Monday, November 12, 2007

Can you produce emails under legal order?

A while back we had a little 'situation' in our organization where we needed to be able to produce copies of emails sent or received by several of our employees. I thought I had it handled and that it would be no problem. I do two backups of our Exchange server each night - one of the entire Information Store (the database) and one of the individual mailboxes (a.k.a. brick level).

I have a twenty-day tape rotation and pull a tape once a month, so I figured the chances of being able to reproduce the emails would be fairly high. Just pull a tape from the month-end after the time period in question, restore it to a recovery database and voilà - there are the emails. The only problem is that the emails weren't there.

What happened? I know they were sent because I could see the headers on my Exchange Server tracking log which I had turned on long ago. I could even see log entries on my SMTP gateway log in Symantec AV for SMTP gateways. I had also turned that log on long ago. I was scratching my head for days all the while under the gun from the boss and the attorneys.

Here's what happened. The employee in question was a high-level executive who had done some social engineering on the IT Manager - me. I got taken by a trusted employee because she sweet-talked me into revealing how emails could be permanently deleted in Exchange using a little-known feature in OWA - the MS Outlook web client.

As soon as an email was sent or received by the employee that they didn't want tracked, they would delete it and then empty their Deleted Items folder. Then they would go into the Options section of the OWA client and click on 'View Items' in the 'Recover Deleted Items' section. From there you select the items and then click on 'Permanently Delete'.

You see, normally I have a 30-day window when any employee can recover their own deleted items or I can do it for them. This feature of Exchange is not turned on by default but I have found it very useful. I can't tell you how many times an employee has asked me to help them recover a deleted email before I turned this feature on so they could do it themselves.

If you do the permanent delete right away, or at least before the end of the day when I do the nightly backup, the items will not be saved. The trick is to catch it before the nightly backup. Otherwise I could still recover them from tape. I would never have revealed that little trick to just any employee, but why should I question what a long-term trusted executive asked of me?

Well, that will never happen again. I have now put into place a new archive mailbox and turned on a feature in the Information Store that copies every single piece of email - in or out of the company or even intra-company - to this mailbox. Yes, it grows extraordinarily fast. I have to archive it off to a PST file and purge it at the end of every month or it would be unmanageable.

So now I can produce on demand any email from any employee and any time period, even if it was deleted immediately. Yes, it even copies the porn, the jokes, the videos, the personal emails, everything except the spam. 99% of our spam is stopped by Commtouch before it gets to our Information Store. That's a fairly bulletproof backup solution, if I do say so myself.
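For readers on a newer Exchange than the one in this post, here is the same two-part setup (the 30-day Recover Deleted Items window plus the copy-everything archive mailbox) as Exchange Management Shell commands. This is an added example, not the post's own configuration; it assumes Exchange 2007 or later with the Exchange Management Shell (the post does not say which version it ran), and the database and mailbox names are placeholders.

```powershell
# Added example, not from the original post. Assumes Exchange 2007 or later
# with the Exchange Management Shell; the post does not give its Exchange
# version. Database and mailbox names below are placeholders.

$db      = 'Mailbox Database'       # placeholder: the store holding the users
$journal = 'journal@example.com'    # placeholder: dedicated archive mailbox

# 1. The 30-day 'Recover Deleted Items' window the post describes.
#    This only covers ordinary deletes: a user can still purge items from
#    the Recover Deleted Items view, and anything purged before the nightly
#    backup runs never makes it to tape.
Set-MailboxDatabase -Identity $db -DeletedItemRetention '30.00:00:00'

# 2. Standard journaling: the store hands a copy of every message sent to or
#    received by a mailbox on this database to the journal mailbox as it is
#    delivered, so a later purge by the user does not remove that copy.
Set-MailboxDatabase -Identity $db -JournalRecipient $journal

# 3. Verify both settings took effect.
Get-MailboxDatabase -Identity $db |
    Format-List Name, DeletedItemRetention, JournalRecipient
```

The journal mailbox grows as fast as the post warns, so it still needs the monthly export-and-purge routine the post describes.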
