
Any MS Exchange gurus?

Discussion in 'The Lounge' started by newyorkin, Jul 29, 2002.

  1. newyorkin

    newyorkin 1 ton status

    Joined:
    May 8, 2001
    Posts:
    16,555
    Likes Received:
    157
    Location:
    Los Estados Unitos
    Hey all, I'm looking for some help... Someone deleted a mailbox on an Exchange 5.5 server, and no one can figure out who (or someone is covering for someone else).
    Anyone here know Exchange 5.5 well enough to give me some tips?


    It's on an NT4/sp6a server.
    Auditing is enabled for the following:
    Logon/Logoff --succ/fail
    File and object access --succ/fail
    Use of user rights --succ
    User and group management --succ/fail
    Security policy changes --succ
    Restart shutdown and system --succ/fail
    process tracking --succ


    As you can guess, the security log loads up pretty quickly with user mailbox logons. The day of the delete has already been flushed out and not backed up. I know, I've already said some pretty nasty words about it myself... In retrospect, though, I now have a batch that will copy the log to my hard drive, rename it by date, and save it forever...
     
  2. Goober

    Goober 1/2 ton status

    Joined:
    Apr 26, 2002
    Posts:
    2,222
    Likes Received:
    0
    Location:
    Mayberry (Auburn, WA)
    It's kind of tough to track down specific users' actions without having audit records available. Have you got any backups that you could restore? (You do daily backups, right?)

    Another thing you can do is check to see if advanced diagnostics logging is enabled. If so, you can get quite a bit of forensic information from the application log (not the security log).

    If you have enabled diagnostic logging, then you should be able to search your application log for an event ID 1053 with the event's description containing the text 0x10000. You could also get an event ID 1053 in the Security Log when an admin opens Exchange Administrator. This can be identified by the text 0x20 found in the event's description.

    In the future (if you are in a Win2k Domain) you could set up a quickie batch file using a cool tool called Dumpel from the NT 4 Resource Kit and Qgrep from the Windows 2000 Server Resource Kit (it works just fine on NT) that will dump all of the changes made during the day into a text file that can be archived or mailed every day.

    Example batch file:

    Check1053.bat

    REM Dump today's Event ID 1053 entries from the Application log (source MSExchangeDS) to a text file
    dumpel -f c:\reports\dumpel.txt -l Application -m MSExchangeDS -e 1053 -d 1

    REM Case-insensitive search for the mailbox of interest; the hits become the daily report
    qgrep -y MyEmail c:\reports\dumpel.txt > c:\ExchangeLogs\reports\check153.txt

    REM Mail the report with Postie (replace yourmailserver and the exchangeadmins recipient with your own)
    postie -host:yourmailserver -to:exchangeadmins -s:"Exchange Permission Changes" -from:"Exchange Report" -msg:"The following permissions were changed on Exchange during the past day." c:\ExchangeLogs\reports\check153.txt


    This batch file will use Dumpel to search the application log for all occurrences of Event ID 1053 with a source of MSExchangeDS (Exchange) and dump it into a text file. Then it will use Qgrep (similar to the Unix grep command) to search for any references to MyEmail (the -y switch tells it to ignore case and the -d 1 switch tells it to report 1 day's activity). Then the batch file uses Postie (an inexpensive command line SMTP application from Infradig Software) to email the results when it is finished. You can schedule this batch file to run every day, report on any or all email accounts and have the results sent to any email account you want (preferably on a different server).

    You will get an email that looks something like this:

    __________________________________

    The following permissions were changed on Exchange
    during the past day.

    07/31/2002 09:31:56 AM 4 2
    1175 MSExchangeDS CORP\mine
    EXCHSRVR The security attributes on object /o=Corporation/ou=CORP/cn=Recipients/cn=MyEmail were modified.
    __________________________________

    Oh yeah, don't forget to give every Administrator their own unique login ID ... just to keep them honest.

    Hope this gives you some ideas!
     
  3. newyorkin

    newyorkin 1 ton status

    Joined:
    May 8, 2001
    Posts:
    16,555
    Likes Received:
    157
    Location:
    Los Estados Unitos
    Thanks Goober. I've pretty much done that. Dumpel is a pretty cool little utility; I've been using it since February to dump the app/sys logs to my laptop to read on my commute, but I never bothered with the security logs until after they were overwritten. Since I've added them, I have a major slowdown on boot (when I run the script), so I'm thinking I'm going to use my boot script to call the actual dump script from a server, having it dump the output to a share on my laptop.

    Have you ever used the "for" command? I'm addicted to it; I use it for batching totally unnecessary stuff (hey, it's that extra level that sets me apart!)... I use "for" to parse the date and rename the dumped logs by date. This way, every day when I log on and dump the logs, they're separated and stored by date, with an overlap of 3 days to make up for the weekends.

    The sec logs are friggin huge, though...
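    The daily dump-and-rename routine described in this post, combined with the Event ID 1053 filter from Goober's Check1053.bat above, as one NT 4 batch file. This is an added example, not a script from anyone in the thread; it assumes dumpel.exe and qgrep.exe from the resource kits are on the PATH, and the server name EXCHSRVR and the share \\LAPTOP\logs are placeholders to replace with your own.

    ```batch
    @echo off
    REM ArchiveLogs.bat -- added example, not from the thread.
    REM Assumes dumpel.exe / qgrep.exe (NT 4 and Win2k Resource Kits) are on the PATH.
    REM EXCHSRVR and \\LAPTOP\logs are placeholders for your Exchange server and
    REM the share the dumps should be written to (ideally NOT on the server itself).
    setlocal

    set SERVER=EXCHSRVR
    set DEST=\\LAPTOP\logs

    REM Build a YYYYMMDD stamp from "date /t", which prints e.g. "Mon 07/29/2002"
    REM on a US-locale NT 4 machine: tokens 2-4 split on "/" and space give
    REM month, day, year. Reorder %%a/%%b/%%c for other date formats.
    for /f "tokens=2-4 delims=/ " %%a in ('date /t') do set STAMP=%%c%%a%%b

    REM Pull the last 3 days of the Security and Application logs from the server
    REM into dated files. The 3-day window overlaps so a weekend skip loses nothing;
    REM -s names the remote server, -l the log, -f the output file.
    dumpel -s \\%SERVER% -l Security -d 3 -f %DEST%\security-%STAMP%.txt
    dumpel -s \\%SERVER% -l Application -d 3 -f %DEST%\application-%STAMP%.txt

    REM Separately keep a dated report of Exchange directory permission changes:
    REM Event ID 1053 from source MSExchangeDS for the past day, then a
    REM case-insensitive (-y) filter for any Recipients container object, so every
    REM mailbox whose security attributes changed shows up, not just one name.
    dumpel -s \\%SERVER% -l Application -m MSExchangeDS -e 1053 -d 1 -f %DEST%\ds-1053-%STAMP%.txt
    qgrep -y "cn=Recipients" %DEST%\ds-1053-%STAMP%.txt > %DEST%\ds-1053-%STAMP%-recipients.txt

    endlocal
    ```

    Run it from the Scheduler (or a logon script that calls it on the server, as the post suggests) once a day; because the Security log here is overwritten within a day, the dated copy on a separate share is what survives for an investigation, and the dated 1053 report lists which recipient objects had their permissions modified and under which account.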
     
  4. thatK30guy

    thatK30guy 1 ton status Premium Member

    Joined:
    Jan 12, 2001
    Posts:
    32,076
    Likes Received:
    55
    Location:
    .
    Gawd dam, Goober! I'm impressed!

    You must be a 'puter nerd!
     
  5. Goober

    Goober 1/2 ton status

    Joined:
    Apr 26, 2002
    Posts:
    2,222
    Likes Received:
    0
    Location:
    Mayberry (Auburn, WA)
    In reply to:
    "been using it since February to dump the app/sys logs to my laptop to read on my commute"

    How can you even think about working while commuting when there is all that coffee that needs to be consumed??


    In reply to:
    "I never bothered with the security logs until after they were overwritten"

    If you wait until they are overwritten how can you see what was there?


    Sounds like you have taken steps to make sure it doesn't happen again.

    The worst part about it is that most problems are caused by people that are too stupid to realize exactly what they are doing.

    The best part is when I get to watch them get escorted out the door after I catch them.
     
  6. newyorkin

    newyorkin 1 ton status

    Joined:
    May 8, 2001
    Posts:
    16,555
    Likes Received:
    157
    Location:
    Los Estados Unitos
    Ahh, the coffee's more like battery acid at my train station... That's what I meant: I'm now dumping sec logs as well. Before, I was ignoring them, and hadn't considered them until it was too late and they'd been wiped already (these things are wiped in a day!!).

    The bad part is, we don't know who it was, and too many people had access before this event. It could've been someone stupid, or it could've been the head of the Exchange team in a bad moment!
     
