Exchange System Manager last logged in by explanation
I am looking into a possible security breach on a mailbox and wondered if anyone could provide any info or an explanation. The issue that I have is that ESM is showing me that the user accessed a mailbox at a particular time at which they were out of office hours and he had no reason to be viewing it. The person DOES have access to the mailbox but I want to establish if and how the time and date could be incorrect on ESM. The scenario is that the user accessed the mailbox as an additional mailbox within Outlook Client on a Monday and did not close Outlook until Wednesday. I would have thought that ESM would show me a time on Monday as last log-in time. In fact, ESM shows a log-in time of Tuesday at 2012hrs.

I have looked through the event log and cannot find a log-in event for the Tuesday evening. I am aware of the calendar/free-busy time showing in the ESM as a mailbox access as a possible explanation but that is not a possibility in this case. Why would it show the log-in time if the person had not been accessing it at that time, but did have their Outlook connection still open?

I am sorry if this sounds a bit vague, I'm just searching for a possible explanation. I have heard that the ESM 'logged in by' field can be inaccurate but I am looking for some more concrete answers. I would really appreciate any input or references to Microsoft articles.

Environment is Outlook 2003 Client with Exchange 2003.
March 23rd, 2009 9:26pm
How is there a security breach on a mailbox if the person has the right to access the mailbox? The logged in by/at field has got way too many dependencies on it to be able to be any use in a security investigation. Even if there was some outage on the network and the client (who was left logged on) reconnected you'd see an event. If the a/v kicked in you'd see an event. If someone accessed the F/B you'd see an event.

I'd look elsewhere.
March 24th, 2009 12:28am
ESM logged in by also includes when a user checks another user's calendar to see if they are busy when making appointments. So there are legitimate reasons for the user to be shown as logged in to another user's mailbox.
March 24th, 2009 12:55am
Hi. Thanks for your input. I'm aware of f/b time being a factor. Although the user does have access to the mailbox, I'm looking for the reason why ESM is showing a date and time other than the original log in. I need all possible options for this and references to credible sources, if anyone can help.

Hadn't thought along the lines of a temporary disconnection, but I need more ideas.

Thanks
March 24th, 2009 1:05am
Issue description: The last time the problematic mailbox was accessed as an additional mailbox was on Monday, but the Last Logon Time shows as Tuesday.

Explanation: This symptom occurs when a user tries to access any folder (Inbox, calendar or free/busy information) of another user, even if the access attempt fails (KB 867640). It means that Last Logon Time will also be updated along with the attempt.

Check info:

1. Who shows in Last Logged on By: the owner, the user who opened the problematic mailbox as an additional mailbox until Wednesday, or some other user who has permission to access the problematic mailbox?

2. "I have looked through the event log and cannot find a log-in event for the Tuesday evening": Have you enabled the diagnostic logging level to Minimum for the Logons category of the Microsoft Exchange Information Store service? If not, you won't see the logon event when the mailbox is accessed by anyone other than the owner.
March 24th, 2009 9:50am
Hi James, thanks for the reply. I understand your explanation, but don't see how these symptoms can occur under these circumstances. ESM shows me that the last logged on user was the user opening the problematic mailbox as an additional mailbox, not the owner or any other user. However the user was in a position where he would have been unable to do this (i.e. he wasn't anywhere near a computer). So in short, why is it showing him as logging in?

With regard to your second point, would I still not see event 1016 in the event log, showing that someone has authenticated to a mailbox?
March 24th, 2009 3:30pm
The point here is that the field you are looking at gets updated by a myriad of events, including failure events. If you had the non-owner listed as logged on and then the owner or someone else logged on there would be a change in who/date&time is recorded. Then someone else checks a calendar and the field changes yet again, eventually you'll see the original non-owner log onto it again since everyone else who accessed it (I won't use 'logged on' here) has gone away. That would explain what you saw - from your original posting.

I know what you're trying to do and I can understand why you want to do it but, bottom line, you're onto a total non-starter with even trying to conduct an inquiry by using this field as the source of your forensic trace.
March 24th, 2009 3:41pm
Last Logon Time will only be changed in the following conditions:

- Access mailbox via OWA
- Access mailbox via Outlook
- Close Outlook and reopen (the session will be disconnected immediately after closing Outlook)

Quote: "would I still not see event 1016 in the event log, showing that someone has authenticated to a mailbox?"

If you want to see event 1016, the diagnostic logging level must be raised.
March 25th, 2009 4:50am
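Two replies above make the same practical point: the ESM "Last Logged on By" value is a single, constantly overwritten field, whereas Information Store event 1016 (written only once Logons diagnostic logging is raised) records each non-owner logon individually. The script below is an added example, not code posted in this thread, showing how a defender would rebuild a per-mailbox access timeline from exported 1016 events and why the one-value ESM field says so little. The sample export lines are constructed in a simplified tab-separated format, the 1016 message wording is approximated from memory rather than copied from a real server, and the mailbox DN and account names are placeholders.

```python
"""Rebuild a mailbox access timeline from exported MSExchangeIS 1016 events.

Added example for the thread above; it is not Microsoft's tooling or code
from the thread. The export format, the 1016 message text, the accounts and
the mailbox DN below are all CONSTRUCTED for illustration.
"""
import re
from datetime import datetime

# Event 1016 from source MSExchangeIS: a Windows account that is not the
# mailbox owner logged on to the mailbox. Exchange 2003 only writes it when
# the Logons category of the Information Store is set to Minimum or higher.
EVENT_NON_OWNER_LOGON = 1016

# Placeholder legacyExchangeDN for the mailbox under investigation.
FINANCE_MAILBOX = "/o=Corp/ou=HQ/cn=Recipients/cn=finance"

# Constructed sample: '<ISO time>\t<EventID>\t<Source>\t<Message>' per line.
# Monday 08:55 and Tuesday 20:12 show the additional-mailbox user; Tuesday
# 14:02 shows a different account touching the same mailbox in between.
SAMPLE_EXPORT = """\
2009-03-23T08:55:00\t1016\tMSExchangeIS\tWindows User CORP\\jsmith logged on to mailbox /o=Corp/ou=HQ/cn=Recipients/cn=finance Mailbox, and is not the primary Windows account on this mailbox.
2009-03-23T09:10:00\t9999\tMSExchangeIS\tunrelated informational event
2009-03-24T14:02:00\t1016\tMSExchangeIS\tWindows User CORP\\asmith logged on to mailbox /o=Corp/ou=HQ/cn=Recipients/cn=finance Mailbox, and is not the primary Windows account on this mailbox.
2009-03-24T20:12:00\t1016\tMSExchangeIS\tWindows User CORP\\jsmith logged on to mailbox /o=Corp/ou=HQ/cn=Recipients/cn=finance Mailbox, and is not the primary Windows account on this mailbox.
"""

# Approximated 1016 message shape; adjust the pattern to the real wording
# of the server's locale before using it on a genuine export.
_MSG_RE = re.compile(
    r"Windows User (?P<user>\S+) logged on to mailbox (?P<mailbox>.+?) Mailbox,"
)


def parse_export(text):
    """Return 1016 events as dicts sorted by time; other events are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, source, message = line.split("\t", 3)
        if source != "MSExchangeIS" or int(event_id) != EVENT_NON_OWNER_LOGON:
            continue
        m = _MSG_RE.search(message)
        if not m:
            continue  # message did not match the expected 1016 shape
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": m["user"],
            "mailbox": m["mailbox"],
        })
    return sorted(events, key=lambda e: e["time"])


def access_timeline(events, mailbox):
    """Every recorded non-owner logon to the mailbox, oldest first."""
    return [(e["time"].isoformat(), e["user"])
            for e in events if e["mailbox"] == mailbox]


def esm_last_logged_on(events, mailbox):
    """Mimic the ESM field: only the most recent access survives, so the
    intermediate accesses that explain the value are invisible there."""
    hits = access_timeline(events, mailbox)
    return hits[-1] if hits else None


def out_of_hours(events, mailbox, start_hour=8, end_hour=18):
    """Accesses outside the working-hours window, for review rather than
    as proof on their own: a reconnecting client also produces a logon."""
    return [(t, u) for t, u in access_timeline(events, mailbox)
            if not start_hour <= datetime.fromisoformat(t).hour < end_hour]


if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    print("ESM would show:", esm_last_logged_on(evts, FINANCE_MAILBOX))
    for when, who in access_timeline(evts, FINANCE_MAILBOX):
        print(when, who)
    print("Out of hours:", out_of_hours(evts, FINANCE_MAILBOX))
```

Run against the constructed sample, the ESM-style value is the Tuesday 20:12 logon by the additional-mailbox user, exactly the situation the original poster describes, while the full timeline also shows the earlier Monday logon and a different account's access in between. The per-event record is what lets an investigator distinguish a deliberate logon from a client reconnect or someone else's free/busy lookup; the single field cannot.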
Thanks for your reply, Mark. What I should have made clear at the beginning is that I'm trying to prove that the log-in by and date/time is incorrect and cannot be trusted. I'm looking for as much evidence/articles to back up my theory - can you point me in the right direction?

The two plausible explanations I have so far are:

1. the user kept their client open and there was a temporary network disruption/glitch
2. someone else accessed the mailbox in question, then disconnected, therefore showing the original user as logged in

Would anyone agree with these theories and have anything to back me up on this? Bearing in mind that ESM is showing a time of 2012hrs, so it is highly unlikely that we would have many users logged in and f/b time access is definitely not the case.

I am trying to prove that ESM is incorrect and cannot be used as evidence against the user.
March 25th, 2009 2:03pm