How to Track Permission Changes on Exchange Server Mailboxes
IT compliance and security requirements make it necessary to track Exchange Server mailbox permission changes. Anyone with full access permissions to another user’s mailbox has unrestricted access to that mailbox’s data, which they can potentially compromise. If a “C” level executive’s account has been compromised, a data leakage incident can be devastating to the reputation and bottom line of the business. In this article, you will learn how to track Exchange Server mailbox permission changes (first with native auditing methods, and then with Lepide Exchange Server Auditor).
Tracking Exchange Server Mailbox Permission Changes Natively
Step 1: Enable Administrator Audit Logging
Open the Exchange Management Shell. Check if “Administrator Audit Logging” is enabled by running the following command:
Get-AdminAuditLogConfig | FL AdminAuditLogEnabled
In our lab, it is already enabled.
If Administrator Audit Logging is not enabled, the AdminAuditLogEnabled attribute’s value will be “False”. In that case, you can use the following command to enable it:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
Step 2: View Mailbox Permission Change Events
After Administrator Audit Logging has been enabled, all Exchange mailbox permission change events will be logged. To view them, follow the steps below:
- Go to “Control Panel” ➔ “Administrative Tools” ➔ “Event Viewer”. You can also type “eventvwr” in the “Run” box or at the “Command Prompt” and press the “Enter” key to access this window.
- Navigate to “Applications and Services Logs” ➔ “MSExchange Management”.
- Search for the logs with the cmdlet “Add-MailboxPermission” or “Remove-MailboxPermission”.
In the result, you can find all the logs with this cmdlet. To get more information about the event, double-click on it.
For example, the “Event Properties” window of an event taken in our lab shows a permission addition. The cmdlet shows that “Administrator” has been given the full access right over “TestUser1’s” mailbox. To find out when the permission was granted, check the “Logged” field. To get other details, click on the “Details” tab.
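The entries recorded by Administrator Audit Logging can also be retrieved from the Exchange Management Shell with the Search-AdminAuditLog cmdlet and reduced to one line per permission change. The following is an added example, not part of the original article or of any vendor tooling; it assumes PowerShell 3.0 or later, and the helper name ConvertTo-MailboxPermissionChange, the lab.local paths and the sample entry are constructed for illustration.

```powershell
# Added example: flatten admin audit log entries for mailbox permission changes.
function ConvertTo-MailboxPermissionChange {    # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Entry)
    process {
        # CmdletParameters is a list of Name/Value pairs; index it by name.
        $p = @{}
        foreach ($cp in $Entry.CmdletParameters) { $p[$cp.Name] = $cp.Value }
        $isGrant = $Entry.CmdletName -eq 'Add-MailboxPermission'
        [pscustomobject]@{
            RunDate         = $Entry.RunDate
            Caller          = $Entry.Caller          # who ran the cmdlet
            Action          = $Entry.CmdletName
            Mailbox         = $Entry.ObjectModified  # mailbox whose permissions changed
            Trustee         = $p['User']             # account gaining or losing access
            AccessRights    = $p['AccessRights']
            Succeeded       = $Entry.Succeeded
            # Flag successful FullAccess grants so they can be reviewed first.
            FullAccessGrant = [bool]($isGrant -and $Entry.Succeeded -and
                                     "$($p['AccessRights'])" -match 'FullAccess')
        }
    }
}

# Constructed sample entry with the same property names as a Search-AdminAuditLog
# result, so the function can be tried without an Exchange server.
$sample = [pscustomobject]@{
    RunDate          = [datetime]'2024-01-15T09:30:00'
    Caller           = 'lab.local/Users/Administrator'
    CmdletName       = 'Add-MailboxPermission'
    ObjectModified   = 'lab.local/Users/TestUser1'
    Succeeded        = $true
    CmdletParameters = @(
        [pscustomobject]@{ Name = 'Identity';     Value = 'TestUser1' }
        [pscustomobject]@{ Name = 'User';         Value = 'Administrator' }
        [pscustomobject]@{ Name = 'AccessRights'; Value = 'FullAccess' }
    )
}
$sample | ConvertTo-MailboxPermissionChange | Format-List

# In the Exchange Management Shell, feed it real entries from the last 7 days:
# Search-AdminAuditLog -Cmdlets Add-MailboxPermission,Remove-MailboxPermission `
#     -StartDate (Get-Date).AddDays(-7) |
#     ConvertTo-MailboxPermissionChange | Sort-Object RunDate
```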
Using Lepide Exchange Server Auditor
Now, we will show you how to track the same changes using Lepide Exchange Server Auditor (part of Lepide Data Security Platform) – hopefully demonstrating how much easier and more powerful this method is than native auditing.
The same change has been captured by Lepide’s Exchange Server auditing solution. All the relevant information (including who granted the permission, to whom it was granted, when and over which mailbox) is available in a single-line record.
Lepide Exchange Server Auditor gives complete visibility into your Exchange Server mailbox permission changes. The predefined audit reports provide complete audit information that enables you to take quicker, more intelligence-driven action to keep your critical servers secure from privilege abuse.