StellarReporter & Auditor for Exchange Server

toogle

Stellar Reporter & Auditor for Exchange Server/3. Getting Started/3.5. Configuration and Settings/3.5.2. Exchange Server Configuration Settings

3.5.2. Exchange Server Configuration Settings

Configuration Required for Auditor:

Auditor reports are generated using events recorded in Event Viewer logs. To get auditor reports following configurations are required:

1. Configuring Exchange Servers for Exchange Auditing

Diagnostic Loggingshould be configured in Exchange Servers to gain access toMailbox Logon reports. Upon configuration, the mailbox logon events are recorded in the ′Application Log′ in ′Event Viewer′ and further used for generating Mailbox Logon reports. This topic explains the procedure to set the Diagnostic Logging levels using the Exchange Management Shell and Exchange Management Console.

Use Exchange Management Shell to configure Exchange Server 2007, 2010, 2013, 2016:

  1. OpenExchange Management ShellfromStart->Programs->Microsoft Exchange.

  2. Run the following command.

Set-EventLogLevel "MSExchangeIS\9000 Private\Logons" –Level Expert

OR

Use Exchange Management Console to configure Exchange Server 2007 and 2010

  1. OpenExchange Management ConsolefromStart -> All Programs -> Microsoft Exchange.

  2. In theconsole tree, navigate toServer configuration -> Mailbox

  3. Right click on theserverand selectManage Diagnostic Logging Properties.

  4. On the Manage Diagnostic Logging Properties wizard page, expandMSExchangeIS --> 9000 Private and select Logons service.

  5. Set thelogging levelasExpert.

  6. ClickConfigure.

2. Configuring Domain Controllers for Exchange Auditing

Default Domain Controller Policyshould be configured for accessingMailbox Property Changesand邮箱的权限更改reports. Upon configuration, events related to mailbox permission and property changes will be recorded in the ′Security Log′ in ′Event Viewer′. Based on these event details, the Permission and Property Change reports are generated.

Configuring Default Domain Controller Policy:

  1. Log on to aDomain Controllerusing anadministrative account.

  2. IfWindows 2008server, openGroup Policy ManagementfromStart -> Administrative tools.

  3. Navigate toForestName -> Domains -> DomainName -> Group Policy Objects -> Default Domain Controller Policy点击右键,Editit.

  4. Navigate toComputer Configuration -> Policies-> Windows Settings -> Security Settings -> Local Policies.

  5. SelectAudit Policy.

  6. IfWindows 2003server, selectDomain Controller Security PolicyfromStart -> Administrative tools. UnderLocal Policies, SelectAudit Policy.

  7. In the right pane, double click the following policies and enable "Success" and "Failure" settings.

    • Audit directory service access

    • Audit objects access.

  8. ClickOK.

3. Configuring Object level Auditing (Domain Partition)

Object level Auditing (Domain Partition)should be configured for accessingMailbox Property Changesand邮箱的权限更改reports. Upon configuration, events related to mailbox permission and property changes will be recorded in the 'Security Log' in 'Event Viewer'. Based on these event details, the Permission and Property Change reports are generated.

  1. OpenActive Directory Users and ComputersfromStart -> Administrative Tools.

  2. SelectAdvanced FeaturesfromView menuto view the advanced security settings.

  3. In the left pane, right click on theDomainand select"Properties".

  4. Under theSecurity tab, click"Advanced"to open the“高级安全设置域”window.

  5. Under theAuditing tab, click"Add"to add the security principal object to which the policy will be applied.

  6. Enter the object name as"Everyone"and click ok. This opens the"Auditing Entry for the domain"

  7. Specify theApply Ontofield as follows

    • IfWindows Server 2008, Select"Descendant User objects"

    • IfWindows Server 2003, Select "User Objects"

    • Select"Successful"for the following Access

      • Write All Properties

      • 删除

      • Modify Permissions

      • All Extended Rights

    • ClickOK.

4. Configuring Object level Auditing (Configuration Partition)

Object level Auditing (Configuration Partition)should be configured for accessingOrganization Changereports. Upon configuration, events related to organization changes will be recorded in the 'Security Log' in 'Event Viewer'. Based on these event details, the Organization Change reports are generated.

  1. OpenADSI EditfromStart -> Administrative Tools.

  2. SelectConfiguration Partition.

  3. In the left pane, right click on theCN=Configurationand select"Properties".

  4. Under theSecurity tab, click"Advanced"to open the"Advanced Security Settings for Configuration"window.

  5. Under theAuditing tab, click"Add"to add the security principal object to which the policy will be applied.

  6. Enter the object name as"Everyone"and click ok. This opens the"Auditing Entry for Configuration"

  7. Select the following Access

    • Write All Properties

    • 删除

    • Modify Permissions

    • All Extended Rights

    • Create all child objects

    • Specify the apply Onto field as follows

      • IfWindows Server 2003, Select"This object and all child objects".

      • IfWindows Server 2008, Select"This object and all descendant objects".

    • Select the type as"Successful".

    • ClickOK.