Security Basics mailing list archives

RE: Track who logs into my email


From: "Jason P. Rusch" <jason () infosec-rusch com>
Date: Fri, 25 Jan 2008 15:37:10 -0500

You can't really track this effectively. One of my areas of expertise is
log monitoring etc etc; the problem with Exchange, and MS will even tell you
this, is that there is no way to tell the difference between a non-owner
accessing an email inbox (EVENT ID 1009) and an Outlook client checking
your calendar, thus even if you monitor for this, it will be filled with
false positives. Below is an example email output from a Microsoft
Operations Manager (MOM) server I had set up to watch for such an event.

I have done extensive work figuring out how to use MOM to watch for
almost anything I want to (minus this one due to limitations of
Exchange). The output below is a watch for the testuser Inbox. This alert is
triggered for Inbox access and calendar access by a non-owner.

"THERE IS NO WAY TO DIFFERENTIATE BETWEEN INBOX AND CALENDAR ACCESS".
This I found through my own exhaustive testing and from many MS Exchange
technicians at MS.

===================================
EMAIL START
===================================
A mailbox or calendar was accessed by a user other than the owner,
Details below;        

Mailbox Accessed: /O=infosec-rusch/OU=LINUX/cn=Recipients/cn=testuser
Accessed by: INFOSEC-RUSCH\JRusch      
Time: 8/16/2007 10:56:21     
Mail Server: SRVMAIL01     
Domain: INFOSEC-RUSCH     
Event ID: 1009     

===================================
### ALERTS ###
Alert Name: Exchange Security Alert: Inbox Access made by non-owner -
Mailbox Watch (testuser)     
Alert Description: QDINC\JRusch logged on as /O=Montgomery Tank Lines/OU=MTLNET/cn=Recipients/cn=testuser on database "SG02\IS10".

For more information, click
http://www.microsoft.com/contentredirect.asp.      
Alert Source: MSExchangeIS Mailbox Store     
Owner:      
Severity: Information     
SeverityNum: 20     
Resolution State: New
Time: 8/16/2007 10:56:21     
Computer: SRVMAIL01      
Domain: INFOSEC-RUSCH          
Alert Rule Group ID: {26A42D55-EEF2-4F0E-B788-D893D1B2E91D}     
Alert URL: http://QDIMOM:1272/?v=a&id=1CD6D6C1-7230-4084-BE02-2FF14351F6F8
Alert GUID: {1CD6D6C1-7230-4084-BE02-2FF14351F6F8}     

===================================
### EVENTS ###
Event number: 1009     
Full Event Number: 1049585     
Message DLL: mdbmsg.dll     
Source Name: MSExchangeIS Mailbox Store     
Provider Name: Application
Provider Type: NT Event Log     
Description: INFOSEC-RUSCH\JRusch logged on as /O=infosec-rusch/OU=LINUX/cn=Recipients/cn=testuser on database "SG02\IS10".

For more information, click
http://www.microsoft.com/contentredirect.asp.      
Message DLL file Version: 6.5.7651.61     
Logging Computer: SRVMAIL01     
Category: Logons      
Event Time: 8/16/2007 10:56:20     
Source Computer: SRVMAIL01      
User Name: N/A     
Logging Domain: INFOSEC-RUSCH      
Source Domain: INFOSEC-RUSCH      
Repeat count: 0     
First Time:      
Last Time:      
Start Time:      

===================================
### EVENT PARAMETERS ###
Parameter 1: INFOSEC-RUSCH\JRusch     
Parameter 2: /O=infosec-rusch/OU=LINUX/cn=Recipients/cn=testuser     
Parameter 3: SG02\IS10     
Parameter 4:
Parameter 5:      
Parameter 6:      
Parameter 7:      
Parameter 8:      
Parameter 9:      
Parameter 10:      
Parameter 11:      
Parameter 12:      
Parameter 13:      
Parameter 14:      
Parameter 15:      
Parameter 16:      
Parameter 17:      
Parameter 18:      
Parameter 19:      
Parameter 20:      
Parameter 21:      
Parameter 22:      
Parameter 23:      
Parameter 24:      
Parameter 25:    

===================================
EMAIL STOP
===================================

This is the template I use in MOM:

===================================
TEMPLATE START
===================================
### ALERTS ###
Alert Name: $Alert Name$
Alert Description: $Alert Description$
Alert Source: $Alert Source$
Owner: $Owner$
Severity: $Severity$
SeverityNum: $SeverityNum$
Resolution State: $Resolution State$
Time: $Time$
Computer: $Computer$
Domain: $Domain$
Alert Rule Group ID: $Alert Rule Group ID$
Alert URL: $Alert URL$
Alert GUID: $Alert GUID$

### EVENTS ###
Event number: $Event Number$
Full Event Number: $Full Event Number$
Message DLL: $Message DLL$
Source Name: $Source Name$
Provider Name: $Provider Name$
Provider Type: $Provider Type$
Description: $Description$
Message DLL file Version: $Message DLL File Version$
Logging Computer: $Logging Computer$
Category: $Category$
Event Time: $Event Time$
Source Computer: $Source Computer$
User Name: $User Name$
Logging Domain: $Logging Domain$
Source Domain: $Source Domain$
Repeat count: $Repeat Count$
First Time: $First Time$
Last Time: $Last Time$
Start Time: $Start Time$


### EVENT PARAMETERS ###
Parameter 1: $Parameter 1$
Parameter 2: $Parameter 2$
Parameter 3: $Parameter 3$
Parameter 4: $Parameter 4$
Parameter 5: $Parameter 5$
Parameter 6: $Parameter 6$
Parameter 7: $Parameter 7$
Parameter 8: $Parameter 8$
Parameter 9: $Parameter 9$
Parameter 10: $Parameter 10$
Parameter 11: $Parameter 11$
Parameter 12: $Parameter 12$
Parameter 13: $Parameter 13$
Parameter 14: $Parameter 14$
Parameter 15: $Parameter 15$
Parameter 16: $Parameter 16$
Parameter 17: $Parameter 17$
Parameter 18: $Parameter 18$
Parameter 19: $Parameter 19$
Parameter 20: $Parameter 20$
Parameter 21: $Parameter 21$
Parameter 22: $Parameter 22$
Parameter 23: $Parameter 23$
Parameter 24: $Parameter 24$
Parameter 25: $Parameter 25$ 

===================================
TEMPLATE STOP
===================================

---
Sincerely 

Jason Rusch, CISSP, CISM, CISA
Certified Information Security Consultant
Wesley Chapel, Florida 33543
Mobile: (813) 765-5325
jason () infosec-rusch com
www.infosec-rusch.com

-- LEGAL DISCLAIMER --
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you
received this in error, please contact the sender and delete the
material from any computer.
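An added example, not the author's MOM rule or anything shipped with Exchange: a small Python triage of MSExchangeIS Mailbox Store event 1009 descriptions in the form quoted above, keeping only logons to a watched mailbox made by an account other than its owner. The owner lookup (`WATCHED`) and the sample events are constructed, and, exactly as the post states, a hit only says the mailbox was opened; 1009 gives no way to tell Inbox access from a Calendar check.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Description text of event 1009 as quoted in the post:
#   DOMAIN\account logged on as /O=.../cn=Recipients/cn=alias on database "SG\Store".
DESC_RE = re.compile(
    r'^(?P<account>\S+\\\S+) logged on as (?P<mailbox_dn>/O=.+?) '
    r'on database "(?P<database>[^"]+)"\.'
)

@dataclass(frozen=True)
class MailboxLogon:
    account: str      # Windows account that opened the mailbox
    mailbox_dn: str   # legacy Exchange DN of the mailbox that was opened
    database: str     # storage group \ mailbox store

def parse_1009_description(desc: str) -> Optional[MailboxLogon]:
    """Return the logon fields from a 1009 description, or None if it is not one."""
    m = DESC_RE.match(" ".join(desc.split()))   # normalise whitespace from line wrapping
    return MailboxLogon(m["account"], m["mailbox_dn"], m["database"]) if m else None

def mailbox_alias(mailbox_dn: str) -> str:
    """The final cn= component of the legacy DN is the mailbox alias (e.g. 'testuser')."""
    return mailbox_dn.rsplit("cn=", 1)[-1].lower()

def non_owner_logons(descriptions: Iterable[str], watched: Dict[str, str]) -> List[MailboxLogon]:
    """Keep 1009 logons to a watched mailbox by an account other than its owner.

    `watched` maps mailbox alias -> owning DOMAIN\\account (constructed here; in
    practice it would be looked up in the directory).  Delegate calendar checks
    produce the same event, so they land here too: this is the false-positive
    source the post describes, not something the event lets you filter out.
    """
    hits = []
    for desc in descriptions:
        logon = parse_1009_description(desc)
        if logon is None:
            continue
        owner = watched.get(mailbox_alias(logon.mailbox_dn))
        if owner is not None and owner.lower() != logon.account.lower():
            hits.append(logon)
    return hits

# Constructed sample events modelled on the one quoted in the post.
SAMPLE_EVENTS = [
    'INFOSEC-RUSCH\\JRusch logged on as /O=infosec-rusch/OU=LINUX/cn=Recipients/cn=testuser on database "SG02\\IS10".',
    'INFOSEC-RUSCH\\testuser logged on as /O=infosec-rusch/OU=LINUX/cn=Recipients/cn=testuser on database "SG02\\IS10".',
    'INFOSEC-RUSCH\\JRusch logged on as /O=infosec-rusch/OU=LINUX/cn=Recipients/cn=jrusch on database "SG02\\IS10".',
    'Constructed unrelated event text that must be ignored.',
]
WATCHED = {"testuser": "INFOSEC-RUSCH\\testuser"}

if __name__ == "__main__":
    for hit in non_owner_logons(SAMPLE_EVENTS, WATCHED):
        print(f"{hit.account} opened mailbox {mailbox_alias(hit.mailbox_dn)} on {hit.database}")
```

Only the first sample is reported: the owner opening their own mailbox and a logon to an unwatched mailbox are dropped, and the unrelated line does not parse.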
