Exchange 2013 Brief – Mailbox Audit Logging

Executive Overview

Due to the wide-spread prevalence of e-mail and the potential that e-mails contain sensitive information that may be of high impact to a business or contain personal information, there is a need for many IT departments to be able to track access to mailboxes. Mailbox audit logging enables an organization to identify mailbox access by mailbox owners, delegates and administrators.

Notable Features

  • Mailbox Audit Logon Types
  • Mailbox Audit Log

Architecture/Components

  • Mailbox Audit Logon Types: In Exchange 2013, you can distinguish between three classes of users when they access a mailbox. These classes are:
    • Mailbox Owners: The account designated to access the mailbox. (Primarily Users)
    • Mailbox Delegates: Alternate accounts that have been granted permissions to access a mailbox
    • Administrators: Administrators typically access an account during the following three instances: Firstly, when In-Place eDiscovery is used to search a mailbox. Secondly, when the New-MailboxExportRequest cmdlet is used to export a mailbox; and Thirdly, the Microsoft Exchange Server MAPI Editor is used to access a mailbox.
  • Mailbox Audit Logs: Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are retained in the mailbox by default for 90 days in the Audits subfolder of the audited mailboxRecoverable Items folder. Mailbox Audit logs allow you to specific what types of important information should be logged for a specific logon type. These include:
    • User Actions (Accessing, copying, creating, moving or deleting a message)
    • Performing SendAs or SendOnBehalf actions
    • Reading or previewing a message
    • Client IP adress
    • Client Host name
    • Process that client used to access the mailbox

Common Administrative Tasks

  1. Enabling or Disabling Mailbox Audit Logging: via EAC or PowerShell
    Set-Mailbox -Identity “Road Chimp” -AuditEnabled $true to enable &
    Set-Mailbox -Identity “Road Chimp” -AuditEnabled $false to disable
  2. Enabling/Disabling Mailbox Audit Logging for various logon types:
    Set-Mailbox -Identity “Road Chimp” -AuditOwner or
    Set-Mailbox -Identity “Road Chimp”
     -AuditDelegate or
    Set-Mailbox -Identity “Road Chimp” -AuditAdmin
  3. Verify Mailbox Audit Logging was configured: via Powershell
    Get-Mailbox “Road Chimp | Format-List *audit*
  4. Create a Mailbox Audit Log Search: via EAC or PowerShell
    New-MailboxAuditLogSearch “Admin and Delegate Access” -Mailboxes “Road Chimp”,”Chief Peeler” -LogonTypes Admin,Delegate -StartDate 1/1/2012 -EndDate 12/01/2012 -StatusMailRecipients “auditors@chimpcorp.com”
  5. Searching Mailbox Audit Log for a specific search term: via EAC or PowerShell
    Search-MailboxAuditLog -Identity “Road Chimp” -LogonTypes Admin,Delegate -StartDate 1/1/2012 -EndDate 12/31/2012 -ResultSize 2000
  6. Bypass a User Account from Mailbox Audit Logging: via EAC or Powershell
    Set-MailboxAuditBypassAssociation -Identity “Road Chimp” -AuditBypassEnabled $true

Top PowerShell Commands/Tools:

– Set-Mailbox -AuditEnabled
– Set-Mailbox -AuditDelegate |AuditAdmin | AuditOwner
– Get-Mailbox

References/Links

Technet: Article on Mailbox Audit Logging
Cmdlets: For Mailbox Audit Logging

Advertisements

One thought on “Exchange 2013 Brief – Mailbox Audit Logging

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s