Monday, March 31, 2008

Exchange & "Manage auditing and security log" - OUCH!!!

So last week one of our security engineers emailed me with a request to be able to read all of the security logs on workstations and servers in the enterprise. Seemed like a simple enough request but...

By default everyone can view the System and Application logs, but only administrators can view the Security logs. I did not want to grant our security guy domain admin rights (so that he could also view the logs on our domain controllers), but knew that he would need to tweak auditing settings. The "Manage auditing and security log" group policy setting looked like a nice easy solution to the problem.

The setting's description reads as follows:

This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.

This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be enabled, the Audit object access setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies must be configured.

You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.

After getting approval to implement the setting, I proceeded to make the following changes.
  • Created a security group called "Global Event Log Auditors" and added our security engineer to that group.
  • The "Manage auditing and security log" settings had already been defined in the Default Domain Controllers policy so I just added my security group to the accounts listed.
  • I enabled the setting on the Default Domain Policy and added "Global Event Log Auditors" to the policy.
All set (or so I thought). This all took place at about 5:30pm when most of the users had already gone home. At about 5:45pm, my System Center Operations Manager began throwing out alerts that the Information Stores on one of our Exchange servers (2003 flavor) had gone offline. I reacted right away, but made absolutely no connection to the change that I had made earlier. I repeatedly tried to mount the stores, but struck out each time!

The following alert kept popping up after the failed mount:

The store could not be mounted because the Active Directory information was not replicated yet.

After several failed mounting attempts (blush), I googled the error. To my horror, the following KB came up:

http://support.microsoft.com/kb/896703

Issues that may occur when the "Manage auditing and security log" permission is removed from the Exchange Enterprise Servers group in Exchange 2000 Server


So...by defining the policy, I actually overwrote/removed the "Exchange Enterprise Servers" group's auditing permissions defined locally on the Exchange servers. YIKES...I quickly added the "Exchange Enterprise Servers" group to the "Manage auditing and security log" setting in the Default Domain Policy, forced a gpupdate on the Exchange box and was back in business.

Luckily the blunder had not taken effect on our other Exchange servers yet!
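The lesson above is that a user rights assignment defined in a domain GPO replaces, rather than merges with, whatever is set locally on each machine. The following PowerShell is an added example, not from this post: run on a server before the GPO is defined, it exports the current holders of SeSecurityPrivilege (the privilege behind "Manage auditing and security log") and reports which of them the planned GPO list would drop. The CONTOSO domain name and the contents of $PlannedHolders are placeholders; it must run as a local administrator on Windows.

```powershell
# Added example, not from the original post. Run as a local administrator on the
# server being checked. Domain and group names are placeholders, apart from the
# two groups the post itself names.

# Accounts the planned domain GPO will assign to "Manage auditing and security log".
$PlannedHolders = @(
    'CONTOSO\Global Event Log Auditors',    # placeholder domain name
    'CONTOSO\Exchange Enterprise Servers',  # placeholder domain name
    'BUILTIN\Administrators'
)

# Export the effective user rights assignment. "Manage auditing and security log"
# appears in the export as SeSecurityPrivilege.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Get-Content -Path $cfg | Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' }
if (-not $line) { throw 'SeSecurityPrivilege not present in the secedit export' }

# Export format: SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...  (SIDs prefixed with *)
$currentEntries = @((($line -split '=', 2)[1]) -split ',' |
    ForEach-Object { $_.Trim().TrimStart('*') } |
    Where-Object { $_ })

# Resolve SIDs to DOMAIN\Name so the report is readable; keep the raw value otherwise.
$currentHolders = @(foreach ($entry in $currentEntries) {
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $entry }
})

# GPO assignment is replace-not-merge: anything in $currentHolders but not in
# $PlannedHolders loses the right as soon as the policy applies.
$dropped = @($currentHolders | Where-Object { $PlannedHolders -notcontains $_ })
$added   = @($PlannedHolders | Where-Object { $currentHolders -notcontains $_ })

Write-Host "Current holders : $($currentHolders -join ', ')"
Write-Host "Would be added  : $($added -join ', ')"
if ($dropped.Count -gt 0) {
    # On an Exchange 2003 server this list will include Exchange Enterprise Servers
    # unless it was explicitly added to the GPO, which is what took the stores down.
    Write-Warning "Would be DROPPED: $($dropped -join ', ')"
    exit 1
}
```

Run it on each server class (Exchange, domain controllers, workstations) before linking the policy, since each may carry a different local list.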
