Showing posts with label Security. Show all posts

Tuesday, April 10, 2018

Exchange Online Mailbox Audit Improvements: UpdateFolderPermissions

A few weeks ago, Microsoft added a new action to the Exchange mailbox auditing: UpdateFolderPermissions. As the name suggests, when this action is being logged, it records changes to folder permissions, be that Owner, Delegates, or Admin.

Microsoft has updated the default mailbox audit configuration to include the UpdateFolderPermissions action. In the following screenshot, we can see that auditing has not been enabled for the ServiceDesk shared mailbox, but UpdateFolderPermissions is part of the default auditing configuration for all 3 access types:

Existing mailboxes that have not deviated from the default configuration will be automatically updated to include the UpdateFolderPermissions action. My own mailbox has had the default auditing settings enabled for a long time, and now UpdateFolderPermissions was automatically added as well:

With mailbox audit configured with this action, we will find records in the audit logs when permissions of folders are added, deleted or modified. These records can be found both in the unified audit log:

Or in the mailbox audit log through the Search-MailboxAuditLog cmdlet.

In the following screenshot, we are searching the mailbox audit logs for the AddFolderPermissions action. Using these logs, we can see that I (LogonType: Owner) used OWA to give ServiceDesk Owner rights to my Clutter folder, and that I used Outlook to give them Reviewer rights to my Archive folder:


Besides AddFolderPermissions, we can also track ModifyFolderPermissions and RemoveFolderPermissions actions:
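The check and search described in this post, as an added example that is not part of the original post. It assumes an Exchange Online PowerShell session and a mailbox named ServiceDesk (a constructed name): it first confirms that UpdateFolderPermissions is present in all three audit sets, then lists the folder-permission changes recorded in the mailbox audit log.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# PowerShell session; 'ServiceDesk' is a constructed mailbox name.
$mailbox = 'ServiceDesk'
$mbx = Get-Mailbox -Identity $mailbox

if (-not $mbx.AuditEnabled) {
    Write-Warning "$mailbox : mailbox auditing is not enabled (AuditEnabled = False)"
}

# UpdateFolderPermissions should be part of the Owner, Delegate and Admin audit sets.
foreach ($set in 'AuditOwner', 'AuditDelegate', 'AuditAdmin') {
    if (@($mbx.$set) -notcontains 'UpdateFolderPermissions') {
        Write-Warning "$mailbox : UpdateFolderPermissions is missing from $set"
    }
}

# Folder-permission changes from the last 30 days. -ShowDetails returns one
# record per event (and is required for LogonType Owner to be included).
$events = Search-MailboxAuditLog -Identity $mailbox -LogonTypes Owner, Delegate, Admin `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails |
    Where-Object { $_.Operation -in 'AddFolderPermissions', 'ModifyFolderPermissions', 'RemoveFolderPermissions' }

# Who changed permissions on which folder, from which client, and when.
$events |
    Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName, FolderPathName, ClientInfoString |
    Sort-Object LastAccessed |
    Format-Table -AutoSize
```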

Wednesday, May 18, 2016

Outbound DKIM Signing in Office 365

About a year ago, I wrote an article entitled DKIM and DMARC in Office 365 where I explored what DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) are, and how exactly they work with Exchange Online in Office 365.

At the time of writing that article, Office 365 only supported inbound validation of DKIM over IPv4 and IPv6. Outbound DKIM signing was not yet available but was on the roadmap. Well, it is here now!

To continue reading about DKIM signing in Office 365, please check this article at MSExchange.org.

Thursday, April 21, 2016

Search Admin Audit Log Old Properties

When searching the Admin Audit Log using the Search-AdminAuditLog cmdlet, you might find some useful information missing:
Search-AdminAuditLog -Cmdlets Set-TransportService

ObjectModified     : EXAIO
CmdletName         : Set-TransportService
CmdletParameters   : {MessageTrackingLogMaxAge, MessageTrackingLogMaxDirectorySize, Identity}
ModifiedProperties : { }
Caller             : nunomota.pt/Users/Admin
Succeeded          : True
Error              : None
RunDate            : 9/10/2015 8:47:48 AM
OriginatingServer  : EXAIO (15.00.1104.000)

From the above, we can see what was changed (the maximum age for the logs and the maximum allowed size for the directory) but not what these settings were changed to...

To see this, we have to dig deeper into CmdletParameters:
(Search-AdminAuditLog -Cmdlets Set-TransportService).CmdletParameters

Name                                 Value
----                                 -----
MessageTrackingLogMaxAge             45.00:00:00
MessageTrackingLogMaxDirectorySize   10 GB (10,737,418,240 bytes)
Identity                             EXAIO

Now we know exactly what the user Admin changed! But what if we want to know what these settings were before this change?

By default, the administrator audit log records only the cmdlet name, cmdlet parameters (and values specified), the object that was modified, who ran the cmdlet, when the cmdlet was run, and on what server the cmdlet was run. The administrator audit log does not log what properties were modified on the object. If we want the audit log to also include the properties of the object that were modified, we need to enable verbose logging by setting the LogLevel parameter to Verbose:
Set-AdminAuditLogConfig -LogLevel Verbose

When we enable verbose logging, in addition to the information logged by default, the properties modified on an object, including their old and new values, are included in the audit log:
(Search-AdminAuditLog -Cmdlets Set-TransportService).ModifiedProperties

Name                                 NewValue      OldValue
----                                 --------      --------
MessageTrackingLogMaxAge             45.00:00:00   31.00:00:00
MessageTrackingLogMaxDirectorySize   10 GB         5 GB

Now we know exactly what got changed and what the old configuration was!
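As an added example (not from the original post), the following function ties the two searches above together: it warns when LogLevel is not Verbose, and flattens each audit entry into one row per modified property so a reviewer sees who changed what, from which value, to which value. It assumes an on-premises Exchange Management Shell session; the function name Get-AdminAuditChange is made up for this example.

```powershell
# Added example (not from the original post). Assumes an Exchange Management
# Shell session where Search-AdminAuditLog and Get-AdminAuditLogConfig are available.
function Get-AdminAuditChange {
    param(
        [string[]]$Cmdlets   = @('Set-TransportService'),
        [datetime]$StartDate = (Get-Date).AddDays(-30),
        [datetime]$EndDate   = (Get-Date)
    )

    # Without LogLevel = Verbose, ModifiedProperties stays empty and OldValue is never recorded.
    $config = Get-AdminAuditLogConfig
    if ($config.LogLevel -ne 'Verbose') {
        Write-Warning "AdminAuditLogConfig LogLevel is '$($config.LogLevel)'; old values are not logged."
    }

    Search-AdminAuditLog -Cmdlets $Cmdlets -StartDate $StartDate -EndDate $EndDate |
        ForEach-Object {
            $entry = $_
            if ($entry.ModifiedProperties.Count -gt 0) {
                # Verbose logging: one row per property, with old and new values.
                foreach ($prop in $entry.ModifiedProperties) {
                    [pscustomobject]@{
                        RunDate = $entry.RunDate;  Caller   = $entry.Caller
                        Object  = $entry.ObjectModified; Cmdlet = $entry.CmdletName
                        Property = $prop.Name; OldValue = $prop.OldValue; NewValue = $prop.NewValue
                        Succeeded = $entry.Succeeded
                    }
                }
            } else {
                # Default logging: fall back to the parameters supplied; the old value is unknown.
                foreach ($param in ($entry.CmdletParameters | Where-Object { $_.Name -ne 'Identity' })) {
                    [pscustomobject]@{
                        RunDate = $entry.RunDate;  Caller   = $entry.Caller
                        Object  = $entry.ObjectModified; Cmdlet = $entry.CmdletName
                        Property = $param.Name; OldValue = '(not logged)'; NewValue = $param.Value
                        Succeeded = $entry.Succeeded
                    }
                }
            }
        }
}

Get-AdminAuditChange -Cmdlets 'Set-TransportService' | Sort-Object RunDate | Format-Table -AutoSize
```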

Monday, April 20, 2015

Office 365 Compliance Center

The new Compliance Center contains the key compliance-related features for an Office 365 administrator to manage compliance across Office 365, Exchange Online and SharePoint Online.
 
Currently many of the compliance features are still accessible through service-specific management interfaces, such as the Exchange Admin Center. However, this will change in the future as more service-independent compliance features are added to the Compliance Center.
 
Consolidating compliance functionality across services into this single area will make compliance features easier to access and enhance your end-to-end task-based experience.
 
To access the Compliance Center you can either go directly to its URL at https://compliance.protection.outlook.com/Ucc or, if you are an Office 365 administrator:

1. Sign in to Office 365;
2. Select the app launcher icon in the upper-left and choose Admin:
 
3. In the lower-left navigation, expand Admin and choose Compliance:
 
4. You are then taken into the new Compliance Center:
 
 
As mentioned, this is currently being rolled out so it is possible that you will not see all the features in here just yet. For example, there will be an Auditing section as well which is not yet present in my tenant.
 
Stay tuned for a full article on the new Office 365 Compliance Center!

Monday, July 21, 2014

Exchange 2013 with Rights Management Connector

Windows Rights Management Services (also known as Rights Management Services, Active Directory Rights Management Services or simply RMS) is a form of Information Rights Management used on Microsoft Windows. It uses encryption and a form of selective functionality denial to limit access to information, such as e-mails or Word documents, and to enforce which operations authorized users can perform on them.
Users can use this technology to encrypt information stored in such document formats and, through policies embedded in them, prevent the protected content from being decrypted except by specified people or groups, under certain conditions, and even for certain periods of time. Specific operations such as printing, copying, editing, forwarding and deleting can be allowed or disallowed by the author.
 
Rights Management Server first debuted in 2005 as an add-on to Windows Server 2003, with client API libraries made available for Windows XP and Windows 2000. With Windows Server 2008, it was renamed to Active Directory Rights Management Services [ADRMS], reflecting its higher level of integration with AD.

The next big “upgrade” was in July 2013 when Microsoft released a preview of Azure Rights Management which allows organizations to protect their data in Office 365. Azure RMS is included with E3, E4, A3 and A4 plans at no additional cost, or it can be purchased as a standalone subscription.
 
For organizations that are in the process of migrating to Office 365 there is a feature called RMS Connector that enables protected content to work with an organization’s online services as well as on-premises servers.
 
RMS connector lets administrators enable existing on-premises servers, such as Exchange, SharePoint or even file servers running Windows Server to use their Information Rights Management [IRM] functionality with the cloud-based RMS. With this functionality, IT and users can easily protect information both inside and outside the organization, without having to install additional infrastructure or establish trust relationships with other organizations.

The RMS connector is a small-footprint service that is installed on-premises on servers that run Windows Server 2008 R2, 2012 or 2012 R2. Once installed and configured, it acts as a communications interface (a relay) between the on-premises IRM-enabled servers and the cloud service.

To read the entire article, please check Exchange 2013 with Rights Management Connector on MSExchange.org.
 
 

Friday, November 16, 2012

Exchange 2013 Data Loss Prevention

Data Loss Prevention [DLP] is a system designed to detect a potential data breach or leakage incident in a timely manner and prevent it. Such an incident occurs when sensitive data, such as personal or company information, credit card details, social security numbers, etc., is disclosed to unauthorized users, either with malicious intent or by mistake. This has always been an important matter for most companies, as the loss of sensitive data can be very damaging for a business. For many years now, there have been both software and hardware solutions that monitor data while:
in-use: end-user actions such as copying data to USB or printing it for example;
in-motion: network communications like e-mail, web traffic, Instant Messaging, etc.;
at-rest: data stored in file shares or on users’ drives.

Up until now, Exchange Administrators had to rely on third-party solutions to achieve this, but some solutions would cause more harm than good and user productivity would suffer. With Exchange 2013, Microsoft now makes it possible to enforce compliance requirements for such data and control how it is used in e-mail. DLP is the new feature that allows administrators to manage sensitive data in Exchange!

To read the full article, please go to MSExchange.org - Exchange 2013 Data Loss Prevention.