Filling the Gap in Exchange Auditing Written by Randy Franklin Smith Monterey Technology Group, Inc.
Copyright Quest Software, Inc. 2008. All rights reserved. This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. WARRANTY The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information. TRADEMARKS All trademarks and registered trademarks used in this guide are property of their respective owners. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 www.quest.com e-mail: info@quest.com Please refer to our Web site for regional and international office information. Updated August 1, 2008 WPW-FillingGapExchangeAuditing-US-AG
CONTENTS EXECUTIVE SUMMARY...1 WHY IS EXCHANGE SECURITY SO IMPORTANT?...2 BUSINESS-CRITICAL INFORMATION AND PROCESSES DEPEND ON EXCHANGE... 2 INFORMATION AND PROCESSES THAT RELY ON EXCHANGE SECURITY... 3 THREATS TO EXCHANGE SECURITY...5 NON-OWNER MAILBOX ACCESS... 6 Challenges to Managing Non-Owner Mailbox Access... 6 Risks Associated with Non-Owner Mailbox Access... 7 CONFIGURATION CHANGES BY ADMINISTRATORS (MALICIOUS OR ACCIDENTAL)... 8 Risks Associated with Actions by Exchange Administrators... 8 Risks Associated with Changes to Active Directory... 9 MITIGATING THE RISKS...10 NATIVE TOOLS ARE INSUFFICIENT... 10 ACCESS CONTROL IS INSUFFICIENT... 10 THE SOLUTION LIES IN OVERSIGHT AND AUDIT TRAILS... 10 THE SOLUTION: INTRUST PLUG-IN FOR EXCHANGE & INTRUST PLUG-IN FOR ACTIVE DIRECTORY...11 INTRUST PLATFORM... 11 InTrust Knowledge Packs... 12 InTrust Plug-Ins... 12 HOW INTRUST PLUG-IN FOR EXCHANGE AND INTRUST PLUG-IN FOR ACTIVE DIRECTORY MITIGATE RISKS... 13 CONCLUSION...14 ABOUT THE AUTHOR...15 ABOUT MONTEREY TECHNOLOGY GROUP, INC....15 ABOUT QUEST SOFTWARE, INC....16 CONTACTING QUEST SOFTWARE... 16 CONTACTING QUEST SUPPORT... 16 NOTES...17 i
White Paper EXECUTIVE SUMMARY The security of your Exchange infrastructure and its content is critical. But organizations have largely neglected to look at the e-mail risks arising inside the network and adequately monitor events that impact the availability, integrity, and confidentiality of e-mail messages and the e-mail system. In particular, organizations need to: 1. Audit non-owner mailbox access (by both unauthorized individuals and by authorized non-owners) and respond to instances of improper access. 2. Audit changes to the e-mail infrastructure and other activities of administrators, and hold individual administrators accountable. Unfortunately, Exchange lacks effective native tools for auditing non-owner mailbox access and configuration changes. With Quest InTrust Plug-in for Exchange and InTrust Plug-in for Active Directory organizations can fill the gaps in Exchange auditing by: 1. Auditing non-owner mailbox access 2. Tracking changes to mailbox permissions 3. Auditing changes to the attributes of Exchange-related Active Directory objects With these capabilities, organizations can monitor and respond to instances of nonowner mailbox access and erroneous administrative changes, thus mitigating the risks identified in this paper. 1
Filling the Gap in Exchange Auditing WHY IS EXCHANGE SECURITY SO IMPORTANT? Business-Critical Information and Processes Depend on Exchange Employees use e-mail to send and receive many kinds of data. Some common types of transmitted data include: financial, patient, customer, proprietary and legally sensitive. They use e-mail to collect information that impacts financial reporting, purchase approvals, or access control changes. These types of information and processes are critical to the success of your business, and they are often subject to compliance regulation and legal risks. Their security depends upon the security of Exchange, the central communications and workflow medium in your organization. Figure 1. Information and processes that depend on Exchange security 2
White Paper Information and Processes that Rely on Exchange Security The table below lists some of the most common types of information and processes that organizations use and the major regulations and security requirements that apply to them: INFORMATION AND PROCESSES REGULATIONS DOMINANT SECURITY REQUIREMENTS Financial reporting SOX Integrity Oversight Audit trail Access control changes All Integrity Separation of duty Accountability Non-repudiation Patient data HIPAA Confidentiality Audit trail Customer data PCI, GLBA Confidentiality Oversight Audit trail Proprietary information Internal Confidentiality Oversight Audit trail Mergers and acquisitions SEC Confidentiality Oversight Audit trail Approvals All Integrity Separation of duty Accountability Non-repudiation Human resources data Legal Confidentiality Oversight Audit trail Government and defense data FISMA, NISPOM, etc. Confidentiality Oversight Audit trail General communication and workflow Internal Availability Confidentiality Table 1. Information and processes that interface with Exchange 3
Filling the Gap in Exchange Auditing As we look at the security requirements, we define confidentiality, integrity, and availability as follows: Confidentiality: Protection of sensitive or secret information from disclosure to unauthorized parties, which could result in harm or liability to the organization Integrity: Protection of the accuracy and completeness of information against accidental or malicious deletion or modification which could result in delayed or inaccurate decisions or operations or expose the organization to liability Availability: Ensuring the relevant servers, network components, and data itself are operational so that the information can be readily accessed Because Exchange is a foundation technology with connections to nearly all your business-critical information and processes, you must take a holistic approach to Exchange security. It is necessary to provide same level of confidentiality, availability, and integrity for Exchange as is placed on the information and processes that depend on Exchange. 4
White Paper THREATS TO EXCHANGE SECURITY What are the threats to Exchange security from outside and inside an organization, and how are they addressed today? External threats include malware, spam, and interception of confidential e-mail; these threats are generally well understood and mature security solutions are available to mitigate them. Some internal risks, including offensive content and proper storage of e-mail for discovery and compliance, are also already addressed by most organizations. But the business world and solution providers have largely neglected other important internal e-mail risks arising inside the network: unauthorized mailbox access and improper administrative changes to the e-mail infrastructure. The table below shows the types of e-mail-related risks and how they are typically addressed in most organizations: RISK CURRENTLY ADDRESSED IN MOST ORGANIZATIONS? STATUS HOW External Malicious e-mail Malware Phishing Spam and directory harvesting Yes Anti-malware, antispam Confidential e-mail intercepted Some Encryption Proprietary content forwarded outside organization Some Outbound keyword and heuristics filtering Internal Human Resources Harassment Offensive content, etc Yes Acceptable use policies Legal Yes Archival Discovery Compliance Unauthorized mailbox access Confidential information compromised No No detection and no audit trail Fraudulent transmission or modification of e-mail Destruction of record Malicious or inadvertent damage to e-mail infrastructure through configuration changes No No detection and no audit trail Confidentiality Integrity Availability Both Availability Yes Clustering and fault tolerant hardware Table 2. E-mail-related risks and typical state of mitigation 5
Filling the Gap in Exchange Auditing Let s take a closer look at the two major risks that have little or no mitigation in most Exchange infrastructures today: Non-owner mailbox access Configuration changes Non-Owner Mailbox Access Exchange allows a user to access another person s mailbox and potentially author e-mails as that person. This capability has legitimate uses, such as the following: A manager or executive might need a subordinate to screen his or her e- mail and handle routine items. Sometimes the assistant may be directed to send e-mail on behalf of the executive. An employee who is on vacation might need someone else to monitor his or her inbox. A manager or the Human Resources department might require access to an employee s email, either for the purposes of an investigation or a routine e-mail review according to policy. But non-owner mailbox access can also be misused or mismanaged, exposing the organization to significant risk. Therefore, non-owner mailbox access must be carefully controlled and supervised. Challenges to Managing Non-Owner Mailbox Access Unfortunately, controlling and auditing non-owner mailbox access is easier said than done, for two main reasons. First, Exchange allows a user to delegate access to his or her mailbox to any other user in the organization without intervention or approval from administrative staff. Users can delegate all of the following: Read access to their inbox and other mail folders. This includes their calendar, to-do list, contacts and any other folder in their mailbox Author and editor access, which allows the delegate to create new items in the mailbox and modify or delete existing items Send As authority, which allows the delegate to impersonate the user by sending e-mail as though it were from that user Second, there is the risk of non-owner access by IT administrators. Administrators seldom, if ever, need to read, much less modify, items in a user s mailbox. By default, administrators are denied access to user mailboxes. However, an administrator can easily override that restriction to gain access to anyone s e-mail, and delete or edit existing items or send new messages. 6
White Paper Figure 2. Exchange enables a variety of kinds of non-owner mailbox access. Risks Associated with Non-Owner Mailbox Access There are times when it is necessary for users and administrators to gain access to others mailboxes. However, there are serious risks associated with non-owner mailbox access, including the following: Non-owner mailbox access can lead to confidential information being compromised. For example, a user with read access to a manager s mailbox may read private information about another employee, such as disciplinary, health, or salary-related information. Proprietary or customer information obtained by unauthorized individuals could be improperly shared internally or externally, including with the press or competitors. Information can be improperly modified or deleted. It is possible for a subordinate to access his or her manager s mailbox and delete records regarding warnings or reprimands. An employee could modify information to cover up a bad report or to falsify figures that affect compensation or financial reporting. Users can send fraudulent e-mail. An impostor can send e-mail from another user s mailbox, making it appear that the mailbox owner has sent offensive or harassing e-mail to a third party, approved a purchase or disbursement transaction, or authorized an access change. Even in well-controlled environments, users focused on getting their jobs done naturally take the expedient route by granting other users access to their mailboxes. Unfortunately, these delegations of authority are rarely revoked or cleaned up. The resulting proliferation of non-owner mailbox access rights leads to an increasingly insecure Exchange environment, ripe for breaches in confidentiality, fraudulent e-mail, and data tampering or destruction. 7
Filling the Gap in Exchange Auditing Configuration Changes by Administrators (Malicious or Accidental) The second major threat to Exchange security that goes largely unaddressed today is configuration changes by administrators. This risk cannot be overstated. While many organizations go to great lengths to ensure separation of user roles in business and financial applications, large numbers of IT staff commonly have full access to the entire IT infrastructure, including all of its databases, e-mail systems, applications and files. Organizations commonly justify granting this broad authority with comments such as, You have to trust someone. But administrators are no less capable of fraud, maliciousness and error than others in an organization. One example is the catastrophic disruption caused by a disgruntled system administrator at UBS PaineWebber. 1 After learning his bonus would be less than expected, the administrator configured a logic bomb programmed to take down the company s entire Unix system that handled trades for the broker division. His actions cost the company three million dollars in consulting for cleanup alone; the lost revenue was never reported. Risks Associated with Actions by Exchange Administrators The risks associated with Exchange administrative power include the following: 8 Administrators can override mailbox permissions. Because administrators can access any mailbox in the organization as if the mailbox owner had given them full control, the risks associated with non-owner mailbox access discussed above also apply here: administrators can read confidential information (such as disciplinary, health, or salary-related information), impersonate other users, falsify or delete content damaging to themselves or others and access proprietary or customer information and share it improperly inside or outside the organization. Exchange server security can be weakened. Exchange security could be weakened in a number of ways: An administrator could accidentally or deliberately reconfigure Exchange to allow unencrypted access to mailboxes by remote employees. The internal domain credentials of privileged employees could then be stolen and used to access internal applications such as financial systems or confidential data, including customer information, patient data or proprietary secrets. It is also possible for Exchange itself to be compromised and the server used for access to the internal network. The SMTP service could be configured to allow the relay of unauthenticated SMTP mail, allowing spam and malware to be sent through the corporate server. When this has occurred, anti-spam services have recognized the company s server as a source of spam and malware. Legitimate e-mail from the company was not delivered and inbound messages were delayed. Disgruntled employees might exploit Exchange and force the organization s e-mail servers to be added to spam real-time block lists, causing devastating consequences.
White Paper Risks Associated with Changes to Active Directory The internal configuration and operations of Exchange are completely dependent on Active Directory (AD) objects. These AD objects can be modified directly, circumventing Exchange configuration and policy validation, resulting in the same risks as direct changes to Exchange configuration. Figure 3. Changes to Active Directory impact Exchange security 9
Filling the Gap in Exchange Auditing MITIGATING THE RISKS Native Tools are Insufficient How can the risks associated with non-owner mailbox access and administrative changes be mitigated? Unfortunately, native Exchange functionality is insufficient because of the following vulnerabilities or gaps: 1. It has no audit trail; it does not report to security log. Exchange lacks an audit trail of non-owner mailbox access and administrative changes to its infrastructure and configuration. Exchange does not report relevant events to the Windows security log. 2. It is dependent on Active Directory for security, policy, and configuration. Exchange is only as secure and dependable as the Active Directory environment it runs in. 3. It is exposed to the Internet; it directly handles network traffic and content likely to contain malware or other embedded attacks. Even with perimeter SMTP relay servers, Exchange is still more vulnerable to malicious content than other servers within the network and therefore more exposed to external attacks as well. Access Control is Insufficient Access control is also of limited use: you must allow users to sometimes delegate access to their mailboxes and grant administrators the authority to do their job; there s no way to configure the system to distinguish between legitimate actions, mistakes or malicious behavior. The Solution Lies in Oversight and Audit Trails The best way to mitigate the risks associated with non-owner mailbox access and administrative changes is through oversight and audit trails. You need to be able to audit non-owner mailbox access and respond quickly to instances of improper access or administrator actions, including identifying the perpetrators. 2 Proper oversight and audit trails help organizations discover security breaches quickly and provide evidence to prosecute violators. These tools can also serve as a deterrent. Employees who know their actions are being recorded and subject to review will be less inclined to misuse authority and practice careful mailbox management. 10
THE SOLUTION: INTRUST PLUG-IN FOR EXCHANGE & INTRUST PLUG-IN FOR ACTIVE DIRECTORY White Paper InTrust Plug-in for Exchange and InTrust Plug-in for Active Directory are specifically designed to provide effective Exchange oversight and audit trails. InTrust Plug-in for Exchange enables you to oversee and respond to instances of non-owner mailbox access, and InTrust Plug-in for Active Directory does the same for administrative changes, mitigating the risks discussed above. InTrust Platform The InTrust platform provides the core log management functions of event collection, alerting, archival, and reporting. InTrust has built-in support for the common log formats, including Windows event logs and any type of text file log, as well as syslog streams for support of Unix, Linux, and network devices like routers and firewalls. To support the special scalability requirements of enterprises and meet the challenges of log integrity in a distributed environment, InTrust includes the following distinguishing features: Log integrity: InTrust enables organizations to create a cached location on each remote server where each event is captured simultaneously as it is written to the event log. This prevents a rogue user or administrator from tampering with the audit log evidence. Redundancy: InTrust provides automated server redundancy in the case of failure. This enables administrators to quickly move all configurations and jobs from a crashed server to a backup server. This reduces the possibility of lost log files due to server failure. 11
Filling the Gap in Exchange Auditing InTrust Knowledge Packs Every system, application and device on an organization s network has its own unique log format, log rotation scheme, arcane event IDs, error codes, and other components. Proper log management and effective analysis of log data therefore requires specialized expertise for each monitored component and its corresponding logs a challenge for even the most knowledgeable IT professional. InTrust addresses this by providing modular knowledge packs built by experts in each technology. InTrust Knowledge Packs provide InTrust with the essential intelligence required to collect and analyze a wide array of log formats. InTrust Knowledge Packs are available for: Windows Solaris Linux (Redhat and SuSe) Firewalls (Checkpoint Firewall-1 and Cisco PIX) Microsoft Excel SQL databases Oracle databases Microsoft Internet Security and Acceleration Server (ISAS) Microsoft Internet Information Server (IIS) AIX 5L Microsoft Identity Integration Server (MIIS) Quest ActiveRoles Server InTrust Plug-Ins Wherever possible, InTrust leverages the native logs already provided by the operating systems, applications and devices on your network. But native functionality frequently falls short of providing the level of instrumentation required for enterprise compliance and security needs. Therefore Quest augments InTrust s core log management platform with specialized plug-ins that fill the gaps in the native logging functionality of platforms such as Active Directory, Exchange, and SharePoint. 12
White Paper How InTrust Plug-in for Exchange and InTrust Plug-in for Active Directory Mitigate Risks As explained above, Exchange lacks the necessary logging and audit functionality to mitigate the risks associated with non-owner mailbox access and administrative changes to configuration, whether they occur directly through Exchange or indirectly through the modification of AD objects. InTrust Plug-in for Exchange and InTrust Plug-in for Active Directory together fill this security and compliance gap with four key features. 1. Auditing and oversight of non-owner mailbox access: InTrust Plug-in for Exchange collects and correlates all unusual or suspicious user and administrator activity. It provides detailed information about non-owner mailbox access, including which emails were read, deleted, copied, moved, or forwarded. 2. Tracking of changes to mailbox permissions: InTrust Plug-in for Exchange provides detailed, real-time auditing and reporting of changes to permissions, including changes made by users to their own mailboxes and those made by administrators. 3. Enhanced mailbox protection: InTrust Plug-in for Exchange can protect selected Exchange mailboxes with an elevated level of protection from unwanted access. You simply specify which mailboxes are to receive this elevated level of security and specify the users or groups (if any) who are allowed to bypass mailbox security. For example, you can prevent anyone but the mailbox owner from accessing a particular mailbox, which can protect VIP mailboxes from being compromised, even by IT administrators. 4. Audit and reporting of changes to the attributes of Exchangerelated Active Directory objects: InTrust Plug-in for Active Directory provides comprehensive and detailed real-time auditing of changes to mailbox permissions and to other AD-related objects such as Group Policy Objects (GPOs). InTrust Plug-in for Active Directory provides all the detailed information behind important changes, including who was responsible, the origination, and pre- and post-change values. Administrators can troubleshoot AD problems and reverse any changes when necessary. By tracking changes to AD security and policy and showing how the changes have strayed from the approved configuration, InTrust enables organizations to address their IT compliance requirements. InTrust Plug-in for Exchange and InTrust Plug-in for Active Directory together provide the critical oversight and audit trail capabilities to address the risks of nonowner mailbox access and administrative changes to configuration. These solutions fully integrate with the alerting, archiving, and reporting capabilities of the InTrust platform to provide complete corporate data security and compliance. 13
Filling the Gap in Exchange Auditing CONCLUSION The security of your Exchange environment is just as important as the security of your most critical applications and information. But many organizations today fail to adequately oversee and audit non-owner mailbox access and administrative changes to Exchange configuration, leaving them vulnerable to risks such as: Compromise of confidential information Modification or deletion of information Fraudulent e-mail Unavailability of the core communications infrastructure Quest developed InTrust Plug-In for Exchange and InTrust Plug-In for Active Directory to enable organizations to oversee and respond to incidents that could affect the integrity, confidentiality, and availability of Exchange and the information and business processes that depend on it. These two solutions help mitigate the risks from non-owner mailbox access, changes to mailbox permissions, and changes to the attributes of Exchange-related Active Directory objects. In addition, InTrust Plug-In for Exchange offers enhanced mailbox protection to prevent unauthorized access to critical mailboxes. InTrust Plug-In for Exchange and InTrust Plug-in for Active Directory help organizations establish controls and accountability for end-users and administrators of Exchange. This allows them to oversee and quickly respond to incidents that could affect the integrity, confidentiality and availability of their critical messaging system. These two important tools also ensure organizations are able to meet any regulatory compliance requirements. 14
White Paper ABOUT THE AUTHOR Randy Franklin Smith is an information security consultant and trainer who specializes in Windows and Active Directory security. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies and national and international organizations. Randy is the designer and exclusive instructor for the Ultimate Windows Security seminars. For more than a decade, Randy has trained hundreds of information technology auditors from public accounting firms and the internal audit departments of organizations around the world on the security and control of Microsoft environments. Randy has written over 300 articles on Windows security issues that have appeared in publications like Information Security Magazine and Windows IT Pro, where he is a contributing editor and author of the popular Windows security log series. In 2003, Randy received the Apex Award of Excellence in the category of How-to Writing for his security feature, 8 Tips for Avoiding the Next Big Worm. He also writes the popular Access Denied Q&A column in Windows IT Security. Randy Franklin Smith began his career in information technology in the 1980s developing software for a variety of companies. During the early 1990s, he led a business process reengineering effort for a multinational organization and designed several mission-critical, object-oriented, client/server systems. As the Internet and Windows NT took off, Randy focused on security and led his employer's information security planning team. In 1997, he formed Monterey Technology Group, Inc., where he serves as CEO. You can contact Randy at rsmith@montereytechgroup.com. ABOUT MONTEREY TECHNOLOGY GROUP, INC. Formed in 1997 by CEO Randy Franklin Smith, Monterey Technology Group, Inc. serves the infosec, IT audit, and software development communities with specialized services, training, and solutions related to Microsoft product security. 15
Filling the Gap in Exchange Auditing ABOUT QUEST SOFTWARE, INC. Quest Software, Inc., a leading enterprise systems management vendor, delivers innovative products that help organizations get more performance and productivity from their applications, databases, Windows infrastructure and virtual environments. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 90,000 customers worldwide meet higher expectations for enterprise IT. Quest provides customers with client management as well as server and desktop virtualization solutions through its subsidiaries, ScriptLogic and Vizioncore. Quest Software can be found in offices around the globe and at www.quest.com. Contacting Quest Software Phone: Email: Mail: Web site 949.754.8000 (United States and Canada) info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com Please refer to our Web site for regional and international office information. Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at http://support.quest.com From SupportLink, you can do the following: Quickly find thousands of solutions (Knowledgebase articles/documents). Download patches and upgrades. Seek help from a Support engineer. Log and update your case, and check its status. View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/pdfs/global Support Guide.pdf 16
White Paper NOTES 1 See Resource Center: UBS PaineWebber Insider Trial at informationweek.com: http://www.informationweek.com/security/ubstrial/;jsessionid=yx3c0ixswbakiq SNDLPCKHSCJUNN2JVN?cid=tab_art_sec 2 For a more general discussion of compliance requirements and how to implement monitoring and change control, see Meeting Change Management and Monitoring Compliance Needs in a Microsoft-Centric Network at http://www.quest.com/documents/landing.aspx?id=6269&searchoff=true&technolo gy=&prod=255&prodfamily=&loc=. 17