Friday, April 25, 2008

Monitoring Exchange Unauthorized Mailbox Access (Exchange 360degree monitoring) PART: 1

This is the first of a three-part security auditing post for Exchange servers.

Many implementers, system integrators, users and administrators deploy Exchange servers as part of their collaboration infrastructure without knowing what's going on inside Exchange. For security-conscious companies and people, it's important to know that not only Exchange but any email system put out there has the potential for a security breach, and more often than not the threats come from inside.

All systems have administrators or superusers who (can) have full control over the applications and data inside the servers. This article focuses on one very important factor when it comes to administering an Exchange server: knowing what our administrator does.

The problem with admins being "Gods" on the mail server is that they can take ownership of a mailbox on Exchange, or associate themselves (or some other user) with a mailbox, thus gaining full rights to read another user's emails and data.

That's fine for some purposes, but it can become seriously dangerous if, for example, this administrator reads his/her boss's email, or the CEO's email.

  1. By design, one user can only have one mailbox (that user is called the primary user for this mailbox)
  2. By design, since Exchange 2000, administrators have been denied access to other users' mailboxes out of the box
  3. By design, when admins do this (associate themselves or other users with another mailbox), no one knows (nothing is logged) on the Windows box hosting Exchange or on the Active Directory servers

Questions this article plans to address:

  1. Can we track when someone accesses a mailbox that does not belong to him/her?
  2. Can we track if the auditing is disabled?

Most articles you find online address tracking the events associated with anyone accessing mailboxes that are not theirs. That's good, but these articles do not address the case where someone removes the audit setting. Since admins are Gods, they can do this, and doing so disables the tracking of such events (reversing the auditing).

Before you start monitoring your Exchange based on this 360degree Exchange monitoring document, I suggest auditing your existing Exchange for any delegations that look "suspicious". I will not discuss that audit just yet unless it's requested.

The general steps are as below (I assume you know how to turn auditing events on and off on a Windows box). I suggest using a remote event viewer tracker application, such as a VBScript (I shall show you one in a later post) or software like EventSentry, to trap events as they appear and send emails etc.
  1. Enable auditing of directory access at the global level (I suggest turning this on in the Domain Controller Security Policy). This is to audit changes made to the audit settings (explained later)
  2. Enable auditing of changes made to the Domain Controller Security Policy
  3. Enable the diagnostic logging setting for Logons, under MSExchangeIS, Mailbox
  4. Enable auditing of the removal of the diagnostic logging

Enable global level auditing
  • Launch Active Directory Users and Computers, go to Domain Controllers and edit the Default Domain Controller Security Policy (or use GPMC) or you could use a new one to avoid changing this default policy
  • Go to Computer Configuration, Windows Settings, Security Settings, Audit Policy
  • Turn on Audit Directory Service Access - Success

NOTE: You do not have to turn on failure audits and account management audits; I enabled them for other purposes.

Enable auditing the changes to global level auditing (360deg)
  • Launch Active Directory Users and Computers, go to Domain Controllers and click Properties of Default Domain Controller Security Policy (or use GPMC) or the security policy that you've used in the step above.
  • Click on Auditing, click Add...
  • When prompted for a user, select Everyone or Authenticated Users, since this is where you need to monitor all users making changes to this policy
  • Click on Properties in the next dialog box, select Write All Properties, then click OK several times until you are back at the ADUC's GPO objects inside that OU. Before quitting, take note of the GPO's GUID (Unique Name) for use later when an event is triggered.

Now, at this point, if someone edits or removes this policy or the auditing settings, an event will be triggered, giving you enough time to capture it. An event like the one below can then be captured.

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 4/15/2008
Time: 5:31:37 AM
User: CHAMPS\Administrator
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: groupPolicyContainer
Object Name: CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=champs,DC=int
Handle ID: -
Primary User Name: FIRSTSERVER$
Primary Domain: CHAMPS
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: CHAMPS
Client Logon ID: (0x0,0x1BEB5)
Accesses: Write Property

Write Property
Default property set

Additional Info:
Additional Info2:
Access Mask: 0x20

Notice that the versionNumber is "written", therefore a change to this policy (6AC1786C-016F-11D2-945F-00C04fB984F9, which was the domain controller security policy's GUID) has been made, and this event is logged in the Security event log on your domain controller. You now have to manually go and check whether anyone changed this policy to render it useless for logging :).

Enable diagnostic logging - triggering alerts for non default mailbox access
Now that you've got auditing at the global level turned on and tracked for changes, we can proceed with the second part. Please note, though, that diagnostic logging in Exchange is not dependent on the global auditing settings above, and its events are logged in the Application log on your Exchange server, unlike auditing, whose events are stored in the Security log. If this event is triggered, your remote event correlator tool should immediately send an email out. Even if someone then clears the event viewer, the event has already been generated, so the remote event correlator tool will have picked it up.

Anyway, here is how to turn on diagnostic logging for the above event:
  • Launch Exchange System Manager
  • Drill down to your Exchange server's physical name, right click and click Properties
  • Go to the Diagnostic Logging tab, go to MSExchangeIS and select Mailbox
  • Select Logons and set it to Minimum (that will do)

Now, any non-default user access will trigger event 1016 in the Application log of that Exchange server. NOTE: If you use clusters, it will be triggered on all the physical servers.

NOTE: You can omit selecting Maximum or Access Control. I am doing it for some other purposes.

To eliminate false positives, use your monitoring software to filter out the 1016 events for attempts by Exchange full administrators. There are other software and systems that could trigger this event, such as:

  1. Antivirus account
  2. Backup account
  3. Blackberry or equivalent software
  4. Folder delegation in Outlook (done by users themselves)

Because of the high false-positive rate, it is recommended to only log Exchange full administrators; \Administrator alone will do.

Enable auditing the removal of diagnostic logging settings (360deg)
Alright, now that you've got auditing of non-default mailbox access out of the way, we now attempt to audit anyone removing or changing this setting. This auditing needs the policy set up at the local Exchange server level (unlike above, where you could set it at the domain level). Object Access auditing needs to be turned on on each physical Exchange server. Please note that if you have an OU, Domain, Domain Controller or Site group policy that conflicts with this setting, your local settings will be overwritten. So I recommend grouping all Exchange servers together into one OU, then creating a group policy in that OU with Object Access Auditing - Success turned on.

NOTE: You do not need to audit Failure.

On each physical Exchange server, browse to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\Diagnostics\9000 Private

Right click on 9000 Private and click Permissions. Click Advanced and click on the Auditing tab. Select Everyone or Authenticated Users when prompted for users, then track the following as in the diagram below;

This registry key basically holds the diagnostic logging settings. Enabling auditing on this key will track changes made to the key's own auditing settings and to the values within it. Checking Set Value for Success is sufficient. I selected both for other purposes.

Okay, now that you've set that up, any attempt to modify the diagnostic logging settings and/or the registry settings will be tracked, and an event like the one below will be triggered.

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/17/2008
Time: 1:04:13 AM
User: CHAMPS\Administrator
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MSExchangeIS\Diagnostics\9000 Private
Handle ID: 1340
Operation ID: {0,2242247}
Process ID: 2148
Image File Name: C:\WINDOWS\system32\mmc.exe
Primary User Name: Administrator
Primary Domain: CHAMPS
Primary Logon ID: (0x0,0x21F7F)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: Query key value
Set key value
Enumerate sub-keys

Privileges: -
Restricted Sid Count: 0
Access Mask: 0xB
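
The three events this post tracks (566 on the GPO, 1016 from MSExchangeIS Mailbox, 560 on the 9000 Private key) are what the "remote event correlator" has to pick out of the logs. Here is a small added example of that correlation logic in Python, written for this post rather than taken from it or from any product: it parses Event Viewer text dumps laid out like the ones above, flags a write to the tracked GPO, a write to the diagnostics key and non-primary mailbox logons, and applies the false-positive allowlist from the 1016 section. The 1016 message wording, the service account names and the sample dumps are constructed assumptions.

```python
"""Toy event correlator for the three audit events this post sets up: 566 (GPO
written), 560 (diagnostics registry key written) and 1016 (non-primary mailbox
logon). Added example, not the post's own script. Event texts are constructed
samples; the 1016 wording and the service account names are assumptions."""
import re

# "Unique Name" of the GPO whose SACL was set in ADUC (the post's DC policy GUID).
TRACKED_GPO_GUID = "{6AC1786C-016F-11D2-945F-00C04fB984F9}"
# Registry key holding the MSExchangeIS diagnostic logging levels.
DIAG_KEY_SUFFIX = r"\Services\MSExchangeIS\Diagnostics\9000 Private"
# Accounts expected to open other mailboxes (assumed names): the Exchange full
# administrator plus the antivirus and backup service accounts the post lists.
MAILBOX_ALLOWLIST = {r"CHAMPS\Administrator", r"CHAMPS\svc_av", r"CHAMPS\svc_backup"}

FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?):\s*(.*)$")


def parse_event(text):
    """Turn the 'Field: value' lines of an Event Viewer dump into a dict. Lines
    after 'Accesses:' up to the next blank line land in ev['accesses']."""
    ev, accesses, in_accesses = {}, [], False
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            in_accesses = False          # a blank line ends the access list
            continue
        m = FIELD.match(line)
        if m:
            key, val = m.group(1), m.group(2)
            ev[key] = val
            in_accesses = key == "Accesses"
            if in_accesses and val:
                accesses.append(val)
        elif in_accesses:
            accesses.append(line)
    ev["accesses"] = accesses
    return ev


def classify(ev):
    """Return an alert string for one parsed event, or None if it is noise."""
    eid, user = ev.get("Event ID"), ev.get("User", "")
    name = ev.get("Object Name", "").lower()
    if (eid == "566" and ev.get("Object Type") == "groupPolicyContainer"
            and TRACKED_GPO_GUID.lower() in name and "Write Property" in ev["accesses"]):
        return f"audit policy GPO {TRACKED_GPO_GUID} written by {user}"
    if (eid == "560" and ev.get("Object Type") == "Key"
            and name.endswith(DIAG_KEY_SUFFIX.lower()) and "Set key value" in ev["accesses"]):
        return f"diagnostic logging key opened for write by {user} from {ev.get('Image File Name', '?')}"
    if eid == "1016" and ev.get("Event Source") == "MSExchangeIS Mailbox":
        m = re.search(r"user (\S+) logged on to (\S+) mailbox", ev.get("Description", ""))
        if m and m.group(1) not in MAILBOX_ALLOWLIST:    # drop the expected accounts
            return f"non-primary mailbox logon: {m.group(1)} opened {m.group(2)}"
    return None


def alerts_for(event_texts):
    """What the remote event correlator would mail out for a batch of dumps."""
    return [a for a in (classify(parse_event(t)) for t in event_texts) if a]


# Constructed sample dumps; the field layout follows the post's own events.
EVENT_566 = r"""
Event Source: Security
Event ID: 566
User: CHAMPS\Administrator
Object Type: groupPolicyContainer
Object Name: CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=champs,DC=int
Accesses: Write Property
"""
EVENT_560_WRITE = r"""
Event Source: Security
Event ID: 560
User: CHAMPS\Administrator
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MSExchangeIS\Diagnostics\9000 Private
Image File Name: C:\WINDOWS\system32\mmc.exe
Accesses: Query key value
Set key value
Enumerate sub-keys

Access Mask: 0xB
"""
# The same key opened read-only by the store process: expected, no alert.
EVENT_560_READ = EVENT_560_WRITE.replace("Set key value\n", "").replace("mmc.exe", "store.exe")
EVENT_1016 = r"""
Event Source: MSExchangeIS Mailbox
Event ID: 1016
User: N/A
Description: Windows 2000 user CHAMPS\{who} logged on to ceo@champs.int mailbox, and is not the primary Windows 2000 account on this mailbox.
"""
SAMPLE_EVENTS = [EVENT_566, EVENT_560_WRITE, EVENT_560_READ,
                 EVENT_1016.format(who="Administrator"),    # allowlisted, no alert
                 EVENT_1016.format(who="jdoe")]             # alerts

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Running it prints three alerts: the GPO write, the mmc.exe write to the diagnostics key, and jdoe's logon to the CEO's mailbox; the read-only key open and the allowlisted administrator's logon are dropped. Keep the allowlist as short as the post recommends, since every account on it is an account whose mailbox access you will no longer see.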

Alright, there you go, happy auditing. Be secure, start by knowing and gaining visibility.

Monday, April 21, 2008

Don't Drink & Code:

7:50pm, Monday 21 April 2008: Problem working in a brewery..stay sober while coding guys....Suggested MSKB Article:

Tuesday, April 15, 2008

Sending emails with streamyx (port 25 blocked by Streamyx)

TMNet's Streamyx, as part of its anti-flooding measures, blocks port 25, which is commonly used for sending emails over SMTP. As a Streamyx user (non-corporate/non-fixed-IP user), you may find this a nuisance, especially if you use your office corporate email to send and receive emails.

So, what are our options here?
1. Use Streamyx's SMTP.
Use the Streamyx SMTP server. Make sure to provide authentication using your Streamyx broadband account and password. Be aware that the default Streamyx password tmnet123 should be changed immediately; use another complex password. Doing so will affect your Streamyx login (when dialing into Streamyx on your PC or router) as well as your email and online billing facilities.

2. If you can, use SMTP on another port, e.g. port 20025. Most SMTP servers are capable of listening on an additional port on an existing IP address or on another IP address. Open up your corporate firewall for that port and change the port setting of your corporate email client to the port you've specified in your corporate email server's SMTP service.

3. Use a VPN
Anything inside the VPN tunnel cannot be "seen" by filters like TMNet's packet filters.

4. Use webmail - no explanation needed here rite :P

5. Change to a different ISP (yea, like we've got heaps of choices, sigh)

Free Internet Filter (and open & fast dns server)

Let's face it, you can have a 100Mbps link to the WWW, but it makes a huge performance (speed) impact if you have crappy DNS servers. This could mean DNS servers that are easily poisoned, DNS servers that are slow and DNS servers that are unreliable. For instance, this afternoon I was using Jaring's infamous and, and I had problems accessing HP's driver download site. I quickly realized this could be a DNS-related issue, since IP-based accesses seemed fast (doh). I googled a little and found

This pretty nifty site provides two DNS addresses, and These two IPs are publicly routable and available for immediate use. With some lame tests I found these DNS servers respond about millisecond faster than TMNut's and servers. If that's not convincing enough to churn, read on.

Goody bag
OD gives you the option (purely optional) to create an account. What can we do with that account? Well, simply, use the DNS facilities to do address filtering; yup, you got it, free DNS-based filtering (phishing, pharming, porn filter - I will certainly omit the last filter factor :P ). Any organization could also use this, especially if you use a fixed IP address.

If you don't have fixed IPs, like me, their software supports dynamic IPs, like the DynDNS fellas. OpenDNS has a facility called DNS-O-Matic which integrates common dynamic DNS providers with OpenDNS's filtering mechanism. Instructions and how-tos are clearly available on their web site.

So, once you've sorted out your IPs and which network you belong to, you can go about the business of filtering! There are over 50 predefined category filters and custom categories you can work with. You could also block based on domain names. Even cooler is the typo correction. People in a rush to get their groove on may mistype domain names and end up on some phishing scam site. Worry not my friend, this pretty lil thing again does the trick and helps resolve incorrectly typed names, e.g. will be "fixed" to Neat!.

Lastly, this tool gives you reports! Yes, to find out why your internet line is super chugged: bloodsucking websites such as Friendster and Facebook could be the culprits, so disable them. Yes, you may receive lifelong curses and odd stares while walking to the pantry, but it saves you much precious bandwidth. Also, if you think there are issues with cached responses, you can choose to clear the cache right from their website.

You can have exceptions: the whitelist feature bypasses all the rules and settings you have in the categories and individual domain blocks, for false positives or other exceptional sites you may wish to allow your users to browse to. Cool.

So, will this solve my content filtering issues?
Well, yea, sorta. Users can, however, browse using IP addresses or change to another DNS server in their local TCP/IP settings. To mitigate this, implement an application layer firewall that disallows access by IP address and direct DNS queries.
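
The two bypasses just described (browsing by IP address, or pointing the client at some other resolver) show up in firewall or proxy logs even when you cannot block them yet. The following is an added example, not part of the post or of OpenDNS, of a small Python check that reads constructed "src dst dport host" records and flags both: DNS traffic to any resolver other than the filtering ones, and web requests whose Host is an IP literal. The resolver addresses are placeholders to replace with your own filtering resolvers.

```python
"""Spot clients side-stepping a DNS-based content filter the two ways this post
names: browsing by IP address, or using a resolver other than the filtering one.
Added example, not part of the post or of OpenDNS. Resolver addresses are
placeholders (RFC 5737 ranges) and the records below are constructed."""
import ipaddress

# Resolvers that carry the filtering policy (placeholders; use your own).
APPROVED_RESOLVERS = {"192.0.2.10", "192.0.2.11"}


def is_ip_literal(host):
    """True for Host values such as 203.0.113.5, 203.0.113.5:8080 or [2001:db8::1]:443."""
    if host.startswith("["):                 # bracketed IPv6, optionally with :port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:               # IPv4 address or name with :port
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_bypasses(records):
    """records: 'src dst dport host' lines (constructed proxy/flow export; host is
    '-' for non-HTTP traffic). Returns (src, reason) pairs worth a look."""
    findings = []
    for rec in records:
        src, dst, dport, host = rec.split()
        if dport == "53" and dst not in APPROVED_RESOLVERS:
            findings.append((src, f"DNS query to unapproved resolver {dst}"))
        elif dport in ("80", "443") and is_ip_literal(host):
            findings.append((src, f"web request by IP literal {host}"))
    return findings


SAMPLE_RECORDS = [  # constructed
    "10.0.0.5 192.0.2.10 53 -",                    # filtering resolver: fine
    "10.0.0.7 198.51.100.1 53 -",                  # someone set their own DNS
    "10.0.0.5 203.0.113.40 80 www.example.com",    # name-based browsing: fine
    "10.0.0.9 203.0.113.40 80 203.0.113.40",       # IP-literal browsing
    "10.0.0.9 203.0.113.41 443 203.0.113.41:443",  # IP-literal with port
]

if __name__ == "__main__":
    for src, reason in find_bypasses(SAMPLE_RECORDS):
        print(f"{src}: {reason}")
```

On the sample records this reports 10.0.0.7 for its private resolver and 10.0.0.9 twice for IP-literal browsing; the name-based request and the query to the approved resolver pass. The same two conditions are what the application layer firewall rule the post recommends would deny outright.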

What about protocols other than web-based ones? Well, yea, other protocols that use names may work (not tried 'em all), but the fundamental is that when a name is resolved to an IP by their servers, they filter what is allowed and what is not. Only then does this tool work. Novice users may truly be pissed... :D

What do you need to be aware of when using 3rd party DNS servers?
They could monitor your activity for statistical purposes etc. (god knows what else they will do with your data). If you are an organization which values the privacy of users accessing the WWW, be aware of the possible consequences.

Sunday, April 6, 2008

My Samsung & How To Disable ActiveSync From Buggin' You

I just got meself a Samsung i780, pretty nifty, runs on Windows Mobile 6. I installed ActiveSync as usual to get things sorted out between the phone and the computer. I got pretty frustrated once I was unable to unload this darn thing (ActiveSync) off my memory. Each time ActiveSync rounds up its business of syncing, it turns on my phone LCD and keeps it on.

This is especially frustrating when you just wanna charge the darn thing using USB. Each time ActiveSync runs, somehow my Vista just freezes like it's loading large fat apps like Photoshop, and I gotta wait a couple of seconds before things regain consciousness again... Also, even if you kill wcescomm.exe it will keep coming back again, like ex-girlfriends and Prudential Insurance Agents. M$ didn't include an exit or "do not load during startup" function. Of course you could use msconfig.exe to de-select it, but it will pop right back up when an ActiveSync device is plugged in.

So I was googling around and found this hack; it allows you to switch the crappy ActiveSync off and on. How cool, finally... Microsoft can't rule the world (mobile edition)... give the control back to us!!!

ActiveSync Toggle: Checkit out: