www.broadbandreports.com
  

midranger4
Stupid Is In Vogue
Premium
join:2002-01-18
Levittown, PA

MS Exchange admin auditing

Our internal auditors are asking us to prove that our Exchange admins are not accessing/reading mailboxes other than their own.

Is the Exchange System Manager the only tool available to perform auditing of this nature? If so, what level of detail and history is the System Manager capable of providing?

If not, what third-party tools are available to assure that the Exchange admin(s) are not abusing their authority?
--
Democracy is the illusion of Freedom

B
Premium,MVM
join:2000-10-28

Your auditors are misinformed and/or misguided. There are no safeguards that can be put in place if you don't trust the IT staff who are responsible for putting in the safeguards!

If the auditors wish to ensure that only mailbox owners can see their e-mail, then it should be a company-wide enforced policy that ONLY encrypted messages are sent, received, accepted, and viewed.

If you've got a mail store full of unencrypted messages it's an exercise in major stupidity to try to police your IT department. Who cares if they haven't accessed a message yet -- they can at any time! What if a backup is taken off site, or a disk or VM image cloned? Who watches the watchers?

Auditors are idiots. Try hard to avoid them.

-- B
--
In a realm outside causality and function


midranger4
Stupid Is In Vogue
Premium
join:2002-01-18
Levittown, PA

said by B:

Your auditors are misinformed and/or misguided. There are no safeguards that can be put in place if you don't trust the IT staff who are responsible for putting in the safeguards!

If the auditors wish to ensure that only mailbox owners can see their e-mail, then it should be a company-wide enforced policy that ONLY encrypted messages are sent, received, accepted, and viewed.

If you've got a mail store full of unencrypted messages it's an exercise in major stupidity to try to police your IT department. Who cares if they haven't accessed a message yet -- they can at any time! What if a backup is taken off site, or a disk or VM image cloned? Who watches the watchers?

Auditors are idiots. Try hard to avoid them.

-- B

I am sadly aware that auditors are indeed the spawn of Satan but it does not preclude me from having to answer to them. I'm not so sure that they are looking to revoke authority per se but rather for the ability to see if authority inherent to being an admin is being abused.

I can understand their position on this. Sensitive and confidential emails are sent at the upper management level with little regard for any potential compromise as associated with the content of any given email. With that said I can't say I agree that trust in the administrative staff exclusively should be the only measure of security.

If, as you describe, the only alternative is encrypted messages, then maybe that is the course that should be taken. What I believe the auditors seek is something in between that gives them the ability to spot check. For instance a report that might contain the name of any/all mailboxes accessed by anyone other than the owner along with a date and time stamp.

Is such a request really that unobtainable?
--
Democracy is the illusion of Freedom


Steve
SAS-70 is extortion
Consultant
join:2001-03-10
Tustin, CA

reply to B
said by B:

Auditors are idiots.

Auditors have arranged it so the entire US economy has to purchase an unwanted service from them with essentially no recourse for bad performance. Just who are the idiots again?

maxkool

join:2005-05-19
Rockville, MD
reply to midranger4
There really isn't a way to find out if they have been opening other users' mailboxes using ESM. You will have to hunt around in the security logs on your Domain Controllers and look for all of the privileged use entries for their accounts.

B
Premium,MVM
join:2000-10-28

reply to Steve
said by Steve:

said by B:

Auditors are idiots.

Auditors have arranged it so the entire US economy has to purchase an unwanted service from them with essentially no recourse for bad performance.

No, worse, no metric by which to measure "performance" at all! It's an entirely no-news-is-good-news effort, and they can do what they want (or nothing at all) during the audit. They don't share the name with the IRS folks for nothing. At least with accounting there are some kind of rules, but when they delve into IT...

To the OP, sure you can check on logins as maxkool implied -- I use a standard IMAP client to check several Exchange mail accounts and each login is logged in Windows security logs -- but how, exactly, are the auditors going to be notified when a backup tape gets restored to a temporary server or a disk is swapped out or any number of OTHER ways an IT person can peruse the mail store at his or her leisure without ANY way of being tracked? Without cameras everywhere and cattle prods up their butts, IT people are free to... manage IT. Imagine that.

The auditors have to understand the scope of what they're asking. Sure, if they want to cordon off a tiny piece of the many possible ways, they are welcome to check the event logs. In fact, that's probably the bone that should be tossed their way. But if they had half a clue they'd realize how incomplete that is. Good luck!

-- B
--
In a realm outside causality and function


techjoe
Premium
join:2004-02-20
Worth, IL

edit:
May 2nd, @07:19PM

reply to midranger4
Read up on Object Access and other security auditing options.

Also see »support.microsoft.com/default.as···s;867640

I deal with SOx and a series of internal audits at my shop and we've enabled a lot of object access/modification auditing to comply with audit requests and guidelines. It's not very difficult and when properly archived and presented they can provide a nice database of who's been doing what in case of any security events that may occur.

With that said, who's collecting the logs and how? The same 'suspects' that may be accessing the mailboxes? Can you trust them to maintain accurate and intact logs when you can't trust them with the data they maintain? Want to see an auditor's head explode? Try getting a real answer to that kind of question!

There are many other ways to peek at a mailbox...restore a store to your test lab and mount it? Use one of the commercial EDB extraction tools to pull data from the raw files? Remote screen monitoring? I'll agree it's silly to RELY upon for audit reasons, but often you're best off just complying with the request and moving on..?

I'll repeat one phrase I particularly like from above...Who will watch the watchers?
--
Baka wa shinanakya naoranai
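
The spot-check report asked for earlier in the thread (mailboxes opened by anyone other than the owner, with a date and time stamp), sketched here as an added example that is not part of any post. It assumes the logon events have already been exported to CSV; the column names, accounts, ownership map and the collector-assigned `seq` number are all hypothetical, and the `seq` gap check addresses the question of whether the collected logs are intact.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; column names and values are hypothetical.
# "seq" is assumed to be assigned by a collector the admins do not control.
SAMPLE_EXPORT = """seq,time,account,mailbox
1001,2008-05-01 08:02:11,CORP\\jdoe,jdoe
1002,2008-05-01 08:15:40,CORP\\exadmin1,cfo
1003,2008-05-01 09:01:05,CORP\\asmith,asmith
1006,2008-05-01 22:47:19,CORP\\exadmin2,ceo
1007,2008-05-02 07:58:30,CORP\\svc_backup,cfo
"""

# Hypothetical ownership map (mailbox -> primary account) and approved delegates.
OWNERS = {"jdoe": "CORP\\jdoe", "asmith": "CORP\\asmith",
          "cfo": "CORP\\bjones", "ceo": "CORP\\mlee"}
APPROVED = {"CORP\\svc_backup"}

def parse_events(text):
    """Parse the export into typed events, ordered by sequence number."""
    events = [{"seq": int(r["seq"]),
               "time": datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"),
               "account": r["account"], "mailbox": r["mailbox"]}
              for r in csv.DictReader(io.StringIO(text))]
    return sorted(events, key=lambda e: e["seq"])

def non_owner_access(events, owners, approved=frozenset()):
    """Return (time, mailbox, account) for access by anyone but the owner."""
    hits = []
    for e in events:
        owner = owners.get(e["mailbox"], "")  # unknown mailbox: always report
        if e["account"].lower() != owner.lower() and e["account"] not in approved:
            hits.append((e["time"], e["mailbox"], e["account"]))
    return hits

def sequence_gaps(events):
    """Return (first, last) ranges of sequence numbers absent from the export."""
    return [(a["seq"] + 1, b["seq"] - 1)
            for a, b in zip(events, events[1:]) if b["seq"] - a["seq"] > 1]

if __name__ == "__main__":
    events = parse_events(SAMPLE_EXPORT)
    for when, mailbox, account in non_owner_access(events, OWNERS, APPROVED):
        print(f"{when:%Y-%m-%d %H:%M} {mailbox:<7} opened by {account}")
    print("missing sequence ranges:", sequence_gaps(events))
```

A report like this only covers access that generates a logon event; restored backups and offline copies of the store, as noted in the thread, leave nothing for it to read.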


elias
Premium,VIP
join:2000-07-24
Miami, FL

reply to midranger4
I agree, who watches the watchers? Who censors the censors?

It always reminds me of a story we had to read for English class in college:

»southerncrossreview.org/3/censorseng.html
--
My Webmaster Gig | Crunching the Midnight Oil


fcisler
Premium
join:2004-06-14
Riverhead, NY

reply to midranger4
Oh...auditors.....

We got written up by a group of auditors because our NetBackup system did not have a set of Restore Jobs.

Restore Jobs? Uhhh...what?

Yeah...like I need someone randomly kicking off that job. All of the backup Jobs cannot hurt a thing. How about restoring old data over new stuff?

We tried explaining it to them over and over again why that was a bad idea...but he just kept saying it should be a "standard practice"....

vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

reply to midranger4
You can export the permissions to mailboxes using PFDavAdmin for their review.

»www.microsoft.com/downloads/deta···ylang=en

Done.
--
I tie a rope around my penis and jump from a tree, don't you wanna grow up to be just like me!!!!