Exchange Server Forums

Secruity Logs

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [Microsoft Exchange 2003] >> Server Security >> Secruity Logs

Page: [1]

Message

<< Older Topic Newer Topic >>

Limited time MSExchange.org offer! -- 1.Sep.2008 1:00:00 PM

TechGenix and SolarWinds have partnered to provide free copies of SolarWinds Exchange Monitor to all visitors who join the MSExchange.org Forums. SolarWinds Exchange Monitor is a handy desktop dashboard that continuously monitors Microsoft Exchange to deliver real-time insight into Exchange services, mail queue sizes, and host server health. Learn more about Exchange Monitor and the free offer!

Secruity Logs - 8.Apr.2008 10:22:33 AM

James22

Posts: 7
Joined: 8.Apr.2008
Status: offline

I am not sure if this is the correct place to past tihs message but here goes.

Our server monitering software has picked up alot of hacker checks on 2 sites some 179 attemps.

From what i can see it is attempts to access OWA as the login process is advapi i would like to know who/what is creating the failure login attempts.

I have switched on IIS STMP logging on the default web site holding OWA and also SMTP logging in exchange.

Unfortantly i am not able to catch the ip address that is attempting to access owa i have run some of my own tests.

Connected to OWA from my PC and tried some bogus usernames password.Which are logged in the event viewer as 529 security errors using the same login process as others. The problem is if i check the IIS log or the smtp in "c:\windows\system32\logfiles" there is nothing logged in either log files around the times of the tests or the hack attempts but outboundcommands ect are shown.

The question i am asking is how to track hackers trying to access OWA and do the faliure logins get logged and if so where ??????????

Thanks in advance

James

Post #: 1

Featured Links*

RE: Secruity Logs - 8.Apr.2008 10:33:08 AM

uemurad

Posts: 5485
Joined: 7.Jan.2004
From: California, USA
Status: offline

James,

This may be overly simplistic, but can't your firewall and/or router tell you the IP address connecting to your OWA server? You know the recipient address (public IP of your OWA server) and you know the protocol (HTTP or HTTPS).

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to James22)

Post #: 2

RE: Secruity Logs - 8.Apr.2008 11:40:12 AM

James22

Posts: 7
Joined: 8.Apr.2008
Status: offline

Thanks for the quick responce

Unfortanly the router does not have firewall logging option on the router, the router is a DLINK DSL-504T but does have remote logging the manaul gives you no clue in setting it up tho

what it gives you.

I checked the router first and tried to find out how to setup logging but it is a basic router / Firewall.

All help very much appricated.

James22

< Message edited by James22 -- 8.Apr.2008 12:33:29 PM >

(in reply to James22)

Post #: 3

RE: Secruity Logs - 8.Apr.2008 1:50:36 PM

uemurad

Posts: 5485
Joined: 7.Jan.2004
From: California, USA
Status: offline

I did some research on your Dlink router and on OWA logging. From what I could see the OWA log only tracks connections and not failed attempts (in the WWW log). In order to see the failed connection attempts you really need to log the traffic at the entry point. Is there any chance you will install a different or additional router or firewall?

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to James22)

Post #: 4

RE: Secruity Logs - 9.Apr.2008 8:16:31 AM