Email Security Audit...on my Boss
genXrcist
Member Posts: 531
Hey guys,
Yep, the title says it all. The head honcho of the company I work for has discovered that my boss is reading employee email, including his. Now I've been charged with "proving" that it's happening. I don't have any experience in this sort of thing and I haven't even finished my 70-284/285 exams so I'm not really sure how to go about this. What I do know is that my boss replicates all email that comes into the organization and has it sent to the administrator mailbox. This is what makes it hard to prove, he's not actually reading other people's mail but the mail that is delivered to that mailbox. On top of that, I know he logs into the PC as the domain administrator which myself and another IT employee have the password for so I can't prove definitively that he is the one logged in reading the email.
So my best bet, I think, is to install a keylogger/spyware onto the PC he uses to read email and record his actual actions. This of course doesn't get around the logging in as the domain admin but it's the best I can think of.
Any thoughts or suggestions?
Thanks!
1) CCNP Goal: by August 2012
Comments
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□
Yeah, it's difficult to pin something like that down when multiple people share an account. A keystroke logger isn't going to do you much good since you're going to be missing out on the bulk of what's going on, but you might want to try something like this: Employee Monitoring Software. Download REFOG Employee Monitor.
Keep in mind that is just a random utility I found via Google, and I'm not endorsing it nor do I have any experience with it. It just seems something like that is in the vein of what you're looking for. -
stephens316 Member Posts: 203 ■■■■□□□□□□
I would force a change of password on the domain admin account if you have the rights to. This way he is the only person that would know the password. Then from your computer review the event log of whatever system he logs into while he is doing it, take a screen capture of his login times and go from there. Document everything in a small spiral notebook that you can keep in your back pocket.
You may get caught with a keylogger or spyware and it would be grounds for your boss to say it was there, so that's what was doing it, not him. I would ask whoever asked to get authorization in writing to perform the investigation; this is to CYA. Remember the most important thing is chain of custody in all that you do that pertains to this matter. Document everything and anything.
______________
Current Studying : GPEN |GCNF|CISSP??
Current Reading : CISSP| CounterHack|Gray Hat Hacking
Completed 2019 : GCIH
Free Reading : History Books -
dynamik Banned Posts: 12,312 ■■■■■■■■■□
That may not be feasible since multiple people could use that account for performing their duties, and he may not read the email for days. If anything, I'd push for separate domain admin accounts for everyone (which should be done anyway), and disallow password sharing. You can offer to leave him with that one and you and the other guy take new ones.
Auditing email access will be difficult for the reasons you mentioned, and there's no guarantee he wouldn't clear logs, etc.
I don't think he could use the software as a defense as long as it's legitimate monitoring software that upper management has approved and not random spyware.
I completely agree about getting everything in writing and documenting everything you do. -
stephens316 Member Posts: 203 ■■■■□□□□□□
dynamik wrote: »
I was thinking more along the lines of a live capture. I did something similar when HR found out that the person in charge of Budget had a full copy of the HR database; I, as well as some other people, captured live traffic of him deleting files to cover his tracks (not logs, files). My boss at the time was too much of a pussy to pursue it, let alone know how I did what I did.
______________
Current Studying : GPEN |GCNF|CISSP??
Current Reading : CISSP| CounterHack|Gray Hat Hacking
Completed 2019 : GCIH
Free Reading : History Books -
dynamik Banned Posts: 12,312 ■■■■■■■■■□
That crossed my mind as well, but he's more than likely accessing it over an encrypted channel if it's a typical MS implementation. I suppose there's a chance it might be something like HTTP OWA though.
-
malcybood Member Posts: 900 ■■■□□□□□□□
Sorry, can't help with a solution, but had to comment......
In my opinion, for somebody to want to do this they must:
1) be extremely sad and have no life if they want to read other people's email
or
2) have some kind of mental problem / are extremely paranoid & insecure.
The only valid reason to read someone's email is if they were under some kind of company investigation i.e. fraud etc, where the correct procedure would be to channel through the HR department then carry out the investigation.
I thought reading other people's email without consent is classed as a breach of data protection, but I could be wrong. -
Claymoore Member Posts: 1,637
I'm going to defend your boss here. If I read your first post correctly it sounds like your boss is journaling all the mail to another mailbox for compliance reasons. In 2003 you can only journal the entire database, not just groups of people or individual mailboxes like later versions of Exchange. Your boss was probably asked to do this by the CEO without fully understanding that journaling all mail really means all mail.
For better compliance support you should consider a real archiving solution and a current version of Exchange. However, as long as your boss has admin access to Exchange he can grant himself access to any mailbox. If your CEO doesn't trust him with that responsibility then he shouldn't have those rights. -
Chivalry1 Member Posts: 569
Wow great job title!!! First there needs to be some level of accountability here. The CEO needs to make the administrative decision to disallow IT staff from using a single non-descriptive Domain Admin account. This should be a part of the company's Security Policy. Implement this practice first and your job will become a lot easier; now and in the future. Additionally, you should now report to someone else, because there is a conflict of interest within the chain of command.
Likely installing some type of monitoring software will be caught by a trained IT admin. The only thing that makes this situation challenging is if your department is responsible for performing e-discovery/investigation. Your boss could legitimize what he is doing as performing an investigation.
As an email administrator I have to perform many email investigations. The difference is that all of my actions are tracked by my login ID. Implement the security policy and inform users (your boss) that these types of actions are monitored and there are consequences.
"The recipe for perpetual ignorance is: be satisfied with your opinions and
content with your knowledge. " Elbert Hubbard (1856 - 1915) -
the_Grinch Member Posts: 4,165 ■■■■■■■■■■
Couldn't you do a port cloning on the switch he's plugged into and then perform a wireshark capture?
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff -
dynamik Banned Posts: 12,312 ■■■■■■■■■□
Claymoore wrote: »
Yes, the entire procedure is fundamentally flawed. However, it's one thing if he's been instructed to archive emails and another if he's wasting time digging through them. It sounds like they're trying to verify that he's trustworthy or something; quite a difficult position to be in.
the_Grinch wrote: »
That's what Stephens was suggesting, and that would be fine if whatever he was doing was being transmitted in clear text. -
genXrcist Member Posts: 531
Hey guys! Thanks for the responses! I'm glad the title/post was interesting enough to garner so many good replies. I wanted to address a couple of things as I was reading through everything here.
1) We're a mid-sized, denominational non-profit. Most organizations like the one I work for don't even have an IT department, let alone 3 dedicated employees: myself, my manager and a project co-ordinator. I bring this up because of the security policy/compliance posts. Policy? What policy? I guarantee you that the CEO did not ask him to journal the emails. In fact, my boss told me he does what he does (yes, he's open about it with me and my colleague) because it helps him determine what is SPAM and what isn't. Yes, he's dead serious when he says this.
I agree with you too Claymoore, if the CEO doesn't trust the IT Director then he shouldn't be in the position he is. I've said as much but my comments have fallen on deaf ears. The only reason the CEO is mad about this now is because there have been recent communications between him, HR and the Board of Directors which no one else was supposed to be privy to. Well, my manager was so now the CEO is hopping mad. Prior to this I had dropped hints about this behavior to many people...heck I even outright told the HR Director and the Chief Controller about what he was doing!
Yes, I work for a very dysfunctional organization (no idea of this when I started last Feb.) but a FT job is better than no job in this economy right?
I'm intrigued about this chain of command recommendation, why do you think this is necessary?
Yes, my manager is a sad individual. He likes the 'god-like' power of being able to know what's going on with other people and departments. He does this sort of thing when it comes to files too. The only thing that stops him from being nosier than he is is the fact that he's technically inept. I don't say this as an insult either, I'm being quite truthful.
Stephens316, could you tell me a little bit more about this live video capture? That's really the only way I think this will work because the keylogger is pretty limited. Not only that, but the live feed would need to be running on my system 24x7 so I could catch him in the act. I would then need to notify HR immediately so they could walk in on him red-handed.
I would love to change the domain administrator password, or put a policy in place but I can't. Not only do I not have the authority but a number of our critical apps run with that uid and password. These apps were installed well before I got there and no one knows how to change that password, not even my manager. So if we change the password we run the risk of major applications going down and that's unacceptable of course. Also, the CEO would have to give him that order and trust me, that would be outside of his normal behavior to request IT to do anything specific. That would make my manager suspicious enough that he might put a hold on a lot of his ill-intentioned behaviors. We want to catch him in the act because truth be told, his termination has been a long time coming. HR and the ED are just using this instance because it crosses legal lines.
I think it does, right? I know an organization can review emails, data etc at any time, but I don't think IT should have rights to view communications between other officers and the Board, right?
1) CCNP Goal: by August 2012 -
genXrcist Member Posts: 531
Oh, the manager uses Outlook to access the Administrator mailbox so everything is using integrated authentication.
1) CCNP Goal: by August 2012
-
Kaminsky Member Posts: 1,235
What a strange situation. If this is a beef between your CEO and your manager why are you getting mixed up in it? I've never met an IT director or CEO yet who wouldn't have come down and torn strips out of a departmental manager for doing something they didn't like.
However, I can see this going horribly wrong and your manager finding out what you are doing and you getting booted for it. Do you have this request in writing from your CEO? Will he protect you if your manager finds out what you are scheming and cans you? As much as you are all caught up in helping your CEO and getting rid of a manager you are not very impressed with, you should really step aside and let the two of them sort it out.
You should get clarification of why your manager is doing what he does and whether it is a policy decision, and then take that to the CEO and let him deal with the policy. The CEO should be the one addressing this by stopping your manager monitoring all emails or a subset thereof.
These clandestine actions could come back and bite you in the backside. If you do get some evidence and take it to your CEO and your boss gets fired, will you become the new IT manager? If not, how could your new manager ever trust you when they find out what you got up to with his predecessor?
Kam. -
genXrcist Member Posts: 531
Kaminsky wrote: »
Thanks for the reply and I agree with you. No, I don't have anything in writing but it is something I need to get. I've been told by the HR Director that if there is any form of retribution from my manager (assuming he's discovered) then he would be fired, not me.
This is all very soap-opera-ish and I don't like being a part of it. I do have to do what I'm told though when the directive comes from the CEO so I don't think I can just step aside and not do anything. However, we have internal IT auditors coming next week (a sheer coincidence since this department has never been audited) and I suggested they use them to do what they're asking me to do. Not only will they be better at it but then it's a 3rd party entity and I don't have to get involved. They are going to do this but they want me to see what I can do as well.
There is a strong indication that I would be promoted but I don't necessarily think that's the best thing for the organization. I've never been a manager before and up until 2007 I was only doing Helpdesk work. I'm confident I could do the job so if asked I'll take it but in the off chance someone else is brought in, I would be fine with that too.
I am going to pursue the in-writing suggestion though. It doesn't matter what's said when fit hits the shan.
1) CCNP Goal: by August 2012 -
RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
genXrcist wrote: »
Yes, I work for a very dysfunctional organization (no idea of this when I started last Feb.) but a FT job is better than no job in this economy right?
I believe the comment about a FT job being better than no job indicates a lack of imagination on your part.
Some people have mentioned getting things in writing. But if you truly work for a dysfunctional organization, as it seems you do and as you have stated here, I would suggest not only getting things in writing but also getting a journal and documenting what you do and when you do it, who tells you what, and print out any emails relating to this and keep them in the journal off site. -
Obdurate Member Posts: 108
genXrcist wrote: »
I have no real skill with working with security and auditing; but I got to wondering, would it not be better and easier for you to just audit specific Email accounts?
I can't see your boss reading the receptionist's Email, but the Manager for Accounting's Email would be prime target.
~Obdurate~ -
Jamesm3 Member Posts: 72 ■■□□□□□□□□
I hope your boss has not tapped in to your computer and found this thread.
Just get everything in writing and document all your involvement.
Personally, I'd admit to the top dog that due to the way your network is set up, monitoring is next to impossible. This should give them the motivation to implement best practises.
Also, if you install monitoring software, what would really happen if your boss came across it? He may stop reading other people's mail and set you up.
C|EHv9, Security+, MCITP:SA - MCITP:EA - MCTS - MCSE - MCSA - MCP - MCP+i - Network+ - A+ -
veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
Definitely get it in writing! When I was working for a county-wide police/fire dispatch they used VNC for everything. Nice thing is it can run stealth and you can watch everything without anyone knowing that it is happening. It's an option.
Amusing side note, you wouldn't believe how much cops love solitaire. -
genXrcist Member Posts: 531
Obdurate wrote: »
I can audit a mailbox but all I'd be proving is the domain Administrator account was accessing email sent to administrator@<domain>.org. The same goes even with keyloggers that take snapshots coupled with Account Logon events: all I'm doing is proving the account is accessing said email. Because myself and another IT person have the password, I'm not implicating anyone.
Jamesm3 wrote: »
This thread has no identifying information and I'm reading/posting from my personal PCs.
I am pursuing the in-writing advice but with the Director of HR out today, I wasn't able to get it yet. I've explained that as things are, there isn't a way to prove anything without catching him in the act.
I'm not worried if he finds out as long as I have the directive in writing.
veritas_libertas wrote: »
Ya know, I just started looking at VNC for remote support and so far it works great. I didn't know there was a stealth mode as I haven't had time to properly evaluate it yet. So does this mean that when under stealth mode, the little white box does NOT turn black? Is that correct?
1) CCNP Goal: by August 2012 -
fluk3d Member Posts: 141 ■■■□□□□□□□
I had a similar type of request on a contract I did. I made sure to get everything in writing from whomever was requesting it. This prevented a lot of problems in the end in case things went sour.
Speaking on the technical side of things there are various ways to "see" if someone is reading someone else's email.
This method will work if the end user is accessing the mailbox straight through Outlook:
Auditing Mailbox Access Using Exchange System Manager and Event Viewer
If the user is smarter and using OWA, then ensure IIS logging is turned on for the Exchange virtual directories, and you can trace it back to IP & NT login.
cheers.
"Imagination is more important than knowledge." - Albert Einstein -
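A defender-side illustration of the OWA method above, added here as example code that is not part of any post in this thread: it parses an IIS W3C extended log for the Exchange 2003 /exchange virtual directory and reports which authenticated NT account opened a mailbox other than its own, and from which client IP. The log excerpt, domain and account names are constructed, and the /exchange/<alias>/ URL convention is assumed to be the one OWA 2003 uses.

```python
import re
from collections import defaultdict, Counter

# Constructed IIS 6.0 W3C extended log excerpt (assumption: the OWA virtual
# directory is /exchange and mailboxes are addressed as /exchange/<alias>/...).
# The CORP domain, account names and IP addresses are made up for this example.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-06-02 08:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-06-02 08:01:12 192.168.2.55 CORP\\jsmith GET /exchange/jsmith/Inbox/ 200
2009-06-02 08:02:30 192.168.2.101 CORP\\administrator GET /exchange/administrator/Inbox/ 200
2009-06-02 08:03:05 192.168.2.101 CORP\\administrator GET /exchange/ceo/Inbox/ 200
2009-06-02 08:03:40 192.168.2.101 CORP\\administrator GET /exchange/ceo/Inbox/Board%20minutes.EML 200
2009-06-02 08:04:10 192.168.2.101 CORP\\administrator GET /exchange/hrdirector/Inbox/ 200
2009-06-02 08:05:00 192.168.2.55 CORP\\jsmith GET /exchange/ceo/Inbox/ 401
2009-06-02 08:06:00 192.168.2.101 - GET /exchange/ 401
"""

OWA_MAILBOX_PATH = re.compile(r"^/exchange/([^/]+)/", re.IGNORECASE)


def parse_iis_log(text):
    """Turn a W3C extended log into a list of {field: value} dicts.

    The #Fields: directive defines the column order; IIS can write a new one
    mid-file after a configuration change, so it is re-read whenever it appears.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: do not mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def account_alias(cs_username):
    """'CORP\\jsmith' -> 'jsmith'; '-' (unauthenticated request) -> None."""
    if cs_username == "-":
        return None
    return cs_username.split("\\")[-1].lower()


def mailbox_alias(cs_uri_stem):
    """Mailbox alias named in an OWA URL, or None for non-mailbox requests."""
    match = OWA_MAILBOX_PATH.match(cs_uri_stem)
    return match.group(1).lower() if match else None


def find_cross_mailbox_access(records):
    """Map (cs-username, c-ip) -> {mailbox alias: successful request count}
    for every request where an authenticated account opened a mailbox other
    than its own. Denied or failed requests (status >= 400) are not reads and
    are left out, so a 401 on someone else's Inbox is not reported.
    """
    hits = defaultdict(Counter)
    for rec in records:
        user = account_alias(rec.get("cs-username", "-"))
        mailbox = mailbox_alias(rec.get("cs-uri-stem", ""))
        status = rec.get("sc-status", "")
        if user is None or mailbox is None:
            continue
        if not status.isdigit() or int(status) >= 400:
            continue
        if mailbox != user:
            hits[(rec["cs-username"], rec["c-ip"])][mailbox] += 1
    return {key: dict(counter) for key, counter in hits.items()}


def report(hits):
    """One plain-text line per (account, client IP) pair, for the write-up."""
    lines = []
    for (user, ip), mailboxes in sorted(hits.items()):
        opened = ", ".join(f"{mb} ({n})" for mb, n in sorted(mailboxes.items()))
        lines.append(f"{user} from {ip} opened: {opened}")
    return lines


if __name__ == "__main__":
    for line in report(find_cross_mailbox_access(parse_iis_log(SAMPLE_IIS_LOG))):
        print(line)
```

The client IP is what ties the shared Administrator account back to a particular workstation, which is exactly the gap the keylogger idea cannot close.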
veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
genXrcist wrote: »
It keeps your mouse movement from showing up on the remote PC, and it hides VNC in the tray. Of course you will have to remove VNC from showing up in the start menu! Your ability to hide the program will all depend on how paranoid your boss is about the programs running in the background. Remember your most important objective is to get screen captures. -
fluk3d Member Posts: 141 ■■■□□□□□□□
veritas_libertas wrote: »
You can try DameWare NT - it's similar to VNC, and you can hide the server so the end user will never know anyone is watching.
Welcome to DameWare Development. Home of the DameWare NT Utilities & Mini Remote Control remote systems management software for Windows. Now Featuring Smart Card Login & Authentication
"Imagination is more important than knowledge." - Albert Einstein -
Chivalry1 Member Posts: 569
This would also be a great opportunity to gather funding for the new Exchange 2007 project. With Exchange 2007 you could perform a quick PowerShell command on the server that would identify his workstation's IP address.
(Get-LogonStatistics -Server "MyServer" | where {$_.ClientIPAddress -like "192.168.2.101"} )
That will tell you which mailboxes he is hitting.
"The recipe for perpetual ignorance is: be satisfied with your opinions and
content with your knowledge. " Elbert Hubbard (1856 - 1915) -
JoJoCal19 Mod Posts: 2,835 Mod
fluk3d wrote: »
Ah yes. What I would do is get it in writing from BOTH HR and the CEO that you are being authorized to actively monitor (audit) your boss's PC use. If Dameware has the ability to act in a stealth manner, you can actively watch everything he is doing on his workstation. Our Help Desk uses Dameware for troubleshooting remote users. Also I haven't used it in quite some time but I think Dameware can do screen caps. I'm not sure though.
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework -
genXrcist Member Posts: 531
Hey guys, thanks for all the posts. Instead of getting anything in writing, I told HR that I would just teach him how to audit my boss. HR agreed to this so that my involvement would be minimized. All he wants from me now is a written statement explaining what I've seen and he's gonna take it from there.
What I settled on was to use UltraVNC in stealth mode and Camstudio for recording the session. I installed the viewer on his PC as well as Camstudio and then showed him how to use it. He will then install the silent-server portion of UltraVNC on the PC in question and take it from there.
Thanks everyone for your help. I'll be sure to post what happens after the IT audit and when everything is all said and done.
1) CCNP Goal: by August 2012 -
genXrcist Member Posts: 531
Hey guys,
Well, today it happened. My boss was fired and escorted out of the building. HR said it was one of the ugliest firings he had ever gone through. Ugh. Well, I'm glad our organization can finally move forward on this.
We've got two independent IT Audit firms coming in tomorrow to begin thorough audits of our system. I know exactly what they'll find so I'm glad I'm not going to be the only one sounding the alarm.
Thank you all for the comments and suggestions, they were all very helpful!
p.s. If anyone has experience with Sonicwall Email Security, would you mind PM'ing me? The boss implemented this today and so I don't have the password for this new application, which is now the 1st depository for all incoming, external email into our organization! Who knows what this thing is set up to do!
1) CCNP Goal: by August 2012 -
netteaser Member Posts: 198
I have clients where I have installed Spectorsoft 360 so they can monitor some employees.
What version of Exchange are you using on your network?
You can check what type of permissions his account or admin account has on the users' mailboxes; this way he simply adds the user's mailbox in his Outlook profile, reads the email, and then removes the mailbox.
Let me know -
genXrcist Member Posts: 531
Thanks for the response Netteaser!
netteaser wrote: »
I have clients where I have installed Spectorsoft 360 so they can monitor some employees.
Never heard of this, is it any good?
netteaser wrote: »
What version of Exchange are you using on your network?
We're running Exchange 2003 but this thing sits in front of our front side/back side server, of which both are running inside our firewall. **Don't look at me, he set it up this way**
He had set up a new NAT entry in Sonicwall so that the MX routed traffic was being sent to this new server, which is not running Exchange, before being sent on to the Exchange Front server. For now, I disabled the NAT entry (the old one was still enabled) and restarted the Sonicwall. External emails were still not coming in until I shut this server down.
netteaser wrote: »
You can check what type of permissions his account or admin account has on the users' mailboxes; this way he simply adds the user's mailbox in his Outlook profile, reads the email, and then removes the mailbox.
Thanks for this comment, I'll need to purge any ACL with his name on it anywhere.
1) CCNP Goal: by August 2012 -
netteaser Member Posts: 198
genXrcist wrote: »
Spectorsoft 360 is a good software; it records everything on a workstation, playing it back as a video. They also sell Spectorsoft that can be installed on an individual workstation; the 360 version is centrally managed and the agent is pushed out to the workstation. -
Everlife Member Posts: 253 ■■■□□□□□□□
netteaser wrote: »
I would highly recommend a review of your company's AUP by your legal team prior to installing any sort of monitoring. Privacy laws can be fairly insane depending on the state your company is based in, and a good AUP is key to protecting yourself and your company from any lawsuits that could develop from the use of the information in the termination of your boss.
Take a look at the following link for more information:
MONITORING EMPLOYEE E-MAIL: EFFICIENT WORKPLACES VS. EMPLOYEE PRIVACY
Best of luck!
PS: +1 for Spectorsoft 360, it is an amazing product.