Re: Monitoring access
- From: "Ed Crowley [MVP]" <curspice@xxxxxxxxxxxxxx>
- Date: Wed, 22 Mar 2006 16:04:19 -0800
Inline.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
"Javi" <Javi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DEA0FFA1-6851-4D71-8B21-D803B7B6FC92@xxxxxxxxxxxxxxxx
> I'm not sure if it appears in any of the regulations thrown around, but one
> aspect of IT security is ensuring only valid users have access to your systems.
> Part of this involves blocking inactive users (such as those that have not
> logged on in the last three months).
You should be managing this proactively through administrative practices.
Some companies assign expiry dates on accounts so that they have to be
actively renewed. But you can monitor logons to the domain. See below.
> During our inactive user audits on our Active Directory, we have blocked
> users which we thought were inactive but in fact were very active. These are
> users that do not log on to their Active Directory accounts, but DO access
> their Exchange account via OWA.
OWA uses the Active Directory account. The key to auditing accounts is that
you must query every domain controller to find the last logon date because
this attribute is not replicated. Perhaps that's why you're not seeing it.
> There is no way of seeing when one of these users last logged on (the domain
> controllers don't record their logons,
I beg to differ. A logon is a logon whether through OWA, a MAPI client, or
directly to Windows. If they log on through Outlook (and its logon dialog
box) or OWA, Exchange logs on for them by proxy. But it is still a logon.
> and the last logon Exchange provides is useless as it does not record the
> user's last logon, rather, the last time their mailbox was accessed (by any
> user)).
Agreed.
> As a result, I have no way of determining if a user is inactive.
See above.
> Am I not looking in the right place? How can I get the last logon for a user
> that does not log on to AD, but does access his/her Exchange account?
Again, all users log onto AD.
> Thanks for the info,
> Regards,
>
> "Ed Crowley [MVP]" wrote:
>> Even though that is not a quote of the laws, I don't see anything in there
>> that dictates the requirement you state.
>> --
>> Ed Crowley
>> MVP - Exchange
>> "Protecting the world from PSTs and brick backups!"
>> "Random" <random.nick@xxxxxxxxx> wrote in message
>> news:1142354104.701238.221950@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>> I don't have the text, but Microsoft does.
>>>
>>> Supporting Regulatory Compliance with Exchange Server 2003
>>> Published: April 19, 2004
>>> Download: Compliance.doc (191 KB, Microsoft Word file)
>>>
>>> Summary
>>> Such regulations as Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and SEC
>>> Rule 17A-4 set new data retention requirements for organizations,
>>> particularly in the financial services and healthcare industries.
>>> Exchange Server 2003 makes complying with data retention regulations
>>> easy by enabling organizations to create a reliable archival and
>>> compliance system.
>>> From this document:
>>>
>>> Sarbanes-Oxley Act
>>> The Sarbanes-Oxley Act requires that:
>>> · Companies implement extensive policies, procedures, and tools to
>>> prevent fraudulent activities
>>>
>>> Gramm-Leach-Bliley Act
>>> The Gramm-Leach-Bliley Act (Financial Institution Privacy
>>> Protection Act of 2001), amended in 2003 to enhance the protection of
>>> nonpublic personal information, requires that financial records be
>>> properly secured, safeguarded...
>>>
>>> Healthcare Insurance Portability and Accountability Act of 1996
>>> The Healthcare Insurance Portability and Accountability Act of 1996
>>> requires that:
>>> · Security standards be adopted to control who can access health
>>> information to provide audit trails for computerized record systems...
>>> · Health data is isolated and inaccessible to unauthorized access
>>> · Transmission of health information is physically, electronically,
>>> and administratively safeguarded to ensure the confidentiality of data
>>> If email is involved in the business process, then given the Exchange mail
>>> server's inability* (*please see below) to record who accessed what,
>>> when, and with or without success, I don't see how a valid security
>>> audit can be established
>>> + "to prevent fraudulent activities" - Sarbanes-Oxley
>>> + "the protection of nonpublic personal information, requires
>>> that financial records be properly secured, safeguarded" -
>>> Gramm-Leach-Bliley
>>> + "control who can access health information to provide audit
>>> trails for computerized record systems" - HIPAA
>>> + "Transmission of health information is physically,
>>> electronically, and administratively safeguarded to ensure the
>>> confidentiality of data" - HIPAA
>>> Regards,
>>> Nick
>>>
>>> * "Although you can use Mailbox Resources to see when someone logs on to
>>> their mailbox or to another mailbox, Mailbox Resources has some
>>> important limitations that you must know about. Following are these
>>> limitations:
>>> · Mailbox Resources does not show which folder is being logged on to.
>>> For example, Mailbox Resources does not indicate whether it is the
>>> Inbox, the Calendar, or the Contacts folder.
>>> · Mailbox Resources does not show whether the logon was successful or
>>> unsuccessful."
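As an added example, not part of this thread or of any Microsoft tooling, here is the per-DC query Ed describes above, written as a PowerShell script against the RSAT ActiveDirectory module. It assumes the account running it can read user objects on every domain controller in the domain, and it takes a `$InactiveDays` threshold (90, the "three months" Javi uses) as a constructed default. Because `lastLogon` is not replicated, the script asks every DC and keeps the newest value per user; an OWA or Outlook logon that Exchange proxies to a DC updates that DC's copy like any other logon, which is Ed's point.

```powershell
# Added example (not from the thread): find inactive AD users by collecting the
# non-replicated lastLogon attribute from every domain controller and keeping the
# most recent value per account. Requires the RSAT ActiveDirectory module.
# Assumptions: read access to user objects on all DCs; $InactiveDays is the
# inactivity threshold (constructed default of 90 days).
param(
    [int]$InactiveDays = 90
)

Import-Module ActiveDirectory

# Every writable DC in the domain; each holds its own lastLogon for each user.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# samAccountName -> newest lastLogon (Windows FILETIME, 0 = never seen on any DC)
$latest = @{}
$unreachable = @()

foreach ($dc in $dcs) {
    try {
        Get-ADUser -Server $dc -Filter 'enabled -eq $true' -Properties lastLogon |
            ForEach-Object {
                $ll = [int64]$_.lastLogon   # $null (never set on this DC) becomes 0
                $name = $_.SamAccountName
                if (-not $latest.ContainsKey($name) -or $ll -gt $latest[$name]) {
                    $latest[$name] = $ll
                }
            }
    } catch {
        # A DC that cannot be queried may hold the only recent logon for some
        # users, so record it instead of silently treating them as inactive.
        $unreachable += $dc
        Write-Warning "Could not query $dc : $_"
    }
}

if ($unreachable.Count -gt 0) {
    Write-Warning ("Results incomplete; unreachable DCs: " + ($unreachable -join ', '))
}

$cutoff = (Get-Date).AddDays(-$InactiveDays)

$latest.GetEnumerator() | ForEach-Object {
    # FILETIME 0 means no DC has ever recorded a logon for this account.
    $when = if ($_.Value -gt 0) { [DateTime]::FromFileTime($_.Value) } else { $null }
    [pscustomobject]@{
        User      = $_.Key
        LastLogon = $when
        Inactive  = ($null -eq $when) -or ($when -lt $cutoff)
    }
} | Where-Object Inactive | Sort-Object LastLogon | Format-Table -AutoSize
```

Run it from a management host with RSAT installed; accounts that appear with an empty LastLogon have never authenticated against any reachable DC. The replicated `lastLogonTimestamp` attribute is not a substitute here: by default it is only rewritten when the stored value is more than 14 days old, so it cannot distinguish a user last seen yesterday from one last seen two weeks ago, which is why the per-DC `lastLogon` query Ed recommends is the right source for an inactivity audit.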