Re: Someone has meddled with Active Directory users (has set email forwarding to external account)- how can I tell who? - Urgent!
From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 01/02/05
- Previous message: Lanwench [MVP - Exchange]: "Re: ThorConnWndClass Issue"
- In reply to: swilliams_at_cromwells.co.uk: "Someone has meddled with Active Directory users (has set email forwarding to external account)- how can I tell who? - Urgent!"
Date: Sat, 1 Jan 2005 22:07:11 -0500
swilliams@cromwells.co.uk wrote:
> We recently had what appears to be someone logging onto the Exchange
> 2000 server and setting any mail sent to two domain users to be also
> forwarded to an external recipient (Contact) that I had set up
> previously. This is the second time this has happened in 6 months, and
> meant the user whose Contact address this was, was getting mail
> destined for these 2 users- obviously a big security risk. Is there
> ANY way of finding out which domain user might have made the changes
> to the Active Directory objects for these users? Neither previously
> had any forwarding set up in Delivery Options.
>
>
> There doesn't seem to be anything in Event Viewer for this kind of
> change, and I can't see any way at all how Active Directory would
> choose to set up forwarding to an external recipient in this way.
> Furthermore this is the second time this has occurred and there appear
> to be patterns (personnel-wise) linking the two events. I'm almost
> completely certain that this is deliberate. I have been tasked with
> finding out who has done this as quickly as possible.
>
>
> This is extremely urgent, so any help anyone can give me would be much
> appreciated! Please reply to the thread or email me
> (swilli...@cromwells.co.uk). Thanks for your assistance.
This can't happen accidentally. Start with the basics.
Which accounts have permissions to do anything like this?
Who knows the administrator credentials? Change the password.
Who has physical access to the server(s)?
Is terminal services (admin mode) enabled on this server?
What ports are open in your Internet-facing firewall?
Cui bono?
Even if you can set up security auditing to log this specific sort of
change, it's too late now that the horses are out of the barn, as it were.
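As an added example (not from this thread or its author), here is a small check an admin could run over an ldifde export of the user container to find every mailbox with forwarding set and when its object last changed, which narrows the window in which the change was made. The attribute names altRecipient (the forwarding target) and targetAddress (the contact's SMTP address) are assumed from the Exchange/AD schema, and the LDIF sample is constructed.

```python
# Added example: find users whose Exchange forwarding (altRecipient) points at
# a contact, resolve the contact's SMTP address, and report whenChanged so the
# time window for the change can be narrowed. Attribute names are assumed from
# the Exchange/AD schema; the LDIF below is a constructed sample, not real data.
import re
from datetime import datetime

SAMPLE_LDIF = """\
dn: CN=Alice Smith,OU=Users,DC=example,DC=local
objectClass: user
sAMAccountName: asmith
altRecipient: CN=Outside Contact,OU=Contacts,DC=example,DC=local
whenChanged: 20041230183012.0Z

dn: CN=Bob Jones,OU=Users,DC=example,DC=local
objectClass: user
sAMAccountName: bjones
whenChanged: 20040615090000.0Z

dn: CN=Outside Contact,OU=Contacts,DC=example,DC=local
objectClass: contact
targetAddress: SMTP:someone@external-domain.example
"""

def ad_time(value):
    """Parse an AD generalizedTime string such as 20041230183012.0Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z")

def parse_ldif(text):
    """Split an LDIF dump into dicts of attribute -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def find_forwarded_users(text, changed_since):
    """Return (sAMAccountName, target DN, SMTP address, whenChanged) for every
    user with altRecipient set whose object changed on/after changed_since."""
    entries = parse_ldif(text)
    contacts = {e["dn"][0]: e for e in entries if "contact" in e.get("objectClass", [])}
    hits = []
    for e in entries:
        if "user" not in e.get("objectClass", []) or "altRecipient" not in e:
            continue
        changed = ad_time(e["whenChanged"][0])
        if changed >= ad_time(changed_since):
            target = e["altRecipient"][0]
            addr = contacts.get(target, {}).get("targetAddress", ["(unresolved)"])[0]
            hits.append((e["sAMAccountName"][0], target, addr, changed))
    return hits
```

Run it against `ldifde -f users.ldf -d "OU=Users,DC=..." -l altRecipient,whenChanged,sAMAccountName,objectClass` output (plus the contacts container) to list affected users; whenChanged only gives the last write, so it bounds the time window rather than naming the author.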