Yi Bao Dian: how to enable auditing for the EXO service in O365 (part 46)

2025-04-05 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

In enterprise information management, system robustness and information security are particularly important. Ordinary users can be constrained by configuring permissions, rules, and policies. But what about administrators who hold considerable or even full privileges? How to restrict them matters just as much. Incidents of the "delete the database and run away" kind keep occurring. How can we guard in advance against the risks that an administrator's actions bring? How can we confirm what an administrator has done and whether it was compliant? How can we find out in time that a problem was caused by an administrator's actions?

Obviously the most direct way is to track every sensitive action of each administrator, record what the administrator has done, and save these records as logs for later reference. Recording these logs is the main purpose of the audit feature in Exchange Online, where they are called audit logs.

I. Audit log

Audit logs can be used to track specific actions taken by administrators when troubleshooting configuration problems. They also give the enterprise reliable information for complying with laws and regulations, following management policies, and meeting litigation requirements. Exchange Online provides the following two types of audit logging:

Administrator audit log, which records all actions an administrator takes on Exchange Online through PowerShell commands. The log can be used to troubleshoot configuration issues, to identify security-related or compliance-related issues, and to trace their root cause. In addition, in Exchange Online, actions performed by Microsoft administrators and delegated administrators are recorded.

Mailbox audit log, which records access to the mailbox. This includes access by administrators, delegated users, and mailbox owners. This log is used to determine when and by whom the mailbox was accessed, and what the visitor did to the messages.

II. Enable audit logging

Before you can obtain audit logs, you must configure audit logging. Otherwise, no audit log can be retrieved or exported.

To monitor whether mail administrators use their special permissions to view the contents of a user's mailbox, run a non-owner mailbox access report.

For a non-owner mailbox access report to contain any content for a mailbox, mailbox audit logging must be enabled in advance on every mailbox where administrator behavior needs to be monitored.

For Exchange Online, enabling audit logging must currently be done through Exchange Online PowerShell. Auditing cannot be enabled for mailboxes associated with Office 365 groups (nor, currently, for mailboxes associated with Microsoft Teams in the international version).

Following "Yi Bao Dian: how to use PS to connect to Exchange Online and manage Exchange Online services in Office 365 (part 5)" (https://blog.51cto.com/liulike/1668854), use PowerShell to log in to Exchange Online as a global administrator.

1. Enable audit logging for a single mailbox

Use Set-Mailbox to enable audit logging for the specified user mailbox:

Set-Mailbox -Identity "Zhang San" -AuditEnabled $true

After the run is complete, verify that the settings are in effect through Get-Mailbox:

Get-Mailbox "Zhang San" | FL Audit*

2. Enable audit logging for all mailboxes

Similarly, enabling audit logging for all mailboxes can only be set through PowerShell.

Use Get-Mailbox to get all user mailboxes, and then pipe them to Set-Mailbox to enable audit logging.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

When finished, use Get-Mailbox to verify that audit logging is enabled on the mailboxes.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit*

III. Specify the mailbox owner actions to audit

By default, enabling auditing on a mailbox audits only certain actions of the mailbox owner (that is, the mailbox user themselves, as opposed to administrators and delegated users). If you need to audit other actions of the mailbox owner, additional settings are required.

The actions that enable auditing by default for mailbox owners are:

UpdateCalendarDelegation: calendar delegation assigned to the mailbox

UpdateFolderPermissions: folder permissions changed

UpdateInboxRules: added, modified and deleted mailbox rules

However, if you need to audit other owner actions, such as mailbox logins or the permanent deletion of messages, they must be added manually.

1. Specify the owner action to audit while enabling auditing for a single mailbox

Use Set-Mailbox to enable auditing on the user mailbox and audit logins by the owner.

Set-Mailbox "Li Si" -AuditEnabled $true -AuditOwner MailboxLogin

Use Get-Mailbox to verify that the settings are in effect.

Get-Mailbox "Li Si" | FL Audit*

You can see that the MailboxLogin value is specified in the AuditOwner property.

2. Specify multiple owner actions to audit for a single mailbox that already has auditing enabled

Use Set-Mailbox to audit all owner logins and the permanent deletion of messages on the user mailbox.

Set-Mailbox "Zhang San" -AuditOwner @{Add="MailboxLogin","HardDelete"}

Use Get-Mailbox to verify that the settings are in effect.

Get-Mailbox "Zhang San" | FL Audit*

3. Specify multiple owner actions to audit for all mailboxes

Use Set-Mailbox to audit owner logins, message deletion (SoftDelete), and permanent message deletion (HardDelete) on all user mailboxes.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete"}

Verify that the configuration succeeded.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit*
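The FL output of the verification step is hard to scan across a whole tenant. As an added example (not part of the original article), the function below reports only the mailboxes that have auditing disabled or lack required owner actions. Test-MailboxAuditBaseline, its parameters, the baseline action list and the sample mailboxes (including "Wang Wu") are assumptions constructed for illustration.

```powershell
# Added example: report mailboxes whose audit settings fall short of a baseline.
# Test-MailboxAuditBaseline is a hypothetical helper, not an Exchange cmdlet.
function Test-MailboxAuditBaseline {
    [CmdletBinding()]
    param(
        # Objects exposing Name, AuditEnabled and AuditOwner, as Get-Mailbox returns.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Mailbox,

        # Owner actions every mailbox must audit (assumed baseline, from step 3 above).
        [string[]]$RequiredOwnerActions = @('MailboxLogin', 'HardDelete', 'SoftDelete')
    )
    process {
        # AuditOwner may be empty, a single value or a collection; normalise to strings.
        $current = @($Mailbox.AuditOwner | ForEach-Object { "$_" })
        $missing = @($RequiredOwnerActions | Where-Object { $current -notcontains $_ })

        # Emit a row only for mailboxes that fail the baseline.
        if (-not $Mailbox.AuditEnabled -or $missing.Count -gt 0) {
            [pscustomobject]@{
                Name                = $Mailbox.Name
                AuditEnabled        = [bool]$Mailbox.AuditEnabled
                MissingOwnerActions = $missing -join ','
            }
        }
    }
}

# Constructed sample data standing in for Get-Mailbox output, so the check runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'Zhang San'; AuditEnabled = $true
        AuditOwner = 'UpdateFolderPermissions', 'MailboxLogin', 'HardDelete', 'SoftDelete' }
    [pscustomobject]@{ Name = 'Li Si'; AuditEnabled = $true
        AuditOwner = 'MailboxLogin' }
    [pscustomobject]@{ Name = 'Wang Wu'; AuditEnabled = $false
        AuditOwner = @() }
)

# Lists Li Si (missing HardDelete,SoftDelete) and Wang Wu (auditing off); Zhang San passes.
$sample | Test-MailboxAuditBaseline | Format-Table -AutoSize

# Against a live tenant, feed the same function from the pipeline used above:
# Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} |
#     Test-MailboxAuditBaseline
```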
