Exchange Server 2010 Management and Maintenance Practices : Auditing the Environment (part 1) - Audit Logging

4/10/2011 7:13:13 PM
Various methods of auditing the Exchange Server environment exist to gather and store records of network and Exchange Server access and to assist with the monitoring and tracking of SMTP connections and message routing.

Typically used for identifying security breaches or suspicious activity, auditing has the added benefit of allowing administrators to gain insight into how the Exchange Server 2010 systems are accessed and, in some cases, how they are performing.

This article focuses on three types of auditing:

  • Audit logging: for security and tracking user access

  • SMTP logging: for capturing SMTP conversations between messaging servers

  • Message tracking: for tracking emails through the messaging environment

Audit Logging

In a Windows environment, auditing is primarily considered to be an identity and access control security technology that can be implemented as part of an organization’s network security strategy. By collecting and monitoring security-related events, administrators can track user authentication and authorization, as well as access to various directory services (including Exchange Server 2010 services).

Exchange Server 2010 relies on the audit policies of the underlying operating system for capturing information on user access and authorization. Administrators can utilize the built-in Windows Server event auditing to capture data that is written to the security log for review.

Enabling Event Auditing

Audit policies are the basis for auditing events on Windows Server 2003 and Windows Server 2008 systems. Administrators must be aware that, depending on the policies configured, auditing might require a substantial amount of server resources in addition to those supporting the primary function of the server. On servers without adequate memory, processing power or hard drive space, auditing can potentially result in decreased server performance. After enabling auditing, administrators should monitor server performance to ensure the server can handle the additional load.

To enable audit policies on a Windows Server 2008 server, perform the following steps:

1. On the server to be audited, log on as a member of the local Administrators group.

2. Select Start, Administrative Tools, and launch the Local Security Policy snap-in.

3. Expand Local Policies and select Audit Policy.

4. In the right pane, double-click the policy to be modified.

5. Select to audit Success, Failure, or both.

6. Click OK to exit the configuration screen, and then close the Local Security Policy tool.

Figure 1 shows an example of typical auditing policies that might be configured for an Exchange server.

Figure 1. Windows Server 2008 audit policy setting example.

These audit policies can be turned on manually by following the preceding procedure, by configuring a Group Policy, or by applying security templates.

Note

After enabling audit policies, Windows event logs (specifically the security log) will capture a significant amount of data. Be sure to increase the “maximum log size” in the security log properties page. A best practice is to make the log size large enough to contain at least a week’s worth of data, and configure it to overwrite as necessary so that newer data is not sacrificed at the expense of older data.
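The same configuration, the audit categories from the procedure above plus the log-size adjustment from the note, done from an elevated PowerShell prompt with the built-in auditpol.exe and wevtutil.exe tools. This is an added example, not part of the original article; the category names are auditpol's own, while the choice of categories and the 100 MB size are assumptions.

```powershell
# Added example, not from the original article: enables audit categories
# with auditpol.exe and sizes the Security log with wevtutil.exe.
# Category selection and the 100 MB size are assumptions for this example.

# auditpol category names; the Local Security Policy "Audit ..." entries
# map onto these categories.
$categories = @('Logon/Logoff', 'Account Logon', 'Account Management', 'Policy Change')

function Enable-AuditCategories {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # Audit both successful and failed events, as in step 5 above.
        & auditpol.exe /set /category:"$name" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for category '$name'" }
    }
}

function Set-SecurityLogSize {
    param([int]$MaxBytes = 100MB)
    # /ms sets the maximum size; /rt:false selects "overwrite events as needed",
    # so the log keeps recording (dropping the oldest entries) when it fills.
    & wevtutil.exe sl Security /ms:$MaxBytes /rt:false
    if ($LASTEXITCODE -ne 0) { Write-Warning 'wevtutil could not change the Security log settings' }
}

Enable-AuditCategories -Names $categories
Set-SecurityLogSize -MaxBytes 100MB

# Read the settings back so the change can be confirmed and recorded.
foreach ($name in $categories) { & auditpol.exe /get /category:"$name" }
& wevtutil.exe gl Security | Select-String 'maxSize|retention'
```

If audit policy is delivered through Group Policy, these local settings are overwritten at the next policy refresh, so make the change in the GPO instead.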


Viewing the Security Logs

The events generated by the Windows Server 2003 and Windows Server 2008 auditing policies can be viewed in the security log in the Event Viewer.

Understanding the information presented in the security log events can be a challenge. An event often contains error codes with no explanation of their meaning. Microsoft has taken strides to make this easier by providing a link to the Microsoft Help and Support Center within the event.

When an administrator clicks on the link, the Event Viewer asks for permission to send information about the event to Microsoft. Administrators can select the option to always send information if they want, and can then click Yes to authorize the sending of the data. A connection is made to the Help and Support Center, and information about the Event ID is displayed. This information can be invaluable when trying to decipher the sometimes cryptic events in the security log.

Administrators can use the Filter feature (from the View menu) to filter the events based on various fields. In addition, when searching for an event within a particular time frame, administrators can narrow the filter to that window of time.

For an extensive list of security event IDs and their meaning in Windows Server 2008, go to http://support.microsoft.com/kb/947226.

The information supplied here on viewing security log Event IDs is intended to help administrators get a basic understanding of the topic. There is much more that can be learned on the subject of security auditing and event monitoring, and the Microsoft website is an excellent resource for doing so.
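The Event Viewer filter described above (one event ID within a chosen window of time) can also be applied from PowerShell with Get-WinEvent, which makes it practical to summarize the matching events rather than read them one by one. This is an added example, not part of the original article; it assumes PowerShell 2.0 (Windows Server 2008 R2), event ID 4625 (failed logon, the Windows Server 2008 ID), and a 24-hour window.

```powershell
# Added example, not from the original article: filter the Security log to one
# event ID and one time window, then summarize failed logons per account so
# repeated failures against a mailbox account stand out.
# Event ID 4625 and the 24-hour default window are assumptions.

function Get-FailedLogonSummary {
    param(
        [datetime]$Start = (Get-Date).AddHours(-24),
        [datetime]$End = (Get-Date),
        [int]$EventId = 4625,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Same fields as the Event Viewer filter: log, event ID, time range.
    $filter = @{ LogName = 'Security'; ID = $EventId; StartTime = $Start; EndTime = $End }
    # Get-WinEvent reports an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $events | ForEach-Object {
        # The EventData fields (TargetUserName, IpAddress, Status, ...) are only
        # reliably addressable by name through the event's XML representation.
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Account = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source  = $data['IpAddress']
            Status  = $data['Status']
        }
    } | Group-Object Account | Sort-Object Count -Descending |
        Select-Object Count, Name, @{ Name = 'Sources'; Expression = { ($_.Group | Select-Object -ExpandProperty Source -Unique) -join ', ' } }
}

Get-FailedLogonSummary | Format-Table -AutoSize
```

The Status value is the NTSTATUS code the article refers to as cryptic; the KB article linked above is where to look it up.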

