Buyer's Guide: Exchange Server Auditing Software

It's the software that watches the watchers—and everyone, and everything, else


Why should you perform auditing on your Microsoft Exchange Server environment? If you’re asking yourself that question, chances are you’re in trouble already, even if you don’t know it. Even without legal or regulatory requirements, there are probably many good reasons you want to keep a close watch on your Exchange systems, from general security to performance. Knowing what to look for and where to find it—that’s where things get a little trickier.

Exchange Server 2010 introduced tools to perform administrator auditing, although if you’re not a PowerShell aficionado, you’re probably not going to like them. In “Auditing Administrators’ Actions with Exchange 2010,” Tony Redmond walks you through enabling the new native tools, shows you how to use the cmdlets to search and export data, and describes the few out-of-the-box reports you have available. Exchange 2010 has the ability to find whatever you might need, but there’s no fancy GUI—at least, not up to this point.

Third-party vendors, as usual, can probably fill your auditing needs quite nicely—and provide you with an administrative GUI to get the job done. In the accompanying buyer’s guide table, you can see a comparison of features of the products in this market space. But first, let’s examine some of the factors driving the need for Exchange auditing, and then take a look at what you should expect to find in a third-party product.

The Need for Auditing

In certain industries—medical, financial services—strict legal requirements govern how data is handled and who has access to it. And for that, we’re all quite thankful—when it works. We’ve all heard of regulations such as HIPAA or standards such as PCI. If you manage an Exchange organization where such regulations are enforced, clearly you’re familiar with auditing. But no organization can really afford to ignore it. As Tom Crane, product manager for Quest Software, said, “I don’t think any industry out there is free and clear for not having auditing.”
Even if you adhere to certain regulations, it’s sometimes unclear what exactly they mean or how to monitor for them. In some cases, companies might not even be sure which regulations apply to them. Certainly that was the case when HIPAA and Sarbanes-Oxley and such first appeared, but as Crane said, “As time goes on, the definitions of what needs to be done have started to mature.” He also noted that both auditors and companies have come to a better understanding of the data and what’s required of them by these regulations.

But let’s face it: There’s a lot of data. A lot of potentially regulated information can pass through or reside in an Exchange organization. Wendy Yale, senior director of marketing for Varonis Systems, spoke to this point. “Email nowadays is the cornerstone of collaboration,” Yale said. “It’s even more important today than traditional communication methods—people just don’t talk on the phone as much. It’s the heart of collaboration, and because of that, the data is growing so, so fast. If you look at most companies, it’s not even [that they’re] not keeping up with it; in the worst cases, it’s not even approaching coming to a manageable ratio.”

In most cases, systems have grown organically over time. As email and other electronic communication methods have gained prevalence, all that data just keeps piling up, and your needs for things such as auditing probably weren’t thought of at the beginning. As Yale points out, “It’s hard to go back and fix it once something’s started.” So, having the right tools that can sift the data and provide it to you in a useful form is a must.

Although the drive to find an auditing solution might come from Exchange administrators themselves, it’s just as possible that it might be a suggestion—or demand—from higher up the chain of command in a business. As Crane said, “A lot of times, it comes down to board members, CEOs—those are the big drivers, all the executives. They’re really particular about a lot of intellectual property, a lot of confidential information getting passed back and forth. Exchange administrators have access to backup accounts, or other accounts that have the natural, delegated permissions. So [executives] want to keep tabs if someone is using those [accounts] inappropriately.”

No Exchange admin wants to feel like someone’s watching over their shoulder all the time, but this is a reality of the corporate world. And Crane’s point is valid: Admins are the ones who have access. Furthermore, auditing isn’t just about watching for violations or unauthorized access; it can also be used to find problems when a change goes awry. Who made that change, and why? What was it supposed to be? A good auditing solution will help you spot such problems.

What Should You Audit?

The question of what specifically in your environment to look at is going to be answered differently for different organizations, and quite possibly answered differently at different times. In speaking with the four companies providing auditing products for Exchange, I found that they all had valuable advice, and all slightly different. Not surprising, this advice more or less aligns with the strengths of their particular products.
According to Michael Fimin, president and CEO of NetWrix, it’s important to track all changes in your Exchange environment. “Every time you change something, it has to be audited,” Fimin said, “especially if there’s more than one person involved in Exchange management. It has to be tracked. And everybody has to be aware of what’s going on, what things are being changed, what permissions are being changed, what mailboxes change, whatever.” NetWrix Exchange Change Reporter is part of the company’s Change Reporter Suite, which has modules to monitor your entire IT infrastructure, including Active Directory (AD), SharePoint, SQL Server, and much more.

Fimin was able to break down into three categories what he feels an auditing solution should be able to do for you. “First of all, it’s the archiving of changes. You have to be able to track the history,” he said. “If your auditors come in and say, ‘Show me what changed 5 years ago,’ you have to be able to do that.” Fimin noted that in certain industries, you might need to be able to audit changes back as far as 7 years.

His second requirement is the ability to effectively report on the data you collect. “You have to be able to create reports for specific types of changes, or just for any changes from a certain criteria,” he said. “And the alerting capability would be a third important piece of the puzzle. You have to be able to create alerts on certain sensitive types of events, such as those that can affect security and compliance.”

For Adam Laub, vice president of marketing for STEALTHbits, and Barbara Baumle, technical product manager for messaging and mobility at the company, some of the important auditing features Exchange administrators need center around access control. “Not just looking at access activity,” Laub said, “but actually who has access, and who has access over time, so that they can keep track of critical changes to mailbox rights and permissions, make sure that you don’t have high-risk mailboxes sitting out there where accounts like Default and Anonymous are open for any user to essentially log on to that mailbox and be able to peruse through it.”

The STEALTHbits product, StealthAUDIT Management Platform for Exchange, is also part of a larger auditing platform from the company, a good point to keep in mind if your auditing interests stretch beyond Exchange itself. As far as what customers are looking to keep an eye on, Baumle said, “We find it’s very specific per corporation, depending on what they actually want to see and what’s important to them.” So either find a solution that offers the greatest amount of choice in how to search and audit and report, or figure out exactly what you’re going to need ahead of time.

Like Fimin, Quest Software’s Crane had three basic capabilities he thought any auditing product should have. First, you should expect the product to provide ongoing analysis of your overall environment. You should also expect it to help you maintain compliance within your organization by auditing for violations. And third, the product should provide real-time alerts on policy violations.

Even more specifically, Crane talked about the type of information you should be capturing for any change. “It sets out to answer the six Ws,” he said. “Who made the change? When did it happen? What object was changed? What system captured it, or what Exchange server did it come from? Where did it originate? Why did it happen?” In addition, the product should capture before and after values for changes, whenever appropriate—and maintain that data.

For Varonis, a key point is the problem of data ownership. You’ve got public folders in your environment, but it’s not always simple to tell who they belong to or who is actually using them. Varonis DatAdvantage for Exchange, which is focused on data governance, can provide this information as well as make recommendations about who has permissions that they shouldn’t. As Yale said, “That’s powerful, when you provide context to people in addition to just giving them visibility about what exists, because it gives them the intelligence to make proactive decisions about how to move forward.” And really, isn’t that the real idea behind all this auditing in the first place?

All the Basics

When I began researching Exchange auditing products, I was surprised to find so few companies offering such solutions—only four, each of which spoke with me about their offerings. The good news, if you’re in the market, is that means there are fewer products to wade through. Each of the four products performs all the basics of auditing, reporting, and alerting that you would expect, yet each one comes at if from a little different angle, or focuses in a slightly different way. Note that this is a buyer’s guide, not a review, so further investigation of the products before purchase is warranted. Check out the feature comparison table, then visit the vendors’ websites. Some of the products have trial versions or freeware versions, so you can get a solid understanding before committing to a full deployment. Good luck!