Ureader.com  
Microsoft software help and Community
   home   |   control panel login   |   archive   |  
 
Exchange
2000.active.directory
2000.admin
2000.announcements
2000.app.conversion
2000.applications
2000.clients
2000.clustering
2000.connectivity
2000.development
2000.documentation
2000.general
2000.information.store
2000.interop
2000.kms
2000.misc
2000.protocols
2000.realtime.collabo.
2000.setup
2000.transport
2000.win2000
admin
application.conversion
applications
clients
clustering
connectivity
design
development
misc
mobility
setup
tools
  
 
date: Sat, 21 Jun 2008 13:23:09 +0330,    group: microsoft.public.exchange.admin        back       


Auditing Exchange Problem!    
Hi,
I have enabled some "diagnostics Logging" options to audit exchange 
administrators activities and works as I expect. The problem is that if an 
administrator changes the "Diagnostics Logging" options no event will be 
generated in event viewer.
Is there any option I have to enable for this to work? I don't want Exchange 
administrators disable logging when they don't want their activities being 
logged!

Thanks.
date: Sat, 21 Jun 2008 13:23:09 +0330   author:   Saeed Pazoki

Re: Auditing Exchange Problem!    
"Saeed Pazoki"  ha scritto nel messaggio 
news:OME8Yy30IHA.548@TK2MSFTNGP06.phx.gbl...

> I have enabled some "diagnostics Logging" options to audit exchange 
> administrators activities and works as I expect. The problem is that if an 
> administrator changes the "Diagnostics Logging" options no event will be 
> generated in event viewer.
> Is there any option I have to enable for this to work? I don't want 
> Exchange administrators disable logging when they don't want their 
> activities being logged!

Don't grant them Administrator rights, then ;-)
If they have them, nothing can stop them from doing what they want with 
Exchange.


Massimo
date: Sat, 21 Jun 2008 11:53:11 +0200   author:   Massimo

Re: Auditing Exchange Problem!    
I want them to do what they want but I expect exchange server to log those 
things! If someone has disabled diagnostics logging I expect to see this in 
event viewer and know who has violated policies!

"Massimo"  wrote in message 
news:uis5XS40IHA.552@TK2MSFTNGP06.phx.gbl...
> "Saeed Pazoki"  ha scritto nel messaggio 
> news:OME8Yy30IHA.548@TK2MSFTNGP06.phx.gbl...
>
>> I have enabled some "diagnostics Logging" options to audit exchange 
>> administrators activities and works as I expect. The problem is that if 
>> an administrator changes the "Diagnostics Logging" options no event will 
>> be generated in event viewer.
>> Is there any option I have to enable for this to work? I don't want 
>> Exchange administrators disable logging when they don't want their 
>> activities being logged!
>
> Don't grant them Administrator rights, then ;-)
> If they have them, nothing can stop them from doing what they want with 
> Exchange.
>
>
> Massimo
>
date: Sat, 21 Jun 2008 14:31:03 +0330   author:   Saeed Pazoki

Re: Auditing Exchange Problem!    
"Saeed Pazoki"  ha scritto nel messaggio 
news:OgTdaY40IHA.4040@TK2MSFTNGP04.phx.gbl...

> I want them to do what they want but I expect exchange server to log
> those things! If someone has disabled diagnostics logging I expect
> to see this in event viewer and know who has violated policies!

You can't, sorry.
It's the same thing as logging every other kind of administrative 
activities: administrators, by definition, have administrative rights, so 
they can disable logging and even delete logs. Or they can create other 
administrative accounts and use *those* to purge logs, so nobody will even 
be able to know who actually purged them and what was logged before. You 
have to trust administrators, or remove them from this role.

Regarding Exchange, maybe you can grant them lower rights: instead of making 
them Exchange full administrators, you can grant only them rights to manage 
mailboxes. But if you want them to be able to manage your server's 
configuration, then they will be able to turn on and off logging as they 
wish.

Also, remember that what you're talking about is a *diagnostic* logging: it 
was never intended to be a security auditing.


Massimo
date: Sat, 21 Jun 2008 12:20:45 +0200   author:   Massimo

Re: Auditing Exchange Problem!    
Thanks.

"Massimo"  wrote in message 
news:u$Q4xh40IHA.5832@TK2MSFTNGP02.phx.gbl...
> "Saeed Pazoki"  ha scritto nel messaggio 
> news:OgTdaY40IHA.4040@TK2MSFTNGP04.phx.gbl...
>
>> I want them to do what they want but I expect exchange server to log
>> those things! If someone has disabled diagnostics logging I expect
>> to see this in event viewer and know who has violated policies!
>
> You can't, sorry.
> It's the same thing as logging every other kind of administrative 
> activities: administrators, by definition, have administrative rights, so 
> they can disable logging and even delete logs. Or they can create other 
> administrative accounts and use *those* to purge logs, so nobody will even 
> be able to know who actually purged them and what was logged before. You 
> have to trust administrators, or remove them from this role.
>
> Regarding Exchange, maybe you can grant them lower rights: instead of 
> making them Exchange full administrators, you can grant only them rights 
> to manage mailboxes. But if you want them to be able to manage your 
> server's configuration, then they will be able to turn on and off logging 
> as they wish.
>
> Also, remember that what you're talking about is a *diagnostic* logging: 
> it was never intended to be a security auditing.
>
>
> Massimo
>
date: Sat, 21 Jun 2008 15:27:59 +0330   author:   Saeed Pazoki

Re: Auditing Exchange Problem!    
On Sat, 21 Jun 2008 13:23:09 +0330, "Saeed Pazoki"
 wrote:

>I have enabled some "diagnostics Logging" options to audit exchange 
>administrators activities and works as I expect. The problem is that if an 
>administrator changes the "Diagnostics Logging" options no event will be 
>generated in event viewer.
>Is there any option I have to enable for this to work? I don't want Exchange 
>administrators disable logging when they don't want their activities being 
>logged!

The "Diagnostics Logging" just alters values in the registry. You can
audit those changes in the O/S.

Anyone with the ability to modify the registry on that machine can
change you settings without using the Exchange UI. If you depended
solely on the UI to register changes you'd never see changes made by
anything else.
date: Sat, 21 Jun 2008 13:39:33 -0400   author:   Rich Matheisen

Re: Auditing Exchange Problem!    
I would suggest you management communicate company policy not to change log 
settings. That way Admins are aware.


"Saeed Pazoki"  wrote in message 
news:OME8Yy30IHA.548@TK2MSFTNGP06.phx.gbl...
> Hi,
> I have enabled some "diagnostics Logging" options to audit exchange 
> administrators activities and works as I expect. The problem is that if an 
> administrator changes the "Diagnostics Logging" options no event will be 
> generated in event viewer.
> Is there any option I have to enable for this to work? I don't want 
> Exchange administrators disable logging when they don't want their 
> activities being logged!
>
> Thanks.
>
date: Sun, 22 Jun 2008 11:01:11 +1000   author:   Andrew Sword [MVP]

Google
 
Web ureader.com


    COPYRIGHT 2007, YARDI TECHNOLOGY LIMITED, ALL RIGHT RESERVE  |   contact us