Adding Read-only permissions to Exchange 2007 Auditing Logs


Hi,

I was asked today to add a permission to the Exchange Auditing log, which is included with Exchange 2007 SP2 installations to simplify auditing. After activating Mailbox Access Auditing, I was requested to grant read-only permissions to the IT Security group.

What seemed to be quite straightforward soon turned into a lesson in the SDDL ACL format…

Here’s the quick how-to:

– Note: this was done on a Windows 2008 server.

  1. Identify the SID of the user/group you wish to allow access to.
    Using PowerShell (the Exchange Management Shell) you can easily find it, e.g.:
    Get-User | Select SID
    Get-Group | Select SID
  2. Then, following this KB (which was the simplest and most self-explanatory one), add the appropriate permissions:
    http://support.microsoft.com/kb/2028427
    In short: each event log is located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
    The Exchange Auditing log is also located there, and in its key you will find an existing CustomSD string value holding the ACLs in SDDL format (more info in the links I added below).
    I was required to add read-only permissions to the IT Audit group, which is a “regular” group without special domain / enterprise rights,
    so in my case I used the following ACE (access mask 0x1 = read):
    (A;;0x1;;;[Your Group Name/user account SID])
    and appended it to the existing CustomSD value.
  3. Restart the server.
  4. Now the user/group can access the Exchange Auditing log from any computer 🙂
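As an added example (not part of the original post), here are the steps above as a single PowerShell script. It resolves the SID with .NET's NTAccount.Translate instead of Get-User/Get-Group, so it runs without the Exchange shell; the group name and the log's key name under EventLog are assumptions you need to adjust, and it refuses to stack a duplicate ACE if the group is already listed.

```powershell
# Added example, not code from the original post.
# Assumptions: $Group and $LogName are placeholders for your group and the
# registry key name of the log under ...\Services\EventLog. Run elevated.
$Group   = 'CONTOSO\IT Security'     # placeholder group name
$LogName = 'Exchange Auditing'       # assumed key name of the auditing log

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
if (-not (Test-Path $key)) { throw "Event log key not found: $key" }

# Step 1: resolve the group to its SID (same value Get-Group | Select SID shows).
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Step 2: read the existing CustomSD and make sure it parses as valid SDDL.
$current = (Get-ItemProperty -Path $key -Name CustomSD).CustomSD
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)

# Do not append a second ACE if the group already appears in the DACL;
# report what it already has instead.
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.SecurityIdentifier.Value -eq $sid) {
        Write-Warning ("{0} ({1}) already has an ACE: {2}, mask 0x{3:x}" -f `
            $Group, $sid, $ace.AceType, $ace.AccessMask)
        return
    }
}

# Build the allow ACE with access mask 0x1 (read) and validate the combined
# descriptor before touching the registry; a malformed string would throw here.
$ace = "(A;;0x1;;;$sid)"
$new = $current + $ace
$null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)

# Keep a copy of the old value so the change can be rolled back.
$backup = Join-Path $env:TEMP ("CustomSD-{0}.bak" -f ($LogName -replace '\s', '_'))
Set-Content -Path $backup -Value $current
Set-ItemProperty -Path $key -Name CustomSD -Value $new

Write-Host "Appended $ace to $key\CustomSD (old value saved to $backup)."
Write-Host "Restart the server (step 3) for the new permission to take effect."
```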

Links:

http://technet.microsoft.com/en-us/library/ee331009%28EXCHG.80%29.aspx – White Paper: Configuration and Mailbox Access Auditing for Exchange 2007 Organizations
http://support.microsoft.com/kb/2028427 – Writing to the Windows Event Log from an ASP.NET or ASP application fails.
http://support.microsoft.com/kb/323076 – How to set event log security locally or by using Group Policy in Windows Server 2003 – Also useful if you’d like to set this via GPO
http://blogs.technet.com/b/askds/archive/2008/05/07/the-security-descriptor-definition-language-of-love-part-1.aspx
http://blogs.technet.com/b/askds/archive/2008/05/07/the-security-descriptor-definition-language-of-love-part-2.aspx
http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx

Happy Auditing !


About ilantz

I am a technology enthusiast. I've been working as an IT consultant since late 2007 and have attained extensive experience with Microsoft's Exchange Server, Active Directory, Forefront products and the Windows Server platform. I love designing solutions, handling security measures, architecture and advanced troubleshooting.
This entry was posted in Exchange 2007, Server 2008 / R2.
