Security Basics mailing list archives
RE: Track who logs into my email
From: "Jason P. Rusch" <jason () infosec-rusch com>
Date: Fri, 25 Jan 2008 15:37:10 -0500
You can't really track this effectively. One of my areas of expertise is log monitoring etc. etc. The problem with Exchange, and MS will even tell you this, is there is no way to tell the difference between a non-owner accessing an email inbox (EVENT ID 1009) and an Outlook client checking your calendar, thus even if you monitor for this, it will be filled with false positives. Below is an example email output from a Microsoft Operations Manager (MOM) server I had set up to watch for such an event. I have done extensive work figuring out how to use MOM to watch for almost anything I want to (minus this one due to limitations of Exchange). The output below is a watch for the testuser Inbox. This alert is triggered for Inbox access and calendar access by a non-owner. "THERE IS NO WAY TO DIFFERENTIATE BETWEEN INBOX AND CALENDAR ACCESS". This I found by my own exhaustive testing and many MS Exchange technicians at MS.

=================================== EMAIL START ===================================
A mailbox or calendar was accessed by a user other than the owner, Details below;
Mailbox Accessed: /O=infosec-rusch/OU=LINUX/cn=Recipients/cn=testuser
Accessed by: INFOSEC-RUSCH\JRusch
Time: 8/16/2007 10:56:21
Mail Server: SRVMAIL01
Domain: INFOSEC-RUSCH
Event ID: 1009
===================================
### ALERTS ###
Alert Name: Exchange Security Alert: Inbox Access made by non-owner - Mailbox Watch (testuser)
Alert Description: QDINC\JRusch logged on as /O=Montgomery Tank Lines/OU=MTLNET/cn=Recipients/cn=testuser on database "SG02\IS10". For more information, click http://www.microsoft.com/contentredirect.asp.
Alert Source: MSExchangeIS Mailbox Store
Owner:
Severity: Information
SeverityNum: 20
Resolution State: New
Time: 8/16/2007 10:56:21
Computer: SRVMAIL01
Domain: INFOSEC-RUSCH
Alert Rule Group ID: {26A42D55-EEF2-4F0E-B788-D893D1B2E91D}
Alert URL: http://QDIMOM:1272/?v=a&id=1CD6D6C1-7230-4084-BE02-2FF14351F6F8
Alert GUID: {1CD6D6C1-7230-4084-BE02-2FF14351F6F8}
===================================
### EVENTS ###
Event number: 1009
Full Event Number: 1049585
Message DLL: mdbmsg.dll
Source Name: MSExchangeIS Mailbox Store
Provider Name: Application
Provider Type: NT Event Log
Description: INFOSEC-RUSCH\JRusch logged on as /O=infosec-rusch/OU=LINUX/cn=Recipients/cn=testuser on database "SG02\IS10". For more information, click http://www.microsoft.com/contentredirect.asp.
Message DLL file Version: 6.5.7651.61
Logging Computer: SRVMAIL01
Category: Logons
Event Time: 8/16/2007 10:56:20
Source Computer: SRVMAIL01
User Name: N/A
Logging Domain: INFOSEC-RUSCH
Source Domain: INFOSEC-RUSCH
Repeat count: 0
First Time:
Last Time:
Start Time:
===================================
### EVENT PARAMETERS ###
Parameter 1: INFOSEC-RUSCH\JRusch
Parameter 2: /O=infosec-rusch/OU=LINUX/cn=Recipients/cn=testuser
Parameter 3: SG02\IS10
Parameter 4:
Parameter 5:
Parameter 6:
Parameter 7:
Parameter 8:
Parameter 9:
Parameter 10:
Parameter 11:
Parameter 12:
Parameter 13:
Parameter 14:
Parameter 15:
Parameter 16:
Parameter 17:
Parameter 18:
Parameter 19:
Parameter 20:
Parameter 21:
Parameter 22:
Parameter 23:
Parameter 24:
Parameter 25:
=================================== EMAIL STOP ===================================

This is my template I use in MOM:

=================================== TEMPLATE START ===================================
### ALERTS ###
Alert Name: $Alert Name$
Alert Description: $Alert Description$
Alert Source: $Alert Source$
Owner: $Owner$
Severity: $Severity$
SeverityNum: $SeverityNum$
Resolution State: $Resolution State$
Time: $Time$
Computer: $Computer$
Domain: $Domain$
Alert Rule Group ID: $Alert Rule Group ID$
Alert URL: $Alert URL$
Alert GUID: $Alert GUID$
### EVENTS ###
Event number: $Event Number$
Full Event Number: $Full Event Number$
Message DLL: $Message DLL$
Source Name: $Source Name$
Provider Name: $Provider Name$
Provider Type: $Provider Type$
Description: $Description$
Message DLL file Version: $Message DLL File Version$
Logging Computer: $Logging Computer$
Category: $Category$
Event Time: $Event Time$
Source Computer: $Source Computer$
User Name: $User Name$
Logging Domain: $Logging Domain$
Source Domain: $Source Domain$
Repeat count: $Repeat Count$
First Time: $First Time$
Last Time: $Last Time$
Start Time: $Start Time$
### EVENT PARAMETERS ###
Parameter 1: $Parameter 1$
Parameter 2: $Parameter 2$
Parameter 3: $Parameter 3$
Parameter 4: $Parameter 4$
Parameter 5: $Parameter 5$
Parameter 6: $Parameter 6$
Parameter 7: $Parameter 7$
Parameter 8: $Parameter 8$
Parameter 9: $Parameter 9$
Parameter 10: $Parameter 10$
Parameter 11: $Parameter 11$
Parameter 12: $Parameter 12$
Parameter 13: $Parameter 13$
Parameter 14: $Parameter 14$
Parameter 15: $Parameter 15$
Parameter 16: $Parameter 16$
Parameter 17: $Parameter 17$
Parameter 18: $Parameter 18$
Parameter 19: $Parameter 19$
Parameter 20: $Parameter 20$
Parameter 21: $Parameter 21$
Parameter 22: $Parameter 22$
Parameter 23: $Parameter 23$
Parameter 24: $Parameter 24$
Parameter 25: $Parameter 25$
=================================== TEMPLATE STOP ===================================

---
Sincerely
Jason Rusch, CISSP, CISM, CISA
Certified Information Security Consultant
Wesley Chapel, Florida 33543
Mobile: (813) 765-5325
jason () infosec-rusch com
www.infosec-rusch.com
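Added example, not part of the post above or of Jason's MOM template: a small Python triage for the Event ID 1009 description text quoted in the message (Parameters 1 to 3: accessor, mailbox legacyDN, database). Because the event itself cannot say whether the inbox or the calendar was opened, the practical way to thin out the false positives is to compare the accessor against an owner map plus an allowlist of accounts expected to open that mailbox (calendar delegates); the owner and delegate tables and every account other than the post's are constructed, hypothetical sample data.

```python
import re

# Description text of Exchange Event ID 1009 as quoted in the post:
#   DOMAIN\account logged on as /O=.../cn=Recipients/cn=alias on database "SG\Store".
EVENT_1009_RE = re.compile(
    r'^(?P<accessor>[^\s\\]+\\\S+) logged on as (?P<mailbox>/O=.+?) '
    r'on database "(?P<database>[^"]+)"'
)

def parse_event_1009(description):
    """Return Parameters 1-3 of the event as a dict, or None if no match."""
    m = EVENT_1009_RE.match(description.strip())
    return m.groupdict() if m else None

def mailbox_alias(legacy_dn):
    # The last cn= component of the legacyExchangeDN is the mailbox alias.
    return legacy_dn.rsplit('/cn=', 1)[-1].lower()

def classify(event, owners, delegates):
    """owners: alias -> owner account; delegates: alias -> accounts expected to
    open it (calendar sharing). Verdict: owner/known-delegate/review/unknown-mailbox."""
    alias = mailbox_alias(event['mailbox'])
    owner = owners.get(alias)
    if owner is None:
        return 'unknown-mailbox'
    acc = event['accessor'].lower()
    if acc == owner.lower():
        return 'owner'
    if acc in {d.lower() for d in delegates.get(alias, ())}:
        return 'known-delegate'
    return 'review'   # non-owner, not allowlisted: a human looks at it

def triage(descriptions, owners, delegates):
    """Yield (accessor, alias, verdict) for every parsable description."""
    for text in descriptions:
        ev = parse_event_1009(text)
        if ev:
            yield ev['accessor'], mailbox_alias(ev['mailbox']), classify(ev, owners, delegates)

# Constructed sample data; accounts other than the post's are hypothetical.
OWNERS = {'testuser': 'INFOSEC-RUSCH\\testuser'}
DELEGATES = {'testuser': {'INFOSEC-RUSCH\\assistant'}}
MBX = '/O=infosec-rusch/OU=LINUX/cn=Recipients/cn=testuser on database "SG02\\IS10".'
SAMPLE_EVENTS = [
    'INFOSEC-RUSCH\\JRusch logged on as ' + MBX + ' For more information, click '
    'http://www.microsoft.com/contentredirect.asp.',   # the event quoted in the post
    'INFOSEC-RUSCH\\testuser logged on as ' + MBX,     # owner opening own mailbox
    'INFOSEC-RUSCH\\assistant logged on as ' + MBX,    # known calendar delegate
    'The MSExchangeIS service started.',               # unrelated text: skipped
]
```

Running `list(triage(SAMPLE_EVENTS, OWNERS, DELEGATES))` yields one 'review' row (JRusch), one 'owner' row and one 'known-delegate' row; the unrelated line is dropped by the parser.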