If you would like to read the next part in this article series please go to Exchange 2007 Mailbox Access Auditing (Part 2).
Important:
Before you read this article any further, please read this blog post on the Exchange Team Blog:
Raising diagnostic logging for Message Access might cause calendar issues with Exchange 2007 SP2
In a previous article here on MSExchange.org, I covered how to perform basic auditing of mailbox access in Exchange 2003 using the Exchange System Manager and the event viewer. If you have already read that article, you may well remember that it exposed several limitations of that auditing process. For example, the Last Logged On By column in Exchange System Manager often references a Windows account that is different from the account that actually owns the mailbox. Furthermore, if the diagnostics logging level for access control is increased, event log entries are often recorded that show one particular user accessing a mailbox for which they are not the primary Active Directory account. Although this may initially sound suspicious, it was often the case that someone had merely opened someone else's calendar folder, which was enough to trigger the event log entry or to update the Last Logged On By column. The problem was compounded by service accounts for applications such as antivirus and backup software that needed to log into every mailbox, so their activity drowned out anything genuinely interesting. Auditing Exchange 2003 mailbox access in a full and deep manner was therefore quite difficult.
Enter Exchange 2007 Service Pack 2 and the new mailbox access auditing feature. This brand new feature gives the administrator of an Exchange organization a new set of diagnostics logging categories that record detailed auditing events when various resources are accessed. The resources whose access can be logged include messages and folders, as well as users sending as another user, either directly (Send As) or using the Send On Behalf Of feature. In this two-part article series we will look at how to enable this new feature and give examples of what to expect to see in the event log.
The Exchange Auditing Event Log
Rather than recording these new entries in the application event log, the mailbox access auditing feature writes them to a new event log called the Exchange Auditing event log. Keeping the audit trail in its own log also means it can be sized, retained and collected separately from the noisier application log. You can see this new event log in Figure 1, although it is currently empty; we will see how the new events look as we go through this article. In my lab environment running Exchange 2007 SP2, the new event log file, called ExchangeAuditing.evtx, is stored in the \Program Files\Exchange Server\Logs\AuditLogs folder.
Figure 1: Exchange Auditing Event Log
Enabling Mailbox Access Auditing
Let us look at how we can access the configuration area for mailbox access auditing. We will use the Exchange Management Console first and then move on to the Exchange Management Shell in part two of this article series. If you run the Exchange Management Console after applying Exchange 2007 Service Pack 2, you will likely notice a few subtle changes that let you know that Service Pack 2 has been applied. The first is an additional action pane menu item when highlighting one of your Exchange 2007 servers. In Figure 2, you can see the new Manage Diagnostic Logging Properties menu option.
Figure 2: Manage Diagnostic Logging Properties Menu Option
To configure mailbox access auditing on a particular mailbox server, first select that server in the Exchange Management Console and then choose the Manage Diagnostic Logging Properties menu option from the action pane. Doing so will bring up the Manage Diagnostic Logging Properties screen, as you can see in Figure 3. In this screen, expand the MSExchangeIS category and then expand the 9000 Private category beneath it.
Figure 3: Manage Diagnostic Logging Properties Configuration Screen
Under the MSExchangeIS\9000 Private category you will see many different areas for which you can configure the diagnostics logging level. As this article is focused on the mailbox access auditing feature, the particular categories that we are interested in are, in the order that they are presented in the configuration screen, Extended Send As, Extended Send On Behalf Of, Folder Access and Message Access. Let's first look at the Folder Access category to see what happens when one user accesses the inbox folder of another user. First, select the Folder Access category in the configuration screen and then choose the diagnostics logging level that you want to set it to. We'll set this to the Medium level, as you can see in Figure 4. We'll discuss what the various diagnostics logging levels mean later in this article, but for the moment you should understand that setting the level to Medium will log basic events when a user accesses folders in their own mailbox or in someone else's mailbox. Once the level has been chosen, click the Configure button.
Figure 4: Folder Access Diagnostics Logging Level Modification
If all goes well, you should be presented with a completion screen indicating that the event log level has been set successfully. However, the configuration is not complete yet, as you must restart the Microsoft Exchange Information Store service before the change takes effect. Bear in mind that restarting the Information Store service dismounts every mailbox and public folder database on that server, so every user homed there loses access for the duration of the restart; plan the change for a maintenance window rather than making it casually during the working day.
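The same change can be made from the Exchange Management Shell, which is easier to script and to repeat across servers. The following is an added example and is not code from the original article; it assumes a mailbox server named EX01 (a placeholder) and uses the Get-EventLogLevel and Set-EventLogLevel cmdlets that ship with Exchange 2007, with the category identities spelled exactly as they appear in the Manage Diagnostic Logging Properties tree.

```powershell
# Added example, not from the article. Assumption: the mailbox server is called EX01.
$server = "EX01"

# The four categories the article covers, under MSExchangeIS\9000 Private.
$categories = @(
    "$server\MSExchangeIS\9000 Private\Folder Access",
    "$server\MSExchangeIS\9000 Private\Message Access",
    "$server\MSExchangeIS\9000 Private\Extended Send As",
    "$server\MSExchangeIS\9000 Private\Extended Send On Behalf Of"
)

# Record the current levels first so the change can be reverted later (they default to Lowest).
"Current levels on $server :"
foreach ($cat in $categories) {
    Get-EventLogLevel -Identity $cat | Select-Object Identity, EventLevel
}

# Raise only Folder Access to Medium, matching the EMC walkthrough. Message Access is left
# alone on purpose: see the Exchange Team Blog post referenced at the top of the article.
Set-EventLogLevel -Identity "$server\MSExchangeIS\9000 Private\Folder Access" -Level Medium

# Confirm the new value was written before restarting anything.
$check = Get-EventLogLevel -Identity "$server\MSExchangeIS\9000 Private\Folder Access"
if ($check.EventLevel -ne "Medium") {
    throw "Folder Access level is '$($check.EventLevel)', expected Medium; not restarting the store."
}

# The change only takes effect after the Information Store restarts. This dismounts every
# database on the server, so run it in a maintenance window.
Restart-Service -Name MSExchangeIS -Force
```

To switch auditing off again, run the same Set-EventLogLevel command with -Level Lowest and restart the Information Store service once more.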
Auditing Folder Access
Let us now look at a situation where one user, Mark, first logs into his own mailbox and then proceeds to open the inbox folder of another user, Rob. In this particular example, the administrator has already granted Mark Full Access permission on Rob's mailbox. Consequently, access by Mark to Rob's mailbox is expected, but it is still recorded: the audit trail does not distinguish between permitted and unexpected access, it simply records who opened what. Now that we have configured the Folder Access category in the Manage Diagnostic Logging Properties configuration screen, let us see what information is logged in the Exchange Auditing event log. The moment Mark logs into his own mailbox, many new entries are added to the Exchange Auditing log, as you can see from Figure 5. In Figure 5, you can see that these new event log entries have an event ID of 10100, a source of MSExchangeIS Auditing and a category of Mailbox Access Auditing.
Figure 5: Exchange Auditing Event Log Entries
An example of one of these event log entries is shown below in Figure 6, where you can see that the event description reveals that Mark has accessed his own inbox folder. The other fields in the event description include the display name of the folder as it appears in Outlook or OWA, the distinguished name of the accessing user, whether the access was performed with administrative rights and, at the bottom, the start of the additional client information. We'll have a closer look at the additional client information in part two of this article.
Figure 6: Event ID 10100 – Own Mailbox Access
When Mark accesses Rob's inbox folder a new event log entry is recorded, and this has the same event ID, source and category as the entry recorded when Mark accessed his own mailbox; only the description tells the two apart. You can see this additional event log entry in Figure 7. Of course, with Full Access permission on Rob's mailbox, Mark is free to open any folder he likes, and as you might expect the auditing will log access to any folder, including any custom folders that Rob has created.
Figure 7: Event ID 10100 – Different Mailbox Access
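Reading these entries one at a time in the Event Viewer does not scale once a busy server is producing them, so it helps to pull the 10100 events out with a script. The following is an added example and is not code from the original article. It assumes the log is registered under the name "Exchange Auditing" (the article names the file ExchangeAuditing.evtx; confirm the registered name with Get-WinEvent -ListLog *Audit*) and that Windows PowerShell 2.0 or later is installed so Get-WinEvent is available. Rather than parsing the free-text description, it dumps each event's structured EventData fields, which exposes the folder display name, accessing user and client information that the article describes without depending on the exact wording of the message.

```powershell
# Added example, not from the article.
# Assumptions: the log's registered name is "Exchange Auditing" and PowerShell 2.0+ is present.
# Run on the mailbox server itself, or add -ComputerName to the Get-WinEvent calls.
$logName = "Exchange Auditing"
$since   = (Get-Date).AddHours(-1)

# Check the log exists before querying it, so an empty result is not mistaken for "no access".
$log = Get-WinEvent -ListLog $logName -ErrorAction Stop
"{0}: {1} records, {2} bytes on disk" -f $log.LogName, $log.RecordCount, $log.FileSize

# Folder Access events: ID 10100, source MSExchangeIS Auditing, from the last hour.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 10100; StartTime = $since } `
                         -ErrorAction SilentlyContinue)
"{0} folder access events since {1}" -f $events.Count, $since

# Group on the first line of the description to see which user/folder combinations were hit
# and how often; one user touching many other people's folders stands out immediately.
$events |
    Group-Object { ($_.Message -split "`r?`n")[0] } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Dump the structured fields of the most recent event. Data elements may carry a Name
# attribute; when they do not, they are positional and PowerShell returns them as strings.
if ($events.Count -gt 0) {
    $e    = $events[0]
    $xml  = [xml]$e.ToXml()
    $data = @($xml.Event.EventData.Data)
    "Most recent event at {0} (record {1}):" -f $e.TimeCreated, $e.RecordId
    $i = 0
    foreach ($d in $data) {
        $label = if ($d -is [string] -or -not $d.Name) { "Data[$i]" } else { $d.Name }
        $value = if ($d -is [string]) { $d } else { $d.'#text' }
        "    {0,-28} {1}" -f $label, $value
        $i++
    }
}
```

The grouping step is the quick check a practitioner wants: Mark's own mailbox generates a burst of entries simply from Outlook opening its folders, so a count per user and folder separates that background from the single entry produced when he opened Rob's inbox.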
Summary
That completes part one of this two-part article series, in which we have seen which Exchange auditing categories are available and looked at sample event log entries recorded when a user accesses their own mailbox or the mailbox of another user. In part two we will complete our look at this new feature of Exchange 2007 Service Pack 2 by controlling it from the Exchange Management Shell and by examining the events recorded by the Message Access and Send As logging categories.