Microsoft Exchange is one of the primary solutions medium and large organizations use to provide email services. Exchange directly serves as an information transport mechanism and indirectly as a storage medium for organizational data in the form of attachments and email message content. This blog post covers a high-level subset of audit considerations for Exchange 2010 and newer environments, to help your organization assess whether proper oversight and controls exist to limit the likelihood of unauthorized information disclosure, disposal or modification.
The Security Access Groups. Exchange privileged access is typically associated solely with the Exchange Administrators group. Starting in Exchange 2010, Microsoft developed an internal Role-Based Access Control scheme that provides additional AD security groups with varying degrees of elevated permissions and rights. For example, members of the Server Management group can modify certain properties of any Exchange Server in the environment. Members of the Organization Management group are essentially Exchange Admins, just without rights to perform mailbox searches. A total of 11 built-in Exchange role-based access groups should be reviewed as part of any privileged-access assessment. The Exchange Administrators group is the sum of all 11 role-based access groups.
Monitoring Group Membership. Exchange comes with 12 privileged security groups (Exchange Administrators and the 11 built-in role groups). The ability to promptly detect and respond to membership changes in these groups is useful in several ways. First, if processes are in place to monitor and alert when additions to sensitive groups occur, you may be able to proactively identify reconnaissance or insider-threat activity; manual follow-up on an alert may reveal that an account addition was unauthorized or associated with an external threat. Second, removals from sensitive Exchange groups may indicate a threat agent attempting to lock you out of your systems or prevent you from administering the environment, either before launching or following a successful cyberattack.
Auditing Administrator Actions. Exchange provides built-in administrator logging functions, allowing commands or actions performed by privileged users to be captured for review. The logging can be redirected to SIEMs or other repositories for independent and secure analysis. The need for this function stems from some of the rights available to privileged Exchange users, such as the ‘SendAs’ right, which allows an email to be sent by ‘User A’ while appearing to have come from ‘User B.’ Oh what fun you could have with ‘SendAs’ rights! Admin logging can also capture whether hard and soft deletes were issued against another user’s mailbox (think the C-Suite) or whether deleted items have been recovered. Check administrator logging status in your environment by issuing the Get-AdminAuditLogConfig | Select *audit* command from the Exchange Administrator shell.
Auditing Mailbox Use. Exchange also provides a mailbox auditing capability that gives a more granular view into a specific user’s mailbox. Mailbox auditing used in conjunction with administrator logging is typically sufficient to provide adequate audit coverage; the combination matters because Exchange gives administrators the option to set an audit bypass on particular mailboxes, which may allow particular admin actions to go unnoticed for extended periods of time. Mailbox auditing serves as the primary mechanism to identify mailbox abuse perpetrated by Exchange privileged users.
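The group-membership, administrator-logging and mailbox-audit checks described in the three sections above can be collected in a single review script. The following is an added example, not code from the original post; it assumes it is run from the Exchange shell on Exchange 2010 SP1 or newer (so that Search-AdminAuditLog is available) by an account that can read role groups, audit configuration and mailbox properties.

```powershell
# Added audit-check script (not from the original post). Assumes Exchange 2010 SP1+
# and an account permitted to read role groups, audit settings and mailboxes.
param([int]$LookbackDays = 30)

# 1. Privileged access: snapshot every built-in role group and its members so the
#    result can be diffed against the last approved baseline.
$snapshot = foreach ($rg in Get-RoleGroup) {
    foreach ($m in Get-RoleGroupMember -Identity $rg.Identity) {
        [pscustomobject]@{ RoleGroup = $rg.Name; Member = $m.Name; Type = $m.RecipientType }
    }
}
$snapshot | Sort-Object RoleGroup, Member | Format-Table -AutoSize

# 2. Administrator audit logging: it must be enabled, and the retention window
#    should cover your review cycle.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.AdminAuditLogEnabled) {
    Write-Warning "Admin audit logging is DISABLED - privileged actions are not being recorded."
}
"Admin audit log age limit: $($cfg.AdminAuditLogAgeLimit)"

# 3. Role-group additions and removals recorded by the admin audit log. Only
#    changes made through Exchange cmdlets appear here; edits made directly in AD
#    do not, so this complements (does not replace) AD group-change monitoring.
$since = (Get-Date).AddDays(-$LookbackDays)
Search-AdminAuditLog -Cmdlets Add-RoleGroupMember, Remove-RoleGroupMember `
    -StartDate $since -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Sort-Object RunDate

# 4. Mailbox auditing gaps: mailboxes with auditing turned off, and accounts whose
#    actions are exempted from mailbox auditing via an audit bypass.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress
$bypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled }
if ($bypass) {
    Write-Warning "Accounts with mailbox audit bypass enabled:"
    $bypass | Select-Object Name, AuditBypassEnabled
}
```

Review the output of steps 1 and 4 against an approved baseline each cycle; any unexplained role-group member, disabled mailbox audit, or audit bypass is a finding to follow up.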
eDiscovery and Data Holds. Exchange allows administrators to place litigation holds on data contained in its repository to prevent deletion and to perform item-specific searches across multiple mailboxes. Monitoring when these features are enabled or disabled may allow organizations to identify when users with privileged access are attempting to electronically dumpster dive, perform recon by recovering deleted emails, or cover up unsanctioned actions by disabling data or litigation holds placed on corporate data. Controlling access to and monitoring eDiscovery should be a key control consideration.