TAZ Forum Community

Aspman · **Posted:** Thu Nov 05, 2009 12:34 pm

Have a naughty exchange admin who has been dipping into other users accounts and copying out emails.

Anything within the exchange logs that would allow us to track admin actions?

How do you ensure your BofHs behave?

Morganlefay · **Posted:** Thu Nov 05, 2009 2:33 pm

How is the admin accessing the email.....through Outlook or OWA???

Is it just some mailboxes? or specific ones?? is it just some email or whole mailboxes?

What version of exchange??

Why do you suspect this?

We have to figure out how his is doing it .....to catch him :cool3:

MLF

Aspman · **Posted:** Thu Nov 05, 2009 3:59 pm

She accessed the mailbox of another IT employee.

Likely by using the domain admin account she legitimately has which has global rights within Exchange. She is the sysadmin for the Exchange servers

Caught because she had copied several emails from his mailbox and stored them on the a shared network drive. Which he then spotted (how stupid can you be?).

Now looking for evidence of similar activities that haven't been found out yet.

Morganlefay · **Posted:** Thu Nov 05, 2009 5:17 pm

http://www.msexchange.org/tutorials/Aud ... iewer.html

Quote:

However, if access rights are giving you cause for concern, one thing you can do is to temporarily increase diagnostics logging for the Logons and Access Control categories for mailboxes. To do this, run Exchange System Manager and keep expanding the tree until you locate your server object. Once you’ve located the server object, right-click it and bring up the properties. On the Diagnostics Logging tab, expand MSExchangeIS and then click the Mailboxes object. Select the Logons and Access Control categories and set them to Maximum.

Kinda stupid....she must be using a client to access the individual mail...

Why?? love triangle???

MLF

Aspman · **Posted:** Thu Nov 05, 2009 5:53 pm

It's a strange one. They are friends so I'm not sure what she would want to access that he wouldn't tell her anyway.

He's gay and she's well...without being too unkind, she's not a head turner. So nothing involving the exchange of body fluids is going on that I'm aware of.

I think we've long lost any logs of the actual event so this is more a thought for the future for tracking admins who go bad.

dinowuff · **Posted:** Thu Nov 05, 2009 6:46 pm

security log on the server by default will create an entry every time anyone other than the owner access' a mail box... Problem is I look at your Free Busy info, there will be an entry that I accessed your mailbox. I could show a pattern since you already know shes being naughty.

Aspman · **Posted:** Thu Nov 05, 2009 7:14 pm

dinowuff wrote:

security log on the server by default will create an entry every time anyone other than the owner access' a mail box... Problem is I look at your Free Busy info, there will be an entry that I accessed your mailbox. I could show a pattern since you already know shes being naughty.

I did wonder if there would be an entry for people checking calendars via meeting request.

rapier57 · **Posted:** Thu Nov 05, 2009 7:58 pm

If she is an admin, she may have enough rights to just use Outlook, File, Open, Other User's Folder, Inbox.

She can then peruse and extract all she wanted.

Exchange should log this access, though, so that would be a place to check.

dinowuff · **Posted:** Fri Nov 06, 2009 9:37 pm

One thing to consider.

My policy states, in no uncertain terms, the your email isn't yours it's the companies and the company can let anyone they want read whatever you send or receive. It goes on to say that I (or my position) regularly monitors (reads) your email so play nice or you'll get fired!

If she has right by policy to read other peoples email, not a whole lot you can do anyway. Outside of reading her email to see if she's being naughty.

Aspman · **Posted:** Mon Nov 09, 2009 12:38 pm

The only one with the right to read others email is me, myself and I. And only if it is part of an investigation.

She has the rights but not the right to do that as the exchange admin. So this is an abuse of her privileges.

Admins are 'trusted' staff so this is worse than a 'normal' employees hopping on another workers pc and nosing around.

We also have the same policy that essentially "all your email are belong to us".

dinowuff · **Posted:** Mon Nov 09, 2009 8:51 pm

Aspman wrote:

The only one with the right to read others email is me, myself and I. And only if it is part of an investigation.

She has the rights but not the right to do that as the exchange admin. So this is an abuse of her privileges.

Admins are 'trusted' staff so this is worse than a 'normal' employees hopping on another workers pc and nosing around.

We also have the same policy that essentially "all your email are belong to us".

Oh I see, like the bitch I fired when I found out she was poking around in payroll and other personal files in a HR database

Home

FAQ

Search

TAZ Forum Community

Login

Register

Options

MS Exchange tracking

Topic Options

Who is online


	TAZ Forum Community For all your Computer and Security Needs