IT compliance and security necessities require you to track Exchange Server mailbox permission changes. Anyone with full access permissions to another user’s mailbox has unrestricted access mailbox data which they can potentially compromise. If a “C” level executive’s account has been compromised, a data leakage incident can be devastating to the reputation and bottom line of the business. In this article, you will learn how to track Exchange Server mailbox permission changes (first with native auditing methods, and then with LepideAuditor).

Tracking Exchange Server Mailbox Permission Changes Natively

Step 1: Enable Administrator Audit Logging

Open the Exchange Management Shell. Check if “Administrator Audit Logging” is enabled by running the following command:

Get-AdminAuditLogConfig | FL AdminAuditLogEnabled

Figure 1 Check whether Administrator audit logging is enabled

As shown in the above image, in our lab, it is already enabled.

If Administrator Audit Logging is not enabled, the AdminAuditLogEnabled attribute’s value will be “False”, in that case, you can use the following command to enable it:

Set-AdminAuditLogConfig – AdminAuditLogEnabled $true

Step 2: View Mailbox Permission Change Events

After Administrator audit logging has been enabled, all Exchange mailbox permissions change events will be logged. To view them, follow the below steps:

1. Go to “Control Panel” ➔ “Administrative Tools” ➔ “Event Viewer”. You can also type “eventvwr” in “Run” box or at “Command Prompt” and press “Enter” key to access this window.

2. Navigate to the “Applications and Services Logs” ➔ “MSExchange Management”.

3. Search for the logs with cmdlet "Add-MailboxPermission"/"Remove-MailboxPermission".

In the result, you can find all the logs with this cmdlet. To get more information about the event, double-click on it.

For example, the following “Event Properties” image taken in our lab shows a permission addition event. The cmdlet shows that “Administrator” has been given full access right over the “TestUser1’s” mailbox. To find out when the permission was granted, check the “Logged” field. To get other details, click on the “Details” tab.

Figure 2: Viewing “mailbox permission change log” in Event Viewer

Using LepideAuditor for Exchange Server

Now, we will show you how to track the same changes using LepideAuditor for Exchange Server – hopefully demonstrating how much easier and more powerful this method is than native auditing.

As shown in the following image, the same change has been captured by LepideAuditor. All the relevant information (including who granted the permission, to whom it was granted, when and over which mailbox) is available in a single line record:

Figure 3: LepideAuditor Exchange Server mailbox permission change report

Conclusion

LepideAuditor gives complete visibility into your Exchange Server mailbox permission changes. The predefined audit reports provide complete audit information that enables you to take quicker, more intelligence driven action to keep your critical servers secure from privilege abuse.



Download LepideAuditor for Exchange Server

Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.