How to Manually Implement Auditing of Exchange Server Registry Keys
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
To manually implement auditing of Exchange Server 2007 registry keys, you must complete the following steps for each registry entry that is listed in the "Exchange Registry Keys for auditing Exchange Server 2007" table. Complete the applicable steps depending on the operating system that is running Exchange Server 2007.
To implement Exchange registry auditing in Windows Server 2003
1. On the computer that is running Exchange Server, run regedt32.
2. Note the first registry subkey that is listed in the Exchange Registry Keys for auditing Exchange Server 2007 table.
3. In Registry Editor, navigate to the noted registry subkey, right-click the subkey, and then click Permissions.
4. Click Advanced, and then on the Auditing tab, click Add.
5. In the Enter the object name to select box, type everyone, click Check Names, and then click OK.
6. In the Apply onto list, click This key and subkeys.
7. In the Access area, click to select the Successful check box and the Failed check box for Set Value, Create Subkey, Delete, Write DAC, and Write Owner.
8. Click OK three times.
9. Repeat steps 1 to 8 for each registry subkey that is listed in the Exchange Registry Keys for auditing Exchange Server 2007 table, and then close Registry Editor.
To implement Exchange registry auditing in Windows Server 2008
1. On the computer that is running Exchange Server, run regedt32.
2. Note the first registry subkey that is listed in the Exchange Registry Keys for auditing Exchange Server 2007 table.
3. In Registry Editor, navigate to the noted registry subkey, right-click the key, and then click Permissions.
4. Click Advanced, and then on the Auditing tab, click Add.
5. In the Enter the object name to select box, type everyone, click Check Names, and then click OK.
6. In the Apply onto list, click This key and subkeys.
7. In the Access area, click to select the Successful check box and the Failed check box for Set Value, Create Subkey, Delete, Change Permissions, and Take Ownership.
8. Click OK three times.
9. Repeat steps 1 to 8 for each registry subkey that is listed in the Exchange Registry Keys for auditing Exchange Server 2007 table, and then close Registry Editor.
Exchange Registry Keys for auditing Exchange Server 2007 |
---|
HKLM\System\CurrentControlSet\Services\MSExchange ActiveSync |
HKLM\System\CurrentControlSet\Services\MSExchange AD RMS Prelicensing Agent |
HKLM\System\CurrentControlSet\Services\MSExchange ADAccess |
HKLM\System\CurrentControlSet\Services\MSExchange Anti-spam Update |
HKLM\System\CurrentControlSet\Services\MSExchange Antispam |
HKLM\System\CurrentControlSet\Services\MSExchange Assistants |
HKLM\System\CurrentControlSet\Services\MSExchange Autodiscover |
HKLM\System\CurrentControlSet\Services\MSExchange Availability |
HKLM\System\CurrentControlSet\Services\MSExchange Availability Service |
HKLM\System\CurrentControlSet\Services\MSExchange Calendar Attendant |
HKLM\System\CurrentControlSet\Services\MSExchange Cluster |
HKLM\System\CurrentControlSet\Services\MSExchange Common |
HKLM\System\CurrentControlSet\Services\MSExchange Connection Filtering Agent |
HKLM\System\CurrentControlSet\Services\MSExchange Content Filter Agent |
HKLM\System\CurrentControlSet\Services\MSExchange EdgeSync |
HKLM\System\CurrentControlSet\Services\MSExchange Extensibility |
HKLM\System\CurrentControlSet\Services\MSExchange Extensibility Agents |
HKLM\System\CurrentControlSet\Services\MSExchange IMAP4 |
HKLM\System\CurrentControlSet\Services\MSExchange Journaling Agent |
HKLM\System\CurrentControlSet\Services\MSExchange Managed Folder Assistant |
HKLM\System\CurrentControlSet\Services\MSExchange Management Application |
HKLM\System\CurrentControlSet\Services\MSExchange Messaging Policies |
HKLM\System\CurrentControlSet\Services\MSExchange OWA |
HKLM\System\CurrentControlSet\Services\MSExchange POP3 |
HKLM\System\CurrentControlSet\Services\MSExchange Process Manager |
HKLM\System\CurrentControlSet\Services\MSExchange Protocol Analysis Agent |
HKLM\System\CurrentControlSet\Services\MSExchange Protocol Analysis Background Agent |
HKLM\System\CurrentControlSet\Services\MSExchange Recipient Cache |
HKLM\System\CurrentControlSet\Services\MSExchange Recipient Filter Agent |
HKLM\System\CurrentControlSet\Services\MSExchange Repl |
HKLM\System\CurrentControlSet\Services\MSExchange Replica Seeder |
HKLM\System\CurrentControlSet\Services\MSExchange Replication |
HKLM\System\CurrentControlSet\Services\MSExchange Resource Booking |
HKLM\System\CurrentControlSet\Services\MSExchange Search Indexer |
HKLM\System\CurrentControlSet\Services\MSExchange Search Indices |
HKLM\System\CurrentControlSet\Services\MSExchange Secure Mail Transport |
HKLM\System\CurrentControlSet\Services\MSExchange Sender Filter Agent |
HKLM\System\CurrentControlSet\Services\MSExchange Sender Id Agent |
HKLM\System\CurrentControlSet\Services\MSExchange Store Driver |
HKLM\System\CurrentControlSet\Services\MSExchange Store Interface |
HKLM\System\CurrentControlSet\Services\MSExchange System Attendant Mailbox |
HKLM\System\CurrentControlSet\Services\MSExchange Topology |
HKLM\System\CurrentControlSet\Services\MSExchange Transport Rules |
HKLM\System\CurrentControlSet\Services\MSExchange TransportService |
HKLM\System\CurrentControlSet\Services\MSExchange Unified Messaging |
HKLM\System\CurrentControlSet\Services\MSExchange Update Agent |
HKLM\System\CurrentControlSet\Services\MSExchange Web Services |
HKLM\System\CurrentControlSet\Services\MSExchangeADTopology |
HKLM\System\CurrentControlSet\Services\MSExchangeAL |
HKLM\System\CurrentControlSet\Services\MSExchangeAntispamUpdate |
HKLM\System\CurrentControlSet\Services\MSExchangeEdgeSync |
HKLM\System\CurrentControlSet\Services\MSExchangeEdgeSync Job |
HKLM\System\CurrentControlSet\Services\MSExchangeEdgeSync Topology |
HKLM\System\CurrentControlSet\Services\MSExchangeFBPublish |
HKLM\System\CurrentControlSet\Services\MSExchangeFDS |
HKLM\System\CurrentControlSet\Services\MSExchangeFDS:OAB |
HKLM\System\CurrentControlSet\Services\MSExchangeFDS:UM |
HKLM\System\CurrentControlSet\Services\MSExchangeImap4 |
HKLM\System\CurrentControlSet\Services\MSExchangeIS |
HKLM\System\CurrentControlSet\Services\MSExchangeMailboxAssistants |
HKLM\System\CurrentControlSet\Services\MSExchangeMailSubmission |
HKLM\System\CurrentControlSet\Services\MSExchangeMonitoring |
HKLM\System\CurrentControlSet\Services\MSExchangeMU |
HKLM\System\CurrentControlSet\Services\MSExchangePop3 |
HKLM\System\CurrentControlSet\Services\MSExchangeRepl |
HKLM\System\CurrentControlSet\Services\MSExchangeSA |
HKLM\System\CurrentControlSet\Services\MSExchangeSearch |
HKLM\System\CurrentControlSet\Services\MSExchangeServiceHost |
HKLM\System\CurrentControlSet\Services\MSExchangeTransport |
HKLM\System\CurrentControlSet\Services\MSExchangeTransport Batch Point |
HKLM\System\CurrentControlSet\Services\MSExchangeTransport Database |
HKLM\System\CurrentControlSet\Services\MSExchangeTransport DSN |
HKLM\System\CurrentControlSet\Services\MSExchangeTransport Dumpster |
HKLM\System\CurrentControlSet\Services\MSExchangeTransport Pickup |
HKLM\System\CurrentControlSet\Services\MSExchangeTransport Queues |
HKLM\System\CurrentControlSet\Services\MSExchangeTransport Resolver |
HKLM\System\CurrentControlSet\Services\MSExchangeTransport Routing |
HKLM\System\CurrentControlSet\Services\MSExchangeTransport SmtpReceive |
HKLM\System\CurrentControlSet\Services\MSExchangeTransport SmtpSend |
HKLM\System\CurrentControlSet\Services\MSExchangeTransportLogSearch |
HKLM\System\CurrentControlSet\Services\MSExchangeUM |
HKLM\System\CurrentControlSet\Services\MSExchangeUMAutoAttendant |
HKLM\System\CurrentControlSet\Services\MSExchangeUMAvailability |
HKLM\System\CurrentControlSet\Services\MSExchangeUMCallAnswer |
HKLM\System\CurrentControlSet\Services\MSExchangeUMClientAccess |
HKLM\System\CurrentControlSet\Services\MSExchangeUMFax |
HKLM\System\CurrentControlSet\Services\MSExchangeUMGeneral |
HKLM\System\CurrentControlSet\Services\MSExchangeUMPerformance |
HKLM\System\CurrentControlSet\Services\MSExchangeUMSubscriberAccess |
HKLM\System\CurrentControlSet\Services\MSExchangeWS |
HKLM\SYSTEM\CurrentControlSet\Services\msftesql-Exchange |
HKLM\SYSTEM\CurrentControlSet\Services\msftesqlFD-Exchange |
HKLM\SYSTEM\CurrentControlSet\Services\msftesqlIDX-Exchange |
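The same audit entry applied from PowerShell instead of Registry Editor, as an added example that is not part of the original article or Microsoft's own tooling. It assumes an elevated PowerShell session; the three paths in $Keys are a sample taken from the table above, and the variable names are illustrative.

```powershell
# Added example: apply the audit entry from the steps above to a list of keys.
# $Keys is a three-row sample from the table; extend it with the remaining rows.
$Keys = @(
    'HKLM:\System\CurrentControlSet\Services\MSExchange ADAccess',
    'HKLM:\System\CurrentControlSet\Services\MSExchangeIS',
    'HKLM:\System\CurrentControlSet\Services\MSExchangeTransport'
)

# Set Value, Create Subkey, Delete, Change Permissions (Write DAC),
# Take Ownership (Write Owner), audited for both success and failure.
$Rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$Flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit  # This key and subkeys
$Everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0') # Everyone

$Rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $Everyone, $Rights, $Inherit,
    [System.Security.AccessControl.PropagationFlags]::None, $Flags)

foreach ($Key in $Keys) {
    if (-not (Test-Path -Path $Key)) {
        # The key may not exist on this server; report it instead of failing.
        Write-Warning "Skipped (key not present): $Key"
        continue
    }

    # -Audit loads the SACL, which Get-Acl leaves out by default.
    $Acl = Get-Acl -Path $Key -Audit

    # Look for an explicit entry that already covers the required rights.
    $Existing = $Acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $Everyone -and
            $_.AuditFlags -eq $Flags -and
            ($_.RegistryRights -band $Rights) -eq $Rights -and
            ($_.InheritanceFlags -band $Inherit)
        }
    if ($Existing) {
        Write-Output "Already audited: $Key"
        continue
    }

    $Acl.AddAuditRule($Rule)
    Set-Acl -Path $Key -AclObject $Acl
    Write-Output "Audit entry added: $Key"
}
```

The Security log records events for these entries only when object-access auditing is enabled in the server's audit policy. Running the script a second time reports "Already audited" for each key, which doubles as a check that the entries are in place.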
For more information about auditing Exchange Server 2007, view the following White Paper: White Paper - Auditing Configuration Changes for Exchange 2007 Organizations.