Finding confidential user information with Exchange Search

The nature of advanced training is that the people who attend often pose some pretty thought-provoking and interesting questions. Paul Robichaux and I recently ran an Exchange 2010 Maestro event where we had some intense discussions about various aspects of Exchange deployment at the end-of-event wrap-up. And then the question was asked:

“Can I use Exchange 2010’s search capabilities to find passwords that people have stored in their mailboxes"?”

Of course, the answer is “absolutely!” Exchange 2010 (and indeed, the search capabilities that Office 365 administrators can use for their tenant domain) doesn’t apply restrictions to the kind of searches that administrators execute on the basis that Exchange assumes that people who hold the necessary privileges that are required to execute searches against user mailboxes know what they are doing. And, possibly more importantly, have been granted that ability by a company in the full knowledge that some confidential information will probably come to light during a search. After all, isn’t that what searching is all about?

Exchange protects users against casual searching – the kind of thing that some officials who have access to confidential information do when they look up the tax records or other information held by governments and public authorities – by requiring administrators to be members of the Discovery Management role management group before they can create and execute mailbox searches. Furthermore, the results of searches can be directed to a discovery search mailbox that is only accessible to specific individuals that might not include administrators. This arrangement allows for a division of responsibilities between those who execute the searches and those who review whatever is found. Of course, it’s entirely possible that the same individuals perform both tasks, especially in small companies, but the ability is there to protect users against casual searches.

And if you want, you can turn on administrator auditing to capture information about new searches and mailbox auditing on the discovery search mailboxes to track actions performed against the items in those mailboxes. Auditing isn’t perfect because it won’t tell you if someone merely browses the items that are copied into the discovery search mailbox by a search, so at the end of the day you come back to the age-old principle that the ability to execute an action should only be assigned to those who have good reason to perform that action. In addition, these privileges should be reviewed frequently to ensure that user data cannot be compromised.

Getting back to the original question, it is entirely possible that a rogue administrator might create a search that scans all user mailboxes to look for email and other items that contain details of passwords and login information that users have stored. Given that so many web sites send information about login details to users in email, including new passwords and password reminders, it’s not surprising that this data lingers in mailboxes. Sites run by banks and other financial institutions usually don’t send sensitive data in email but that doesn’t mean that users don’t use Exchange as a convenient storage repository to hold information that they might need in the future. After all, the powerful search facilities offered by clients such as Outlook mean that it’s easy to find the password and login information for a web site in the blink of an eye.

How would our rogue administrator rummage through user mailboxes to look for password data? Roughly the same steps are required for both on-premises Exchange 2010 and Exchange Online in Office 365. Here are the steps that you can take to create and execute a multi-mailbox search for some confidential user data.

First, make sure that you are a member of the Discovery Management role group. An administrator can do this by running the New-ManagementRoleAssignment cmdlet or by using the Exchange Control Panel (ECP) to add themselves to the Discovery Management role group.

Next, make sure that you have access to the discovery search mailbox that will be used to store copies of items that match the search criteria. By default, members of the Discovery Management role group have full access to the default search mailbox that is created when the first Exchange 2010 mailbox server is installed in an organization. If you create additional discovery search mailboxes, you have to assign access to those mailboxes before they can be opened. With on-premises Exchange 2010, you can use the Exchange Management Console (EMC) to grant full access to the mailbox. With Office 365, you need to follow the steps described in this article.

Once you have the necessary privileges, you can go to ECP and select “Manage My Organization” and go to the Reporting node (on-premises Exchange 2010) or Mail Control (Office 365). You can then create a new multi-mailbox search and specify whatever search criteria seem to make sense. For example, you might opt to search specific mailboxes or scan all the mailboxes in the organization, up to a limit of 25,000 mailboxes (by default) in any one search. As described in this article, if necessary, you can increase the maximum number of mailboxes for a single search.

When we're looking for confidential information, keywords are the most important criteria for our search. In the screen shot below, you’ll see that I’ve chosen to look for items that contain “Password” and “Login” as these seem to have a reasonable chance of locating items that contain the information I want to locate. I'm sure that you can come up with other search terms that can find equally compelling information.

When you’re ready, you can start the search and wait for it to complete. Exchange will thoughtfully send you a message to let you know when the results are ready. Depending on the number of mailboxes that are searched and the number of items in these mailboxes, a search might take anything from a few minutes to a few hours. Searches performed in hybrid on-premises/cloud organizations have to be launched from a on-premises server. Another delay might occur if the server that hosts the chosen discovery search mailbox is under load or found items have to be copied across extended network links from the mailbox servers where they are stored. Remember that you can only search items held on Exchange 2010 mailbox servers – anything on earlier versions will be ignored because those versions don't support the necessary service or indexes on which these searches depend.

Eventually the search will complete and you’ll be able to open the discovery search mailbox to find out what’s been discovered. As you can see below, I’ve turned up some information that could allow me to log onto a user’s account on a web site. In this case it’s obviously my own account but you can quickly see how this facility might be abused. It’s possible that much of the account and login information held in email is obsolete because the user has subsequently changed the password, but the ability to trawl through mailbox contents is a rich hunting ground for a potential hacker.

Notice that the item containing the password is in the "Deletions" folder. This is one of the sub-folders of the Deleted Items folder, aka "Dumpster 2.0", introduced in Exchange 2010. Deleted items remain indexed and discoverable as long as they are in the database. In fact, if you put users on litigation hold, deleted items will remain in the database for as long as the users remain on litigation hold to ensure that any information required from their mailboxes can be found.

As in all situations to do with the management of systems that contain confidential user data, the only way to protect against administrator abuse is to set clear expectations of when discovery searches are appropriate, who can authorize these operations, what happens to the data that is found, who can access that data, and the consequences that flow if someone oversteps the mark. You wouldn’t allow an administrator to delete a user mailbox without some form of control and the same degree of oversight is required for discovery searches. In fact, this is a great example of how features should be reviewed as new versions of software are deployed to ensure that administrator responsibilities are kept updated.

For more information about how Exchange 2010 multi-mailbox search works, see pages 1033 to 1049 of Exchange 2010 Inside Out or consult any of the other good books on Exchange 2010 that are now available.