How to Detect Who Granted Full Access Permissions to Another User’s Mailbox


Native Auditing vs. Netwrix Auditor for Exchange

Native Auditing Netwrix Auditor for Exchange
Steps
  1. Open the Exchange Management Shell, and run the following cmdlets:
    • Set-AdminAuditLogConfig – AdminAuditLogEnabled $true 
    • Set-AdminAuditLogConfig – LogLevel Verbose (for Exchange 2013).
  2. Run eventvwr.msc → Applications and Services Logs → MSExchange Management → search for log with cmdlet "Add(Remove)-MailboxPermission" – where you can find information about who changed You can also find this information in Exchange Admin Center in your browser → Compliance Management → Auditing → click "View the administrator audit log". mailbox permissions, when it happened, to what mailbox and what kind of access to whom was given.
  3. You can also find this information in Exchange Admin Center in your browser → Compliance Management → Auditing → click "View the administrator audit log".
  4. Also via power shell - Open the Exchange Management Shell and run the following cmdlet:

    • Search-AdminAuditLog –cmdlets Add(Remove)-MailboxPermission.

  1. Run Netwrix Auditor → Click "Reports" → choose Exchange → Choose "Mailbox Delegation and Permissions Changes" → click "View".


Detect Unauthorized Changes on Exchange Server to Minimize the Risk of a Security Breach

Anyone who has been granted full access permissions to another user’s mailbox can delete or forward emails, change mailbox content and more. These actions can easily go unnoticed by either the mailbox owner or IT staff. Without ongoing tracking of changes in Exchange, full access permissions granted to another user’s mailbox without proper business justification can lead to a security breach. Proper auditing enables IT admins to determine who was granted full access rights to another user’s mailbox, helping them protect critical mailbox content and prevent the loss or leakage of sensitive data.

Netwrix Auditor for Exchange delivers complete visibility into your Microsoft Exchange Server by monitoring all mailbox changes and access events, including mailbox delegation and the granting of full access permissions. With predefined reports on the activity on Exchange Server at hand, IT admins can properly manage full access permissions to mailboxes and quickly determine who was granted full access rights to another user’s mailbox, when it happened and who did it — mitigating the risk of data leaks.

Got Feedback? Share!