.

5. To configure an auditing policy, double-click or right-click its entry, and then select Security. This opens a Properties dialog box for the policy.

6. Select the Define These Policy Settings check box, and then select the Success check box, the Failure check box, or both. Success logs successful events, such as successful logon attempts. Failure logs failed events, such as failed logon attempts.

7. Repeat steps 5 and 6 to enable other auditing policies. The policy changes won’t be applied until the next time you start the Exchange server.
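Once the policy has taken effect, check what is actually in force on the Exchange server rather than trusting the GPO alone. The following added example (not from the original post) wraps auditpol, which reports the effective policy per subcategory; the parsing assumes the English column layout of auditpol /get, and the subcategory names and expected settings it checks are assumptions chosen to correspond to the policies listed above:

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# prompt on the Exchange server. Assumes the English output layout of auditpol.

function Get-EffectiveAuditPolicy {
    # Returns a hashtable of subcategory name -> effective setting
    $policy = @{}
    foreach ($line in (auditpol /get /category:*)) {
        # Subcategory rows are indented two spaces; the setting is the last column
        if ($line -match '^\s{2}(?<name>\S.*?)\s{2,}(?<setting>No Auditing|Success and Failure|Success|Failure)\s*$') {
            $policy[$Matches.name] = $Matches.setting
        }
    }
    return $policy
}

# Subcategories (assumed names and targets) behind the policies listed above
$expected = @{
    "Credential Validation"   = "Success and Failure"   # Audit Account Logon Events
    "User Account Management" = "Success and Failure"   # Audit Account Management
    "Logon"                   = "Success and Failure"   # Audit Logon Events
    "Logoff"                  = "Success"               # Audit Logon Events
    "Audit Policy Change"     = "Success and Failure"   # Audit Policy Change
    "Sensitive Privilege Use" = "Success and Failure"   # Audit Privilege Use
    "Security State Change"   = "Success and Failure"   # Audit System Events
}

$actual = Get-EffectiveAuditPolicy
foreach ($name in ($expected.Keys | Sort-Object)) {
    $setting = if ($actual.ContainsKey($name)) { $actual[$name] } else { "<not reported>" }
    $status  = if ($setting -eq $expected[$name]) { "OK" } else { "CHECK" }
    "{0,-6} {1,-26} expected: {2,-20} actual: {3}" -f $status, $name, $expected[$name], $setting
}
```

Any row marked CHECK means the server is not auditing what you configured, which is worth knowing before you rely on the security log during an incident.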
