
StealthAUDIT® Exchange Permissions (2021)

Table of Contents

Exchange Permissions Overview
Exchange Compatibility
Exchange Solution to Permissions Alignment
Exchange Mail-Flow Permissions
Exchange Remote Connections Permissions
Exchange PowerShell Permissions
  Scoping Options
    No Scoping
    Scope by Database
    Scope by Mailbox
    Scope by Server
    Scope by Public Folder
Exchange Web Services API Permissions
MAPI-Based Data Collector Permissions
Enable Exchange Mailbox Access Auditing
Appendices
  Appendix: Enable Remote PowerShell for ExchangePS Data Collector
  Appendix: Enable Windows Authentication for PowerShell Virtual Directory
  Appendix: Create Custom Application Impersonation Role in Exchange
More Information

Doc_ID 667 2

Copyright 2021 STEALTHBITS, NOW PART OF NETWRIX, ALL RIGHTS RESERVED

Exchange Permissions Overview

This document describes the settings and permissions required in a Microsoft® Exchange® environment for successful use of the StealthAUDIT for Exchange & Exchange Online Solution, which employs the Exchange2K, EWSMailbox, EWSPublicFolder, ExchangeMailbox, ExchangeMetrics, ExchangePS, ExchangePublicFolder, and SMARTLog data collectors to scan for Mail-Flow, Remote Connections, Database, Mailbox, Public Folder, and Distribution List information. It also provides the justification for each required permission.

The Sensitive Data Discovery Auditing with the ExchangeMailbox Data Collector requires the Sensitive Data Discovery Add-on. Each thread requires a minimum of 2 additional GB of RAM per host. For example, if the job is configured to scan 8 hosts at a time, then an extra 16 GB of RAM are required (8x2=16). See the StealthAUDIT Sensitive Data Discovery Add-On User Guide for additional information.

Exchange Compatibility

The StealthAUDIT for Exchange Solution is compatible with the following Exchange versions as targets:

• Exchange Online (Limited)
• Exchange 2019 (Limited)
• Exchange 2016 (Limited)
• Exchange 2013
• Exchange 2010 (Limited)

Where (Limited) appears next to a version, the following table indicates which data collectors can target which supported platforms:

Data Collector        MAPI-Based  Exchange Online  Exchange 2019  Exchange 2016  Exchange 2013  Exchange 2010
EWSMailbox            No          Yes              Yes            Yes            Yes            Limited*
EWSPublicFolder       No          Yes              Yes            Yes            Yes            Limited*
Exchange2K            Yes         No               No             No             Yes            Yes
ExchangeMailbox       Yes         No               No             No             Yes            Yes
ExchangeMetrics       No          No               Yes            Yes            Yes            Yes
ExchangePS            No          Yes              Yes            Yes            Yes            Yes
ExchangePublicFolder  Yes         No               No             No             Yes            Yes
SMARTLog              No          No               Yes            Yes            Yes            Yes

*The data collector can target Exchange 2010 Service Pack 1 and later.

The following table identifies which job groups can target which supported platforms:

Job Group              MAPI-Based  Exchange Online  Exchange 2019  Exchange 2016  Exchange 2013  Exchange 2010
1. HUB Metrics         No          No               Yes            Yes            Yes            Yes
2. CAS Metrics         No          No               Yes            Yes            Yes            Yes
3. Databases           Yes         No               Limited        Limited        Yes            Yes
4. Mailboxes           No          Yes              Yes            Yes            Yes            Yes
5. Public Folders      Yes         No               No             No             Yes            Yes
6. Distribution Lists  No          Yes              Yes            Yes            Yes            Yes
7. Sensitive Data      Mix         Yes              Yes            Yes            Yes            Limited*
8. Exchange Online     No          Yes              No             No             No             No

*Limited indicates that some of the data collectors can target the environment, but not all. Mix indicates that some of the data collectors are MAPI-based, but not all.

Exchange Solution to Permissions Alignment

See the following sections for permission requirements according to the job group, data collector, or action module to be used:

• Exchange Mail-Flow Permissions section
  • ExchangeMetrics Data Collector
  • 1. HUB Metrics Job Group
• Exchange Remote Connections Permissions section
  • SMARTLog Data Collector
  • 2. CAS Metrics Job Group
• Exchange PowerShell Permissions section
  • ExchangePS Data Collector
  • ExchangePublicFolder Data Collector
  • ExchangeMailbox Data Collector
  • PublicFolder Action Module
  • Mailbox Action Module
  • 2. CAS Metrics Job Group
  • 3. Databases Job Group
  • 4. Mailboxes Job Group
  • 5. Public Folders Job Group
  • 8. Exchange Online Job Group
• Exchange Web Services API Permissions section
  • EWSMailbox Data Collector
  • EWSPublicFolder Data Collector
  • 7. Sensitive Data Job Group
• MAPI-Based Data Collector Permissions section
  • Exchange2K Data Collector
  • ExchangeMailbox Data Collector
  • ExchangePublicFolder Data Collector
  • 3. Databases Job Group
  • 5. Public Folders Job Group
  • 7. Sensitive Data Job Group
• Enable Exchange Mailbox Access Auditing section
  • 4. Mailboxes Job Group


Exchange Mail-Flow Permissions

The ExchangeMetrics Data Collector processes the Message Tracking Logs on the Exchange servers. It uses an applet, deployed to the server, to process the Message Tracking Logs and collect summarized metrics from them.

The ExchangeMetrics Data Collector supports Exchange 2010 through Exchange 2019. Because this data collector is an applet that has to run on the Exchange server itself, it does not support Exchange Online.

The Connection Profile assigned to the 1. HUB Metrics Job Group requires the following permissions (based on default settings):

• Local Administrators group membership on the targeted Exchange server(s) where the Hub Transport service is running
• The Log on as a service user right, assigned through Group Policy:
  • Open gpedit.msc
  • Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Local Administrator on the Target Hosts

This is required because the ExchangeMetrics Data Collector is an applet-based data collector. It needs local Administrators group membership on each target host that holds the Message Tracking Logs so that it can create the SA_ExchangeMetricsData folder, which contains the applet files and the processed Message Tracking Log data, stored in one SQLite database per day. For example, on an Exchange 2010 server the Message Tracking Logs are located under: \\ExchangeServerName\c$\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking

If additional security hardening or permission changes have been applied to the server(s), the following rights and policies may also need to be set on the targeted host:

• Ensure the Administrators group has been granted Full Control over the Message Tracking Log directories
• WMI Control (wmimgmt.msc) > right-click > Properties > Security tab
  • Root > CIMV2 > Security
  • Ensure the Administrators group has been assigned:
    • Execute Methods
    • Remote Enable
    • Enable Account
• Local Security Policy (secpol.msc) > Local Policies > User Rights Assignment:
  • Ensure the 'Replace a process level token' right grants access to Local Service, Network Service, and Administrators
  • Ensure the 'Adjust memory quotas for a process' right grants access to Local Service, Network Service, and Administrators
  • Ensure the 'Impersonate a client after authentication' right grants access to Local Service and Administrators
  • Ensure the Administrators group has been granted the following rights:
    • Access this computer from the network
    • Allow log on locally
    • Log on as a batch job


Exchange Remote Connections Permissions

The SMARTLog Data Collector processes the IIS logs on the server(s) running the Client Access Service and returns information about the remote connections being made to Exchange. It uses an applet, deployed to the server, to process and collect the IIS logs.

The SMARTLog Data Collector supports Exchange 2010 through Exchange 2019. Because this data collector is an applet that has to run on the Exchange server itself, it does not support Exchange Online.

The Connection Profile assigned to the 2. CAS Metrics Job Group requires the following permissions (based on default settings):

NOTE: The 2. CAS Metrics Job Group also requires PowerShell permissions. See the Exchange PowerShell Permissions section for additional information.

• Local Administrators group membership on the targeted Exchange server(s) where the Client Access service is running
• The Log on as a service user right, assigned through Group Policy:
  • Open gpedit.msc
  • Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Local Administrator on the Target Hosts

This is required because the SMARTLog Data Collector is an applet-based data collector. It needs local Administrators group membership on each target host that holds the IIS logs so that it can create the log processing folder, which contains the applet files and its logs. For example: \\ExchangeServerName\c$\Program Files (x86)\STEALTHbits\StealthAUDIT\LogProcessor

If additional security hardening or permission changes have been applied to the server(s), the following rights and policies may also need to be set on the targeted host:

• Ensure the Administrators group has been granted Full Control over the IIS log directories
• WMI Control (wmimgmt.msc) > right-click > Properties > Security tab
  • Root > CIMV2 > Security
  • Ensure the Administrators group has been assigned:
    • Execute Methods
    • Remote Enable
    • Enable Account
• Local Security Policy (secpol.msc) > Local Policies > User Rights Assignment:
  • Ensure the 'Replace a process level token' right grants access to Local Service, Network Service, and Administrators
  • Ensure the 'Adjust memory quotas for a process' right grants access to Local Service, Network Service, and Administrators
  • Ensure the 'Impersonate a client after authentication' right grants access to Local Service and Administrators
  • Ensure the Administrators group has been granted the following rights:
    • Access this computer from the network
    • Allow log on locally
    • Log on as a batch job
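The prerequisites for the two applet-based collectors (ExchangeMetrics in the Exchange Mail-Flow Permissions section and SMARTLog in the Exchange Remote Connections Permissions section) are identical apart from the log directory, and the document only describes checking them through the GUI consoles. The following script is an added example, not part of the Stealthbits documentation, that verifies the same items from an elevated PowerShell session on the targeted Exchange server. It assumes a Connection Profile account named CONTOSO\svc-stealthaudit, the Exchange 2013+ (V15) Message Tracking Log path, the default IIS log path, and Windows Server 2016 or later (for the Get-LocalGroupMember cmdlet); all of these are placeholders to adjust.

```powershell
# Added example (not Stealthbits code). Run elevated on each targeted Exchange server.
# Assumptions, edit for your environment:
#   - Connection Profile account is CONTOSO\svc-stealthaudit
#   - log paths are the Exchange 2013+ (V15) and default IIS locations
$ServiceAccount = 'CONTOSO\svc-stealthaudit'
$LogPaths = @(
    'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking',  # ExchangeMetrics
    'C:\inetpub\logs\LogFiles'                                                              # SMARTLog (IIS)
)
# Well-known SIDs referenced by the document's user-rights requirements.
$SidAdmins = 'S-1-5-32-544'; $SidLocalSvc = 'S-1-5-19'; $SidNetSvc = 'S-1-5-20'
$AccountSid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate([System.Security.Principal.SecurityIdentifier]).Value

function Get-PrivilegeRights {
    # secedit exports the local policy as an INI file; its [Privilege Rights] section
    # lists each right as  SeXxx = *SID,*SID  (a leading * marks a SID).
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $inf /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-Right {
    param([hashtable]$Rights, [string]$Privilege, [string[]]$ExpectedSids)
    # Every expected principal must be among those granted the right.
    foreach ($sid in $ExpectedSids) { if ($Rights[$Privilege] -notcontains $sid) { return $false } }
    return $true
}

function Test-WmiNamespaceAccess {
    param([string]$Sid)
    # WMI access mask bits: WBEM_ENABLE 0x1 (Enable Account), WBEM_METHOD_EXECUTE 0x2
    # (Execute Methods), WBEM_REMOTE_ACCESS 0x20 (Remote Enable).
    $required = 0x1 -bor 0x2 -bor 0x20
    $sd = (Invoke-CimMethod -Namespace 'root/cimv2' -ClassName '__SystemSecurity' -MethodName 'GetSecurityDescriptor').Descriptor
    $mask = 0
    foreach ($ace in $sd.DACL) {
        # AceType 0 = ACCESS_ALLOWED. Deny ACEs are not subtracted here; treat any deny for the
        # Administrators group as a failure when reviewing the namespace by hand.
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $Sid) { $mask = $mask -bor $ace.AccessMask }
    }
    return (($mask -band $required) -eq $required)
}

function Test-NtfsFullControl {
    param([string]$Path, [string]$Sid)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Allow' -and $aceSid -eq $Sid -and (($ace.FileSystemRights -band $full) -eq $full)) { return $true }
    }
    return $false
}

$rights  = Get-PrivilegeRights
$results = [ordered]@{
    'Account is a direct member of local Administrators' = [bool](Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.SID.Value -eq $AccountSid })
    'Log on as a service (account or Administrators)'    = (Test-Right $rights 'SeServiceLogonRight' $AccountSid) -or (Test-Right $rights 'SeServiceLogonRight' $SidAdmins)
    'Replace a process level token'                      = Test-Right $rights 'SeAssignPrimaryTokenPrivilege' @($SidLocalSvc, $SidNetSvc, $SidAdmins)
    'Adjust memory quotas for a process'                 = Test-Right $rights 'SeIncreaseQuotaPrivilege'      @($SidLocalSvc, $SidNetSvc, $SidAdmins)
    'Impersonate a client after authentication'          = Test-Right $rights 'SeImpersonatePrivilege'        @($SidLocalSvc, $SidAdmins)
    'Access this computer from the network'              = Test-Right $rights 'SeNetworkLogonRight'     @($SidAdmins)
    'Allow log on locally'                               = Test-Right $rights 'SeInteractiveLogonRight' @($SidAdmins)
    'Log on as a batch job'                              = Test-Right $rights 'SeBatchLogonRight'       @($SidAdmins)
    'WMI root\cimv2 Enable/Execute/Remote for Administrators' = Test-WmiNamespaceAccess $SidAdmins
}
foreach ($p in $LogPaths) { $results["Full Control for Administrators on $p"] = Test-NtfsFullControl $p $SidAdmins }

$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
```

The membership check looks only at direct members of the local Administrators group; an account that is an administrator through a nested domain group will report FAIL even though the applet will work, so confirm such cases with whoami /groups under the service account. The user-rights checks read the effective local policy that secedit exports, so they reflect Group Policy as well as local settings.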


Exchange PowerShell Permissions

The ExchangePS Data Collector uses PowerShell to collect various information from the Exchange environment. It uses Remote PowerShell to collect information about Exchange user configuration, mailboxes, public folders, and Exchange Online mail flow.

The ExchangePS Data Collector supports Exchange 2010 through Exchange 2019 and Exchange Online.

The Connection Profile is assigned to the following job groups:

• 2. CAS Metrics
  • This job group does not support Exchange Online because it also requires remote connection permissions. See the Exchange Remote Connections Permissions section for additional information.
• 3. Databases
  • This job group does not support Exchange Online because it also requires MAPI-based permissions. See the MAPI-Based Data Collector Permissions section for additional information.
• 4. Mailboxes
  • This job group also requires Exchange Mailbox Access Auditing to be enabled. See the Enable Exchange Mailbox Access Auditing section for additional information.
• 5. Public Folders
  • This job group does not support Exchange Online because it also requires MAPI-based permissions. See the MAPI-Based Data Collector Permissions section for additional information.
• 8. Exchange Online

The ExchangePS Data Collector needs the following permissions to run a scan (based on default settings):

• On-premises Exchange environments:
  • Remote PowerShell enabled on a single Exchange server
  • Windows Authentication enabled for the PowerShell Virtual Directory on the same Exchange server where Remote PowerShell has been enabled
  • View-Only Organization Management Role Group
  • Discovery Search Management Role Group
  • Public Folder Management Role Group
  • Mailbox Search Role
• Exchange Online environments:
  • Discovery Management Role
  • Organization Management Role
  • Application Impersonation Role (create a new role group to impersonate users in the organization)

See the Appendix: Create Custom Application Impersonation Role in Exchange section for additional information.

NOTE: For Exchange Online, the PowerShell execution policy needs to be set to 'Unrestricted' on the StealthAUDIT Console server. It must be set in both the 64-bit and 32-bit versions of PowerShell; the 32-bit host is the powershell.exe under %WINDIR%\SysWOW64\WindowsPowerShell\v1.0, and each host keeps its own execution policy.

Remote PowerShell Enabled & Windows Authentication for the PowerShell Virtual Directory

These configurations must be enabled on at least one (1) Exchange server running the Client Access Service so that the ExchangePS Data Collector can open a remote PowerShell connection and authenticate through StealthAUDIT.

StealthAUDIT passes the credentials saved inside the console (Connection Profile) to the data collector so that it is able to authenticate to the targeted host. This requires the Exchange server to allow Windows Authentication.

See the Appendix: Enable Remote PowerShell for ExchangePS Data Collector section and the Appendix: Enable Windows Authentication for PowerShell Virtual Directory section for additional information.

View-Only Organization Management

This is required so that the ExchangePS Data Collector is able to run the various Exchange PowerShell cmdlets.

Public Folder Management

This permission is only required when using the ExchangePublicFolder Data Collector or ExchangeMailbox Data Collector, or the PublicFolder or Mailbox Action Modules. It is needed in order to make a connection through the MAPI protocol. The following job group requires the Public Folder Management Role Group:

• 5. Public Folders > Ownership

If this collection is not run, the permission is not required.

Mailbox Search Role

This is required to collect Mailbox Access Audit logs and run Mailbox Search queries through the ExchangePS Data Collector. The following job group requires the Mailbox Search Role:

• 4. Mailboxes > Logons

Scoping Options

There are five (5) scoping options within this data collector. Not every query category supports every scoping option, which is why No Scoping is one of them. If no scoping options are available for a query category, the data collector runs against the host specified on the Summary page of the data collector wizard.

No Scoping

This option gathers information about the entire Exchange organization. When using the applet, the data collector gathers information about the Exchange forest in which the StealthAUDIT Console currently resides. For Remote PowerShell, the data collector gathers information about the Exchange organization to which the Remote PowerShell connection was made. This is the server entered in the Client Access Server (CAS) field of the global configuration under the Settings > Exchange node, or on the Scope page of the data collector wizard.

Scope by Database

This option gathers information about the chosen databases only. When using the applet, the data collector lists the databases of the Exchange organization in which the StealthAUDIT Console currently resides on the Scope by DB page of the data collector wizard, and returns information only about the databases selected there. For Remote PowerShell, the data collector lists the databases of the Exchange forest on the Scope by DB page of the data collector wizard, and returns information only about the databases selected there.

Scope by Mailbox

This option gathers information about the chosen mailboxes only. When using the applet, the data collector lists the mailboxes of the Exchange forest in which the StealthAUDIT Console currently resides on the Scope by Mailboxes page of the data collector wizard, and returns information only about the mailboxes selected there. For Remote PowerShell, the data collector lists the mailboxes of the Exchange forest on the Scope by Mailboxes page of the data collector wizard, and returns information only about the mailboxes selected there.

Scope by Server

This option gathers information about objects which reside on the chosen server. When this option is selected, the data collector uses the Host List applied to the job's Configure > Hosts node as the list of servers to scope to. When using the applet, the data collector deploys a process to the targeted host and runs the PowerShell on that server. For Remote PowerShell, the data collector deploys no applet and uses the WinRM protocol to gather information about the objects on that server.

Scope by Public Folder

This option gathers information about the chosen public folders only. When using the applet, the data collector lists the public folders of the Exchange forest in which the StealthAUDIT Console currently resides on the Scope by Public Folders page of the data collector wizard, and returns information only about the public folders selected there. For Remote PowerShell, the data collector lists the public folders of the Exchange forest on the Scope by Public Folders page of the data collector wizard, and returns information only about the public folders selected there.


Exchange Web Services API Permissions

The EWSMailbox and EWSPublicFolder data collectors use the Exchange Web Services (EWS) API to access and communicate with Exchange. These data collectors collect statistics, content, permissions, and sensitive data information from mailboxes and public folders.

The EWSMailbox and EWSPublicFolder data collectors support Exchange 2010 Service Pack 1 through Exchange 2019 and Exchange Online.

The EWSMailbox Data Collector is assigned to a job within the Exchange > 7. Sensitive Data Job Group. The Connection Profile assigned to the 7. Sensitive Data Job Group requires the following permissions (based on default settings):

• Discovery Management Role
• Application Impersonation Role (create a new role group to impersonate users in the organization)
• Also needed for Exchange Online or hybrid environments:
  • Customized Administrator > Exchange Administrator Role
  • Exchange Online License

The EWSPublicFolder Data Collector is not assigned to a job within the Exchange Solution. Using this data collector requires the following permissions:

• Discovery Management Role
• Application Impersonation Role (create a new role group to impersonate users in the organization)
• Also needed for Exchange Online or hybrid environments:
  • Customized Administrator > Exchange Administrator Role
  • Exchange Online License with a mailbox

See the Appendix: Create Custom Application Impersonation Role in Exchange section for additional information.


MAPI-Based Data Collector Permissions

The Exchange2K, ExchangeMailbox, and ExchangePublicFolder data collectors have their own permission requirements.

These data collectors support Exchange 2010 through Exchange 2013. Because they are MAPI-based, they do not support Exchange Online, Exchange 2019, or Exchange 2016.

All MAPI-based data collectors have the following prerequisites:

• Microsoft MAPI CDO installed on the StealthAUDIT Console
• StealthAUDIT MAPI CDO installed on the StealthAUDIT Console
• Settings > Exchange node configured in the StealthAUDIT Console

The Exchange2K Data Collector, used in the 3. Databases Job Group, has the following permission requirement:

• Public Folder Management

The ExchangePublicFolder Data Collector, used in the 5. Public Folders Job Group, has the following permission requirement:

• Organization Management

The ExchangeMailbox Data Collector, used in the 7. Sensitive Data Job Group, has the following permission requirements:

• Organization Management
• Discovery Management


Enable Exchange Mailbox Access Auditing

In order to collect Mailbox Access Auditing events, it is necessary to enable mailbox audit logging in Exchange. See the following Microsoft articles:

• Exchange Online – Enable mailbox auditing in Office 365
• Exchange 2016 and Exchange 2019 – Enable or disable mailbox audit logging for a mailbox
• Exchange 2013 – Enable or disable mailbox audit logging for a mailbox
• Exchange 2010 – Enable or Disable Mailbox Audit Logging for a Mailbox

The 4. Mailboxes Job Group requires Exchange Mailbox Access Auditing to be enabled.
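The Microsoft articles referenced above walk through the per-mailbox settings; the following script is an added example, not part of the Stealthbits documentation, that applies them across all user mailboxes and then confirms that audit records are actually being written and are readable. It runs in the Exchange Management Shell on Exchange 2010 through 2019 (the Set-Mailbox portion also works in an Exchange Online session). The mailbox alias jdoe, the 90-day age limit, and the seven-day lookback are placeholders; the action lists are the ones the referenced articles document and can be trimmed to what the 4. Mailboxes Job Group needs.

```powershell
# Added example (not Stealthbits code). Run in the Exchange Management Shell.
# Assumptions: mailbox 'jdoe' exists for the verification query; 90-day retention is acceptable.

# 1. Find user mailboxes whose audit log is still switched off.
$notAudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled }

# 2. Enable auditing on them. Delegate and Admin logon types are what "mailbox access by
#    someone other than the owner" means; Owner actions are left at the default.
foreach ($mbx in $notAudited) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditLogAgeLimit '90.00:00:00' `
        -AuditAdmin    Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf `
        -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf
}

# 3. Report the resulting state for every user mailbox.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object DisplayName, AuditEnabled, AuditLogAgeLimit, AuditDelegate |
    Format-Table -AutoSize

# 4. Read back recent non-owner access for one mailbox. Run this step as the Connection
#    Profile account: if it fails, the account lacks the Mailbox Search role the
#    Exchange PowerShell Permissions section requires for the 4. Mailboxes > Logons collection.
Search-MailboxAuditLog -Identity 'jdoe' -LogonTypes Admin,Delegate -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ClientInfoString
```

Auditing only captures events that occur after it is enabled, so allow time for entries to accumulate before judging the 4. Mailboxes Job Group's output; FolderBind in particular is sampled rather than logged on every access, which is expected and not a permissions problem.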


Appendices

The following appendices contain additional information that may be of use.

Appendix: Enable Remote PowerShell for ExchangePS Data Collector

Remote PowerShell must be enabled on a single Client Access Exchange server in the target environment for the ExchangePS Data Collector. Follow these steps to enable Remote PowerShell.

Step 1 – On the server that StealthAUDIT will connect to with Remote PowerShell, open PowerShell as an administrator.

Step 2 – Run the following command: Enable-PSRemoting

Step 3 – When prompted, type "A" (Yes to All) and then "A" again to enable the required services and protocols.

Remote PowerShell has been enabled. See the Microsoft Tip: Enable and Use Remote Commands in Windows PowerShell article for additional information.

It is then necessary to enable Windows Authentication for the PowerShell Virtual Directory on the same server. See the Appendix: Enable Windows Authentication for PowerShell Virtual Directory section for additional information.

Appendix: Enable Windows Authentication for PowerShell Virtual Directory

Once Remote PowerShell has been enabled on an Exchange server in the environment, it is also necessary to enable Windows Authentication for the PowerShell Virtual Directory on the same Exchange server. Follow these steps to enable Windows Authentication.

Step 1 – On the server where Remote PowerShell was enabled, open Internet Information Services (IIS) Manager.

Step 2 – Navigate to the PowerShell Virtual Directory under the Default Web Site. Select Authentication and click Open Feature.

Step 3 – Right-click Windows Authentication and select Enable.

Windows Authentication has been enabled for the PowerShell Virtual Directory.
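The two appendices above can be completed, and the result tested end to end, from the command line. The following is an added example, not part of the Stealthbits documentation. Part 1 runs in an elevated Exchange Management Shell on the Exchange server chosen as the endpoint; Part 2 runs on the StealthAUDIT Console server under the Connection Profile account. The server name EX01.contoso.com, the domain CONTOSO, and the account svc-stealthaudit are placeholders.

```powershell
# Added example (not Stealthbits code).
# Assumed names: endpoint server EX01 (FQDN EX01.contoso.com), Connection Profile
# account CONTOSO\svc-stealthaudit.

# ---- Part 1: on EX01, elevated Exchange Management Shell ----

# Same as Step 2/3 of the Remote PowerShell appendix; -Force answers the "A"/"A" prompts.
Enable-PSRemoting -Force

# Same as Steps 1-3 of the Windows Authentication appendix, as a cmdlet. Exchange 2013+
# also has a "PowerShell (Exchange Back End)" directory, so select the Default Web Site one.
$vdir = Get-PowerShellVirtualDirectory -Server $env:COMPUTERNAME |
    Where-Object { $_.Name -like '*Default Web Site*' }
Set-PowerShellVirtualDirectory -Identity $vdir.Identity -WindowsAuthentication $true

# Confirm: WindowsAuthentication should now be True. Leave BasicAuthentication False
# unless something else needs it; Basic sends the Connection Profile password to IIS.
Get-PowerShellVirtualDirectory -Identity $vdir.Identity |
    Format-List Name, WindowsAuthentication, BasicAuthentication

# ---- Part 2: on the StealthAUDIT Console server ----

$cred = Get-Credential -UserName 'CONTOSO\svc-stealthaudit' -Message 'Connection Profile account'

# Kerberos is what "Windows Authentication" means here; the URI must match the
# server name entered in the CAS field of Settings > Exchange.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'http://EX01.contoso.com/PowerShell/' `
    -Authentication Kerberos -Credential $cred

# Import only the cmdlets needed for the check (fewer proxies, less to clean up).
Import-PSSession $session -CommandName Get-ManagementRoleAssignment, Get-Mailbox -AllowClobber | Out-Null

# A View-Only Organization Management member can read configuration:
Get-Mailbox -ResultSize 5 | Select-Object DisplayName, Database

# ...and this lists every role the account holds through its role groups:
Get-ManagementRoleAssignment -RoleAssignee 'CONTOSO\svc-stealthaudit' -GetEffectiveUsers |
    Select-Object Role, RoleAssigneeName | Sort-Object Role -Unique

Remove-PSSession $session
```

If New-PSSession fails with an access-denied error while the role groups are correct, Windows Authentication on the virtual directory is the usual cause; if it fails with a WinRM connection error, Enable-PSRemoting did not complete or a firewall is blocking TCP 80 to the server.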


Appendix: Create Custom Application Impersonation Role in Exchange

Follow these steps to create the custom Application Impersonation role group. The process is the same for Exchange 2010 Service Pack 1 through Exchange 2019 and Exchange Online.

Step 1 – In the Exchange Admin Center, navigate to the permissions section and select admin roles.

Step 2 – Add a new role group by clicking the + button; the New Role Group window opens.

Step 3 – Configure the new role group with the following settings:

• Name – Provide a distinct name for the role group, e.g. Application Impersonation
• Description – Optionally indicate in the description that the new role group is required for StealthAUDIT
• Write scope – Leave set to Default
• Roles – Click the + button to open the Select a Role window. Select the ApplicationImpersonation role from the available list and click Add. Then click OK to close the Select a Role window.
• Members – Click the + button to open the Select Members window. Select the account from the available list and click Add. Remember, the account also needs the other permissions required for the EWSMailbox and/or EWSPublicFolder data collectors. Then click OK to close the Select Members window.

Step 4 – Save the new role group.

The new role group appears in the list.
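The same role group can be created from the Exchange Management Shell (or an Exchange Online PowerShell session), which also makes it easy to grant the on-premises role groups listed in the Exchange PowerShell Permissions section and to verify the account's effective roles afterwards. The following is an added example, not part of the Stealthbits documentation. The account CONTOSO\svc-stealthaudit and the role group name Application Impersonation are placeholders; the other group names are the built-in Exchange role groups, so adjust them if your organization uses custom groups.

```powershell
# Added example (not Stealthbits code). Run in the Exchange Management Shell.
# Assumptions: service account CONTOSO\svc-stealthaudit; role group name below.
$Account   = 'CONTOSO\svc-stealthaudit'
$GroupName = 'Application Impersonation'

# Steps 1-4 of the appendix as one cmdlet: a role group holding only the
# ApplicationImpersonation role, default write scope, with the service account as its member.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles 'ApplicationImpersonation' -Members $Account `
        -Description 'Required for StealthAUDIT EWSMailbox / EWSPublicFolder data collectors'
} else {
    Add-RoleGroupMember -Identity $GroupName -Member $Account
}

# On-premises role groups from the Exchange PowerShell Permissions section.
# (For Exchange Online the section lists Discovery Management and Organization Management instead.)
foreach ($group in 'View-Only Organization Management', 'Discovery Management', 'Public Folder Management') {
    if (-not (Get-RoleGroupMember -Identity $group | Where-Object { $_.Name -eq ($Account -split '\\')[-1] })) {
        Add-RoleGroupMember -Identity $group -Member $Account
    }
}

# Mailbox Search is a management role rather than a role group: assign it directly.
if (-not (Get-ManagementRoleAssignment -Role 'Mailbox Search' -RoleAssignee $Account -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role 'Mailbox Search' -User $Account
}

# Verify: every role the account holds, directly or through role groups, with its write scope.
# ApplicationImpersonation must appear here, or EWS calls on behalf of other users will be rejected.
Get-ManagementRoleAssignment -RoleAssignee $Account -GetEffectiveUsers |
    Select-Object Role, RoleAssigneeName, RecipientWriteScope, ConfigWriteScope |
    Sort-Object Role -Unique | Format-Table -AutoSize
```

ApplicationImpersonation lets the holder act as any mailbox in its scope, and Organization Management (required for Exchange Online and the MAPI-based collectors) grants full control of the Exchange configuration, so the account used here should be dedicated to StealthAUDIT, not shared with interactive administrators, and its role group memberships should be part of regular privileged-access reviews.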


More Information

Identify threats. Secure data. Reduce risk.

Stealthbits, now part of Netwrix, is a data security software company focused on protecting an organization's credentials and data. By removing inappropriate data access, enforcing security policy, and detecting advanced threats, we reduce security risk, fulfill compliance requirements, and decrease operations expense.

For information on our products and solution lines, check out our website at www.stealthbits.com or send an email to our information center at [email protected].

If you would like to speak with a Stealthbits Sales Representative, please contact us at +1.201.447.9300 or via email at [email protected].

Have questions? Check out our online Documentation or our Training Videos (requires login): https://www.stealthbits.com/documentation. To speak to a Stealthbits Representative: please contact Stealthbits Support at +1.201.447.9359 or via email at [email protected].

Need formal training on how to use a product more effectively in your organization? Stealthbits is proud to offer FREE online training to all customers and prospects! For schedule information, visit: https://www.stealthbits.com/on-demand-training.
