How to check who's reading who's email

  • How to check who's reading who's email

    I've been given a task to check not only who has access (Domain Admins...) to our CEO's mailbox, but who's been reading it, if there's anyone else but her.

    In what way can I approach this, which logs if any can I check, what kind of auditing needs to be in place...

    I need to be 100% sure, with evidence in hand.

  • #2
    Re: How to check who's reading who's email

    If logging wasn't enabled then you cannot discover that retrospectively.
    Exchange doesn't log at an item level. The most that you can get is the access to the mailbox. However, that can give false positives, for example accessing content that has been allowed to contacts.

    This KB article explains how to audit mailbox access.
    http://support.microsoft.com/kb/867640

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.
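
The kind of triage the mailbox-access auditing mentioned in post #2 allows, as an added example that is not part of the original thread: it lists which accounts other than the owner logged on to one mailbox. The event ID (1016), the message wording, the pipe-separated export format and all account and mailbox names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: event ID and message wording of a non-primary mailbox logon event.
NON_PRIMARY_EVENT_ID = "1016"
NON_PRIMARY = re.compile(
    r"User (?P<user>\S+) logged on to (?P<mailbox>\S+) mailbox, "
    r"and is not the primary"
)

# Constructed sample export: timestamp|event id|message, one event per line.
SAMPLE_EVENTS = """\
2009-03-02 08:01:12|1016|Windows 2000 User CORP\\backupsvc logged on to ceo@example.com mailbox, and is not the primary Windows 2000 account on this mailbox.
2009-03-02 09:14:40|1016|Windows 2000 User CORP\\jsmith logged on to ceo@example.com mailbox, and is not the primary Windows 2000 account on this mailbox.
2009-03-02 09:16:05|1016|Windows 2000 User CORP\\jsmith logged on to ceo@example.com mailbox, and is not the primary Windows 2000 account on this mailbox.
2009-03-02 09:20:00|1016|Windows 2000 User CORP\\jsmith logged on to cfo@example.com mailbox, and is not the primary Windows 2000 account on this mailbox.
2009-03-02 10:02:33|1009|CORP\\ceo logged on as the mailbox owner.
"""


def non_owner_logons(log_text, mailbox, expected=()):
    """Return {account: [timestamps]} of non-primary logons to `mailbox`.

    Accounts in `expected` (backup or antivirus service accounts, delegates)
    are left out. A hit shows a mailbox logon by that account, not that any
    message was opened: the audit trail is per mailbox, not per item.
    """
    expected = {account.lower() for account in expected}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3 or parts[1] != NON_PRIMARY_EVENT_ID:
            continue  # malformed line or an ordinary owner logon
        match = NON_PRIMARY.search(parts[2])
        if not match or match["mailbox"].lower() != mailbox.lower():
            continue
        if match["user"].lower() in expected:
            continue
        hits[match["user"]].append(parts[0])
    return dict(hits)


if __name__ == "__main__":
    found = non_owner_logons(SAMPLE_EVENTS, "ceo@example.com",
                             expected=["CORP\\backupsvc"])
    for account, times in found.items():
        print(account, len(times), "logons, first", times[0], "last", times[-1])
```
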


    • #3
      Re: How to check who's reading who's email

      Thank you very much Sembee.
      I already see that an Administrator account logged on to all mailboxes when viewing in System Manager, but that's nothing.

      Auditing most probably wasn't configured, and the way the events are displayed I won't even be near the 100% mark. I really don't want much less in this case since people would get fired. Very strange the level of details is not even close to what one would expect/desire.


      • #4
        Re: How to check who's reading who's email

        Exchange doesn't provide more granular logging because of the massive number of logs it would generate. Remember Exchange is an enterprise level solution, 1000 or more users per server is not unusual and logging is set on a per server basis. If you have 1000 users and are logging at the level required to fire someone then you will be generating a lot of logs which will simply drown out anything of any use inside the logs.

        I have seen logging turned right up to try and capture everything, but the clients who are doing it are using a third party event log management tool which stores the logs elsewhere, on dedicated SQL servers in most cases.

        Simon.

        • #5
          Re: How to check who's reading who's email

          I see.

          This is a small shop with 70 mailboxes and I'd only need to monitor the one from our CEO, even if not for what happened in the past, but in the near future.


          • #6
            Re: How to check who's reading who's email

            Originally posted by CypherBit:
            I see.

            This is a small shop with 70 mailboxes and I'd only need to monitor the one from our CEO, even if not for what happened in the past, but in the near future.

            You can only set things on a per-server basis; even on 70 users you will generate a very high number of logs. Things are not logged once a day or when Outlook is started; the logs are very frequent, as much as every couple of minutes per mailbox.

            Simon.

            • #7
              Re: How to check who's reading who's email

              Thank you Sembee.
              I'll just have to go the other way and remove everyone from Domain Admins.

              Hopefully future 2k7, 2k10 have more granular control as far as auditing is concerned.


              • #8
                Re: How to check who's reading who's email

                Originally posted by CypherBit:
                Hopefully future 2k7, 2k10 have more granular control as far as auditing is concerned.

                You are talking about those products like they aren't released.
                Nothing has changed in the logging options with regards to Exchange 2007/2010.

                Logging at mailbox level is simply inefficient. Furthermore, Exchange 2007/2010 is really designed for major deployments - there is a school of thought that anyone with less than 100 mailboxes shouldn't even be running their own mail server, they should be pushed out to the cloud, and certainly the feature set in the latest versions of Exchange tends to push towards that thought.

                This blog posting explains how the logging can be enabled, but the key point in that post still applies "There may be times however (even more so with older Outlook clients) that other users will access other mailboxes to see details about calendar appointments or other data."

                http://exchangeexchange.com/blogs/jo...ange-2007.aspx

                There is no way that you can log to the level that will allow you to say with 100% confidence that someone accessed the mailbox to read the email. It simply isn't possible.

                Simon.