Various methods of auditing the Exchange environment exist to gather and store records of network and Exchange access and to assist with the monitoring and tracking of SMTP connections and message routing.

Typically used for identifying security breaches or suspicious activity, auditing has the added benefit of allowing administrators to gain insight into how the Exchange Server 2007 systems are accessed and, in some cases, how they are performing.
1. Audit Logging
In a Windows environment, auditing is primarily considered to be an identity and access control security technology that can be implemented as part of an organization's network security strategy. By collecting and monitoring security-related events, administrators can track user authentication and authorization, as well as access to various directory services (including Exchange Server 2007 services).

Exchange Server 2007 relies on the audit policies of the underlying operating system for capturing information on user access and authorization. Administrators can utilize the built-in Windows Server event auditing to capture data that is written to the security log for review.
Enabling Event Auditing
Audit policies are the basis for auditing events on Windows Server 2003 systems. Administrators must be aware that, depending on the policies configured, auditing might require a substantial amount of server resources in addition to those supporting the primary function of the server. On servers without adequate memory, processing power, or hard drive space, auditing can potentially result in decreased server performance. After enabling auditing, administrators should monitor server performance to ensure the server can handle the additional load.
To enable audit policies on a Windows Server 2003 server, perform the following steps:
1. On the server to be audited, log on as a member of the local Administrators group. From the Start Menu, select Run, type MMC in the Open text box, and then click OK to start the Microsoft Management Console.
2. Select File, Add/Remove Snap-in.
3. On the Add/Remove Snap-in page, click Add.
4. On the Add Standalone Snap-in page, scroll down to Group Policy Object Editor, select it, and click Add.
5. On the Select Group Policy Object page, click Finish. Then click Close on the Add Standalone Snap-in page.
6. On the Add/Remove Snap-in page, click OK.
7. Expand each level, drilling down to Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.
8. In the right pane, double-click the policy to be modified.
9. Select to audit Success, Failure, or both.
10. Click OK to exit the configuration screen, and then close the MMC.
Figure 1 shows an example of typical auditing policies that might be configured in an Exchange environment.
These audit policies can be turned on manually by following the preceding procedure or by the implementation of security templates.
Note

After enabling audit policies, Windows event logs (specifically the security log) will capture a significant amount of data. Be sure to increase the "maximum log size" in the security log properties page. A best practice is to make the log size large enough to contain at least a week's worth of data, and configure it to overwrite as necessary so that newer data is not sacrificed at the expense of older data.
Viewing the Security Logs
The events generated by the Windows Server 2003 auditing policies can be viewed in the security log in the Event Viewer.
Understanding the information presented in the security log events can be a challenge. The event often contains error codes, with no explanation of their meaning. Microsoft has taken strides to make this easier by providing a link to the Microsoft Help and Support Center within the event.

When an administrator clicks on the link, the Event Viewer asks for permission to send information about the event to Microsoft. Administrators can select the option to always send information if they want, and can then click Yes to authorize the sending of the data. A connection is made to the Help and Support Center, and information about the Event ID is displayed. This information can be invaluable when trying to decipher the sometimes cryptic events in the security log.

Administrators can use the Filter feature (from the View menu) to filter the events based on various fields. In addition, when searching for a specific event within a specific time frame, administrators can select a specific window of time to filter on. Some of the common events that administrators might be interested in monitoring are listed in Table 1.
Table 1. Windows Security Events

Event ID | Category | Explanation
---|---|---
675 | Account Logon | A failed logon attempt via Kerberos from a workstation with a domain account has occurred. This is usually because of a bad password. The failure code indicates the reason for the failure. See Table 2 for a list of common failure codes.
672 | Account Logon | An account logon was attempted. The type shows either Success or Failure. Failed logon attempts with this Event ID are often due to an invalid username.
680 | Account Logon | A set of credentials was passed to the authentication system. If success is displayed, the credentials presented were valid and an error code of 0x0 is displayed. For failure messages, an NTStatus code is displayed. See Table 3 for a list of NTStatus codes.
642 | Account Management | A change to the specified user account has occurred, such as a reset password or the enabling of a disabled account. The description details which attribute was changed.
632, 636, 660 | Account Management | These three events signify that a user was added to a group. The user and group modified are shown in the description. Event ID 632 is for a global group, Event ID 636 is for a local group, and Event ID 660 is for a universal group.
624 | Account Management | A new user account was created.
644 | Account Management | The specified user account was locked out after repeated logon failures.
538 | Logon/Logoff | The user identified in the description has logged off.
517 | System Event | The specified user cleared the security log.
Note
For a more complete list of Windows 2003 security log Event IDs and their descriptions, refer to: http://www.eventid.net/downloads/w2k3security.txt.
Table 2 contains some common Kerberos failure codes that can be helpful when reviewing some of the events in the security log. This table only contains a few of the many possible codes, but a complete list of Kerberos failure codes can be seen in Request for Comments 1510 (RFC 1510) in the "error codes" section. A copy of RFC 1510 can be viewed at http://www.ietf.org/rfc/rfc1510.
Table 2. Common Kerberos Failure Codes

Kerberos Failure Code | Meaning
---|---
0x0 | This code indicates there is no error.
0x6 | The username does not exist.
0x12 | The workstation or logon time restriction prevented authorization.
0x18 | The account is disabled, expired, or locked out.
0x23 | The user's password has expired.
0x32 | The ticket expired, a common event logged by computer accounts.
0x37 | The workstation clock is too far out of synchronization with the domain controller clock.
Table 3 is a list of NTStatus codes that are returned during user account logon attempts. These status codes are referenced in some of the security log Event IDs.
Table 3. NTStatus Codes

NTStatus Code | Meaning
---|---
0x0 | This code indicates a successful logon.
0xC0000064 | The specified user does not exist.
0xC000006A | The value provided as the current password is not correct.
0xC000006C | The password policy is not met.
0xC000006D | The attempted logon is invalid because of a bad username.
0xC000006E | A user account restriction has prevented successful logon.
0xC000006F | The user account has time restrictions and may not be logged on to at this time.
0xC0000070 | The user is restricted and may not log on from the source workstation.
0xC0000071 | The user account's password has expired.
0xC0000072 | The user account is currently disabled.
0xC000009A | There are insufficient system resources.
0xC0000193 | The user's account has expired.
0xC0000224 | The user must change his password before he logs on the first time.
0xC0000234 | The user account has been automatically locked.
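As an added example (not part of the original text), the following Python script decodes security-log records using the Event ID, Kerberos failure code and NTStatus tables above and flags lockouts, log clearing and repeated failures for review. The tab-separated export layout, the field order and the sample records are constructed assumptions, not an actual Event Viewer export format.

```python
from collections import Counter

# Subsets of Tables 1 to 3 from the text, keyed by Event ID or code.
EVENT_NAMES = {675: "Kerberos pre-auth failure", 672: "Kerberos AS ticket request",
               680: "NTLM credential validation", 644: "Account locked out",
               624: "User account created", 517: "Security log cleared"}
KERBEROS_CODES = {0x6: "username does not exist", 0x12: "logon time/workstation restriction",
                  0x18: "account disabled, expired or locked out", 0x23: "password expired",
                  0x32: "ticket expired", 0x37: "clock out of sync with DC"}
NTSTATUS_CODES = {0xC0000064: "user does not exist", 0xC000006A: "bad password",
                  0xC0000072: "account disabled", 0xC0000234: "account auto-locked"}

# Constructed sample export (assumed layout): timestamp, Event ID, user, workstation, code.
SAMPLE_EXPORT = """\
2007-03-01 08:00:01\t675\tjsmith\tWS01\t0x18
2007-03-01 08:00:03\t675\tjsmith\tWS01\t0x18
2007-03-01 08:00:05\t680\tjsmith\tWS01\t0xC000006A
2007-03-01 08:00:07\t680\tjsmith\tWS01\t0xC000006A
2007-03-01 08:00:09\t644\tjsmith\tWS01\t0x0
2007-03-01 08:15:00\t672\tadmin\tWS02\t0x0
2007-03-01 09:00:00\t517\tadmin\tWS02\t0x0
"""

def parse_record(line):
    """Split one exported line into a dict; the code field is parsed as hex."""
    ts, event_id, user, host, code = line.rstrip("\n").split("\t")
    return {"ts": ts, "id": int(event_id), "user": user, "host": host, "code": int(code, 16)}

def explain(rec):
    """Resolve the code with the table that applies to this Event ID (Table 2 for 675, Table 3 for 680)."""
    name = EVENT_NAMES.get(rec["id"], f"Event {rec['id']}")
    if rec["id"] == 675:
        return f"{name}: {KERBEROS_CODES.get(rec['code'], 'unknown Kerberos code')}"
    if rec["id"] == 680 and rec["code"] != 0:
        return f"{name}: {NTSTATUS_CODES.get(rec['code'], 'unknown NTStatus')}"
    return name

def triage(export_text, fail_threshold=3):
    """Count failed logons per user; flag lockouts, log clearing and users over the threshold."""
    failures, alerts = Counter(), []
    for line in export_text.splitlines():
        rec = parse_record(line)
        if rec["id"] in (675, 680) and rec["code"] != 0:   # failed Kerberos or NTLM logon
            failures[rec["user"]] += 1
        if rec["id"] in (644, 517):                         # lockout or cleared security log
            alerts.append(f"{rec['ts']} {rec['user']}@{rec['host']}: {explain(rec)}")
    alerts += [f"{u}: {n} failed logons" for u, n in failures.items() if n >= fail_threshold]
    return failures, alerts

if __name__ == "__main__":
    for line in SAMPLE_EXPORT.splitlines():
        print(explain(parse_record(line)))
    print(triage(SAMPLE_EXPORT)[1])
```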
The information supplied here on viewing security log Event IDs is intended to help administrators get a basic understanding of the topic. There is much more that can be learned on the subject of security auditing and event monitoring, and the Microsoft website is an excellent resource for doing so.