How to Detect Who Granted Full Access Permissions to Another User’s Mailbox


Native Auditing vs. Netwrix Auditor for Exchange

Native Auditing Netwrix Auditor for Exchange
Steps
  1. Open the Exchange Management Shell, and run the following cmdlets:
    • Set-AdminAuditLogConfig – AdminAuditLogEnabled $true 
    • Set-AdminAuditLogConfig – LogLevel Verbose (for Exchange 2013).
  2. Run eventvwr.msc → Applications and Services Logs → MSExchange Management → search for log with cmdlet "Add(Remove)-MailboxPermission" – where you can find information about who changed You can also find this information in Exchange Admin Center in your browser → Compliance Management → Auditing → click "View the administrator audit log". mailbox permissions, when it happened, to what mailbox and what kind of access to whom was given.
  3. You can also find this information in Exchange Admin Center in your browser → Compliance Management → Auditing → click "View the administrator audit log".
  4. Also via power shell - Open the Exchange Management Shell and run the following cmdlet:

    • Search-AdminAuditLog –cmdlets Add(Remove)-MailboxPermission.

  1. Run Netwrix Auditor → Click "Reports" → choose Exchange → Choose "Mailbox Delegation and Permissions Changes" → click "View".


Detect Unauthorized Changes on Exchange Server to Minimize the Risk of a Security Breach

Anyone who has been granted full access permissions to another user’s mailbox can easily delete or forward emails, change other mailbox content and more. These actions can easily go unnoticed by either the mailbox owner or IT staff. Without ongoing tracking of changes in Exchange, full access permissions granted to another user’s mailbox without proper business justification can lead to a security breach. Proper auditing enables IT admins to determine who has granted full access rights to a mailbox, helping them protect sensitive mailbox content and prevent data exfiltration.

Netwrix Auditor for Exchange delivers complete visibility into your Microsoft Exchange Server by monitoring all mailbox changes and access events, including mailbox delegation and granting of full access permissions. With predefined reports on the activity on Exchange Server at hand, IT admins can properly manage full access permissions to another user’s mailbox. The Interactive Search feature enables IT admins to quickly determine who was granted full access rights to another user’s mailbox, when it happened and who did it — mitigating the risk of data leaks.

Got Feedback? Share!