From: Dave Roberts (daverobertsknelson.com)
Date: Wed May 23 2001 - 13:39:35 CDT

    If you are running Exchange 2000 on Windows 2000 the 'Application' event
    log logs any access to a mailbox that is not the user's primary mailbox
    with event ID 1016. I can't remember if this is a default setting
    though? You may have to turn on "Audit account logon events" in security
    policies on your Exchange server?

    The Event Type is Success Audit which is kind of misleading because even
    when the unauthorized user accesses a mailbox that they are not
    permitted to access the Event Type is still Success Audit with the same
    ID. From the little I've tested it does not appear that the unauthorized
    user was given access to the other person's mailbox.

    I hope this helps.

    Dave

    Example Event Log message.

    Event Type: Success Audit
    Event Source: MSExchangeIS Mailbox Store
    Event Category: Logons
    Event ID: 1016
    Date: 5/23/2001
    Time: 9:43:06 AM
    User: N/A
    Computer: SERVER
    Description:
    Windows 2000 User DOMAIN\USERNAME logged on to ACCOUNTDOMAIN.MSFT
    mailbox, and is not the primary Windows 2000 account on this mailbox.

    -----Original Message-----
    From: Russell Munday [mailto:rmundaysyscap.com]
    Sent: Monday, May 21, 2001 6:38 AM
    To: 'focus-mssecurityfocus.com'
    Subject: Exchange access question

    Hi all, quick question for any MS Exchange gurus.

    Is it possible to track when someone's Inbox is opened? i.e.
    unauthorized person accessing someone else's Inbox.

    TIA

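The post notes that event ID 1016 is logged as Success Audit whether or not the access was permitted, so triage has to key on which account opened which mailbox. The following is an added example, not part of the original message: it parses events exported in the text layout quoted above and checks each account/mailbox pair against an allowlist. The account names, mailbox addresses, the second event source and the allowlist are constructed assumptions.

```python
import re

# Constructed sample data in the text layout of the event quoted in the post.
TEMPLATE = ("Event Type: Success Audit\nEvent Source: {src}\nEvent Category: Logons\n"
            "Event ID: {eid}\nDate: 5/23/2001\nTime: 9:43:06 AM\nUser: N/A\n"
            "Computer: SERVER\nDescription:\n{desc}")
DESC_1016 = ("Windows 2000 User {acct} logged on to {mbx}\n"
             "mailbox, and is not the primary Windows 2000 account on this mailbox.")
SAMPLE = "\n\n".join([
    TEMPLATE.format(src="MSExchangeIS Mailbox Store", eid="1016",
                    desc=DESC_1016.format(acct="CORP\\assistant", mbx="ceo@example.msft")),
    TEMPLATE.format(src="MSExchangeIS Mailbox Store", eid="1016",
                    desc=DESC_1016.format(acct="CORP\\jdoe", mbx="cfo@example.msft")),
    TEMPLATE.format(src="ConstructedOtherSource", eid="1000", desc="Unrelated event."),
])

# Assumption: a site-maintained set of (account, mailbox) pairs with approved
# delegate access, stored lowercase.
APPROVED = {("corp\\assistant", "ceo@example.msft")}

LOGON_RE = re.compile(r"Windows 2000 User (\S+) logged on to (\S+) mailbox")

def parse_events(text):
    """Split an exported log into dicts of header fields plus a one-line Description."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, _, desc = block.partition("Description:")
        fields = dict(line.split(": ", 1) for line in head.splitlines() if ": " in line)
        fields["Description"] = " ".join(desc.split())  # undo line wrapping
        events.append(fields)
    return events

def non_primary_logons(events, approved=APPROVED):
    """Return (account, mailbox, is_approved) for each MSExchangeIS event ID 1016."""
    hits = []
    for ev in events:
        if ev.get("Event ID") != "1016":
            continue
        if not ev.get("Event Source", "").startswith("MSExchangeIS"):
            continue
        m = LOGON_RE.search(ev["Description"])
        if m:
            account, mailbox = m.group(1).lower(), m.group(2).lower()
            hits.append((account, mailbox, (account, mailbox) in approved))
    return hits

if __name__ == "__main__":
    for account, mailbox, ok in non_primary_logons(parse_events(SAMPLE)):
        print(f"{'approved' if ok else 'REVIEW':8} {account} -> {mailbox}")
```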