Exchange must have Administrator audit logging enabled.

From MS Exchange 2013 Mailbox Server Security Technical Implementation Guide

Part of SRG-APP-000027

Associated with: CCI-001403

SV-84563r1_rule Exchange must have Administrator audit logging enabled.

Vulnerability discussion

Unauthorized or malicious data changes can compromise the integrity and usefulness of the data. Automated attacks or malicious users with elevated privileges have the ability to effect change using the same mechanisms as email administrators. Auditing changes to access mechanisms not only supports accountability and nonrepudiation for those authorized to define the environment but also enables investigation of changes made by others who may not be authorized. Note: This administrator auditing feature audits all exchange changes regardless of the users' assigned role or permissions.

Check content

Open the Exchange Management Shell and enter the following command: Get-AdminAuditLogConfig | Select Name, AdminAuditLogEnabled If the value of AdminAuditLogEnabled is not set to True, this is a finding.

Fix text

Open the Exchange Management Shell and enter the following command: Set-AdminAuditLogConfig -AdminAuditLogEnabled $true

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer