Re: Exchange <--> Outlook Monitoring

[Joe Hood <joe.hood () gmail com>]

What about blocking RPC and forcing POP/SMTP, then sniffing?


On Fri, 28 Jan 2005 11:45:15 -0800, Eric McCarty <eric () piteduncan com> wrote:
> Sorry I misunderstood, I thought we were talking about mail sent via the
> IMS, It didn't occur to me that confidential stuff would be passed
> within the company, especially not between outside consultants.
>
> -----Original Message-----
> From: Presley, Steven [mailto:evetsleep () gmail com]
> Sent: Friday, January 28, 2005 11:41 AM
> To: Eric McCarty
> Cc: Doll, Josh; security-basics () securityfocus com
> Subject: Re: Exchange <--> Outlook Monitoring
>
> Unfortunately Outlook--> Exchange does not use SMTP.  It uses MAPI
> (RPC) which is not plaintext (its encrypted to some degree, depending on
> how the client is setup).  Because the MAPI traffic is encrypted I think
> your options on sniffing the traffic to figure out what they are
> sending\receiving is not going to happen.  The proper solution is
> getting management\HR to approval for journaling and get your Exchange
> administrators to configure the database that they are on to journal
> everything to a dedicated mailbox.  I realize that you stated that
> management will not approve, but unfortunately your options are limited
> if you do not manage the Exchange server and if management won't help.
> In fact, is there not significant risk to your job in trying to pull
> something like this off without management\HR approval?
>  Most companies would not look to kindly to some one doing this without
> the proper approval.
>
> Best regards,
> Steven
>
> On Fri, 28 Jan 2005 11:28:09 -0800, Eric McCarty <eric () piteduncan com>
> wrote:
> > Since SMTP is plain text it can be pulled off the wire @ the gateway,
> > if your patient enough to use ethereal w/a filter you can pull all
> > SMTP from a certain IP. Or you can use a graphical IDS like the Etrust
>
> > product which isn't free but provides an easier and cleaner interface
> > for such things.
> >
> > E.
>
> > -----Original Message-----
> > From: Doll, Josh [mailto:Doll () pbworld com]
> > Sent: Friday, January 28, 2005 8:27 AM
> > To: security-basics () securityfocus com
> > Subject: Exchange <--> Outlook Monitoring
> >
> > Is there any effective way of capturing exchange / outlook data from a
>
> > 3rd party machine?  We have a number of sub consultants with email
> > access from our company, who's email needs to be monitored / archived
> > for breech of contract and sharing of company secrets.  Problem is, we
>
> > don't maintain our exchange server here in this office, and the office
>
> > that does is unwilling to cooperate in this matter (Read: upper
> > management catfight).  Therefore we need a way to ensure that what
> > they send and receive is legit.  It is a relatively small number of
> > users
> > (~5) that are still on our LAN that need to be monitored, the rest
> > have been moved to another subnet without company email.
> >
> > My understanding is that it is nowhere near as easy to capture these
> > emails when it is an exchange environment vs.. the options available
> > when using POP or others.
> >
> > Any help, or nudges in the right direction would be helpful.
> >
> > C. Josh Doll
> > Network Administrator - Houston
> > Parsons Brinckerhoff