Understanding who is opening another user’s mailbox is an integral Compliance requirement within any regulated institution. Whether Security needs to monitor executive mailboxes for users probing for information on confidential material, or find the Exchange administrators taking advantage of their elevated mailbox support rights, it is pertinent to have a single consolidated view that highlights these access violations.
Data leakage can cause both financial and reputational damage to an organization. The business, with the IT team, needs to come together to identify what should be monitored and how, while ensuring that the tools implemented do not pose risk to the integrity of the systems.
There are tools in the market that can answer this business question using a variety of unique approaches. Most common is an agent that sits on the Exchange server and runs within the Exchange process, intercepting the traffic. This provides in-depth and granular details around who is doing what in the monitored mailboxes. This agent approach provides an abundant amount of information, but it also poses a significant risk of causing serious outages on the systems. Other solutions scan the event log for specific event IDs that identify access violations. Again, these solutions provide the required data but require administrators to turn up diagnostic logging. For larger organizations, this is often not a viable option, as a number of events logged when diagnostic logging is turned up can cause a significant volume influx of events. Maintaining history can become very difficult.
A new and different approach, from STEALTHbits Technologies, is similar to the agent variety but does not pose as much risk. This approach utilizes the existing WMI/PowerShell queries, as you would see in ESM, to find non-owner access. You also maintain history on this data as Microsoft overwrites previous data as soon as the user logs out of the mailbox. Additional data processing and business intelligence isolate executives and rogue admins for focused monitoring. This approach eliminates the risk of an outage as it simply uses the native Windows Scheduler on the remote Exchange server that sits idle and on low priority, watching the resources around it.
Whether understanding access violations is a requirement in an organization or not, it is certainly a common request from senior management. Instead of implementing a “big brother” solution that quietly monitors logon violations, some organizations choose to notify the mailbox owner immediately with this information. In either case, the technology remains the same, and it is pertinent to find a solution that not only meets the business needs but also does not cause any degradation in services.