Microsoft Exchange Server 2007 Administrators Pocket Consultant Second Edition

Auditing lets you track what's happening with Exchange Server. You can use auditing to collect information related to logons and logoffs, permission use, and much more. Any time an action that you've configured for auditing occurs, this action is written to the system's security log, where it's stored for your review. You can access the security log from Event Viewer.

Using Auditing

You enable auditing in the domain through Group Policy. You can think of group policies as sets of rules that help you manage resources. You can apply group policies to domains, organizational units within domains, and individual systems. Policies that apply to individual systems are referred to as local group policies and are stored only on the local system. Other group policies are linked as objects in Active Directory.

Note 

Several tools are available for managing Group Policy, including Group Policy Management Console (GPMC) and Group Policy Object Editor (GPOE). Group Policy Management Console is included with Windows Vista and later versions of the Windows operating system. (You can download GPMC by going to http://www.microsoft.com/downloads/details.aspx?FamilyId=&displaylang=en.) When you are editing individual Group Policy Objects (GPOs), Group Policy Object Editor is the standard tool. You can access GPOE from GPMC and from other tools as well, such as Active Directory Users And Computers.

You can audit Exchange activity by enabling auditing in a Group Policy Object applied to your Exchange servers. This policy object can be a local Group Policy Object or an Active Directory Group Policy Object.

Configuring Auditing

You can enable Exchange auditing by completing the following steps:

  1. Log on to a computer running Windows Vista with an administrator account. This computer must be a member of the forest in which you installed your Exchange server.

  2. Click Start, type mmc into the Search box, and then press Enter.

  3. In the Microsoft Management Console, select File, and then select Add/Remove Snap-in. Click Add.

  4. In the Add Standalone Snap-in dialog box, select Group Policy Management Console, click Add, and then click OK. You can now navigate through the forest and domains in the organization to view individual Group Policy Objects using Group Policy Management Console.

  5. To specifically audit users’ actions on Exchange Server, you should consider creating an OU for Exchange servers, and then define auditing policy for the OU. After you've created the OU or if you have an existing OU for Exchange servers, right-click the related policy object, and then select Edit to open the policy object for editing in Group Policy Object Editor.

  6. As shown in Figure 10-7, access the Audit Policy node by working your way down through the console tree. Expand Computer Configuration, Windows Settings, Security Settings, and Local Policies. Then select Audit Policy.

  7. You should now see the following auditing options:

    • Audit Account Logon Events: Tracks user account authentication during logon. Account logon events are generated on the authenticating computer when a user is authenticated.

    • Audit Account Management: Tracks account management by means of Active Directory Users And Computers. Events are generated any time user, computer, or group accounts are created, modified, or deleted.

    • Audit Directory Service Access: Tracks access to Active Directory. Events are generated any time users or computers access the directory.

    • Audit Logon Events: Tracks local logon events for a server or workstation.

    • Audit Object Access: Tracks system resource usage for mailboxes, information stores, and other types of objects.

    • Audit Policy Change: Tracks changes to user rights, auditing, and trust relationships.

    • Audit Privilege Use: Tracks the use of user rights and privileges, such as the right to create mailboxes.

    • Audit Process Tracking: Tracks system processes and the resources they use.

    • Audit System Events: Tracks system startup, shutdown, and restart, as well as actions that affect system security or the security log.

  8. To configure an auditing policy, double-click or right-click its entry, and then select Security. This opens a Properties dialog box for the policy.

  9. Select the Define These Policy Settings check box, and then select the Success check box, the Failure check box, or both. Success logs successful events, such as successful logon attempts. Failure logs failed events, such as failed logon attempts.

  10. Repeat steps 8 and 9 to enable other auditing policies. The policy changes won't be applied until the next time you start the Exchange server.

Figure 10-7: Use the Audit Policy node in Group Policy to enable auditing.
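
An added example, not from the book: after the policy has been applied, the nine settings from step 7 can be checked on the Exchange server by parsing the [Event Audit] section of a security template exported with secedit. The sample values and the helper name Get-AuditPolicyState are assumptions made for this illustration.

```powershell
# Constructed sample of a template exported with
#   secedit /export /cfg audit.inf /areas SECURITYPOLICY  (values invented)
$sample = @'
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
'@

# Template key -> policy name as listed in step 7.
$policyNames = [ordered]@{
    AuditAccountLogon    = 'Audit Account Logon Events'
    AuditAccountManage   = 'Audit Account Management'
    AuditDSAccess        = 'Audit Directory Service Access'
    AuditLogonEvents     = 'Audit Logon Events'
    AuditObjectAccess    = 'Audit Object Access'
    AuditPolicyChange    = 'Audit Policy Change'
    AuditPrivilegeUse    = 'Audit Privilege Use'
    AuditProcessTracking = 'Audit Process Tracking'
    AuditSystemEvents    = 'Audit System Events'
}

# Hypothetical helper: reads the [Event Audit] section and decodes each value
# (0 = no auditing, 1 = Success, 2 = Failure, 3 = both check boxes from step 9).
$settings = 'No auditing', 'Success', 'Failure', 'Success, Failure'
function Get-AuditPolicyState([string[]]$Lines) {
    $section = ''; $found = @{}
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Event Audit' -and $text -match '^(\w+)\s*=\s*(\d+)$') {
            $found[$Matches[1]] = [int]$Matches[2]
        }
    }
    foreach ($key in $policyNames.Keys) {
        $state = 'Not defined'   # key absent from the template
        if ($found.ContainsKey($key)) { $state = $settings[$found[$key] -band 3] }
        [pscustomobject]@{ Policy = $policyNames[$key]; Setting = $state }
    }
}
Get-AuditPolicyState ($sample -split '\r?\n') | Format-Table -AutoSize
```

To check a real server, pass the lines of an actual export (for example, from Get-Content) instead of the sample. A policy reported as Not defined or No auditing writes nothing to the security log.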
