In this article we look at the key points to keep in mind when setting up mailbox auditing.
An organization contains many mailboxes. They belong to people in different departments and may have different privacy settings, depending on the type of user they belong to. Some mailboxes are maintained only for Discovery, to demonstrate compliance with legal requirements. There may be instances where someone attempts to gain control of, or access to, another user's mailbox for malicious purposes such as obtaining sensitive data or tampering with account settings.
Auditing Mailbox Access
Exchange editions launched before 2010 did not have sufficient compliance features. The Auditing Mailbox Access feature was introduced with the 2010 edition of MS Exchange. It records the activities taking place in a mailbox, which greatly helps in keeping a record of all the delete or duplication actions performed there. To use it, you first select the particular commands to audit for a given mailbox; only the commands selected for auditing on that mailbox will be recorded. Once you have configured the feature for a mailbox and decided its scope, meaning how much detail you want it to record, you can find the audit entries in the Audit subfolder, which is located in the Recoverable Items folder.
Things to keep in mind while using Auditing Mailbox Access
- The most important commands to audit with the Auditing Mailbox Access feature are ‘SendAs’ and ‘Delete’. Once they are audited, the operation is recorded every time one of these commands is performed.
- It is important to audit these commands because they are the ones hackers use most. A hacker can break into your account to delete mail, or to send emails with prohibited content in order to malign you. Once the audit has been performed, you can use an OST file recovery to get back the deleted data.
- Once these commands are audited, it can easily be identified whether a hacker tampered with the mailbox, and a falsely accused user can then be vindicated.
- Through this feature, it can be proved that it was not the user but the hacker who sent the email to the victim, making the apparent sender look like the offender. It can prove that someone else was logged in to the system. Instances of hackers pretending to be account users are common, so using the Auditing Mailbox Access feature is imperative.
- This feature is not activated by default in MS Exchange, as it takes up more space once activated. You therefore need to be selective when activating it: audit only chosen commands, so that the feature is active but still takes up the minimum amount of space.
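The configuration described in the list above, as an added example that is not part of the original article: it enables auditing on one mailbox for SendAs and the delete actions only, then reviews the recorded entries. It is meant for the Exchange Management Shell, and the mailbox identity shown is a placeholder.

```powershell
# Added example. 'shared-legal@example.com' is a placeholder mailbox identity.
$Mailbox = 'shared-legal@example.com'

# "Delete" is covered by three separate audit actions in Exchange.
$DeleteActions   = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'
$NonOwnerActions = @('SendAs') + $DeleteActions

# Audit only the selected actions to keep the audit log small.
# SendAs is audited for delegates and administrators; the owner list
# holds only the delete actions, because SendAs is not an owner action.
Set-Mailbox -Identity $Mailbox `
    -AuditEnabled $true `
    -AuditDelegate $NonOwnerActions `
    -AuditAdmin $NonOwnerActions `
    -AuditOwner $DeleteActions

# Confirm what is now being recorded for this mailbox.
Get-Mailbox -Identity $Mailbox |
    Format-List Name, AuditEnabled, AuditOwner, AuditDelegate, AuditAdmin

# Pull the last 30 days of entries made by anyone other than the owner.
# -ShowDetails returns one record per operation, with client details.
$Entries = Search-MailboxAuditLog -Identity $Mailbox `
    -LogonTypes Delegate, Admin `
    -StartDate (Get-Date).AddDays(-30) `
    -EndDate (Get-Date) `
    -ShowDetails `
    -ResultSize 1000

# Show who performed each SendAs or delete, when, and from which client.
$Entries |
    Where-Object { $NonOwnerActions -contains $_.Operation } |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, Operation, OperationResult, LogonType,
                  LogonUserDisplayName, ClientIPAddress, ClientInfoString,
                  ItemSubject
```

A SendAs or delete entry whose LogonUserDisplayName is not the mailbox owner is the record that shows someone else performed the action.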
Why should you use Auditing Mailbox Access
One of the most important reasons why all Exchange users should use this feature is to find the real culprits, and to avoid prosecuting innocent employees by falling into the traps set by hackers.
Van Sutton is a data recovery expert at DataNumen, Inc., which is the world leader in data recovery technologies, including repair Outlook pst damage and bkf recovery software products. For more information visit www.datanumen.com.