Wednesday, February 18, 2015


Auditing mailbox actions for security and accountability

I was facing a challenge. A company VIP with a few secretaries and a few mobile devices was facing a serious issue. Calendar items were changing by themselves. Updates were sent to attendees, but something changed the meeting date/time in the owner's mailbox.
I was asked to find out the root cause.

In order to do that, there are two tools:

  1. The Microsoft Exchange Troubleshooting Assistant (Extra.exe), which allows you to gather the information, but you will have to open a case with MS in order to get the results.
    The process requires starting the tool on the mailbox server of the affected user and targeting the user mailbox to perform a trace until the issue occurs.
  2. Enable Mailbox Audit on the Exchange Server (2010)

    This is the path we will investigate.


    Enabling mailbox auditing is something that you can do by yourself. The audit can be used for security reasons (to see who is abusing his/her assigned permissions to do something they are not supposed to do); this covers Admins as well as Delegates, but you can also configure auditing of the mailbox owner's actions, which can help with troubleshooting.

    The audit is enabled per user mailbox and is saved as part of the mailbox.
    The audit log needs to be enabled, the number of days to keep the audit can be specified (90 days by default), and most importantly, you must configure what to audit.

    In my case, the default owner audit setting did not include all types of operations, so it was difficult at first to track the problem (it was discovered by the trace, because the audit lacked the information). However, after enabling additional audit items for the mailbox owner, all actions were tracked and specific calendar actions could be associated with a specific ActiveSync mobile device.
    This eventually was found to be the cause of the above problem.

    So... Let's start this thing:

    First, log on with a user with administrative rights to the Exchange server to enable auditing for the user mailbox you would like to investigate.

    Now, Enable auditing on the mailbox with the command:

    Set-Mailbox UserName -AuditEnabled $true

    This command will enable auditing for Admin actions as well as Delegate actions, but not for mailbox owner actions.

    If you run the command Get-Mailbox UserName | select *audit*
    you will see exactly what is audited and what is not:

    AuditEnabled     : True
    AuditLogAgeLimit : 90.00:00:00
    AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
    AuditDelegate    : {Update, SoftDelete, HardDelete, FolderBind, SendAs, Create}
    AuditOwner       : {}

    You may notice that by default the mailbox owner is not audited.

    If you run the command: Set-Mailbox UserName -AuditOwner $true
    you will see that the AuditOwner setting changes to:

    AuditOwner       : {Update}

    This is nice, but may not be enough to get all the information you want.

    Let's enable auditing for all options for Admin, Delegate and Owner:

    Set-Mailbox UserName -AuditEnabled $true -AuditAdmin Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create -AuditDelegate Update,SoftDelete,HardDelete,FolderBind,SendAs,Create -AuditOwner Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,Create

    Of course this will consume more space; however, you only need to enable this when you need to investigate an issue, or on a regular basis for specific users.

    Now, allow some time for the information to be collected.

    When you want to investigate, you will need to view or export the information in order to filter it more easily.

    The command that is used to retrieve the data is:
    Search-MailboxAuditLog UserName -ShowDetails

    This will give you tons of lines of information on every action performed on every item.
    You can either use PowerShell to filter the output sent to the screen, or, more easily, send everything (filtered or unfiltered) to a CSV file to be opened later in Excel or your favorite spreadsheet.

    Search-MailboxAuditLog UserName -LogonTypes Admin,Delegate,Owner -ShowDetails | export-csv c:\UserName.csv -Encoding utf8

    Please note that you can specify all logon types (as shown in the command above) or just a specific logon type, such as Delegate, if you only want data about actions performed by the delegates.
    The -Encoding utf8 parameter allows non-English characters (in my case Hebrew) in the item subject to be exported so they can be read correctly.

    You can additionally filter based on the available properties. For example, add the following pipe between the Search section and the Export section in order to keep only audit items in the calendar folder: | where {$_.FolderPathName -like "\calendar"} |
    If English is NOT your default folder language, you will need to modify the folder name to match your folder language.

    In the CSV file you will get all the detailed information on the actions performed.
    The information also includes the client type, such as Outlook and even ActiveSync.
    The ClientInfoString provides the full device information, so you will be able to tell which device performed the action (this is very helpful when a few devices are used to sync with the same mailbox).
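    The search, calendar filter and CSV export described above, combined into one script that also summarises the calendar changes per client so that a single ActiveSync device stands out. This is an added example, not a script from the original post; it assumes an Exchange 2010 Management Shell session, and $Mailbox, $Days, $CalendarFolder and $OutCsv are placeholder values to adjust.

```powershell
# Added example (not from the original post). Placeholders: adjust before use.
$Mailbox        = "UserName"
$Days           = 14
$CalendarFolder = "\Calendar"   # change this if the folder language is not English
$OutCsv         = "C:\$Mailbox-calendar-audit.csv"

# Caveat: owner actions only appear if owner auditing was switched on beforehand.
$mbx = Get-Mailbox -Identity $Mailbox
if (-not $mbx.AuditEnabled -or $mbx.AuditOwner.Count -eq 0) {
    Write-Warning "Auditing is not fully enabled on $Mailbox; owner actions will be missing."
}

# Pull every audit entry for the period and keep only the calendar folder.
# -ResultSize Unlimited avoids the default cap on returned entries.
$entries = Search-MailboxAuditLog -Identity $Mailbox `
    -LogonTypes Admin,Delegate,Owner `
    -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
    -ShowDetails -ResultSize Unlimited |
    Where-Object { $_.FolderPathName -eq $CalendarFolder }

# One row per audit entry with the fields that matter for the investigation.
# ClientInfoString is a ';'-separated string whose first token names the client
# (e.g. Client=ActiveSync), which is used here as a short client label.
$rows = $entries | Select-Object LastAccessed, Operation, LogonType,
    LogonUserDisplayName, ClientIPAddress, ItemSubject, ClientInfoString,
    @{ Name = "Client"; Expression = { ($_.ClientInfoString -split ';')[0] } }

# UTF8 keeps non-English subjects readable, as in the post.
$rows | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8

# Summary: number of calendar changes per client string, most active first.
# A mobile device that keeps updating items nobody touched from Outlook shows
# up at the top of this list with its own ClientInfoString.
$rows | Group-Object ClientInfoString |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```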

    Another option to view and filter audit logs for a specific mailbox is the Exchange Control Panel (ECP) on your Exchange server, for example at https://yourserver/ecp



    However, based on the available options, it doesn't seem you can view owner actions using this interface.

    I hope this article will provide you with valuable information for troubleshooting.
    If you like this article you are welcome to drop me a line at: liranzamir@gmail.com
