Exchange Server 2007 Management and Maintenance Practices : Auditing the Environment (part 1) - Audit Logging - Enabling Event Auditing , Viewing the Security Logs

10/2/2014 9:25:24 PM

Various methods of auditing the Exchange environment exist to gather and store records of network and Exchange access and to assist with the monitoring and tracking of SMTP connections and message routing.

Typically used for identifying security breaches or suspicious activity, auditing has the added benefit of allowing administrators to gain insight into how the Exchange Server 2007 systems are accessed and, in some cases, how they are performing.

1. Audit Logging

In a Windows environment, auditing is primarily considered to be an identity and access control security technology that can be implemented as part of an organization’s network security strategy. By collecting and monitoring security-related events, administrators can track user authentication and authorization, as well as access to various directory services (including Exchange Server 2007 services).

Exchange Server 2007 relies on the audit policies of the underlying operating system for capturing information on user access and authorization. Administrators can utilize the built-in Windows Server event auditing to capture data that is written to the security log for review.

Enabling Event Auditing

Audit policies are the basis for auditing events on Windows Server 2003 systems. Administrators must be aware that, depending on the policies configured, auditing might require a substantial amount of server resources in addition to those supporting the primary function of the server. On servers without adequate memory, processing power or hard drive space, auditing can potentially result in decreased server performance. After enabling auditing, administrators should monitor server performance to ensure the server can handle the additional load.

To enable audit policies on a Windows Server 2003 server, perform the following steps:

On the server to be audited, log on as a member of the local Administrators group. From the Start Menu, select Run, type MMC in the Open text box, and then click OK to start the Microsoft Management Console.

Select File, Add/Remove Snap-in.

On the Add/Remove Snap-in page, click Add.

On the Add Standalone Snap-in page, scroll down to Group Policy Object Editor, select it, and click Add.

On the Select Group Policy Object page, click Finish. Then click Close on the Add Standalone Snap-in page.

On the Add/Remove Snap-in page, click OK.

Expand each level, drilling down to Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.

In the right pane, double-click the policy to be modified.

Select to audit Success, Failure, or both.

Click OK to exit the configuration screen, and then close the MMC.

Figure 1 shows an example of typical auditing policies that might be configured in an Exchange environment.

Figure 1. Windows Server 2003 audit policies.

These audit policies can be turned on manually by following the preceding procedure or by the implementation of security templates.


After enabling audit policies, Windows event logs (specifically the security log) will capture a significant amount of data. Be sure to increase the “maximum log size” in the security log properties page. A best practice is to make the log size large enough to contain at least a week’s worth of data, and configure it to overwrite as necessary so that newer data is not sacrificed at the expense of older data.

Viewing the Security Logs

The events generated by the Windows Server 2003 auditing policies can be viewed in the security log in the Event Viewer.

Understanding the information presented in the security log events can be a challenge. The event often contains error codes, with no explanation on their meaning. Microsoft has taken strides to make this easier by providing a link to the Microsoft Help and Support Center within the event.

When an administrator clicks on the link, the Event Viewer asks for permission to send information about the event to Microsoft. Administrators can select the option to always send information if they want, and can then click Yes to authorize the sending of the data. A connection is made to the Help and Support Center, and information about the Event ID is displayed. This information can be invaluable when trying to decipher the sometimes cryptic events in the security log.

Administrators can use the Filter feature (from the View menu) to filter the events based on various fields. In addition, when searching for a specific event within a specific time frame, administrators can select a specific window of time to filter on. Some of the common events that administrators might be interested in monitoring are listed in Table 1.

Table 1. Windows Security Events
Event IDCategoryExplanation
675Account LogonA failed logon attempt via Kerberos from a workstation with a domain account has occurred. This is usually because of a bad password. The failure code indicates the reason for the failure. See Table 2 for a list of common failure codes.
672Account LogonAn account logon was attempted. The type shows either Success or Failure. Failed logon attempts with this Event ID are often due to an invalid username.
680Account LogonA set of credentials was passed to the authentication system. If success is displayed, the credentials presented were valid and an error code of 0x0 is displayed. For failure messages, an NTStatus code is displayed. See Table 3 for a list of NTStatus codes.
642Account ManagementA change to the specified user account has occurred, such as a reset password or the enabling of a disabled account. The description details which attribute was changed.
632. 636, 660Account ManagementThese three events signify that a user was added to a group. The user and group modified are shown in the description. Event ID 632 is for a global group, Event ID 636 is for a local group, and Event ID 660 is for a universal group.
624Account ManagementA new user account was created.
644Account ManagementThe specified user account was locked out after repeated logon failures.
538Logon/LogoffThe user identified in the description has logged off.
517System EventThe specified user cleared the security log.


For a more complete list of Windows 2003 security log Event IDs and their descriptions, refer to: http://www.eventid.net/downloads/w2k3security.txt.

Table 2 contains some common Kerberos failure codes that can be helpful when reviewing some of the events in the security log. This table only contains a few of the many possible codes, but a complete list of Kerberos failure codes can be seen in Request for Comments 1515 (RFC 1510) in the “error codes” section. A copy of RFC 1510 can be viewed at http://www.ietf.org/rfc/rfc1510.

Table 2. Common Kerberos Failure Codes
Kerberos Failure CodeMeaning
0x0This code indicates there is no error.
0x6The username does not exist.
0x12The workstation or logon time restriction prevented authorization.
0x18The account is disabled, expired, or locked out.
0x23The user’s password has expired.
0x32The ticket expired, a common event logged by computer accounts.
0x37The workstation clock is too far out of synchronization with the domain controller clock.

Table 3 is a list of NTStatus codes that are returned during user account logon attempts. These status codes are referenced in some of the security log Event IDs.

Table 3. NTStatus Codes
NTStatus CodeMeaning
0x0This code indicates a successful logon.
0xC0000064The specified user does not exist.
0xC000006AThe value provided as the current password is not correct.
0xC000006CThe password policy is not met.
0xC000006DThe attempted logon is invalid because of a bad username.
0xC000006EA user account restriction has prevented successful logon.
0xC000006FThe user account has time restrictions and may not be logged on to at this time.
0xC0000070The user is restricted and may not log on from the source workstation.
0xC0000071The user account’s password has expired.
0xC0000072The user account is currently disabled.
0xC000009AThere are insufficient system resources.
0xC0000193The user’s account has expired.
0xC0000224The user must change his password before he logs on the first time.
0xC0000234The user account has been automatically locked.

The information supplied here on viewing security log Event IDs is intended to help administrators get a basic understanding of the topic. There is much more that can be learned on the subject of security auditing and event monitoring, and the Microsoft website is an excellent resource for doing so.

Top 10
Free Mobile And Desktop Apps For Accessing Restricted Websites
TOYOTA CAMRY 2; 2.5 : Camry now more comely
KIA SORENTO 2.2CRDi : Fuel-sipping slugger
How To Setup, Password Protect & Encrypt Wireless Internet Connection
Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
Backup & Restore Game Progress From Any Game With SaveGameProgress
Generate A Facebook Timeline Cover Using A Free App
New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
Popular Tags
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Exchange Server Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe Photoshop CorelDRAW X5 CorelDraw 10 windows Phone 7 windows Phone 8 Iphone