SUMMARY
A group policy can be set so that the Exchange Server audits failed user logons. This level of auditing helps identify unauthorized logon attempts (password guessing, use of disabled or non-existent accounts, and so on) because each failure is written to the server's Security event log. You can create, scope and enable such a group policy using the steps below.
STEPS
Domain Controller
- On the domain controller, run “gpmc.msc” (Group Policy Management)
- Right-click on the domain, and select “Create a new GPO in this domain and link it here”
- Give it a descriptive name
- Under the ‘Scope’ tab of the new group policy, click ‘Add’ under Security Filtering
- Click on Object Types, enable ‘Computers’ and click OK
- Type in the name of the Exchange Server’s computer account and click ‘Check Names’ to resolve it. Click OK. This grants that computer Read and Apply Group Policy permission on the GPO.
- Click on ‘Authenticated Users’ and click Remove, so that the policy applies only to the Exchange Server and not to every computer in the domain. (If GPMC warns about Read permission when you remove this entry, leave Authenticated Users with Read only via the Delegation tab; the computer-side settings in this GPO still apply to the Exchange Server because its computer account has Apply.)
- Right-click on this new policy which appears beneath the domain name, and select ‘Edit’
- A new window will pop up to edit this group policy.
- Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff
- Double-click on ‘Audit Logon’, check ‘Configure the following audit events:’, and check ‘Failure’. Click OK. (If legacy audit policy settings from another GPO also reach this server, make sure ‘Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings’ under Security Options is enabled, otherwise the two sets of settings can conflict.)
- Close the window to return back to the Group Policy Management window.
- Select the Domain, and on the ‘Linked Group Policy Objects’ tab you should see the policies that are linked there. Our newly added policy is already linked; the link can be disabled / re-enabled (right-click → ‘Link Enabled’) to quickly turn the policy off or on without deleting it.
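The same GPO creation and scoping can be scripted with the GroupPolicy PowerShell module instead of clicking through GPMC. The script below is an added example, not part of the original article; it assumes the GroupPolicy module is available (it is on a domain controller, or wherever RSAT is installed), that the Exchange Server’s computer account is named EXCH01, that the domain is corp.example.com, and uses the GPO name “Audit Exchange Logon Failures”. There is no GroupPolicy cmdlet for Advanced Audit Policy subcategories, so the ‘Audit Logon: Failure’ setting itself is still made in the editor as described above; the script only creates, links and scopes the GPO and then checks the setting landed.

```powershell
# Added example (not from the original article): create and scope the audit GPO.
# Assumptions: GroupPolicy module present, Exchange computer account EXCH01,
# domain corp.example.com. Run from an account that can create and link GPOs.
Import-Module GroupPolicy

$GpoName  = 'Audit Exchange Logon Failures'
$DomainDn = 'DC=corp,DC=example,DC=com'
$Exchange = 'EXCH01'   # computer account name, without the trailing $

# Create the GPO and link it at the domain root (the "Create a new GPO ... and link it here" step).
$gpo = New-GPO -Name $GpoName -Comment 'Audit Logon = Failure, scoped to the Exchange server'
New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes | Out-Null

# Security Filtering: the Exchange computer account gets Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $Exchange -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null

# Drop Authenticated Users from Apply to Read only. Read is kept (rather than removed
# outright, as the GUI "Remove" does) so policy processing can still read the GPO;
# -Replace is required because the cmdlet will not lower an existing permission otherwise.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Show the resulting filtering so it can be compared with the Scope / Delegation tabs.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission

# After setting Audit Logon = Failure in the editor, confirm it appears in the GPO report.
# Returns $true when the report contains the subcategory.
$report = Get-GPOReport -Name $GpoName -ReportType Xml
$report -match 'Audit Logon'

# To switch the policy off or on quickly, toggle the link instead of deleting the GPO:
# Set-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled No
```

The link-level on/off switch at the end corresponds to unlinking and re-linking in GPMC, but keeps the GPO’s GUID and settings in place, so nothing has to be recreated when auditing is turned back on.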
Exchange Server
- On the Exchange Server, open an elevated command prompt or PowerShell window and record the current audit policy so it can be compared afterwards:
- auditpol /get /category:*
- Run gpupdate to retrieve and apply the new policy locally (add /force if the settings should be re-applied even when the GPO version has not changed):
- gpupdate
- Run auditpol again and confirm that the ‘Logon’ subcategory under Logon/Logoff now shows ‘Failure’:
- auditpol /get /category:*
- In the Security event log, filter on event ID 4625 (“An account failed to log on”).
- Generate a deliberate logon failure through OWA with a test account, and confirm that a 4625 event is logged. The event should show the account name that was tried, the client’s address in ‘Source Network Address’, and a Sub Status that explains why the logon failed (for example 0xC000006A for a bad password, 0xC0000064 for a user name that does not exist, 0xC0000234 for a locked-out account). Failures for domain accounts are also recorded on the domain controller (event 4771 for Kerberos pre-authentication failures, 4776 for NTLM credential validation), so the DC’s Security log is a second place to check.
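The verification and the log check above can be done in one PowerShell session on the Exchange Server. The script below is an added example, not part of the original article; it assumes it is run elevated on the Exchange Server, that the new policy has already been linked, and it uses a constructed 24-hour window and an assumed test account name (svc-owa-test) for the deliberate failure. It parses each 4625 event’s XML to pull out the fields an investigator actually needs (account, source address, logon type, sub status) and then groups the failures by source address, which is the quickest way to spot a password-guessing source against OWA.

```powershell
# Added example (not from the original article): verify the audit setting and triage 4625s.
# Assumptions: run in an elevated PowerShell on the Exchange Server; the GPO is linked;
# svc-owa-test is a test account used for the deliberate OWA logon failure.

# 1. Before/after view of the Logon subcategory around gpupdate.
auditpol /get /subcategory:"Logon"
gpupdate /target:computer
auditpol /get /subcategory:"Logon"        # expect "Failure" in the Setting column

# 2. Pull 4625 events from the Security log for a constructed 24-hour window.
$Since  = (Get-Date).AddHours(-24)
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
              -ErrorAction SilentlyContinue   # no matches raises an error we can ignore

# Sub Status codes that explain *why* the logon failed (well-known NTSTATUS values).
$SubStatusText = @{
    '0xc000006a' = 'Bad password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000071' = 'Password expired'
}

# 3. Flatten each event's EventData into the fields an investigator needs.
function ConvertFrom-Event4625 {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $sub  = ($data.SubStatus).ToLower()
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        Account    = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType  = $data.LogonType          # 2 interactive, 3 network, 8 network cleartext, 10 remote interactive
        SourceIp   = $data.IpAddress          # "Source Network Address" in the event viewer
        Process    = $data.ProcessName
        SubStatus  = $sub
        Reason     = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { 'Other' }
    }
}

$Rows = $Events | ForEach-Object { ConvertFrom-Event4625 $_ }

# 4. Confirm the deliberate OWA failure for the test account was captured.
$TestAccount = 'svc-owa-test'
$Hit = $Rows | Where-Object { $_.Account -like "*\$TestAccount" } | Sort-Object Time -Descending | Select-Object -First 1
if ($Hit) { "Test failure captured:"; $Hit | Format-List } else { "No 4625 for $TestAccount in the window - policy not applied yet?" }

# 5. Triage: which source addresses are generating the most failures, and why.
$Rows | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, @{n = 'SourceIp'; e = { $_.Name }},
                  @{n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' }},
                  @{n = 'Reasons';  e = { ($_.Group.Reason  | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize
```

A single source address with many failures spread across many account names is the classic password-spraying pattern, while many failures against one account from one address is a brute-force attempt; the ‘Reason’ column separates real guessing (bad password) from noise such as expired passwords or a misconfigured mail client retrying with stale credentials.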