Abuse of Authority
Hello.
I suspect that my SysAdmin is abusing his authority and reading the emails of senior management. Is there a way that I can verify my suspicions without being detected by the SysAdmin?
It is unfortunate but necessary that I investigate this matter.
Regards,
John
August 1st, 2007 11:37pm
If he is clever, he will see that you have enabled the logging necessary to do this, but I suspect if he is dumb enough (and bored enough) to be going through your executive's e-mail then he is probably not the sharpest tool in the shed.
You need to enable Logons diagnostics logging for the MSExchangeIS Mailbox category (on the properties of the server). Set it to Minimum.
Then, you need to look for events that indicate that UserX is reading UserY's mail and is not the primary account on that mailbox. The Source is MSExchangeIS Mailbox, the Category is Logons, and the Event ID is 1016. The event looks something like this:
Event Type: Success Audit
Event Source: MSExchangeIS Mailbox Store
Event Category: Logons
Event ID: 1016
Date: 8/1/2007
Time: 12:20:02 PM
User: N/A
Computer: SERVER01
Description: Windows 2000 User Domain\Jim logged on to snuffy@domain.com mailbox, and is not the primary Windows 2000 account on this mailbox.
There are other reasons why you might see this, though. For example, an Exec gives his/her assistant permissions to open their calendar or Inbox. Or, a mailbox-by-mailbox backup (aka brick backup) can generate these. If you do see your admin opening these mailboxes, though, he certainly has some explaining to do.
One place that I know that this happened they actually decided to frame the guy. They put information in a couple of the mailboxes that he was reading that they knew he would tell someone else about. When he mentioned it to someone else, they fired him on the spot. Be ready to change all of your admin accounts' passwords and escort him out of the building, though.
August 2nd, 2007 1:25am
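The triage the answer above describes, as an added example (not code from the original post): pull the 1016 non-owner logon descriptions, drop the accesses you already expect (a delegate opening a specific mailbox, a brick-level backup account opening everything), and keep the rest. The account and mailbox names in the allowlist and the sample event text are constructed for this example; the event wording is the Exchange 2003 text shown above. The live query at the end needs the Get-EventLog -Source/-After parameters from PowerShell 2.0.

```powershell
# Added example; not code from the original post. Filters event 1016
# ("<user> logged on to <mailbox> mailbox, and is not the primary ... account")
# against an allowlist of expected non-owner access. Names are assumed.

# Who is allowed to open whose mailbox. '*' = any mailbox (e.g. a brick-level
# backup service account); otherwise the delegate's specific mailboxes.
$Expected = @{
    'DOMAIN\assistant'  = @('ceo@domain.com')
    'DOMAIN\svc-backup' = @('*')
}

function Get-NonOwnerLogon {
    param([string[]]$Description)
    foreach ($d in $Description) {
        if ($d -match 'User (?<who>\S+) logged on to (?<mbx>\S+) mailbox') {
            $who = $Matches.who
            $mbx = $Matches.mbx
            $allowed = $Expected[$who]
            # Expected only if the account is listed for this mailbox (or for all)
            $ok = [bool]($allowed -and (($allowed -contains '*') -or ($allowed -contains $mbx)))
            New-Object PSObject -Property @{ Account = $who; Mailbox = $mbx; Expected = $ok } |
              Select-Object Account, Mailbox, Expected
        }
    }
}

# Constructed descriptions standing in for the Message field of real 1016 events
$sample = @(
  'Windows 2000 User DOMAIN\assistant logged on to ceo@domain.com mailbox, and is not the primary Windows 2000 account on this mailbox.',
  'Windows 2000 User DOMAIN\svc-backup logged on to cfo@domain.com mailbox, and is not the primary Windows 2000 account on this mailbox.',
  'Windows 2000 User DOMAIN\Jim logged on to snuffy@domain.com mailbox, and is not the primary Windows 2000 account on this mailbox.'
)
# Only DOMAIN\Jim -> snuffy@domain.com survives the filter
Get-NonOwnerLogon $sample | Where-Object { -not $_.Expected } | Format-Table -AutoSize

# Against a live Exchange 2003 server (1016 is written to the Application log):
# $msgs = Get-EventLog -LogName Application -Source 'MSExchangeIS Mailbox Store' -After (Get-Date).AddDays(-7) |
#           Where-Object { $_.EventID -eq 1016 } | ForEach-Object { $_.Message }
# Get-NonOwnerLogon $msgs | Where-Object { -not $_.Expected } |
#   Group-Object Account, Mailbox | Sort-Object Count -Descending
```

Build the allowlist from the delegate assignments and backup configuration you can verify, not from what the admin tells you; anything left over after the filter is exactly the set of accesses that still needs an explanation.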
I have the same situation but just with Calendars. Still not ethical. I want to be 110% correct (actually I hope I am wrong). What I am trying to prove/disprove is if an admin used his administrative access privileges to view calendars without the knowledge or consent of the owners. I have checked delegate assignments and he has not been granted rights to these calendars. I don't have the actual event log entry but I have the exported CSV version listed below. We are running Exchange 2007 SP3. I have changed user names and tried to sanitize to protect the innocent. The admin claims he is innocent and is not abusing his admin privileges. Tried to track down what the events 10100 & 10102 mean but cannot get any detail. He also is questioning the logs themselves which were done by our internal compliance team. I really don't want to escalate this because if it does it can result in termination. We just want to warn him. Can you advise me?
1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10100 N/A SERVERXXXX The folder /Calendar in Mailbox ''User Name'' was opened by user BFLHQ\adminID
1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9131E@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID
1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <73284C20E0FFA04CB101A78D070D595115573271D2@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID
1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91299@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID
1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9129A@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID
1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9129B@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID
1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91368@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID
1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91375@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID
1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91376@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID
1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B91379@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID
1/19/2011 8:25:31 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <61BBD591B42DB44584D7C5BD9CF918F815D1B9137A@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID
January 22nd, 2011 2:07pm
Judging by those timestamps, if he's perusing their calendars he's got their mailboxes added to his Outlook profile. Either that or he's running a script that's opening them (which may mean he's not actually reading anything out of them). Nobody can manually open that many mailboxes that fast.
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
January 22nd, 2011 4:06pm
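The two things the thread is reasoning about from the exported lines, as an added example (not code from any of the posters): which mailboxes each account touched (event 10100 = folder opened, 10102 = message opened, source MSExchangeIS Auditing, the mailbox access auditing Exchange 2007 SP2 and later write to the "Exchange Auditing" log), and how many opens landed in any single second. A burst of opens within a second is the footprint of a client enumerating a folder, an attached mailbox in Outlook or a script, rather than of someone clicking. The sample lines are constructed to match the exported format posted above; the threshold of five opens per second is an assumption you should tune.

```powershell
# Added example; not code from the thread. Parses exported mailbox access
# auditing lines (10100 folder opened, 10102 message opened) and summarises,
# per accessing account, the mailboxes touched and the peak opens per second.

$culture = [Globalization.CultureInfo]::InvariantCulture

function ConvertFrom-MailboxAuditLine {
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -notmatch '^(?<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) MSExchangeIS Auditing \S+ Mailbox Access Auditing (?<id>\d+) \S+ (?<srv>\S+) (?<text>.+)$') { continue }
        $time = [datetime]::ParseExact($Matches.ts, 'M/d/yyyy h:mm:ss tt', $culture)
        $id   = [int]$Matches.id
        $text = $Matches.text
        # 10100 quotes the mailbox name twice (''User Name''), 10102 once ('User Name')
        $mbx  = if ($text -match "in Mailbox '+(?<m>[^']+)'+") { $Matches.m } else { $null }
        $item = if ($text -match '^The (?:folder|message) (?<i>\S+) in Mailbox') { $Matches.i } else { $null }
        $who  = if ($text -match 'opened by user (?<u>\S+)\s*$') { $Matches.u } else { $null }
        New-Object PSObject -Property @{ Time = $time; EventId = $id; Accessor = $who; Mailbox = $mbx; Item = $item } |
          Select-Object Time, EventId, Accessor, Mailbox, Item
    }
}

function Get-AccessSummary {
    param($Events, [int]$BurstThreshold = 5)   # threshold is an assumption
    $Events | Group-Object Accessor | ForEach-Object {
        # Opens per wall-clock second for this account, busiest second first
        $perSecond = @($_.Group | Group-Object { $_.Time.ToString('s') } | Sort-Object Count -Descending)
        New-Object PSObject -Property @{
            Accessor      = $_.Name
            Opens         = $_.Count
            Mailboxes     = (@($_.Group | Select-Object -ExpandProperty Mailbox -Unique) -join ', ')
            PeakPerSecond = $perSecond[0].Count
            LooksScripted = ($perSecond[0].Count -ge $BurstThreshold)
        } | Select-Object Accessor, Opens, Mailboxes, PeakPerSecond, LooksScripted
    }
}

# Constructed lines in the exported format: the admin opens the Calendar folder
# and eight messages within two seconds; an assistant opens one message by hand.
$sample = @(
  "1/19/2011 8:25:30 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10100 N/A SERVERXXXX The folder /Calendar in Mailbox ''User Name'' was opened by user XXXXHQ\ExchangeAdminID"
)
$sample += 1..8 | ForEach-Object {
    $sec = 30 + [int]($_ -gt 2)
    "1/19/2011 8:25:$sec PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <MSG$($_)@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\ExchangeAdminID"
}
$sample += "1/19/2011 9:02:14 PM MSExchangeIS Auditing Information Mailbox Access Auditing 10102 N/A SERVERXXXX The message <MSG9@SERVERXXX.hq.company.com> in Mailbox 'User Name' was opened by user XXXXHQ\assistant"

$events = ConvertFrom-MailboxAuditLine $sample
# ExchangeAdminID: 9 opens, peak 6 in one second, LooksScripted True; assistant: 1 open, False
Get-AccessSummary $events | Format-Table -AutoSize

# Live: Get-EventLog -LogName 'Exchange Auditing' gives the same text in $_.Message
# with $_.TimeGenerated as the time, so only the outer timestamp regex changes.
```

The per-second peak separates "opened a folder and let the client sync it" from "read a message": a 10100 followed by a burst of 10102s in the same second is the client fetching the folder contents, and the lone 10102 minutes later is the one that was actually read by a person.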
On Sat, 22 Jan 2011 21:05:57 +0000, mjolinor wrote:
>
>
>Judging by those timestamps, if he's perusing their calendars he's got their mailboxes added to his Outlook profile. Either that or he's running a script that's opening them (which may mean he's not actually reading anything out of them) Nobody can manually open that many mailboxes that fast.
Which may mean that there's some brick-level backup, AV software, or
other software that examines mailboxes that's running with his
credentials. Pretty dumb move, but it happens.
---
Rich Matheisen
MCSE+I, Exchange MVP
January 22nd, 2011 5:09pm
> Pretty dumb move, but it happens.

Agreed.
I think it's more likely a misuse of credentials than an abuse of authority.
January 22nd, 2011 6:25pm
What would stop you from simply looking at the permissions on the mailboxes in question?
I thought that by default, only the user in question (SELF) has access to the MBX.
So why not just look in the GUI or run the Get-Permissions cmdlet and see who else has been added?
Anything other than the fact that the admin could change permissions back to what they were once he is done reading?
January 22nd, 2011 7:18pm
On Sun, 23 Jan 2011 00:13:33 +0000, Le Pivert wrote:
>
>
>What would stop you from simply looking at the permissions on the mailboxes in question?
>
>I thought that by default, only the user in question (SELF) has access to the MBX.
>
>So why not just look in the GUI or run the Get-Permissions cmdlet and see who else has been added?
There can be all manner of inherited permissions that aren't "mailbox"
permissions. Things such as "Receive As", for example, that are
inherited from the AD object. Or he could be a member of a group with
permission to do "stuff".
>Anything other than the fact that the admin could change permissions back to what they were once he is done reading?
If he wants to exonerate himself, tell him to change his password to
something not easily guessable that's nice and secure. If he has to
change the password on any services . . .
---
Rich Matheisen
MCSE+I, Exchange MVP
January 22nd, 2011 7:46pm
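The point Rich makes above, that a permissions check has to look past the mailbox ACL, as an added example (not code from the thread; the cmdlet the earlier poster is thinking of is Get-MailboxPermission). On Exchange 2007, Get-MailboxPermission reports mailbox rights only; the "Receive-As" extended right lives on the AD object and is normally inherited from the mailbox database or the server, and either kind of right may be granted to a group the admin belongs to rather than to him directly. The script lists every non-owner principal that can read a mailbox, expands group principals through AD with ADSI (nested groups included), and reports whether a given account is among them. It has to run in the Exchange Management Shell; the mailbox name and the suspect account are the sanitized names from the post and are assumptions.

```powershell
# Added example; not code from the thread. Exchange 2007 Management Shell.
# Effective readers of a mailbox: FullAccess (mailbox ACL) plus Receive-As
# (AD object, usually inherited), with group principals expanded via AD.

function Get-EffectiveMailboxReaders {
    param([string]$Mailbox)
    # Mailbox rights: FullAccess, explicit or inherited, minus the owner and Deny ACEs
    Get-MailboxPermission -Identity $Mailbox |
      Where-Object { -not $_.Deny -and "$($_.User)" -ne 'NT AUTHORITY\SELF' -and
                     "$($_.AccessRights)" -like '*FullAccess*' } |
      ForEach-Object { New-Object PSObject -Property @{
          Principal = "$($_.User)"; Right = 'FullAccess'; Inherited = $_.IsInherited } }
    # AD rights on the user object: Receive-As, usually inherited from DB/server scope
    Get-ADPermission -Identity $Mailbox |
      Where-Object { -not $_.Deny -and "$($_.ExtendedRights)" -like '*Receive-As*' } |
      ForEach-Object { New-Object PSObject -Property @{
          Principal = "$($_.User)"; Right = 'Receive-As'; Inherited = $_.IsInherited } }
}

# Nested membership of a group given as DOMAIN\sAMAccountName; a non-group
# principal is returned unchanged.
function Get-GroupMembersRecursive {
    param([string]$Principal, [hashtable]$Seen = @{})
    $sam = $Principal.Split('\')[-1]
    $group = ([adsisearcher]"(&(objectClass=group)(sAMAccountName=$sam))").FindOne()
    if (-not $group) { return $Principal }
    foreach ($dn in $group.Properties['member']) {
        if ($Seen.ContainsKey($dn)) { continue }   # guards against circular nesting
        $Seen[$dn] = $true
        $m = [adsi]"LDAP://$dn"
        if ("$($m.objectClass)" -match '\bgroup\b') {
            Get-GroupMembersRecursive -Principal "$($m.sAMAccountName)" -Seen $Seen
        } else {
            "$($m.sAMAccountName)"
        }
    }
}

function Test-MailboxReader {
    param([string]$Mailbox, [string]$Suspect)
    $suspectSam = $Suspect.Split('\')[-1]
    Get-EffectiveMailboxReaders -Mailbox $Mailbox | ForEach-Object {
        $members = @(Get-GroupMembersRecursive -Principal $_.Principal)
        if ($_.Principal -eq $Suspect -or $members -contains $suspectSam) {
            "$Suspect can read $Mailbox : $($_.Right) via $($_.Principal) (inherited: $($_.Inherited))"
        }
    }
}

# Assumed names, taken from the sanitized log lines in the post
Test-MailboxReader -Mailbox 'User Name' -Suspect 'XXXXHQ\ExchangeAdminID'
```

An "inherited: True" Receive-As hit is the case the GUI hides: nobody touched this mailbox's permissions, the right came down from the database or server object, and removing it there is what actually closes the door (removing the admin from the group, as this poster did, has the same effect for that account only).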
> If he has to change the password on any services . . .

or scheduled tasks.......
January 22nd, 2011 11:01pm
Hello,
Also, don't forget he may also have a user's mail being copied to himself or to another mailbox. Sounds like the BOFH is back.
Miguel
Miguel Fra /
Falcon IT Services
Computer & Network Support, Miami, FL
Visit our Knowledgebase and Support Sharepoint Site
January 23rd, 2011 10:58am
> Also, don't forget he may also have a user's mail being copied to himself or to another mailbox. Sounds like the BOFH is back.

If he's doing that, it would be easy to find in the message tracking logs.
January 23rd, 2011 2:13pm
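The copy-to-another-mailbox angle from the last two posts, as an added example (not code from either poster). On Exchange 2007 there are three server-side places a copy can be configured (mailbox forwarding, a transport rule with a copy, Bcc or redirect action, and a journal rule), and the message tracking log records the resulting deliveries. The first function lists the configuration and needs the Exchange Management Shell; the second runs a heuristic over tracking-log entries and is demonstrated on constructed entries shaped like Get-MessageTrackingLog output. All addresses are assumptions. Per-mailbox Inbox rules are a fourth route, but Get-InboxRule only exists from Exchange 2010, so on 2007 they have to be inspected from the mailbox itself.

```powershell
# Added example; not code from the thread. Exchange 2007 Management Shell.
# Where a copy of a user's mail can be routed server-side, and how the
# resulting deliveries look in the message tracking log.

function Find-MailCopyConfig {
    # 1. Mailbox forwarding (Set-Mailbox -ForwardingAddress, or EMC delivery options)
    Get-Mailbox -ResultSize Unlimited |
      Where-Object { $_.ForwardingAddress } |
      Select-Object Name, ForwardingAddress, DeliverToMailboxAndForward
    # 2. Transport rules whose actions copy, Bcc or redirect messages
    Get-TransportRule |
      Where-Object { @($_.Actions | ForEach-Object { $_.Name }) -match 'CopyTo|BlindCopyTo|RedirectMessage' } |
      Select-Object Name, State, Priority
    # 3. Journal rules deliver a copy of every matching message to the journal mailbox
    Get-JournalRule | Select-Object Name, Recipient, JournalEmailAddress, Scope, Enabled
}

# DELIVER events where the suspect received mail addressed to the target: a
# Bcc/copy rule shows up as both addresses on the same delivery event.
# Heuristic: mail legitimately sent to both of them also matches.
function Find-CopiedDeliveries {
    param($Entries, [string]$Target, [string]$Suspect)
    $Entries | Where-Object {
        $_.EventId -eq 'DELIVER' -and
        $_.Recipients -contains $Target -and
        $_.Recipients -contains $Suspect -and
        $_.Sender -ne $Suspect
    } | Select-Object Timestamp, Sender, MessageSubject, @{ n = 'Recipients'; e = { $_.Recipients -join ';' } }
}

# Constructed entries shaped like Get-MessageTrackingLog output (assumed addresses)
$sample = @(
    (New-Object PSObject -Property @{
        Timestamp = '2011-01-19 20:24:11'; EventId = 'DELIVER'; Sender = 'cfo@hq.company.com'
        Recipients = @('user.name@hq.company.com', 'exchangeadmin@hq.company.com'); MessageSubject = 'Q1 budget' }),
    (New-Object PSObject -Property @{
        Timestamp = '2011-01-19 20:24:40'; EventId = 'DELIVER'; Sender = 'user.name@hq.company.com'
        Recipients = @('exchangeadmin@hq.company.com'); MessageSubject = 'Re: ticket 1234' })
)
# Only the 'Q1 budget' delivery is reported: the admin got a copy of mail sent to the user
Find-CopiedDeliveries -Entries $sample -Target 'user.name@hq.company.com' -Suspect 'exchangeadmin@hq.company.com' |
  Format-Table -AutoSize

# Live:
# Find-MailCopyConfig
# $live = Get-MessageTrackingLog -Server HUB01 -EventId DELIVER -Recipients 'exchangeadmin@hq.company.com' `
#           -Start (Get-Date).AddDays(-7) -ResultSize Unlimited
# Find-CopiedDeliveries -Entries $live -Target 'user.name@hq.company.com' -Suspect 'exchangeadmin@hq.company.com'
```

Run the tracking-log search on every Hub Transport server (or use -Server for each in turn), since a message is only logged on the servers it passed through.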
Should be able to run this:
http://gallery.technet.microsoft.com/scriptcenter/0e43993a-895a-4afe-a2b2-045a5146048a
against the Exchange servers and see if his account shows up with a service or batch logon type.
January 23rd, 2011 2:19pm
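The logon-type check suggested above, as an added example (not the linked script and not code from the thread): scan Security log logon events for service (type 5) and batch/scheduled-task (type 4) logons by the account in question, which is the footprint of software running under his credentials that could be opening mailboxes on a schedule. The event text is parsed rather than the event ID, because 4624 (Vista/2008 and later) and 528/540 (2003) lay the fields out differently but all carry a "Logon Type:" line and the logged-on account's name. The sample messages are constructed; the account name is the sanitized one from the post.

```powershell
# Added example; not code from the thread. Finds service (5) and batch (4)
# logons by one account in Security log event text. Sample messages below are
# constructed; run the live query on each Exchange server and his workstation.

function Get-ServiceOrBatchLogon {
    param([string[]]$Message, [string]$Account)
    $typeName = @{ 4 = 'Batch (scheduled task)'; 5 = 'Service' }
    foreach ($m in $Message) {
        if ($m -notmatch 'Logon Type:\s+(?<t>\d+)') { continue }
        $t = [int]$Matches.t
        if (-not $typeName.ContainsKey($t)) { continue }
        # 4624 lists two "Account Name" fields (Subject, then New Logon); the last one
        # is the account that logged on. 528/540 use a single "User Name" field.
        $names = [regex]::Matches($m, '(?:Account Name|User Name):\s+(\S+)') |
                   ForEach-Object { $_.Groups[1].Value }
        $logonAs = @($names)[-1]
        if ($logonAs -ne $Account) { continue }
        New-Object PSObject -Property @{ Account = $logonAs; LogonType = $t; Kind = $typeName[$t] } |
          Select-Object Account, LogonType, Kind
    }
}

# Constructed: a 4624 service logon by the admin account, a 4624 interactive
# logon by the same account (type 2, ignored), and a 2003-style batch logon by
# a different account (ignored because the account does not match).
$sample = @(
  "An account was successfully logged on.`r`n`r`nSubject:`r`n`tAccount Name:`t`tSYSTEM`r`n`r`nLogon Type:`t`t`t5`r`n`r`nNew Logon:`r`n`tAccount Name:`t`tExchangeAdminID`r`n`tAccount Domain:`t`tXXXXHQ",
  "An account was successfully logged on.`r`n`r`nSubject:`r`n`tAccount Name:`t`tSYSTEM`r`n`r`nLogon Type:`t`t`t2`r`n`r`nNew Logon:`r`n`tAccount Name:`t`tExchangeAdminID",
  "Successful Logon:`r`n`tUser Name:`tsvc-backup`r`n`tDomain:`tXXXXHQ`r`n`tLogon Type:`t4"
)
# Reports one row: ExchangeAdminID, LogonType 5, Service
Get-ServiceOrBatchLogon -Message $sample -Account 'ExchangeAdminID' | Format-Table -AutoSize

# Live (PowerShell 2.0 Get-EventLog; Security log needs an elevated shell):
# $msgs = Get-EventLog -LogName Security -InstanceId 4624, 528, 540 -After (Get-Date).AddDays(-30) |
#           ForEach-Object { $_.Message }
# Get-ServiceOrBatchLogon -Message $msgs -Account 'ExchangeAdminID' | Group-Object Kind
```

If nothing turns up on the servers, the poster's own observation that the access lines up with VPN sessions points at the workstation: a scheduled task or an Outlook profile there would produce type 4 or type 2 logons locally and only ordinary network logons on the Exchange side.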
I am trying to not say too much as this person is a member of the management team so chances are there is no enterprise level scripting or backup running with his credentials unless it is local to his machine. The timestamps correspond with entries we compared against our VPN logs so there could be something running on his/her PC. Having it attached to his profile might be the most likely. Some other interesting facts. The entries are only for a single person on his/her team. Since having his Exchange admin rights taken away there have been no entries at all. Is there a way to prove he had this calendar attached to his/her profile?
January 23rd, 2011 5:52pm
You would have stopped seeing the access events as soon as you revoked his permissions. Are you doing any kind of auditing to see if there's still access requests being made?
January 23rd, 2011 11:52pm
Yes. All auditing has not changed. We just took him/her out of the Exchange admin group.
January 24th, 2011 10:57am