If you would like to read the other parts in this article series please go to:
Improving Security around Discovery Mailboxes and Multi-Mailbox Search…
In this article series we have examined the power of the Multi-Mailbox Search functionality however, can you imagine the security implications if such feature is not used properly? In this part of our series we can check some of the built-in features that help administrators handle the security concerns related to Multi-Mailbox Search feature.
Let’s start simple and look at how we can retrieve changes performed on the Role Groups. Logged into the Exchange Control panel using Auditing access permissions (by default, Organization Management and Records Management Role Groups), click on Options, click See All Options, and then select Manage My Organization located on the Options area (upper left corner). Click Roles & Auditing, then Auditing icon and finally the Run an administrator role group report… (Figure 01). Based on defined dates we are able to keep track of all changes to a Role Group.
Figure 01
If you are not seeing any changes in the logs, you may have to enable the AdminAuditLog feature using the following cmdlet: Set-AdminAuditLogConfig –AdminAuditLogEnabled:$true. It may take a while to enable it.
Another built-in feature that can be used is the Audit at mailbox level to make sure that a mailbox is being used properly. Depending on the company security concerns/requirements it may be a best practice to enable Audit and in our case we are going to enable even AuditOwner to make sure that any information is being logged. By default, Owner access is not logged and it shouldn’t be for Discovery Mailboxes since they are disabled accounts, but we don’t want users enabling the account and having access without logging in.
Using the following syntax (Figure 02), we will be able to turn on Audit and enforce Owner Audit on the mailbox as follows:
Set-Mailbox <Mailbox-Name> -AuditEnabled:$True -AuditOwner:Create,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems
Figure 02
We can search through the logs generated on that specific mailbox by running the following syntax:
Search-MailboxAuditLog -Identity <Discovery-Mailbox-Name> -StartDate ‘<Date>’ -EndDate ‘<Date>’ –ShowDetails
In just one entry of the logs, we can find out that a folder was deleted, by which user and additional information, as shown in Figure 03.
Figure 03
Bear in mind that there are several ways to retrieve the Mailbox Audit Log and in the previous example we are using just a single mailbox and –ShowDetails switch, as we want to make sure that Owner activities are also listed. Also, we can take advantage of PowerShell and use Where-Object, Select, Sort-Object to narrow down the search or even create reports using Exchange Management Shell.
Managing users that left the organization…
During this article series we saw how the Multi-Mailbox Search feature can help an organization to discovery items that may be required by HR, Legal or any other department. However, all that data must be accessible and stored on Exchange Server, otherwise the Multi-Mailbox Search won’t work properly.
Some companies have the solution of creating a PST for each user leaving the organization, which works fine if you need to restore a message from that specific person. However, when you reach the number of let’s say 150 PSTs and your Legal department says that you need to do a search on all existent mailboxes and all saved PSTs, then you may regret not having kept the mailboxes around. What could be worse than the previous tedious task? You may be wondering, jail time, no internet for a month, right? I think the worst is that after all that hard work the same guy that created that requirement asks you to do a new search just in case… and here you are with that universe of PSTs to work on again.
Based on the previous scenario, what is the best practice when a user leaves the company? Unfortunately, there is no final or even right answer for that because it is based on your company requirements. Some companies require X number of years just for Directors and above while other companies require all mailboxes for X years and so forth. At the end, a good suggestion is to make sure that you know for how long you should keep those mailboxes and then apply a few good practices as follows:
-
Create a Database for those mailboxes
-
You may enable circular logging on those databases, after all you won’t have data flowing all the time on those mailboxes
-
Disable the user account in Active Directory but do not remove or disable the mailbox
-
If you can, keep the Database for those users in a DAG which improves the High Availability and resiliency for that data
-
Remove the users that left the company from the Global Address List
-
Prohibit the mailboxes that are no longer in use to send and receive new messages, this can be done in several different ways (Transport Rules, Message Size limits, message size restrictions)
-
Some companies change the SMTP with a pattern to make sure that the SMTP is not valid and does not generate a NDR
-
Remove the terminated user from all groups that he belongs to
After defining the proper procedure of terminated users, you can create a script to perform all changes required by that procedure.
Using Multi-Mailbox Search to delete messages…
We can also take advantage of Multi-Mailbox Search feature to address a common issue where we want to delete a message from all mailboxes. Let’s say that a regular user sent a message containing a webpage to spread a virus to several internal users.
Before you start deleting mails all over the place we can run a quick Mailbox Search Request containing the keyword for the malicious page that was sent (for example http://www.givemeavirus.com) and let’s use the Estimate the search results option. Then, in a single glance we can determine how that message (Figure 04) is spreading on our network and if it is really an issue. Bear in mind that those results are based on the current information, if you don’t take action and if the users keep forwarding the message you may need to run the search again to get updated results.
Figure 04
If we use the option to copy the search results to the Discovery Mailbox we will be able to check which mailboxes have such message and then we can use the Search-Mailbox cmdlet with –DeleteContent parameter to go to each affected mailbox and remove the message using the SearchQuery attribute to narrow down the results. Note: The user must be part of the Mailbox Import Export role to be able to run the command.
Figure 05
Another possible way to track down the messages is using Message Tracking, but the idea here is to give you visibility on how to use the Multi-Mailbox Search feature to control the process.
Conclusion
We went over the process to use Multi-Mailbox Search to control the spread of a single message like a virus and also some built-in capabilities in the product to protect the Discovery Mailboxes.
If you would like to read the other parts in this article series please go to:
