Security Manager for Microsoft Exchange

Release Notes

Date Published: May 2010

 
 

 

Security Manager for Microsoft Exchange helps secure your enterprise from internal and external attacks. The product monitors your Microsoft Exchange environment for various changes to Exchange settings and objects, including mailboxes, message retention policies, and email accounts. For example, this module enables you to perform the following tasks:

  • Detect changes to Exchange configuration objects
  • Detect undeliverable email messages
  • Detect quarantined spam messages
  • Detect attempts by unknown mobile devices to sync
  • Monitor the flow of email traffic and troubleshoot potential issues
  • Monitor the status of anti-spam or content filtering
  • Monitor voice mailbox access
  • Monitor POP3 and IMAP4 access to the Exchange server

Security Manager for Microsoft Exchange also collects events from logs and stores them in secure repositories so you can archive this data, create reports for management or auditing purposes, and analyze critical events to research issues.

This module for the Security Manager product includes several new features. You can post feedback in the NetIQ Security Manager forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups.

This document outlines why you should install this module, lists installation requirements, and identifies known issues.

Supported Products

For the latest information about supported software versions and the availability of module updates, visit the Security Manager Supported Products page at www.netiq.com/support/sm/supportedproducts/default.asp. If you encounter problems using this module with a later version of your application, contact NetIQ Technical Support.

This release supports the following products:

  • Microsoft Exchange Server 2007
  • Microsoft Exchange Server 2010

Note
The Mailbox Access Auditing feature of Microsoft Exchange is available only when you install Microsoft Exchange Server 2007 Service Pack 2. Security Manager cannot monitor Mailbox Access Auditing logs in Microsoft Exchange Server 2007, Microsoft Exchange Server 2007 Service Pack 1, or Microsoft Exchange Server 2010 environments.


Why Install This Module?

Security Manager for Microsoft Exchange monitors events on Microsoft Exchange servers to detect a variety of occurrences and alert you to them. When significant events occur, Security Manager sends alerts to the consoles and can notify your staff so they can quickly take corrective action.


System Requirements

The following table lists additional requirements for a Windows agent. For more information about agent requirements, see the Installation Guide for NetIQ Security Manager.

Category: Requirement
Processor: 1.5 GHz Intel Pentium III or equivalent.
Memory: 40 MB minimum. The amount of memory usage varies and depends on the environment, including event rate and other factors.
Operating System: All supported Windows agent platforms.
Software:
  • Ensure you have Security Manager 6.5 or later installed.
  • Ensure you have the latest version of the Security Manager for Windows module installed. The Security Manager for Microsoft Exchange module requires Security Manager for Windows to function correctly.
  • Ensure you have the latest version of the Security Manager Self-Monitoring module installed. This module is required for optimum functionality of the product.
  • Ensure you have a supported version of Microsoft Exchange installed.
  • Install the Windows agent on a domain controller in your configuration group.
  • Install the Windows agent on a separate computer from the Security Manager database server or central computer.


Installing This Module

Install this module using the Module Installer utility. If this is the first time you have installed the module, ensure you also add a license. For more information about installing modules, see the Installation Guide for NetIQ Security Manager.

You can verify successful installation of the module in the Module Installer. After the installation completes, verify the Status column indicates the module is current and the module version listed in the Installed Version column is the same as the version in the Available Version column.

Note
After you install the module on the central computer, the central computer automatically detects which domain controllers in your environment have agents installed and deploys the module rules to only those agents.

After you install the module, enable Active Directory auditing and configure your Microsoft Exchange servers so Security Manager can monitor Exchange events.

You can also run the Configuration Wizard to configure the module to enable archiving of Mailbox Access Auditing events, message tracking events, and Message Records Management (MRM) events. The Configuration Wizard includes steps for enabling auditing of each type of event log. For more information about using the Configuration Wizard, see the User Guide for NetIQ Security Manager.

Before you can configure Security Manager to monitor Exchange logs, you must know where Microsoft Exchange stores the logs. To find this location, use the Exchange Management Shell to run one of the commands listed in the table below on your Microsoft Exchange server.

After you find the log location, navigate to the location specified on the Exchange server and copy the full path to the folder that contains the log or logs. To enable Security Manager to monitor Exchange logs, you must let Security Manager know where to look for the logs. Add the system environment variables listed in the table below to each agent computer with Exchange installed, where each system environment variable corresponds to the location of a particular log file on the computer.

Exchange Management Shell command syntax: Get-AgentLog
Environment variable name: AGENTLOGLOCATION
Environment variable value: The folder on the local hard drive where Microsoft Exchange stores the anti-spam agent log files. Microsoft Exchange agent logging is enabled by default.

Exchange Management Shell command syntax: Get-MailboxServer ServerName | fl MessageTrackingLogPath
Environment variable name: MESSAGETRACKINGLOGLOCATION
Environment variable value: The folder on the local hard drive where Microsoft Exchange stores the message tracking log files. ServerName is the name of the Exchange server computer.

Exchange Management Shell command syntax: Get-MailboxServer ServerName | fl LogPathForManagedFolders
Environment variable name: MRMLOGLOCATION
Environment variable value: The folder on the local hard drive where Microsoft Exchange stores the MRM log files. ServerName is the name of the Exchange server computer.

For more information about setting environment variables, see the Microsoft Windows documentation.
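
The following PowerShell sketch is an added example, not part of the NetIQ documentation. It sets the three system environment variables named above at machine scope and reads each one back. The folder paths are constructed placeholders, the function name Set-ExchangeLogVariable is hypothetical, and the script assumes PowerShell 2.0 or later in an elevated session on the agent computer.

```powershell
# Added example: paths are constructed placeholders. Replace each value with
# the full folder path you copied from the Exchange server.
$logLocations = @{
    AGENTLOGLOCATION           = 'D:\ExampleLogs\AgentLog'
    MESSAGETRACKINGLOGLOCATION = 'D:\ExampleLogs\MessageTracking'
    MRMLOGLOCATION             = 'D:\ExampleLogs\ManagedFolders'
}

# Hypothetical helper: validates each folder, writes the variable at machine
# (system) scope, then reads it back so a silent failure is visible.
function Set-ExchangeLogVariable {
    param([hashtable]$Locations)

    foreach ($name in $Locations.Keys) {
        $path = $Locations[$name]

        # Refuse to record a location that does not exist on this computer;
        # a wrong path would leave the agent watching an empty location.
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            Write-Warning "$name not set: '$path' is not an existing folder."
            continue
        }

        # 'Machine' scope creates a system variable, not a per-user one.
        [Environment]::SetEnvironmentVariable($name, $path, 'Machine')

        $stored = [Environment]::GetEnvironmentVariable($name, 'Machine')
        New-Object PSObject -Property @{
            Name    = $name
            Value   = $stored
            Matches = ($stored -eq $path)
        }
    }
}

Set-ExchangeLogVariable -Locations $logLocations
```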


Enabling and Configuring Microsoft Exchange Auditing

Before Security Manager can monitor Microsoft Exchange events, you must enable and configure Microsoft Exchange auditing. Microsoft Exchange stores configuration information not within Exchange itself but within a set of Active Directory (AD) objects. Every time a user or administrator creates, deletes, or modifies an Exchange AD object, AD logs an event. To monitor Exchange, you must enable and configure several different Active Directory settings and objects for Exchange, as well as logging for Mailbox Access Auditing, message tracking, and MRM.

To enable and configure Microsoft Exchange auditing:

  1. If the Exchange server is running Windows Server 2003, use the Group Policy Management Console to enable the Audit policy change policy setting in the Default Domain Controllers Policy, including both successful and failed attempts to change audit policies. For more information about modifying group policy settings in Windows Server 2003 environments using the Group Policy Management Console, see the Microsoft documentation.
  2. If the Exchange server is running Windows Server 2008, use the Auditpol command to view and enable the Audit Policy Change and Directory Service Changes security settings. For more information about modifying auditing settings in Windows Server 2008 environments using Auditpol, see the Microsoft documentation.
  3. If the Exchange server is running Windows Server 2008, use the Active Directory Service Interfaces Editor (ADSI Edit) tool to enable baseline auditing for Microsoft Exchange Configuration Objects. Add a permission entry for the group Everyone to the Microsoft Exchange Properties and select Allow for the following settings:
    • Write all properties
    • Delete
    • Delete subtree
    • Modify permissions
    • Modify owner
    • All validated writes
    • All extended rights
    • Create all child objects
    • Delete all child objects
    For more information about modifying group policy settings in Windows Server 2008 environments using ADSI Edit, see the Microsoft documentation.
  4. Use Active Directory Users and Computers to enable auditing for Active Directory user, group, msExchDynamicDistributionList, and contact objects in the Configuration and Default Naming contexts. Add an auditing entry for the group Everyone and select each of the following groups in the Apply onto list:
    • User Objects (Windows Server 2003) / Descendant User objects (Windows Server 2008)
    • Group Objects (Windows Server 2003) / Descendant Group objects (Windows Server 2008)
    • msExchDynamicDistributionList objects (Windows Server 2003) / Descendant msExchDynamicDistributionList objects (Windows Server 2008)
    • Contact Objects (Windows Server 2003) / Descendant Contact objects (Windows Server 2008)
    For each group, select Successful for all access entries you want to audit. For more information about using Active Directory Users and Computers, see the Microsoft documentation. For more information about specific information to audit, see the Microsoft TechNet White Paper "Configuration and Mailbox Access Auditing for Exchange 2007 Organizations."
  5. Use the Exchange Server Diagnostic Logging Console to enable Mailbox Access Auditing. For more information about configuring Mailbox Access Auditing, see the Configuration Wizard Help for this module.
  6. After you install Security Manager and Security Manager for Microsoft Exchange, open the Configuration Wizard and click Support for Email Servers and Groupware, then click Configure the module for Microsoft Exchange. Use the Configuration Wizard to enable archiving of Messaging Records Management, message tracking, and Mailbox Access Auditing events.
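
As an added example for step 2 (not taken from the NetIQ or Microsoft documentation), the following PowerShell script uses Auditpol to view the two subcategories named in that step and enables any that are not already audited. It assumes an elevated PowerShell 2.0 or later session, English-language Auditpol output, and that both success and failure auditing are wanted; the function name Get-AuditSetting is hypothetical.

```powershell
# Subcategory names as given in step 2 of the procedure.
$required = 'Audit Policy Change', 'Directory Service Changes'

# Hypothetical helper: returns the current setting for one subcategory,
# for example 'No Auditing', 'Success', 'Failure' or 'Success and Failure'.
function Get-AuditSetting {
    param([string]$Subcategory)

    # /r prints the result as CSV; drop blank lines before parsing.
    $csv = auditpol /get "/subcategory:$Subcategory" /r |
        Where-Object { $_ -and $_.Trim() }
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /get failed for '$Subcategory' (run elevated?)"
    }

    # Assumption: English column name 'Inclusion Setting'.
    ($csv | ConvertFrom-Csv | Select-Object -First 1).'Inclusion Setting'
}

foreach ($name in $required) {
    $before = Get-AuditSetting $name

    # Change the policy only when it is not already fully enabled.
    if ($before -ne 'Success and Failure') {
        auditpol /set "/subcategory:$name" /success:enable /failure:enable |
            Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol /set failed for '$name'"
        }
    }

    # Report the state before and after so the change is recorded.
    New-Object PSObject -Property @{
        Subcategory = $name
        Before      = $before
        After       = (Get-AuditSetting $name)
    }
}
```

Category-level audit settings delivered by Group Policy can overwrite subcategory settings made with Auditpol, so run the check again after the next policy refresh.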

For more information about configuring Microsoft Exchange auditing, see the Microsoft documentation and the Microsoft TechNet White Paper "Configuration and Mailbox Access Auditing for Exchange 2007 Organizations." For more information about configuring Security Manager to monitor Microsoft Exchange, see the Configuration Wizard Help.


Contact Information

Please contact us with your questions and comments. We look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.

