<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: MS Exchange admin auditing in No, I Will Not Fix Your #@$!! Computer</title>
<link>http://www.dslreports.com/forum/r20423039</link>
<description></description>
<language>en</language>
<pubDate>Fri, 21 Nov 2008 10:52:22 EDT</pubDate>
<lastBuildDate>Fri, 21 Nov 2008 10:52:22 EDT</lastBuildDate>

<item>
<title>Re: MS Exchange admin auditing</title>
<link>http://www.dslreports.com/forum/remark,20468017</link>
<description><![CDATA[<A HREF="/useremail/u/624188"><b>vic102482</b></A> : You can export the permissions to mailboxes using PFDavAdmin for their review.<br><br>&raquo;<A HREF="http://www.microsoft.com/downloads/details.aspx?FamilyID=635BE792-D8AD-49E3-ADA4-E2422C0AB424&displaylang=en" >www.microsoft.com/downloads/deta&middot;&middot;&middot;ylang=en</A><br><br>Done :).<br><small>--<br>I tie a rope around my penis and jump from a tree, don't you wanna grow up to be just like me!!!!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20468017</guid>
<pubDate>Mon, 12 May 2008 01:10:29 EDT</pubDate>
</item>

<item>
<title>Re: MS Exchange admin auditing</title>
<link>http://www.dslreports.com/forum/remark,20439719</link>
<description><![CDATA[<A HREF="/useremail/u/1024146"><b>fcisler</b></A> : Oh...auditors.....<br><br>We got written up by a group of auditors because our NetBackup system did not have a set of Restore Jobs.<br><br>Restore Jobs? Uhhh...what?<br><br>Yeah...like I need someone randomly kicking off that job. All of the backup Jobs can not hurt a thing. How about restoring old data over new stuff?<br><br>We tried explaining it to them over and over again why that was a bad idea...but he just kept saying it should be a "standard practice"....]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20439719</guid>
<pubDate>Tue, 06 May 2008 12:38:24 EDT</pubDate>
</item>

<item>
<title>Re: MS Exchange admin auditing</title>
<link>http://www.dslreports.com/forum/remark,20435793</link>
<description><![CDATA[<A HREF="/useremail/u/175582"><b>elias</b></A> : I agree, who watches the watchers? Who censors the censors?<br><br>It always reminds me of a story we had to read for English class in college:<br><br>&raquo;<A HREF="http://southerncrossreview.org/3/censorseng.html" >southerncrossreview.org/3/censorseng.html</A><br><small>--<br><A HREF="http://www.inintimates.com">My Webmaster Gig</a> | <A HREF="/forum/disco">Crunching the Midnight Oil</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20435793</guid>
<pubDate>Mon, 05 May 2008 17:31:05 EDT</pubDate>
</item>

<item>
<title>Re: MS Exchange admin auditing</title>
<link>http://www.dslreports.com/forum/remark,20423039</link>
<description><![CDATA[<A HREF="/useremail/u/956875"><b>techjoe</b></A> : Read up on Object Access and other security auditing options.<br><br>Also see &raquo;<A HREF="http://support.microsoft.com/default.aspx?scid=kb;en-us;867640" >support.microsoft.com/default.as&middot;&middot;&middot;s;867640</A><br><br>I deal with SOx and a series of internal audits at my shop and we've enabled a lot of object access/modification auditing to comply with audit requests and guidelines. It's not very difficult and when properly archived and presented they can provide a nice database of who's been doing what in case of any security events that may occur.<br><br>With that said, who's collecting the logs and how? The same 'suspects' that may be accessing the mailboxes? Can you trust them to maintain accurate and intact logs when you can't trust them with the data they maintain? Want to see an auditor's head explode? Try getting a real answer to that kind of question!<br><br>There are many other ways to peek at a mailbox...restore a store to your test lab and mount it? Use one of the commercial EDB extraction tools to pull data from the raw files? Remote screen monitoring? I'll agree it's silly to RELY upon for audit reasons, but often you're best off just complying with the request and moving on..?<br><br>I'll repeat one phrase I particularly like from above...Who will watch the watchers?<br><small>--<br>Baka wa shinanakya naoranai</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20423039</guid>
<pubDate>Fri, 02 May 2008 19:17:43 EDT</pubDate>
</item>

<item>
<title>Re: MS Exchange admin auditing</title>
<link>http://www.dslreports.com/forum/remark,20422611</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <div class="bquote"><small>said by  Steve <A HREF="/useremail/u/340145"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><div class="bquote"><small>said by  B <A HREF="/useremail/u/229804"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</small><br><br> Auditors are idiots. </div>Auditors have arranged it so the entire US economy has to purchase an unwanted service from them with essentially no recourse for bad performance.<br> </div>No, worse, no metric by which to measure <b>"performance"</b> at all!  It's an entirely no-news-is-good-news effort, and they can do what they want (or nothing at all) during the audit.  They don't share the name with the IRS folks for nothing.  At least with accounting there are some kind of rules, but when they delve into IT...<br><br>To the OP, sure you can check on logins as maxkool implied -- I use a standard IMAP client to check several Exchange mail accounts and each login is logged in Windows security logs -- but how, exactly, are the auditors going to be notified when a backup tape gets restored to a temporary server or a disk is swapped out or any number of OTHER ways an IT person can peruse the mail store at his or her leisure without ANY way of being tracked?  Without cameras everywhere and cattle prods up their butts, IT people are free to... manage IT.  Imagine that.  :)<br><br>The auditors have to understand the scope of what they're asking.  Sure, if they want to cordon off a tiny piece of the many possible ways, they are welcome to check the event logs.  In fact, that's probably the bone that should be tossed their way.  But if they had half a clue they'd realize how incomplete that is.  Good luck!<br><br>-- B<br><small>--<br>In a realm outside causality and function</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20422611</guid>
<pubDate>Fri, 02 May 2008 17:34:34 EDT</pubDate>
</item>

<item>
<title>Re: MS Exchange admin auditing</title>
<link>http://www.dslreports.com/forum/remark,20422293</link>
<description><![CDATA[<A HREF="/useremail/u/1206146"><b>maxkool</b></A> : There really isn't a way to find out if they have been opening other users' mailboxes using ESM. You will have to hunt around in the security logs on your Domain Controllers and look for all of the privileged use entries for their accounts. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20422293</guid>
<pubDate>Fri, 02 May 2008 16:37:20 EDT</pubDate>
</item>

<item>
<title>Re: MS Exchange admin auditing</title>
<link>http://www.dslreports.com/forum/remark,20421994</link>
<description><![CDATA[<A HREF="/useremail/u/340145"><b>Steve</b></A> : <div class="bquote"><small>said by  B <A HREF="/useremail/u/229804"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br> Auditors are idiots. </div>Auditors have arranged it so the entire US economy has to purchase an unwanted service from them with essentially no recourse for bad performance. Just who are the idiots again? :-)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20421994</guid>
<pubDate>Fri, 02 May 2008 15:33:14 EDT</pubDate>
</item>

<item>
<title>Re: MS Exchange admin auditing</title>
<link>http://www.dslreports.com/forum/remark,20421967</link>
<description><![CDATA[<A HREF="/useremail/u/564922"><b>midranger4</b></A> : <div class="bquote"><small>said by  B <A HREF="/useremail/u/229804"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Your auditors are misinformed and/or misguided.  There are no safeguards that can be put in place if you don't trust the IT staff who are responsible for putting in the safeguards!<br><br>If the auditors wish to ensure that only mailbox owners can see their e-mail, then it should be a company-wide enforced policy that ONLY encrypted messages are sent, received, accepted, and viewed.<br><br>If you've got a mail store full of <b>unencrypted</b> messages it's an exercise in <b>major stupidity</b> to try to police your IT department.  Who cares if they haven't accessed a message yet -- they can at any time!  What if a backup is taken off site, or a disk or VM image cloned?  Who watches the watchers?<br><br>Auditors are idiots.  Try hard to avoid them.<br><br>-- B<br> </div>I am sadly aware that auditors are indeed the spawn of Satan but it does not preclude me from having to answer to them.  I'm not so sure that they are looking to revoke authority per se but rather for the ability to see if authority inherent to being an admin is being abused.<br><br>I can understand their position on this.  Sensitive and confidential emails are sent at the upper management level with little regard for any potential compromise as associated with the content of any given email.  With that said I can't say I agree that trust in the administrative staff exclusively should be the only measure of security.<br><br>If as you describe the only alternative is encrypted messages then maybe that is the course that should be taken.  What I believe the auditors seek is something in between that gives them the ability to spot check.  
For instance a report that might contain the name of any/all mailboxes accessed by anyone other than the owner along with a date and time stamp.<br><br>Is such a request really that unobtainable?<br><small>--<br>Democracy is the illusion of Freedom</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20421967</guid>
<pubDate>Fri, 02 May 2008 15:29:21 EDT</pubDate>
</item>

<item>
<title>Re: MS Exchange admin auditing</title>
<link>http://www.dslreports.com/forum/remark,20421533</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : Your auditors are misinformed and/or misguided.  There are no safeguards that can be put in place if you don't trust the IT staff who are responsible for putting in the safeguards!<br><br>If the auditors wish to ensure that only mailbox owners can see their e-mail, then it should be a company-wide enforced policy that ONLY encrypted messages are sent, received, accepted, and viewed.<br><br>If you've got a mail store full of <b>unencrypted</b> messages it's an exercise in <b>major stupidity</b> to try to police your IT department.  Who cares if they haven't accessed a message yet -- they can at any time!  What if a backup is taken off site, or a disk or VM image cloned?  Who watches the watchers?<br><br>Auditors are idiots.  Try hard to avoid them.<br><br>-- B<br><small>--<br>In a realm outside causality and function</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20421533</guid>
<pubDate>Fri, 02 May 2008 13:55:15 EDT</pubDate>
</item>

<item>
<title>MS Exchange admin auditing</title>
<link>http://www.dslreports.com/forum/remark,20421181</link>
<description><![CDATA[<A HREF="/useremail/u/564922"><b>midranger4</b></A> : Our internal auditors are asking us to prove that our exchange admins are not accessing/reading mailboxes other than their own.<br><br>Is the Exchange System Manager the only tool available to perform auditing of this nature?  If so what level of detail and history is the System Manager capable of providing?<br><br>If not what third party tools are available to assure that the exchange admin(s) are not abusing their authority?<br><small>--<br>Democracy is the illusion of Freedom</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20421181</guid>
<pubDate>Fri, 02 May 2008 12:43:34 EDT</pubDate>
</item>

</channel>
</rss>
