Microsoft Exchange, Non-Owner Mailbox Logon: Auditing the Insider Threat

Email, one the greatest innovations in communication since the telephone.  One could even argue that it is the most important.  The ability to have a conversation (albeit in electronic format), send vast quantities of data, and involve an unlimited number of recipients is the backbone of modern business.

With each iteration, Exchange gets more and more security features. Litigation hold and classification are good examples of this.  However, as useful as they are, they don’t address the most basic security risk of all – the simple act of logging into a mailbox. Specifically, logging into someone else’s mailbox – a Non-Owner Mailbox Logon.

The Anatomy of an Exchange Mailbox

A mailbox is an object in an Exchange Database.  That object can be looked at as a container of other objects, which in themselves can contain other objects.

When you look at what those ‘objects’ are, you can see that a mailbox is not simply just an ‘inbox’.  It’s a document repository that gets larger every day.  That said, mailbox limits are almost redundant these days with storage medium being so cheap.

No longer does a user have to clean out their mailbox on a regular basis when they can store gigabytes of data with no problems.  It’s also an appealing option as that data is always there, on the desktop, laptop, mobile device, and web.  All of this begs the question: Why wouldn’t a user keep all of their emails with attachments in their mailbox?

And therein lies the risk.

What’s the difference between storing data in a traditional file system and a mailbox?

From a permission model standpoint, a mailbox is more secure, however, a mailbox has a purpose built transport mechanism.  The Exchange platform is designed for sending data.  Traditional file systems have no transport mechanism.

A few simple clicks and data can be sent to an unlimited amount of recipients, globally.

That data could be an email containing classified data, PID, R&D, financial data.

It’s not all bad though. At least a mailbox is not publicly available like a file share.  Only a restricted set of people can access a mailbox:

• Exchange Administrators
• Mailbox Delegates – People who have been granted access to manage calendars, read emails, and possibly ‘send-as’ (send an email as that person). A common delegate scenario is a Director and their personal assistant. Often times, a PA will fully manage another person(s) mailbox, creating and accepting meeting requests as well as replying to and sending emails.  All of this is done on behalf of the mailbox owner.

Securing Mailbox Access

There are two approaches to this:  Auditing and blocking.

Auditing:

• Non-owner logons – Audit all logons to the mailbox by an administrator or delegate
• Permission changes – Audit changes to mailbox permissions, this can be through Exchange management tools or in Outlook

Blocking:

• Non-owner logons – Allow only authorized people to logon to the mailbox. Predominantly for stopping Administrators from logging on
• Permission changes – Blocking any changes to mailbox permissions. Stopping both delegates and Administrators from granting access either to themselves or others

Why just non-owner access?

Auditing is a heavy duty process, both in terms of resources required for auditing in Exchange and the sheer volume of events created. Use best practice with any form of auditing and if possible, only target what you really need to see. In this instance does anyone really care if a person logs on to their own mailbox?

This leads us on to ‘object level auditing in an Exchange Mailbox’. Watch this space for future blogs on the subject.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Name

Email*