Exchange Auditing in the Enterprise

Exchange is the primary data store and means of communication for all levels within the organization. The ability to audit and report in detail Exchange change events that take place on a daily basis helps maintain security and sustain compliance. Implementing an effective auditing strategy for MS Exchange is a necessity to secure and maintain this critical business asset. This whitepaper outlines not only the reasons for having an Exchange auditing procedure in place but also those must-have qualities of any successful MS Exchange auditing effort.

White Paper
Written by Chris Rich for NetWrix Corporation
Exchange Auditing - White Paper

Table of Contents
1. What is Microsoft Exchange Auditing?
2. Why is Exchange Auditing Important?
   2.1 Exchange Auditing: A Real-World Example
   2.2 Exchange Auditing to Reduce Risk
   2.3 Change Auditing to Improve Security
   2.4 Exchange Auditing to Sustain Compliance
   2.5 Exchange Auditing to Improve Manageability
3. Required Features for Exchange Auditing
   3.1 Automatic Data Collection
   3.2 Efficient and Centralized Audit Data Storage
   3.3 Scalability
   3.4 Advanced Reporting Capabilities
   3.5 Non-Owner Mailbox Auditing
   3.6 Additional Considerations
   3.7 SIEM, IT Governance, Risk-Management and Exchange Auditing
4. NetWrix approach to Exchange Auditing
About NetWrix Corporation
About Chris Rich
Additional Resources
1. What is Microsoft Exchange Auditing?

Microsoft Exchange auditing is the ongoing activity of recording and reviewing changes to the Exchange environment, including servers, settings, mailboxes, policies and permissions, in order to mitigate the risks those changes carry. The goal is to maintain compliance, security and stability at all times. Limiting unauthorized or undesired Exchange configuration changes, and having appropriate segregation of duties and management controls in place, is essential to reducing the risks of running and monitoring Exchange in production.

While Exchange has seen many improvements to its security controls and management tools over the past few years, Exchange auditing is not easily accomplished with native tools, including the features added in Microsoft Exchange 2010 (administrator audit logging and, from SP1, mailbox audit logging). Changes to Exchange can introduce security risks, undesired behavior, errors and problems for end users and for any application that depends on the messaging infrastructure. Proper Exchange auditing reduces the risk of security features being disabled, of sensitive data being compromised, and of non-compliance with internal and external regulatory requirements.

An effective Exchange audit includes measuring the risks of managing a production IT environment and addressing them with a secure, reliable and controlled audit trail of all changes, 24x7x365. Auditing Exchange objects and permissions is required to secure and manage the messaging infrastructure. It delivers a broad range of benefits, most notably accountability, compliance and operational stability, and is difficult if not impossible to achieve with even the most current native tools.
2. Why is Exchange Auditing Important?

2.1 Exchange Auditing: A Real-World Example

The importance of Exchange auditing is best illustrated by a real-world example. Email is the organization's primary store of information and is still the most relied-upon means of communication, both internally and externally. It contains everything from sensitive communications within and outside the organization to employee data, financial information, and proprietary and trade information not meant for the public or even for certain internal recipients. One bad change can put that information, and compliance, at serious risk.

Consider a network administrator who, during routine operations, needs help managing a remote Exchange server. To recruit that help, they add the server's local administrator to the Exchange Enterprise Administrators group, giving that individual full access to the server and its settings. The local admin decides to move the local mailbox database to a new SAN drive, but performs the configuration incorrectly. Users at that location can no longer access their mail, and frustration quickly sets in.

Without an Exchange auditing tool in place, the organization has to work harder and faster to find the problem, costing time and some of the IT group's reputation. With auditing, the offending change could have been discovered quickly and easily, saving potentially hours of troubleshooting.

2.2 Exchange Auditing to Reduce Risk

Exchange auditing provides accountability, and thereby reduces risk, through the detailed collection and analysis of Exchange configuration change information. A permission granted today may not be appropriate at some point in the future. Exchange auditing is the vehicle by which changes to Exchange settings and permissions are monitored, weighed against predetermined compliance and security risks, and mitigated accordingly.

Establishing risk factors is the single most important step in securing any IT environment. Doing so ensures that everyone involved, from end users to senior management, understands what is at risk, and creates a conscious awareness of everything critical to sustaining normal business operations within the messaging infrastructure. Revisiting these risk factors regularly keeps them adjusted to changing needs and conditions.

Once the risk factors have been identified, the next step is to address them. For Exchange, permissions limit rights to the sensitive data stored in mailboxes. Effectively managing every aspect of user and administrator interaction with the messaging environment reduces risk while granting the access needed to communicate effectively and consistently. Change can bring unpredictable results, one of which is unintentionally creating conditions that disrupt mail delivery. Exchange auditing provides actionable and historical forensic information to ensure risk factors are managed appropriately while consistent e-mail service is delivered to end users.

2.3 Change Auditing to Improve Security

Accountability keeps honest users and administrators honest; however, internal threats pose a more immediate danger than external ones because insiders are trusted. Change auditing establishes a robust check-and-balance record of all changes to Exchange. Security improvements driven by traditional Exchange auditing are most often reactive: flaws and holes are discovered after the fact, because without regular auditing of Exchange activity there is no way to anticipate or react to how a change will affect the messaging environment. Environments that rely on ticket-based change management or other change approval processes may still experience security problems if the information submitted later turns out to have been inaccurate or intentionally misleading. One of the easiest ways to improve Exchange security is to extract and review change information automatically on a regular basis.

2.4 Exchange Auditing to Sustain Compliance

Regulations such as SOX, PCI DSS, FISMA and HIPAA each have their own detailed explanations of standard security practices, including what exactly needs to be tracked and recorded. These regulations exist to establish IT change auditing standards that protect both businesses and consumers. At the end of the day, the regulations and their enforcement seek to confirm that the organization is securing, recording and monitoring change events that permit access to sensitive information such as banking details, social security numbers and health records. They also establish a minimum set of security standards for user access within the messaging environment.
Examples of the events to track include mailbox moves, data store deletions, changes to Exchange administrator group memberships, and routing settings. Demonstrating compliance is an exercise in presenting this information to auditors on request, to the level of detail the law or standard is interpreted to require and subject to the individual auditor's discretion. Auditing Exchange provides the Who, What, When and Where information auditors most frequently ask for; almost as important, this information must often be retained for seven years or more to be considered compliant. With native functionality this is extremely difficult and an entirely manual process for Exchange, which gives rise to the demand for additional tools, especially in large environments with multiple levels of IT administration.

2.5 Exchange Auditing to Improve Manageability

Making changes to Exchange is easy once sufficient access is granted. The consequences of those changes, however, require thought and planning to avoid problems. Even if a lab environment is used to test changes, unexpected results can still occur, which makes monitoring the Exchange servers essential to a compliant, secure and stable messaging environment. Exchange auditing offers the opportunity to see the before and after values of modified configuration settings and permissions, which greatly improves an administrator's time to recover from changes that cause harm or introduce unnecessary risk. Additionally, maintaining a historical record of changes over time allows further analysis to uncover less obvious problems or inefficiencies. Being able to change Exchange is necessary to meet business and operational goals; the ability to look back at the impact those changes had is the difference between a consistent, stable and safe environment for users and losing visibility and control over the systems charged with delivering critical messaging services. The ease with which changes are made can create a false sense of security about the impact they may bring, which reinforces the need for an Exchange auditing and reporting tool to improve overall enterprise messaging manageability.
3. Required Features for Exchange Auditing

Exchange auditing is the process of gathering information, reporting it, analyzing it, taking action, and evaluating the results of those actions in order to sustain compliance, secure information and ensure consistent delivery of messaging services. Windows natively has the ability to output audit information. That information, however, is dispersed between Exchange servers and Active Directory domain controllers and is not centrally aggregated. Native reporting tools for Exchange audit data are also lacking, making the collection and reporting steps of change auditing difficult and time consuming. There is also a risk of losing audit data if event log settings are not sized for the volume of information logged, and of running out of disk space on domain controllers if too much information is captured and not cleared after it has been properly archived. Once native information has been analyzed by an administrator experienced with system events and messages, the interpretation must result in a decision either to act or to accept the change as having met its intended goal without causing a deficiency or unacceptable compromise. Evaluating with native Windows and Exchange tools requires the same effort as collecting the information, and thus a similar investment of time. Taken together, these factors make native change auditing infeasible in most environments. The following is a collection of must-have Microsoft Exchange auditing features, followed by additional deployment considerations.

3.1 Automatic Data Collection

To audit Exchange servers efficiently, the process must be automated through scripting or third-party tools. Without automation, collecting the information in a timely manner is not feasible.
This is especially true because the size of the organization has a great impact on the raw volume of information collected, making it even more challenging to track and monitor Exchange changes. Special steps must also be taken on servers and domain controllers throughout the environment to enable auditing of this information, which is not enabled by default. Additional scripting and/or a third-party Exchange monitoring tool may also be employed to pre-configure systems in preparation for collecting event data. Furthermore, if audit data is not collected regularly, there is a risk of losing it to automatic event log overwrites or disk space issues. Automatic collection is a required feature of change auditing because without it, timely auditing is nearly impossible.

3.2 Efficient and Centralized Audit Data Storage

Automation of any kind typically requires additional resources and may negatively impact system performance, which can lead to bigger problems. For this reason, it is important that the method used to collect data automatically has minimal impact. Storage of the data must also be considered during implementation. While it is possible to store event and audit data locally on the Exchange servers where the events take place, the preferred method is to centralize this information in a data store that is both secure and readily available. This brings numerous additional benefits over time as analyzing and reporting on this information becomes part of the daily routine for the IT administrator or group responsible for the overall health of Exchange messaging services.

Collection must also be reliable. Each piece of the change auditing system should be checked periodically to ensure the information it collects is consistent. The most advanced collection methods also pre-screen data, filter for only the essential records, and compress the result for further efficiency. During collection, preference should be given to methods that leverage the existing Windows and Exchange event logs rather than injected agents or modified core system code, which avoids potential system stability and future incompatibility problems. Relying solely on event log data introduces its own problem, however, because that information is frequently incomplete: to understand an event completely, the information from all the sources involved must be aggregated and analyzed as a whole. Securing this information for short- and long-term storage is also an important consideration, so best practices for securing audit data should be settled before deployment such that no single power user has access to the information or the ability to delete or tamper with it. Access to this information should be heavily restricted and monitored.

3.3 Scalability

To audit Exchange changes in the enterprise, the solution must scale to a constantly changing environment without the need for dramatic steps.
Implementation and ongoing use of Exchange auditing is simpler when no additional software or extensive reconfiguration is required to keep up with messaging changes within the organization. Exchange auditing should keep pace with every granular change as the overall topology of the network, the domain controllers and Active Directory changes, to ensure consistent control, serve end users well, and provide an invaluable audit trail for the IT staff. This scalability needs to come easily.

3.4 Advanced Reporting Capabilities

Once data collection is automated, reliable and stored securely, Exchange auditing can assume a proactive role in sustaining compliance, securing information and improving overall messaging performance and stability. Advanced reporting is necessary to provide IT administrators, management and auditors with summarized information on every Exchange change, for any time period. Without the ability to produce clear change history for day-to-day modifications to Exchange objects and settings, such as who changed a mailbox's permissions or whether a connector has been deleted, sustaining compliance, stability and security is impossible and many opportunities to improve them are surrendered.
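The collection step of section 3.1 and the Who/What/When/Where report of section 3.4 can be started with the native pieces the paper says are dispersed: the Exchange 2010 administrator audit log and the Security log of the domain controllers. The following PowerShell is an added example written for this page; it is not NetWrix's code and not part of the original white paper. It assumes Exchange 2010 SP1 or later run from the Exchange Management Shell, a domain controller named DC01 (hypothetical), an account permitted to read that DC's Security log, and a share \\auditstore\exchange (hypothetical) serving as the central store.

```powershell
# Added example (not from the whitepaper or NetWrix): one day of Exchange
# configuration changes from two native sources, merged into a single
# Who/What/When/Where report. PowerShell 2.0 syntax (Exchange 2010 era).
$since = (Get-Date).AddDays(-1)
$now   = Get-Date

# Source 1: the Exchange administrator audit log. Enable it once, org-wide, and
# keep a year of entries. Every cmdlet that modifies a configuration object is
# recorded with its caller, parameters and the object it touched.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * -AdminAuditLogParameters * `
    -AdminAuditLogAgeLimit 365.00:00:00

$exchangeChanges = Search-AdminAuditLog -StartDate $since -EndDate $now -ResultSize 5000 |
    ForEach-Object {
        $entry  = $_
        $params = ($entry.CmdletParameters | ForEach-Object { "-$($_.Name) '$($_.Value)'" }) -join ' '
        New-Object PSObject -Property @{
            When   = $entry.RunDate
            Who    = $entry.Caller
            What   = "$($entry.CmdletName) $params"
            Object = $entry.ObjectModified
            Where  = $entry.OriginatingServer
            Result = $(if ($entry.Succeeded) { 'Succeeded' } else { "Failed: $($entry.Error)" })
            Source = 'Exchange admin audit log'
        }
    }

# Source 2: Active Directory group membership changes, which Exchange does not
# log itself. Security events 4728/4732/4756 are "member added to a
# global/local/universal group", written on the DC that performed the change.
# Only the Exchange admin groups are kept: 'Organization Management' is the
# Exchange 2010 role group; the second name is the legacy one used in the
# paper's example (assumed to exist in this environment).
$watchedGroups = 'Organization Management', 'Exchange Enterprise Administrators'

$groupChanges = Get-WinEvent -ComputerName 'DC01' -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            When   = $_.TimeCreated
            Who    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            What   = "Member added: $($data['MemberName'])"
            Object = $data['TargetUserName']        # the group's sAMAccountName
            Where  = $_.MachineName
            Result = 'Succeeded'
            Source = "Security event $($_.Id)"
        }
    } | Where-Object { $watchedGroups -contains $_.Object }

# Merge both sources into one timeline and write it off-box (section 3.2).
# A dated CSV is the simplest thing SQL Server or a SIEM collector can import.
$report = @($exchangeChanges) + @($groupChanges) | Sort-Object When
$report | Select-Object When, Who, What, Object, Where, Result, Source |
    Export-Csv -Path "\\auditstore\exchange\changes-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$report | Format-Table When, Who, What, Object -AutoSize
```

Two caveats the script illustrates rather than hides: the administrator audit log only records cmdlets run through the Exchange tools, so a group membership change made with ADSI Edit or an LDAP script never appears there, which is why the DC Security log is merged in; and both sources age out (the admin audit log by AuditLogAgeLimit, the Security log by its configured size), so the export to the central store has to run on a schedule, not on demand.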
In Exchange messaging environments, Microsoft SQL Server for storing the data and SQL Server Reporting Services for reporting on it are the obvious choices. The Express edition of SQL Server, which includes Reporting Services, can be downloaded free from Microsoft. The ability to customize ad-hoc and predefined third-party reports accelerates an effective change auditing implementation by saving time and providing configuration options that suit the majority of needs. Using reports daily ensures complete visibility over the entire IT infrastructure, with opportunities to improve security and sustain compliance. Additional reporting features, including e-mail subscriptions, add to the impact advanced reporting has on overall systems management effectiveness. Once established, advanced reporting is the main driver behind a successful, sustained Exchange audit and becomes an important part of day-to-day management of the messaging environment.

3.5 Non-Owner Mailbox Auditing

Non-owner mailbox access poses a serious threat to your information. With the abundance of sensitive data stored in mailboxes, the ability to monitor who attempts to open them is a necessity. It also shows where security needs firming up and satisfies auditors who may want to see a report of who has attempted to access mail files not belonging to them.

Administrators and users with excessive permissions present a serious threat to the organization in the form of reviewing confidential information without authorization. This threat is especially severe for publicly traded companies, where financial information leaked from the CFO's mailbox can have legal repercussions: an employee who reads confidential financial statements before they become public may buy or sell stock in the company on that insider information. The need to audit non-owner mailbox access is critical for this reason, as well as for numerous similar situations where confidential information may cause serious harm. Human resources also holds sensitive company and employee information, as during a major restructuring or acquisition, where an employee could learn of upcoming layoffs or terminations before the information becomes public. The unauthorized employee could warn coworkers or cause panic and unrest in the organization. This example further illustrates the grave dangers of non-owner mailbox access and the need to have this feature as part of any Exchange auditing solution.

3.6 Additional Considerations

Preferred solutions (and providers) should offer plug-in or add-on modules to form a cohesive and comprehensive management suite that maximizes the benefits of change auditing. Additional system types to cover include firewalls, switches, database servers, SANs, storage appliances and other Microsoft technologies such as SQL Server and SharePoint, and especially Active Directory and Group Policy. Real-time alerting and object restore features also add great value to any selected Exchange auditing tool.

3.7 SIEM, IT Governance, Risk-Management and Exchange Auditing

These common buzzwords appear frequently in discussions of security and change auditing and represent a broader view of enterprise IT management. SIEM, Security Information and Event Management, is related to change auditing but with some important differences. SIEM encompasses real-time analysis of security alerts and events generated throughout the entire enterprise, extending to all applications and devices in every corner of the organization. Change auditing is a critical information collection and reporting layer beneath overall SIEM objectives and must interoperate closely with SIEM systems and services to be fully effective. SIEM implementations range from in-house, customized systems to massive modular deployments that manage nearly all IT resources in an environment. IT Governance describes the overall mission of an IT organization within the broader context of the organization as a whole; it is meant to align the core activities and services IT provides with overall organizational directives and goals. Risk management is a term found more and more frequently in the press and in publications, challenging "security" as the appropriate description of how organizations keep their resources stable and secure. More recently, the growing place of mobile devices and cloud computing in an organization's IT strategy presents new challenges to traditional models of security, and of how best to provide it in an increasingly mobile world where the borders of IT infrastructure have blurred greatly. Keeping these terms in mind while approaching Exchange auditing helps keep IT objectives in line with organizational messaging objectives and needs as requirements change.
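Section 3.5 describes non-owner mailbox auditing as a feature to look for in a product; Exchange 2010 SP1 also ships a native form of it, mailbox audit logging, which is the baseline any third-party report should at least match. The following PowerShell is an added example written for this page, not NetWrix's code and not from the original white paper. It assumes Exchange 2010 SP1 or later run from the Exchange Management Shell, two mailboxes named cfo and hr.director (hypothetical) standing in for the CFO and HR examples in the text, one known delegate with the display name Finance Assistant (hypothetical), and the share \\auditstore\exchange (hypothetical) as the central store.

```powershell
# Added example (not from the whitepaper or NetWrix): enable native mailbox
# audit logging for non-owner access on the sensitive mailboxes, verify it,
# then produce the "who opened mail that is not theirs" report auditors ask for.
$sensitive = 'cfo', 'hr.director'          # hypothetical mailbox aliases

# Delegate actions (Full Access users, SendAs, SendOnBehalf) and admin actions
# (for example an administrator's MAPI session or Search-Mailbox) are recorded.
# Owner actions are left at the default of none to keep the log volume down.
# AuditLogAgeLimit is how long entries stay inside the mailbox before purging.
foreach ($mbx in $sensitive) {
    Set-Mailbox -Identity $mbx -AuditEnabled $true `
        -AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
        -AuditAdmin   Update, Copy, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, MessageBind, SendAs, SendOnBehalf `
        -AuditLogAgeLimit 180.00:00:00
}

# Verify the setting actually took; this is the evidence an auditor will ask for.
$sensitive | Get-Mailbox | Format-Table Name, AuditEnabled, AuditDelegate, AuditLogAgeLimit -AutoSize

# Who, other than the owner, opened or acted on these mailboxes in the last 7 days?
# -ShowDetails only works with a single -Identity, hence the loop.
$since    = (Get-Date).AddDays(-7)
$nonOwner = foreach ($mbx in $sensitive) {
    Search-MailboxAuditLog -Identity $mbx -LogonTypes Admin, Delegate `
        -StartDate $since -EndDate (Get-Date) -ShowDetails -ResultSize 10000
}

# Filter out the delegate everyone already knows about so the report shows
# only surprises, then keep the Who/What/When/Where columns and export them.
$expectedDelegates = 'Finance Assistant'    # hypothetical display name
$nonOwner |
    Where-Object { $expectedDelegates -notcontains $_.LogonUserDisplayName } |
    Select-Object MailboxResolvedOwnerName, LogonUserDisplayName, LogonType, Operation, OperationResult,
                  FolderPathName, ItemSubject, ClientIPAddress, LastAccessed |
    Sort-Object LastAccessed -Descending |
    Export-Csv -Path "\\auditstore\exchange\non-owner-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The entries this search reads live inside the audited mailbox itself (the Audits subfolder of Recoverable Items) and are purged when they pass AuditLogAgeLimit, which is exactly the situation section 3.2 warns about: a record that stays on the system it describes, for a bounded time. Scheduling the export so the CSV lands in the restricted central store is what turns the native feature into an audit trail that satisfies the retention and tamper-resistance requirements the paper lists.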
4. NetWrix approach to Exchange Auditing

The NetWrix approach incorporates all the features needed for effective Exchange auditing in a single software solution. NetWrix Exchange Change Reporter is an Exchange auditing tool that tracks changes made to Exchange objects, settings and permissions across the entire messaging infrastructure. It generates audit reports that include the four W's, Who, What, When and Where, for every audited Exchange change, including created and deleted mailboxes, transport link changes, changes to security permissions and Exchange admin groups, and all other change activity. It also automatically records the before and after values of each Exchange configuration change to support security and change control efforts. NetWrix also offers an optional Non-Owner Mailbox Auditing add-on, critical to protecting sensitive information from the prying eyes of users and administrators with too much privilege over mail files. Automatic collection and reporting on Exchange changes not only surpasses the native capabilities of Windows but expands on them, eliminating the time and effort spent collecting change audit information manually or through complex scripting and making this information both reliable and actionable. Furthermore, it sustains compliance through historical reporting for seven years and more, and extends Exchange auditing into SIEM and monitoring systems such as SCOM for improved IT control and protection of those investments. In addition to Exchange auditing, NetWrix offers integrated modules for Active Directory, Group Policy and more, protecting existing investments in current NetWrix product installations. Adding Active Directory Change Reporter provides real-time alerting and automatic restoration for Exchange object, setting and permission changes.
Try a free download of NetWrix Exchange Change Reporter to see how NetWrix can help with your auditing and compliance needs. Download link: netwrix.com/exch_download

About NetWrix Corporation

NetWrix Corporation is a highly specialized provider of solutions for IT infrastructure change auditing. Change auditing is the core competency of NetWrix and no other vendor focuses on it more extensively. With the broadest platform coverage available in the industry, innovative technology and a strategic roadmap aimed at supporting different types of IT systems, devices and applications, NetWrix offers award-winning change auditing solutions at very competitive prices, matched with great customer service. Founded in 2006, NetWrix has evolved into the #1 vendor for change auditing, as evidenced by thousands of satisfied customers worldwide. The company is headquartered in Paramus, NJ, and has regional offices in Los Angeles and Boston.

About Chris Rich

As Senior Director of Product Management for NetWrix, located in the Boston office, I oversee all aspects of product management for the NetWrix family of products. I have been involved in numerous aspects of IT for over 16 years, including help desk, systems administration, network management, network architecture, telecom and software sales and sales engineering, and product management. I am also a certified technical trainer, MCSA, Certified IBM Domino Administrator, avid runner, musician and happily married father of two.

Additional Resources

Information security professionals and trends - www.infosecisland.com
Articles and commentary on a wide array of IT related topics - www.techrepublic.com
Community focused on Windows technologies - www.windowsitpro.com
Editorial resource for technology professionals - www.redmondmag.com
Innovative tool and active community of IT practitioners - www.spiceworks.com
Focused community on Windows security needs, trends, and information - www.windowssecurity.com
10 Immutable Laws of Security - http://technet.microsoft.com/en-us/library/cc722487.aspx
Popular explanation and resources for Change Management and Change Auditing concepts and terminology - http://en.wikipedia.org/wiki/Change_management_auditing
Excellent resource for Windows Administrators - www.petri.co.il
NetWrix Corporate Blog - http://blog.netwrix.com

©2011 All rights reserved. NetWrix is a trademark of NetWrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.
