Tuesday, July 25, 2017

Exchange 2010 SP3 - Search-AdminAuditLog (2)

During my previous research on the Search-AdminAuditLog cmdlet, I read some claims that only changes made in the EMC (Exchange Management Console) and EMS (Exchange Management Shell) are audited. If we open PowerShell itself, import the Exchange snap-ins and then execute the command in question, it will not appear in the logs.


"Unfortunately, this does not address the issue that the admin audit logs do not actually record everything. If you open Windows PowerShell and load the Exchange module nothing you do in or to Exchange will be in the admin log. [...] if the purpose of the log is to help you monitor what someone has done it seems to be a big hole."



Apparently the same person makes the claim again here:

"Unfortunately, not everything done by an Admin is logged. If you open a Windows PowerShell window and load the Exchange module nothing is recorded in the audit logs. Only actions performed in the EMS are recorded."



This would be a surprising oversight and, if accurate, would make auditing almost useless. Any administrator aware of this shortcoming could execute their commands in PowerShell (with the Exchange snap-ins imported) and leave no tracks for auditing.


But is the claim accurate?

What does Microsoft have to say?

"Cmdlets that are run directly in the Exchange Management Shell are audited. In addition, operations that are performed by using the Exchange Management Console (EMC) and the Exchange Web management interface are also logged because those operations run cmdlets in the background."

Nothing is mentioned about cmdlets executed directly in PowerShell (after the Exchange snap-in is loaded).

If we open PowerShell and load the Exchange module, rather than using the EMS, this apparently bypasses RBAC (although I'm not sure if that has any effect as far as auditing is concerned).


This is also stated in Paul Cunningham's article (and ensuing discussion).

In any event, this is something worth testing.


***


First, I'm testing with Exchange 2010 SP3 RU 15. I may or may not test with other versions of Exchange (possibly 2016). My PowerShell version is 2:




We can enable admin auditing with this command...


Set-AdminAuditLogConfig -AdminAuditLogEnabled $True


But since Exchange 2010 SP1, it is enabled by default.

Indeed, that is the case on my test server:



So let's open PowerShell and load the Exchange module:



In our experiment, the administrator "XADMIN" will grant himself permissions to the mailbox of user Alan Reid.

Right now, these are the permissions on the mailbox:



XADMIN grants himself Full Access to the mailbox with this command:



Before testing the Search-AdminAuditLog cmdlet, I want to see if the action is simply visible in the Event Viewer (MSExchange Management log). I open Find and enter the cmdlet I am seeking (Add-MailboxPermission). The only results are an entry for the Search-AdminAuditLog cmdlet (produced in an earlier experiment) and...



... the entry created during that earlier experiment when XADMIN granted himself Full Access to the mailbox of Alex Heyne (but not Alan Reid):



There is no other entry in the Event Viewer for the Add-MailboxPermission cmdlet:



Note: could this be due to a simple delay? First, there is nothing else happening on my test network (no one else connected, no incoming or outgoing messages to process). Second, I performed the search a second time five days later (when I started the composition of this blog post) and there was still no entry for the access granted to the mailbox of Alan Reid.


Yet, when I execute the Search-AdminAuditLog cmdlet, there is an entry for the action (as well as the earlier event concerning the mailbox of Alex Heyne):
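The search described above, written out as an added example (this is not code from the original post): it confirms admin auditing is on, pulls every Add-MailboxPermission entry from the admin audit log for a window of 30 days (the window is an assumption), flattens the recorded parameters so the caller, the mailbox and the rights granted appear on one line, and then flags entries where the caller granted FullAccess to an account with the same name as the caller. The self-grant test compares the last component of the Caller value with the last component of the User parameter; that matching rule is a heuristic of my own, not something the post defines.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010 SP1 (or
# later) snap-in is loaded; the 30-day window and the self-grant heuristic are
# assumptions.

# 1. Confirm that admin audit logging is enabled (default since 2010 SP1).
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.AdminAuditLogEnabled) {
    Write-Warning "Admin audit logging is disabled; enable it with Set-AdminAuditLogConfig -AdminAuditLogEnabled `$true"
}

# 2. Pull every Add-MailboxPermission call recorded in the last 30 days.
$since  = (Get-Date).AddDays(-30)
$events = Search-AdminAuditLog -Cmdlets Add-MailboxPermission -StartDate $since -EndDate (Get-Date)

# 3. One line per event: who ran it, on which mailbox, with which parameters.
$events | ForEach-Object {
    $params = ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    New-Object PSObject -Property @{
        RunDate    = $_.RunDate
        Caller     = $_.Caller
        Mailbox    = $_.ObjectModified
        Succeeded  = $_.Succeeded
        Server     = $_.OriginatingServer
        Parameters = $params
    }
} | Sort-Object RunDate | Format-Table RunDate, Caller, Mailbox, Succeeded, Parameters -AutoSize

# 4. Flag the case the post tests: the caller granting FullAccess to himself.
#    Caller is recorded as a canonical name (domain/OU/Name); the User parameter
#    is whatever was typed (Name or DOMAIN\Name), so compare the last components.
$selfGrants = $events | Where-Object {
    $ev     = $_
    $user   = ($ev.CmdletParameters | Where-Object { $_.Name -eq 'User' }).Value
    $rights = ($ev.CmdletParameters | Where-Object { $_.Name -eq 'AccessRights' }).Value
    $user -and ($rights -match 'FullAccess') -and
        ($user.Split('\')[-1] -eq $ev.Caller.Split('/')[-1])
}
$selfGrants | Format-Table RunDate, Caller, ObjectModified, OriginatingServer -AutoSize
```

Because Search-AdminAuditLog reads the system mailbox rather than the MSExchange Management event log, this query returns the entry the Event Viewer search missed.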



So we do have a trace of XADMIN granting himself Full Access to the mailbox of Alan Reid (and earlier to Alex Heyne's mailbox) but if it cannot be found in the Event Viewer... then where is it coming from?

The admin audit logs are stored in a folder of a system mailbox that is not displayed in the EMC.

We can see the system mailboxes with this command:

Get-Mailbox -Arbitration



However, there are two system mailboxes. Which one holds the admin audit logs?

I thought these properties might distinguish the mailbox in question...



But not really...

I thought we could use the Get-MailboxFolderStatistics cmdlet to view the different folders of each of the system mailboxes - but first I want to set a variable to represent the mailbox (and avoid having to deal with the long name).

$SM1 = Get-Mailbox -Arbitration "SystemMailbox{1f05a927-dd92-45c6-8e7e-3ee6d8fdb1e4}"

$SM2 = Get-Mailbox -Arbitration "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}"

Note: the cmdlet did not work if I did not specify -Arbitration

There is nothing about admin audit logs in the first of the two system mailboxes.

$SM1 | Get-MailboxFolderStatistics | fl name

I have better luck with the second system mailbox:

$SM2 | Get-MailboxFolderStatistics | fl name

There is probably a better method to reach the same result: there were a lot of unnecessary folders listed with the commands above, so many that I've opted not to post the excessive output.

Knowing that the pertinent folders contain the word "audit", I'll attempt the following:

[PS] C:\>$SM2 | Get-MailboxFolderStatistics | where {$_.Name -contains "audit"}
[PS] C:\> [Note: no results here]
[PS] C:\>$SM2 | Get-MailboxFolderStatistics | where {$_.Name -match "audit"}

The first command returns nothing because -contains is a collection-membership operator (it tests whether an array contains an element equal to the right-hand value), not a substring test; -match performs the regular-expression comparison we actually want. The last command above displays the folders in question, but with each and every property.

This is much neater:

[PS] C:\>$SM2 | Get-MailboxFolderStatistics | where {$_.Name -match "audit"} | fl Name

Name : AdminAuditLogSearch

Name : MailboxAuditLogSearch

Name : AdminAuditLogs



In any event, we have located the admin audit logs.
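The same hunt, generalised into an added example (not code from the original post): rather than inspecting the two system mailboxes by hand, this walks every arbitration mailbox, reports which ones carry the audit folders named above together with the server and database each mailbox currently lives on, and keeps a handle on the mailbox holding AdminAuditLogs without hard-coding its GUID. It also shows -contains used correctly, with the array on the left-hand side. The only assumption is that the Exchange snap-in is loaded.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010 snap-in
# is loaded. The folder names are the ones the post found.
$auditFolders = 'AdminAuditLogs', 'AdminAuditLogSearch', 'MailboxAuditLogSearch'

$report = foreach ($mbx in Get-Mailbox -Arbitration) {
    # -contains works here because the array is the left operand and we are
    # asking whether it holds an element equal to the folder name.
    $found = $mbx | Get-MailboxFolderStatistics |
        Where-Object { $auditFolders -contains $_.Name }
    foreach ($f in $found) {
        New-Object PSObject -Property @{
            SystemMailbox = $mbx.Name
            Server        = $mbx.ServerName
            Database      = $mbx.Database
            Folder        = $f.Name
            Items         = $f.ItemsInFolder
            Size          = $f.FolderSize
        }
    }
}

if (-not $report) {
    Write-Warning 'No audit folders found in any arbitration mailbox.'
} else {
    $report | Format-Table SystemMailbox, Server, Database, Folder, Items, Size -AutoSize

    # Equivalent of the post's $SM2, resolved by folder content rather than GUID.
    $auditMailboxName = ($report | Where-Object { $_.Folder -eq 'AdminAuditLogs' } |
        Select-Object -First 1).SystemMailbox
    $auditMailbox = Get-Mailbox -Arbitration $auditMailboxName
    "Admin audit logs are held by $($auditMailbox.Name) on $($auditMailbox.ServerName)"
}
```

The Server and Database columns matter when the mailbox sits in a DAG, since the active copy can move between servers and the item count is only meaningful on the copy you are looking at.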


***


Another question arises in my mind: what if we purge the MSExchange Management event log?

I would predict that this would NOT delete the admin audit logs, since they are not stored there in the first place, unless by some mechanism the command to purge the MSExchange Management log also acts on the admin audit logs in the system mailbox.

First, I want to provide these additional details on the system mailbox:



I then purge the log on EX13-2:






There is no change. There are still 49 items in the folder and I can still find examples of the Add-MailboxPermission cmdlet (using the Search-AdminAuditLog cmdlet).

Remember that the system mailbox in question resides on EX13-1 (at least for the time being, since the mailbox is part of a DAG and could become active on EX13-2).

What if I purge the MSExchange Management log on EX13-1? As far as the audit logs are concerned, nothing. There are still 49 items in the folder and we can still retrieve examples of use of the Add-MailboxPermission cmdlet with Search-AdminAuditLog.

We should also remember that if a log is cleared, that too creates an entry (in the System log):
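The two checks this section relies on, as an added example (not code from the original post): first, that clearing the MSExchange Management log left a record in the System log on each server; second, that the AdminAuditLogs folder and the entries Search-AdminAuditLog returns are unaffected. It assumes the Exchange snap-in is loaded and that $SM2 has been set as earlier in the post; EX13-1 and EX13-2 are the post's server names. Windows records a cleared application or system log as Event ID 104 from the Microsoft-Windows-Eventlog provider in the System log, with the log's name in the message, which is what the filter below relies on.

```powershell
# Added example, not from the original post. Assumes the Exchange snap-in is
# loaded and $SM2 (the system mailbox holding AdminAuditLogs) is set as in the
# post. EX13-1 and EX13-2 are the post's server names.
$servers = 'EX13-1', 'EX13-2'

# (a) Event ID 104 in the System log is written when a log is cleared; the
#     message names the cleared log, so keep only the MSExchange Management case.
foreach ($srv in $servers) {
    Get-WinEvent -ComputerName $srv -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Eventlog'
        Id           = 104
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MSExchange Management' } |
    Select-Object MachineName, TimeCreated, UserId, Message
}

# (b) The admin audit entries live in the system mailbox, not in the event log,
#     so the folder's item count should be unchanged after the purge.
$folder = $SM2 | Get-MailboxFolderStatistics | Where-Object { $_.Name -eq 'AdminAuditLogs' }
"AdminAuditLogs on $($SM2.ServerName): $($folder.ItemsInFolder) items"

# Search-AdminAuditLog reads that folder, so the earlier grants remain retrievable.
# @() guarantees .Count works for a single result under PowerShell 2.
$hits = @(Search-AdminAuditLog -Cmdlets Add-MailboxPermission)
"Add-MailboxPermission entries still retrievable: $($hits.Count)"
```

Run (a) before and after the purge on both DAG members: a clear on the passive node leaves the active copy's folder untouched, and a clear on the active node, as the post found, does not touch the system mailbox either.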



***


So we have answered two questions. First, Exchange cmdlets executed in PowerShell (after importing the Exchange module) are not logged in the MSExchange Management log but are logged in the admin audit logs. Second, the admin audit logs are stored in the folder of a system mailbox. Even if the MSExchange Management log is cleared, the admin audit logs remain.

