Monitor emails sent from a user - SBS 2003


TechieSooner
01-03-2008, 07:00 PM
Running SBS 2003.

Have a user we kind of want to monitor...

Nightly backups don't prevent a user from sending then deleting an email all in the same day!

How do I monitor emails?

And is there any way at all to monitor websites visited or something (via DNS queries or something?)

swatbat
01-03-2008, 10:45 PM
You can always access their email account anytime you want. Hell, if you want to monitor email that is being received you can forward it to your own account. As far as outgoing email.

Generally the best way is with a 3rd party program. We use GFI mail archiver at a client's and it works well.

Anyway, look into Journaling with Exchange. 2003 does support it and it should do what you need.

http://technet.microsoft.com/en-us/library/aa997525.aspx

As far as monitoring web sites, if you have premium SBS, ISA can do it.

Edit:
I should add the journaling really does it for the entire store. Only time I've ever used it is sending the data to another email server.

They do have some products like this
http://www.ivasoft.biz/sj.shtml
That can do a selective one of only one user but I've never used it. Really something like GFI's solution is prob the best one. Exchange 07 has another way of doing this but I can't think of it off the top of my head and it wouldn't help you.

Your email spam filter (since I'm assuming you have one) may have something in it as well to forward outgoing email. Might be something to look into.

TechieSooner
01-03-2008, 11:28 PM
> You can always access their email account anytime you want. Hell, if you want to monitor email that is being received you can forward it to your own account.

How do I view their email from the server?
Can't see it anytime I want because if they aren't there, I can't see their Outlooks, and me changing their passwords on them raises too many flags.

Would forwarding the messages to my own account still let him get his just fine?


> They do have some products like this
> http://www.ivasoft.biz/sj.shtml
> That can do a selective one of only one user but I've never used it.
Looked promising... Followed their instructions just fine, but my account never gets the archive messages (even doing it the plain old Exchange way).


I really don't want to archive the whole company's messages. That would eat up gobs of space... so something individual like that would be good. However, I wasn't able to get it to work; perhaps I'll email him.

swatbat
01-03-2008, 11:49 PM
Forwarding the incoming mail is easy. In Active Directory you right click on the user and go to properties. Under Exchange General, Delivery Options, you can forward the mail to another AD user or group or even an external user if you make an SMTP contact in the AD for the external address. There is a check box to deliver messages to the forward and the mailbox. This works for incoming mail only.

Under Exchange Advanced in the AD user's properties you can click on Mailbox Rights and give yourself full access to the mailbox.

After that in Outlook you can just go under File, Open and select another user's mailbox. You can do it under your mail setup as well. It has an option under Advanced when you set up Exchange to open extra mailboxes. That way you could check it whenever you wanted but if they remove something from Exchange it will be removed from your copy as well.

What mail security (both AV protection and anti spam) are you using? One of them may be able to archive mail. With filters you could limit it to one user. I know you can with GFI's anti spam. I think you can in Symantec's mail security too but haven't tried it. I don't think you can in programs like ORF though.
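Added example, not part of the original post: the Delivery Options forward described above is stored on the user object in the `altRecipient` attribute, with `deliverAndRedirect` recording the "deliver to both" check box, so a directory export can be audited to see which mailboxes are being forwarded and to whom. The sketch below parses an LDIF export in Python; the sample entries, domain and OU names are constructed for illustration.

```python
# Constructed sample shaped like an `ldifde` export of three user objects.
SAMPLE_LDIF = """\
dn: CN=User A,OU=SBSUsers,DC=example,DC=local
sAMAccountName: usera
altRecipient: CN=Admin One,OU=SBSUsers,DC=example,DC=local
deliverAndRedirect: TRUE

dn: CN=User B,OU=SBSUsers,DC=example,DC=local
sAMAccountName: userb

dn: CN=User C,OU=SBSUsers,DC=example,DC=local
sAMAccountName: userc
altRecipient: CN=Outside Contact,OU=Contacts,
 DC=example,DC=local
"""


def parse_ldif(text):
    """Return one {attribute: value} dict per entry (base64 '::' values are not decoded)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # LDIF folds long values onto space-indented lines
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            current[name.strip().lower()] = value.strip()
    return entries


def audit_forwarding(entries):
    """List every mailbox with a forward set and whether the owner still gets a copy."""
    findings = []
    for entry in entries:
        target = entry.get("altrecipient")
        if target:
            findings.append({
                "user": entry.get("samaccountname", entry.get("dn", "?")),
                "forward_to": target,
                "keeps_copy": entry.get("deliverandredirect", "").upper() == "TRUE",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_forwarding(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

A forward with `keeps_copy` false means the mailbox owner no longer receives the message at all, which is the case most worth reviewing.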

TechieSooner
01-03-2008, 11:55 PM
> but if they remove something from exchange it will be removed from your copy as well
That is my issue with that.

A questionable email was sent (supposedly), yet I checked sent items, deleted items, nothing there.



> What Mail security (both av protection and anti spam) are you using? One of them may be able to archive mail.
NOD32 and IMF.
IMF seems to do a decent job. Some spam still gets through, but it cuts the bulk of it out even on the lowest setting.


That would work great on incoming mail.

This questionable email was sent to another user on the same box- would it see that as "incoming" on the other box or is "incoming" only from external sources?

swatbat
01-04-2008, 12:21 AM
> That is my issue with that.
>
> A questionable email was sent (supposedly), yet I checked sent items, deleted items, nothing there.
>
> NOD32 and IMF.
> IMF seems to do a decent job. Some spam still gets through, but it cuts the bulk of it out even on the lowest setting.
>
> That would work great on incoming mail.
>
> This questionable email was sent to another user on the same box- would it see that as "incoming" on the other box or is "incoming" only from external sources?

If you were forwarding email of user b and user a sends them an email, even if it is internal it would go to the forward as well. In the same sense, if they send an email to another user you could always open their mailbox to see it if you wanted to.

TechieSooner
01-04-2008, 08:49 PM
OK Thanks!

Carloswill
01-04-2008, 09:10 PM
This may be illegal and even as the system administrator, your user has privacy rights which you are invading on. I work for the U.S. DoD and in order to monitor Internet usage or email traffic, you must have our legal dept. approve this...

I would be careful as this seems to be a grey area depending on your EUA with staff.

drgnCabe
01-05-2008, 09:16 PM
The reason you can't access other's mailboxes is due to the explicit deny security for domain admins and enterprise admins in Exchange 2003. This can be changed via the Exchange System Manager. Keep in mind an explicit deny will always override an allow. For example if you are a member of both Enterprise Admins and Domain Admins, Enterprise Admins have allow but Domain Admins have deny, then you will be denied.

If you trust your domain admin(s) (and you should!!) then it's easier to remove the deny from both. When I was working for a small firm (and a new guy) years ago, I let the bosses know that changing this will allow me to open their mailboxes like they do. While most of the time this is assumed, it's good to cover your ass. Also keep in mind the possible legalities in doing so; our usage policy states that we can monitor either directly or indirectly at any time. FL Government also states on their emails that all emails are filed as public record and can be requested via FOIA at any time, even those deemed 'personal.'

To do this, do the following:

Open Exchange System Manager
Under "Administrative Groups" > "First Administrative Group" > "Server" right click on the server you want to modify and open 'properties'
Click on the security tab, then click 'advanced' and uncheck 'Allow inheritable permissions', then click 'copy' on the dialog. Click OK
Now back on the permissions screen, uncheck the deny from both the admin group and enterprise admin group.

*** Keep in mind the above method can cause some security issues: not only will all users who have 'Domain Admin' rights be able to open anyone's mailbox, but they will be able to send as any user. This could cause a lot of problems if a disgruntled user has domain admin privileges. I prefer the next method.

A per-user way (this provides much more security) is:

Open "Active Directory users and computers" on the SBS server
Click on "View" then click on "Advanced Features"
Look for and open the user account you want access to
Click on the 'exchange advance' tab and then on 'mailbox rights'
Add your account and click on 'Full Mailbox rights' as your permissions

Now, either way you can open the mailbox in Outlook to look into.

drgnCabe
01-05-2008, 10:54 PM
> This may be illegal and even as the system administrator, your user has privacy rights which you are invading on. I work for the U.S. DoD and in order to monitor Internet usage or email traffic, you must have our legal dept. approve this...
>
> I would be careful as this seems to be a grey area depending on your EUA with staff.

Your situation is probably a little more specialized. When I worked for a company that held DoD contracts, it had a lot to do with the possibility of sensitive information (in my case, health records) getting into unauthorized hands. This doesn't always depend on whether or not the data itself is secret. I have a friend that works for a company called JTASK that does military training and various other DoD related stuff. They need permission to even back up certain systems.

Of course it all depends on where you're from and what laws apply; here is an interesting SecurityFocus (http://www.securityfocus.com/columnists/412/2) article on the subject. What gets even more interesting is if there are multiple laws and some of those (federal or local) actually require the backup (which at times has been viewed as 'interception' according to some cases) of emails.

DeaconFrost
01-05-2008, 11:12 PM
> I would be careful as this seems to be a grey area depending on your EUA with staff.
I would also agree that your situation may be different than others. I did contract work for the DoD, and their rules were much different than the private sector. I can only speak for my company, but as the System Admin, I have rights to view anyone's e-mail or access anyone's files stored on the company issued computer or one of my servers. I can also tell you I don't do this, unless instructed to do so by the user or their manager. There are ethics involved...just because I have the key to a door, doesn't mean I should open it.

I should also note that what I said above is clearly detailed in our company employee handbook, which is given to each employee when they start. Company systems should be used for company business, and the user doesn't own their computer.

Now, if I do work on someone's personal computer that they bring in for me to work on, the rules are different. I ask their permission each and every time I need to access something.