RE: security issues


From: Lee Li [MSFT] (v-leeli_at_online.microsoft.com)
Date: 10/25/04


Date: Mon, 25 Oct 2004 07:18:40 GMT

Dear Customer,

Thank you for posting here.

Based on my knowledge, I would like to answer your question as follows.

First, based on my knowledge, the known cause of such an issue is not the
mail being read by other people, but a third-party service installed on
the Exchange Server side, such as Nextel Blackberry or an antivirus service,
which scans messages from the Information Store on the Exchange Server
side. This may lead to some unexpected behaviors, such as the symptom that
unread mail automatically turns to read mail. So first, if you installed the
third-party services mentioned above, please temporarily uninstall them and
verify whether the issue disappears.

In fact, the most efficient way to audit mailbox access is the Security Log
as you mentioned, which records all the actions on the mailboxes. Please
ensure you have done the following steps to enable the mailbox security
logging.

Step 1:

Please enable auditing on the Exchange Server that hosts the mailboxes you
want to monitor. To do so, please follow these steps:

Note: If the Exchange server is a member server, please enable auditing
from Local Security Policy.

1. Log on to Exchange Server by using a domain admin user account.
2. Click Start, point to All Programs->Administrative Tools->Local Security
Policy.

Note: If the Exchange server is a Domain controller, please click Domain
controller Security Policy in Administrative Tools.

3. Under "\Security Settings\Local Policies\Audit Policy", please double
click on "Audit object access" and check "Define these policy settings" and
check both "Success" and "Failure".
4. Click OK to save the settings.
5. Please double click on "Audit logon events" and check "Define these
policy settings" and check both "Success" and "Failure".
6. Click OK to save the settings.

Note: You may need to wait for a while to ensure the policy was applied to
Exchange Server.

Step 2:

Add auditing to the mailbox store via Exchange System Manager. To do so,
please follow these steps:

1. Open Exchange System Manager (ESM).
2. Navigate to <Organization>\Administrative
Groups\<domain>\servers\<Exchange server>\First Storage Group\, right click
on the Mailbox Store where the CEO's and higher officers' mailboxes are
located, and then click Properties.
3. On the Security page, click on the "Advanced" button.
4. On the Auditing tab, please click Add and type "everyone" (without
quotation marks), and then click OK.
5. On the "Auditing Entry for" dialog box, please choose "This object,
sub-containers, and children objects" in the "Apply onto" list.
6. You can check all check boxes in the "Access" list. (Successful and
Failed).

Step 3: Examine Event Viewer:

1. Use some account to log into their mailbox.
2. Open Event Viewer and see the Security Log. Please notice the entries
similar to the following one. If the "User" and the "Object Name" are
different, we can infer the "user" is accessing the "Object Name" mailbox.

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 565
Date: 1/12/2004
Time: 10:25:22 AM
User: MILIN2000\administrator
Computer: 2000DC
Description:
Object Open:
         Object Server: Microsoft Exchange
         Object Type: Microsoft Exchange Logon
         Object Name: /o=MilinOrg/ou=First Administrative Group/cn=Recipients/cn=Administrator
         New Handle ID: 66459248
         Operation ID: {0,9452622}
         Process ID: 1956
         Primary User Name: 2000DC$
         Primary Domain: MILIN2000
         Primary Logon ID: (0x0,0x3E7)
         Client User Name: administrator
         Client Domain: MILIN2000
         Client Logon ID: (0x0,0x184A4)
         Accesses Unknown specific access (bit 0)
                        
         Privileges -

Please let me know the results so that I can provide further assistance on
this problem. I am looking forward to your reply.

Thanks & Regards,

Lee Li
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
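
The Step 3 comparison of "User" against "Object Name" can be run over exported Security Log text instead of by eye. The following is an added example, not part of the original post or any Microsoft tool; the second sample record, the account name jdoe, and the function names are constructed for illustration, and it assumes records are separated by blank lines and that the mailbox's final cn= value equals the owner's account name.

```python
import re

# Constructed sample: the first record is taken from the event in the post, the
# second is an invented record in which another account opens the same mailbox.
SAMPLE = """\
Event ID: 565
User: MILIN2000\\administrator
         Object Type: Microsoft Exchange Logon
         Object Name: /o=MilinOrg/ou=First Administrative
Group/cn=Recipients/cn=Administrator

Event ID: 565
User: MILIN2000\\jdoe
         Object Type: Microsoft Exchange Logon
         Object Name: /o=MilinOrg/ou=First Administrative
Group/cn=Recipients/cn=Administrator
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_events(text):
    """Split on blank lines; return one dict of 'Key: value' fields per record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                last = m.group(1)
                fields[last] = m.group(2).strip()
            elif last == "Object Name" and line.strip():
                # Event Viewer text wraps long DNs; rejoin the wrapped tail.
                fields[last] += " " + line.strip()
        events.append(fields)
    return events

def cross_mailbox_opens(events):
    """Return (user, mailbox_cn) for Exchange logons where the two differ."""
    hits = []
    for e in events:
        if e.get("Event ID") != "565" or e.get("Object Type") != "Microsoft Exchange Logon":
            continue
        # Assumption: mailbox cn equals the owner's account name, as in the
        # post's sample. Where aliases differ, map them to accounts first.
        mailbox = e.get("Object Name", "").rsplit("/cn=", 1)[-1]
        account = e.get("User", "").rsplit("\\", 1)[-1]
        if mailbox.lower() != account.lower():
            hits.append((e["User"], mailbox))
    return hits

if __name__ == "__main__":
    print(cross_mailbox_opens(parse_events(SAMPLE)))
```

Service accounts for the third-party products mentioned earlier in the post will also appear as hits, so expect to filter known scanner accounts before reviewing the result.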

