Auditing the Environment


Auditing gathers and keeps track of activity on the network, devices, and entire systems. By default, Windows Server 2003 enables some auditing, although many other auditing functions must be manually turned on. Windows Server 2003 auditing should be used together with Exchange Server 2003 auditing to customize your auditing requirements and provide comprehensive information that can be analyzed.

Auditing is typically used for identifying security breaches or suspicious activity. However, auditing is also important to gain insight into how the Exchange Server 2003 systems are performing and how they are accessed. Exchange Server 2003 offers three types of auditing: audit logging, protocol logging, and message tracking.

Audit Logging

Exchange Server 2003 uses Windows Server 2003 audit policies to audit how users access and use Exchange servers, as shown in Figure 19.1. Audit policies are the basis for auditing events on a Windows Server 2003 system. Depending on the policies set, auditing might require a substantial amount of server resources in addition to those supporting the server's functionality; without them, auditing could slow server performance. Also, collecting lots of information is only as good as the evaluation of the audit logs. In other words, if a lot of information is captured and it takes a significant amount of effort to evaluate those audit logs, auditing is less effective. As a result, it's important to take the time to properly plan how the system will be audited. This enables you to determine what needs to be audited, and why, without creating an abundance of overhead.

Figure 19.1. Windows Server 2003 audit policies.


NOTE

To audit Exchange Server 2003 usage, enable object access auditing. You can audit both successful and unsuccessful events.


Protocol Logging

Protocol logging is great for troubleshooting issues with the mail system protocols SMTP, NNTP, or HTTP. It can give you information regarding messaging commands that a user sends to the Exchange Server 2003 server. This includes, but isn't limited to, IP address, bytes sent, data, time, protocol, and domain name.

With the exception of auditing HTTP, which is performed using the IIS snap-in, SMTP and NNTP auditing is enabled through the ESM. To enable protocol logging, follow these steps:

  1. Start the ESM by selecting Start, All Programs, Microsoft Exchange, System Manager.

  2. In the left pane, expand Servers, Server Name, Protocols and find the protocol for which you want to enable logging.

  3. In the right pane, right-click on the protocol's virtual server and select Properties.

  4. On the General tab, select the Enable logging check box.

  5. From the drop-down list that appears, select the logging format for auditing the protocol. You can choose from Microsoft IIS Log File Format, NCSA Common Log File Format, ODBC Logging, and W3C Extended Log File Format.
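
When W3C Extended Log File Format is chosen in step 5, each log file names its own columns in a #Fields directive, so a reviewer can parse it and summarize activity per client. The following Python is an added example, not code from the book or from Microsoft; the sample log lines, the field selection, and the threshold of three rejections are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of an SMTP protocol log in W3C Extended Log File Format.
# Documentation-range addresses; the logged field selection is an assumption.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-query sc-status sc-bytes
2004-03-01 10:15:02 192.0.2.10 HELO +mail.example.com 250 41
2004-03-01 10:15:02 192.0.2.10 MAIL +FROM:<a@example.com> 250 45
2004-03-01 10:15:03 192.0.2.10 RCPT +TO:<b@example.org> 250 30
2004-03-01 10:16:10 198.51.100.7 HELO +probe 250 41
2004-03-01 10:16:11 198.51.100.7 RCPT +TO:<x@example.net> 550 48
2004-03-01 10:16:12 198.51.100.7 RCPT +TO:<y@example.net> 550 48
#Fields: date time c-ip cs-method sc-status
2004-03-01 10:16:13 198.51.100.7 RCPT 550
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # other directives (#Version, #Date) carry no entries
        values = line.split()
        if not values or len(values) != len(fields):
            continue  # blank or truncated entry: skip rather than misalign
        # "-" marks a field that has no value for this entry
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}

def summarize_by_client(text):
    """Per client IP: command count, rejected (5xx reply) count, bytes sent."""
    stats = defaultdict(lambda: {"commands": 0, "rejected": 0, "bytes_sent": 0})
    for entry in parse_w3c(text):
        s = stats[entry.get("c-ip")]
        s["commands"] += 1
        if (entry.get("sc-status") or "").startswith("5"):
            s["rejected"] += 1
        s["bytes_sent"] += int(entry.get("sc-bytes") or 0)
    return dict(stats)

def noisy_clients(text, min_rejected=3):
    """Client IPs with at least min_rejected 5xx replies, for analyst review."""
    return sorted(ip for ip, s in summarize_by_client(text).items()
                  if s["rejected"] >= min_rejected)
```

Because the parser re-reads #Fields whenever it appears, it keeps working if the set of logged fields is changed partway through a file.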

Message Tracking

Out of the three auditing techniques that you can use specifically with Exchange Server 2003, message tracking is by far the least resource-intensive. For this reason, it's more than just a troubleshooting tool. You can use message tracking also for statistical analysis, reporting, and deducing where a message is located in the system.

Message tracking is enabled within the ESM. Expand Servers and then open the properties of the Exchange Server 2003 server for which you want to enable message tracking. Select Enable message tracking on the General tab, as shown in Figure 19.2. Click OK when the information window displays. Optionally, you can select Enable subject logging and display.

Figure 19.2. Enabling message tracking.


The information captured by message tracking is kept in the Exchsrvr\<servername>.log file, for example, %SystemDrive%\Program Files\Exchsrvr\server2.log. To conserve disk space, you can configure Exchange to remove the log file after it is a specified number of days old. As you can see in Figure 19.3, at first glance the log file might appear somewhat cryptic. It is full of useful information, however, that can be used to track down messages.

Figure 19.3. Viewing the message tracking log.




Microsoft Exchange Server 2003 Unleashed
Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
Year: 2003
Pages: 393
Authors: Rand Morimoto
