Is it possible to find the IP address of the access of a mailbox?

  • Question

  • Hello.

    A user has stated that their email was accessed by unauthorised persons and has asked me to investigate. I ran Get-LogonStatistics -Identity and it shows LogonTime as 7am and LastAccessTime as 9am. The user says it was not them and confirmed that they do not have any machines with OWA running. They would like to know if we can find out who it was.

    In EMC there are no users with full mailbox access apart from the default security groups, so I think the first step is to find out the IP address of the access. Is this possible?

    Also, would any services running under their account show up under Get-LogonStatistics -Identity?

    I have enabled auditing for the user as follows but I cannot see any entries under a search on ECP (I have also run these under public mailboxes but entries only come up for "send as", and I was hoping it would show me "message opened" actions):


    Set-Mailbox -Identity "Ben Smith" -AuditAdmin MessageBind,FolderBind -AuditEnabled $true

    Set-Mailbox -Identity "Ben Smith" -AuditDelegate FolderBind -AuditEnabled $true

    Thank you!


    Thursday, September 29, 2011 10:24 AM

All replies

  • You can use the NETMON tool to trace the network traffic. There is also the Exchange tool EXMON.

    http://blogs.technet.com/b/exchange/archive/2009/04/22/3407337.aspx

    http://technet.microsoft.com/en-us/library/bb508855(EXCHG.65).aspx

    You can try running this.

    Dhruv
    Thursday, September 29, 2011 10:33 AM
  • Checked the IIS logs on your CAS servers?
    Thursday, September 29, 2011 10:54 AM
  • No, please direct me to where I can find out how to do this.


    I have Exchange 2010 installed from SBS2011 and no Edge Transport server. This is all on one server.

    Thursday, September 29, 2011 11:03 AM
  • Thank you for this. I have installed it but while some people have IP addresses under Client IP Addresses, others have what seems to be a MAC address, and it is the same for all users.

    Also, I cannot see where I can limit the monitoring to one user. Is this possible?


    Thanks.

    Thursday, September 29, 2011 11:09 AM
  • http://social.technet.microsoft.com/Forums/en/exchange2010/thread/935eeb5b-d996-4933-9cbd-0347ebad801d
    Thursday, September 29, 2011 11:50 AM
  • Thank you.

    I have looked up the IIS logs and did a search for the user's username, and the only entry I can find begins at around 10:45am (around the time they came in). There are other entries from 00:01am today, so it's not a time cut-off issue. The server's link-local IPv6 address shows up an awful lot, though. Is this normal?


    What does this mean then? When I run Get-LogonStatistics -Identity it shows LogonTime as 7am and LastAccessTime as 9am, but looking at the logs there are no entries for that particular user before 10:45am. Any help please?

    Thursday, September 29, 2011 12:34 PM
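A worked example, added here and not part of the thread, of the IIS-log check suggested above: it parses the W3C fields of an Exchange 2010 CAS log, keeps one user's requests and summarises them by client IP and virtual directory, so the 7am and 9am times from Get-LogonStatistics can be compared against actual HTTP activity. The user name bsmith, the CONTOSO domain and the sample log lines are constructed for the example.

```powershell
# Added example, not from the thread: pull one user's requests out of an Exchange 2010 CAS
# IIS log and summarise them by client IP and virtual directory (/owa, /ews, /ecp,
# /Microsoft-Server-ActiveSync, /rpc). Default log location on the CAS is
# C:\inetpub\logs\LogFiles\W3SVC1\; W3C timestamps are UTC unless IIS was set to local time.
function Get-UserIisActivity {
    param(
        [Parameter(Mandatory=$true)] [string[]] $LogLines,   # lines from one or more u_ex*.log files
        [Parameter(Mandatory=$true)] [string]   $UserName    # sAMAccountName, matched with or without DOMAIN\
    )
    $fields = $null
    $rows = foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields -or $line.Trim() -eq '') { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }      # skip truncated or malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-username'] -match ('(^|\\)' + [regex]::Escape($UserName) + '$')) {
            New-Object PSObject -Property $row               # works on PowerShell 2.0 (Exchange 2010 EMS)
        }
    }
    $rows | Group-Object 'c-ip', 'cs-uri-stem' | ForEach-Object {
        $stamps = @($_.Group | ForEach-Object { $_.date + ' ' + $_.time } | Sort-Object)
        New-Object PSObject -Property @{
            ClientIP  = $_.Group[0].'c-ip'
            Path      = $_.Group[0].'cs-uri-stem'
            UserAgent = $_.Group[0].'cs(User-Agent)'
            First     = $stamps[0]
            Last      = $stamps[-1]
            Hits      = $_.Count
        }
    } | Sort-Object First | Select-Object First, Last, ClientIP, Path, Hits, UserAgent
}

# Constructed sample log (three requests, two users) so the function runs without a real CAS.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-09-29 06:58:12 10.0.0.5 POST /Microsoft-Server-ActiveSync User=bsmith&DeviceId=SAMPLE01&Cmd=Sync 443 CONTOSO\bsmith 198.51.100.23 Apple-iPhone/803.148 200 0 0 312
2011-09-29 09:45:03 10.0.0.5 GET /owa/ - 443 CONTOSO\bsmith 192.168.1.20 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 45
2011-09-29 09:46:10 10.0.0.5 POST /ews/exchange.asmx - 443 CONTOSO\jdoe 192.168.1.31 Microsoft+Office/14.0 200 0 0 90
'@
Get-UserIisActivity -LogLines ($sampleLog -split "`r?`n") -UserName 'bsmith' | Format-Table -AutoSize
# Against real logs: Get-UserIisActivity -LogLines (Get-Content C:\inetpub\logs\LogFiles\W3SVC1\u_ex110929.log) -UserName bsmith
```

Requests authenticated by the mailbox owner's own credentials from an IP or user agent the owner does not recognise are the ones to follow up; MAPI over RPC traffic from Outlook does not pass through these virtual directories in Exchange 2010, so an empty result does not rule out Outlook access.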
  • That should eliminate OWA or ActiveSync. 

    Do the security event logs on your DCs show network logons for the user at 7:00?


    Thursday, September 29, 2011 1:22 PM
  • It doesn't even go that far. I only have 2.5 hours' worth of security events even though it says 145,000 events. It seems to be full of

    "The Windows Filtering Platform has permitted a connection." And I have tried disabling it using

    "auditpol /set /subcategory:”Filtering Platform Connection” /success:disable /failure:enable"

    But I keep getting the error

    "Error 0x00000057 occurred:
    The parameter is incorrect."

    This works though: "auditpol /set /subcategory:”Filtering Platform Connection”" but I doubt it has disabled the logging.

    This is doing my head in :(

    Thursday, September 29, 2011 1:53 PM
  • You may need to enable access auditing on that mailbox, and wait to see what shows up.

    http://technet.microsoft.com/en-us/library/ff459237.aspx


    Thursday, September 29, 2011 2:11 PM
  • I have enabled auditing for the user as follows but I cannot see any entries under a search on ECP (I have also run these under public mailboxes but entries only come up for "send as", and I was hoping it would show me "message opened" actions):


    Set-Mailbox -Identity "Ben Smith" -AuditAdmin MessageBind,FolderBind -AuditEnabled $true

    Set-Mailbox -Identity "Ben Smith" -AuditDelegate FolderBind -AuditEnabled $true

    How can I make sure I get a notification once messages are read? Is the above correct? Because if so, I am reading the shared mailboxes yet I don't see any access logs, only "send as" and "soft delete" and so on.
    Thursday, September 29, 2011 2:15 PM
  • That won't give you any past history; it will only show you accesses from the point that auditing was enabled, but if someone is accessing that mailbox, it'll show up the next time they do.
    Thursday, September 29, 2011 2:24 PM
  • Thank you, but this was enabled a good few weeks ago. All I see are "send as" and "soft delete", not message and folder accesses, which is what I think MessageBind and FolderBind are. Do I need to enable these elsewhere?

    Thursday, September 29, 2011 2:42 PM
  • Hi Testing_Tester,


    For this issue, you can have a look at this document:


    Exchange Server 2010 SP1 Mailbox Audit Logging Step by Step Guide

    http://exchangeserverpro.com/exchange-2010-mailbox-audit-logging


    Thanks,


    Evan Liu


    Friday, September 30, 2011 7:55 AM
  • I had read that page at least 10 times and I can't find anything different from what I did before. HOWEVER, it seems as though it takes a long time to update, because it has just shown me yesterday's test actions.


    I know I will need to enable owner auditing for that user, as it does not seem to be showing any third-party access, so I think their password has been compromised. I wish the source IP address would also show up in that auditing log; that would be perfect.
    Friday, September 30, 2011 8:41 AM
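An added example (PowerShell for the Exchange Management Shell, not from the thread) covering the two open questions above: which actions each logon type can audit in Exchange 2010 SP1, and how to query the mailbox audit log for who accessed the mailbox and from which client IP. It assumes the mailbox identity "Ben Smith" used earlier in the thread; the report function and its column names are my own.

```powershell
# Added example, not from the thread: turn on owner, delegate and admin auditing for one
# Exchange 2010 SP1 mailbox, then summarise who touched it, from which IP and with which client.
# Run in the Exchange Management Shell; "Ben Smith" is the identity used earlier in the thread.
$mailbox = 'Ben Smith'

# Owner auditing is off by default, and MessageBind (a message being opened) can only be
# audited for Admin logons in 2010 SP1: owner reads are not recorded, but owner
# updates/moves/deletes are, and every recorded event carries the client IP.
Set-Mailbox -Identity $mailbox -AuditEnabled $true `
    -AuditOwner    Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,Create `
    -AuditDelegate FolderBind,SendAs,SendOnBehalf,Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,Create `
    -AuditAdmin    MessageBind,FolderBind,SendAs,SendOnBehalf,Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,Create `
    -AuditLogAgeLimit 90.00:00:00

# Verify the settings actually applied (the defaults cover only a subset of delegate/admin actions).
Get-Mailbox -Identity $mailbox | Format-List AuditEnabled, AuditOwner, AuditDelegate, AuditAdmin, AuditLogAgeLimit

# Events are written to the mailbox's hidden Audits folder asynchronously, so expect a delay
# before a search returns them. With -ShowDetails each event carries LogonType,
# LogonUserDisplayName, Operation, LastAccessed, ClientIPAddress and ClientInfoString.
function Get-MailboxAccessReport {
    param([Parameter(Mandatory=$true)] [string] $Identity, [int] $Days = 7)
    Search-MailboxAuditLog -Identity $Identity -LogonTypes Owner,Delegate,Admin `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) -ShowDetails -ResultSize 10000 |
      Group-Object LogonType, LogonUserDisplayName, ClientIPAddress, ClientInfoString |
      ForEach-Object {
          $sorted = @($_.Group | Sort-Object LastAccessed)
          New-Object PSObject -Property @{
              LogonType  = $sorted[0].LogonType
              LogonUser  = $sorted[0].LogonUserDisplayName
              ClientIP   = $sorted[0].ClientIPAddress
              Client     = $sorted[0].ClientInfoString
              First      = $sorted[0].LastAccessed
              Last       = $sorted[-1].LastAccessed
              Operations = (@($sorted | ForEach-Object { $_.Operation } | Sort-Object -Unique)) -join ','
              Events     = $sorted.Count
          }
      } | Sort-Object First |
      Select-Object First, Last, LogonType, LogonUser, ClientIP, Client, Operations, Events
}

# An Owner logon from an IP or client the user does not recognise points at compromised
# credentials rather than a delegate, which is the distinction the thread is trying to make.
Get-MailboxAccessReport -Identity $mailbox -Days 14 | Format-Table -AutoSize
```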
  • If you suspect their password has been compromised, make sure you have auditing of failed logon attempts enabled on your DCs, change their password, and then start checking the security event logs on the DC for failed logon attempts for that account.  They should record the workstation or server that was the source of the failed logon attempt. 
    Friday, September 30, 2011 10:30 AM
  • If you are using Get-LogonStatistics, the IP address of the Outlook client won't be available without a registry tweak on the client:

    http://support.microsoft.com/kb/2292750


    The client IP address for an Outlook 2010 client is not logged in Exchange when you use the Get-LogonStatistics command 


    Friday, September 30, 2011 11:53 AM
  • Thank you for this. I have installed it but while some people have IP addresses under Client IP Addresses, others have what seems to be a MAC address, and it is the same for all users.

    Also, I cannot see where I can limit the monitoring to one user. Is this possible?


    Thanks.


    Exmon won't show you the actual client IP address, only the CAS IP address, in 2010.


    Friday, September 30, 2011 11:54 AM
  • Thanks, Andy. I did not know about this.
    Friday, September 30, 2011 1:02 PM