2. Dell - Restricted - Confidential
Modules covered in this presentation
• Change Auditor for Active Directory
• Change Auditor for AD Queries
• Change Auditor for Exchange
• Change Auditor for SharePoint
• Change Auditor for Windows File Servers
• Change Auditor for NetApp
• Change Auditor for EMC
• Change Auditor for SQL Server
3. The Challenges
Microsoft Active Directory, Exchange, SharePoint, Windows File Servers, VMware, NetApp, EMC and SQL Server are part of your mission-critical infrastructure.
• Event logging and change reporting are required to satisfy auditor requests and prove compliance
• There is no comprehensive view of all changes and event logs; they are scattered across various locations and formats
• Searching for a specific event is time consuming and frustrating
• Native event details contain limited information that is difficult to decipher without application expertise
• No protection exists to prevent sensitive objects from being deleted or logs from rolling over. Administrators usually aren’t made aware of problems until it is too late, causing potential compliance violations and system downtime
• Reporting is a time consuming process
• Event context is lost when viewing any single event across the Microsoft eco-system
4. The Solution: Change Auditor
Enables enterprise-wide change management from an intuitive client. Sort, group, filter and graph on the fly.
Ensures a secure and compliant infrastructure by tracking changes in real time, while logging the origin as well as before and after values.
Strengthens internal controls through object protection and insight into both authorized and unauthorized changes.
• Real-time, consolidated change auditing for: AD, AD Queries, Exchange, SharePoint, SQL, Windows file servers, VMware, NetApp, EMC, Lync, User Logon Activity, SonicWALL NGFW devices, cloud storage auditing, Registry, Services, Local Users & Groups
5. What is Change Auditor?
Change Auditor provides complete, real-time change auditing, in-depth forensics and comprehensive reporting on all key configuration, user and administrator changes for Active Directory, ADLDS, AD Queries, Exchange, SharePoint, Lync, VMware, NetApp, Windows File Servers, EMC, and SQL Server. Change Auditor also tracks detailed user activity for web storage and services, logon and authentication activity and other key services across enterprises.
Who made the change?
When was the change made?
Why was the change made? (Comment)
Where was the change made from?
What object was changed (before and after)?
Which workstation did the request originate from?
Smart Alerts
6. Change Auditor - Key Features
• In-depth auditing for:
– Active Directory & ADLDS
– Exchange
– SharePoint
– Windows File Servers
– EMC
– NetApp
– Microsoft Lync
– User Logon Activity
– SonicWALL NGFW devices
– Cloud storage providers
– SQL Server
– VMware vCenter / ESX Hosts
– AD queries against Active Directory (applications and scripts)
– Registry, Local Users & Groups, and Services
• Detailed who, what, when, where, why and workstation, plus original and current values for all changes – presented in simple terms
• Event Context – provides change information in relationship to other things happening in your environment
• Optionally log events to a Windows event log
• Protect against undesirable changes to AD objects, mailboxes, Windows files and folders
• Restore unwanted changes to AD with a single click
15. The Challenges of Managing Exchange
• Impossible to natively track changes to Exchange Store settings
• Event log and audit data are distributed throughout the enterprise
• The volume of audit data is difficult to archive
• Audit data takes time to analyze, trend, report on and distribute
• Native auditing does not provide detailed information on:
– Non-owner mailbox access and specific activity related to this access
– Changes to permissions at the client level
– Changes to permissions to the Configuration Store
• Native auditing does not provide detailed change tracking of permission changes made to a mailbox within AD
16. Managing Exchange Online / Office 365
• No visibility into administrator or user activity in the cloud
• Remote logs must be subscribed and downloaded
• No alerting based on activity
• Events are only in Excel 2010 format
• Requires programming skills to turn on and collect audit data
17. What to consider if you’re going to audit Exchange
• Access to Key Mailboxes
– Executives, Board members, HR, …
– Ignore Non-Owner auditing messages from Departmental Mailboxes
• Changes to membership to Key Distribution Lists
– Senior Leadership Team – discuss company strategies
• Changes to administrative security groups
• Exchange Server configuration changes
22. Change Auditor for Windows File Servers
Change Auditor for NetApp
Change Auditor for EMC
23. Managing Files and Access can be difficult
• Providing timely information to help compliance/security teams meet requirements around file/object access is critical:
– What are users doing with their access?
– When do potential violations occur through permission changes?
– When do ownership changes take place?
• Critical documents may be at risk without reporting/alerting on permission and ownership changes.
• File/Folder access auditing has always been a big hole in regards to compliance and security initiatives.
• Collecting and reporting on file access audit data is difficult and takes many man hours.
• Archiving and consolidating event logs takes up a large amount of network bandwidth and disk space.
• Native file access auditing degrades server performance.
• Permission changes made to files and folders are difficult to capture and interpret.
24. With Change Auditor for Windows File Servers, NetApp & EMC you can…
• Centralize File System and NAS auditing into a single task
– Normalized events across differing file infrastructure
– Simplify and centralize alerting & configuration
• Reduce cost & complexity and meet security objectives
– Easily determine what permission changed
– Easily determine what action was performed
• Improve IT Operational Management and Efficiency
– Critical system resources are saved & security is improved
• Block users from destructive and dangerous actions
– Prevent deletion and changes to permissions
– Windows File System only
25. Change Auditor for Windows File Servers, NetApp & EMC
26. Change Auditor for Windows File Servers
27. Change Auditor for Windows File Servers
ShareAudit
Real-Time Alert
RapidReport
28. Change Auditor for Windows File Servers
ShareAudit
30. Change Auditor for SQL Server
• Organizations face increased demands to improve security to meet regulatory requirements surrounding sensitive and financial data.
• Reduce the risks of operational outages from accidental or malicious actions by privileged users.
• Report on DBA and other privileged users’ activity on your SQL Servers across the enterprise and answer questions such as:
– How do you monitor access to confidential information?
– How do you log SQL Server security events such as startups, shutdowns, and logins, and do you review exceptional events?
– How do you report on direct access to production data that is outside of normal application controls?
– How do you monitor database configuration and parameter setting changes?
31. Change Auditor for SQL Server (2)
• Automates the process of collecting data about both privileged and
non-privileged access.
• Centralizes the collected events
• Normalizes SQL and other Windows events into a single platform in
simple to understand terms
• Allows privileged users to perform their important and required job
duties by unobtrusively monitoring and auditing behaviors
• Allows you to answer your auditors’ and regulators’ questions about
how you manage activity of users on SQL Servers across the enterprise
32. Change Auditor for SQL Server Auditing Templates
• Enable SQL Server auditing by adding a SQL Auditing template to an agent configuration, which can then be assigned to a Change Auditor agent (SQL Server)
• Change Auditor ships with a pre-defined SQL Auditing template
– Best Practice SQL Auditing Template
33. Common SQL Configuration Examples
Only audit events for databases named “Accounting”:
Audit any activity that is not from this service account:
Audit any activity that is not from my application server:
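The three template filters above, written out as an added example (this is not Change Auditor's own code or configuration format): each filter is a predicate over a normalized SQL audit event carrying the who/what/when/where/workstation fields the deck describes, and the service-account login, application-server host and sample events are constructed for the illustration.

```python
# Added example, not Change Auditor code: the slide-33 filters as predicates
# over normalized SQL audit events. Field names, the service-account login,
# the application-server host and all sample events are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class SqlAuditEvent:
    who: str          # SQL login that issued the statement
    what: str         # event name, e.g. "Add Login to server role"
    when: str         # ISO 8601 timestamp
    where: str        # SQL Server instance the event happened on
    workstation: str  # client host the request originated from
    database: str     # database the statement targeted


Rule = Callable[[SqlAuditEvent], bool]


def only_database(name: str) -> Rule:
    """Keep events targeting one database (compared case-insensitively)."""
    return lambda e: e.database.lower() == name.lower()


def not_from_login(login: str) -> Rule:
    """Drop the noise a known service account generates."""
    return lambda e: e.who.lower() != login.lower()


def not_from_workstation(host: str) -> Rule:
    """Drop traffic arriving via the application tier; keep direct access."""
    return lambda e: e.workstation.lower() != host.lower()


def apply_template(events: Iterable[SqlAuditEvent], rules: List[Rule]) -> List[SqlAuditEvent]:
    """An event is captured only if every rule in the template accepts it."""
    return [e for e in events if all(rule(e) for rule in rules)]


# Constructed sample events covering the cases each filter must distinguish.
SAMPLE_EVENTS = [
    SqlAuditEvent("CORP\\svc_sqlagent", "Add Member to DB role", "2014-03-01T02:00:00Z",
                  "SQL01", "SQL01", "Accounting"),
    SqlAuditEvent("CORP\\jdoe", "Add Login to server role", "2014-03-01T09:14:00Z",
                  "SQL01", "WKS-117", "master"),
    SqlAuditEvent("CORP\\jdoe", "Change Database Owner", "2014-03-01T09:16:00Z",
                  "SQL01", "WKS-117", "Accounting"),
    SqlAuditEvent("CORP\\app_erp", "Grant database access to DB user", "2014-03-01T09:20:00Z",
                  "SQL01", "APP01", "Accounting"),
]

TEMPLATES: Dict[str, List[Rule]] = {
    "accounting_only": [only_database("Accounting")],
    "not_service_account": [not_from_login("CORP\\svc_sqlagent")],
    "not_app_server": [not_from_workstation("APP01")],
    # The filters compose: direct, non-service changes to Accounting only.
    "combined": [only_database("Accounting"),
                 not_from_login("CORP\\svc_sqlagent"),
                 not_from_workstation("APP01")],
}


def run_templates(events: Iterable[SqlAuditEvent] = SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Return, per template, the 'what' of each event it would capture."""
    events = list(events)
    return {name: [e.what for e in apply_template(events, rules)]
            for name, rules in TEMPLATES.items()}


if __name__ == "__main__":
    for name, kept in run_templates().items():
        print(f"{name}: {kept}")
```

The combined template is the practical one: it keeps only a direct, interactive change to the Accounting database, which is the kind of out-of-band access slide 30 asks how you report on.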
34. Change Auditor for SQL Server supports: SQL 2005, 2008 + R2, & 2012
38. SQL Server Audit Events in the Best Practices Template
• Add DB User
• Add Login
• Add Login to server role
• Add Member to DB role
• Add Role
• Change Database Owner
• Change Member in DB Role
• Create database
• Delete database
• Delete DB user
• Delete Login
• Delete Login from Server role
• Delete member from DB role
• Delete Role
• Grant database access to DB user
• Revoke database access from DB user
In total, almost 400 SQL events can be captured
40. Change Auditor for SharePoint
• Audit SharePoint 2010 & 2013
– Includes Foundation Servers
– Doc libraries, Lists, Permissions, etc.
• Powerful tool when combined with CA UI grouping/sorting/filtering
– See historical changes to sites and documents
– Track users’ activity on a site by site basis
• Track changes to farm/site configuration
– Audits changes to Central Administration
– Additions of Sites and Site Libraries
48. Make sense of your IT data with on-the-fly investigations
• InTrust: consolidate, store, search and analyze massive amounts of IT data in one place with real-time insights into user activity for security, compliance and operational visibility.
– Reduce the complexity of searching, analyzing and maintaining critical IT data scattered across information silos
– Speed security investigations and compliance audits with complete real-time visibility of your privileged users and machine data in one searchable place
– Troubleshoot widespread issues should an incident occur
– Save on storage costs and adhere to compliance event log requirements (HIPAA, SOX, PCI, FISMA, etc.) with a highly compressed and indexed online long-term event log repository
49. InTrust as a big data solution with IT Search
“Make sense of your IT data”
• IT Search lets your organization make sense of the “big IT data” including log events, changes, file permissions, users’ entitlements and more to streamline regulatory compliance, conduct security incident investigations and improve day to day operations
50. Search all IT assets in one place
51. Exploit relationships between events and state based data
52. See what resources users had accessed
55. Other Enhancements
Task: Gathering of Windows logs
  The old way: Schedule based, have to wait hours until data becomes available
  The new way: Real-time, data is available seconds after it is generated
Task: Support of network devices (syslog data)
  The old way: Separate set up, unnecessary Windows event log overhead, poor performance
  The new way: Built into the main InTrust components, no overhead, great performance
Task: Running reports
  The old way: Slow import to the SQL database, clunky SSRS infrastructure, hard to create custom reports
  The new way: Reports directly from the repository, RV as the reporting client, every search easily converts into a report
Task: Integration with CA and ER
  The old way: Clunky and limited integration through QKP
  The new way: Unified and fast access to data from multiple products through web based search engine
Task: Integration with SIEM
  The old way: Schedule based querying of the audit DB
  The new way: Real-time forwarding of all logs that are collected
Task: Incidents investigation
  The old way: Slow, static and raw analysis of events from the audit DB
  The new way: Fast, customizable and free form searches against the indexed repository with rich results visualization
58. Change Auditor Long Term Storage & InTrust Architecture
[Architecture diagram; labels: Change Auditor Real Time (Change Auditor Client); InTrust (Short Term Storage); InTrust - Scheduled (Long Term Storage); Reports (Knowledge Portal); audited sources: Exchange, Active Directory/LDAP, Windows File Server, SQL Server, EMC, NetApp; 40X compression ratio]
60. To learn more about Change Auditor
• http://www.software.dell.com/products/change-auditor
• Write an e-mail to vs@bakotech.com
Editor's Notes
Proving ongoing compliance to critical government regulations such as HIPAA, FISMA, GLBA, ISO, PCI, SAS 70 and Sarbanes-Oxley is a requirement today
Knowing when violations to security policies occur is not possible through native tools
Meeting the reporting needs of your organization – from management to auditor – is time consuming and manual
Collecting event logs is like a puzzle: they are scattered across locations
The lighter colored arrows in the System Overview diagram below illustrate how Change Auditor communicates with InTrust through the Data Gateway
User Logon Activity Event Flow:
1. Using the Change Auditor Client, users run a built-in User Logon Activity search (or create and run a custom user logon activity query).
2. The Change Auditor Coordinator contacts the Data Gateway to forward the query to the InTrust Repository Viewer.
3. The InTrust Repository Viewer passes the query to and receives the results from the specified InTrust Repository.
4. The query results are then passed back to the Data Gateway, where the data is reformatted so Change Auditor can read the event details.
5. The reformatted event details are then forwarded on to the Change Auditor Coordinator, which forwards them on to the Change Auditor Client for display
AtAGlance: streams change-related activity from all DCs in AD, creating a centralized view and uses a color coding system that enables administrators to immediately detect events and their severity on all DCs in one quick glance
ObjectProtect: provides protection against changes to the most critical AD objects, such as OUs being accidentally deleted and GPO settings being modified.
EventFilter: searches quickly, enabling administrators to pinpoint the source of the problem providing faster time to resolution
EasyRead: provides the 6Ws for every event; who, what, where, when, workstation and why for each change event in simple terms with before and after values
Real-TimeAlert: dispatches alerts in real time for events that meet predefined criteria enabling administrators to address problems immediately
RapidReport: delivers preconfigured and customizable reports to satisfy auditor and management requests, so administrators can get back to their regular jobs fast
Use case scenarios to mention:
CAAD cases:
- One of our customers was having trouble tracking changes made to nested group memberships; they weren’t able to track this using native tools, and CAAD solved this problem for them.
- Ever accidentally deleted an object in AD not realizing it was the parent to many other objects – gone. ObjectProtect functionality in Change Auditor can lock critical objects and OUs from being changed or deleted, you can even use the Real-TimeAlerts to receive a notification if someone else attempts to do so.
RoleBased-Access: configures access so auditors can run searches and reports without the ability to make any configuration changes to the application.
Active Directory administrators will note that there are technical challenges in dealing with activity tracking and change auditing of Active Directory, as well.
Link to White Paper: http://www.quest.com/documents/landing.aspx?id=12268&technology=&prod=&prodfamily=&loc
MailboxProtect: Tracks non-owner mailbox access and changes to server configurations
ConfigTracker: tracks changes to Exchange Server configuration parameters such as policy changes, message size and mailbox size limits
Real-TimeAlert: dispatches alerts in real time for events that meet predefined criteria enabling administrators to address problems immediately
RapidReport: delivers preconfigured and customizable reports to satisfy auditor and management requests, so administrators can get back to their regular jobs fast
RoleBased-Access: configures access so auditors can run searches and reports without the ability to make any configuration changes to the application.
CAEX cases:
Security: There have been cases where intellectual property has been stolen from a company. Some in particular involve a delegate who has been granted access to a C level employee’s mailbox. Thefts like this can be very difficult to detect and prove after the fact. With the MailboxProtect functionality of CAEX, administrators will be able to monitor non-owner mailbox access and see exactly what emails have been accessed, by whom, when, where and from which workstation.
CAEX Case scenario
- Performance and Stability: A simple change in a policy for server configuration, such as bumping up the maximum mailbox size for one employee, can actually have a drastic effect across your whole network. It can change everyone’s tolerance and pretty soon your server can max out, resulting in costly system downtime. ConfigTracker tracks changes to Exchange Server configuration parameters such as policy changes, message size and mailbox size limits. This captures all activity that could impact performance and stability.
AtAGlance: streams change-related activity from all file servers, creating a centralized view and uses a color coding system that enables administrators to immediately detect events and their severity on all servers in one quick glance
ShareAudit: tracks all events related to shares, including deletions, helping administrators ensure access to shared directories is maintained
EventFilter: searches quickly, enabling administrators to pinpoint the source of the problem providing faster time to resolution
EasyRead: provides the 6Ws for every event; who, what, where, when, workstation and why for each change event in simple terms with before and after values
Real-TimeAlert: dispatches alerts in real time for events that meet predefined criteria enabling administrators to address problems immediately
RapidReport: delivers preconfigured and customizable reports to satisfy auditor and management requests, so administrators can get back to their regular jobs fast
RoleBased-Access: configures access so auditors can run searches and reports without the ability to make any configuration changes to the application.
CAWFS Cases:
- Shares are a great way for employees in large organizations or remote locations to share files. However, organizations are still required to track access, changes, deletion to files in the shares and that’s exactly what Change Auditor’s ShareAudit functionality does.
- It can be very time consuming to configure and deploy auditing templates on each server. Change Auditor’s CentralManagement functionality saves administrators time by enabling them to do all of the above from one console for all servers in the organization.
We leverage the SQL Profiler, using the Event Tracing for Windows (ETW) API, to gather SQL events and forward them to the coordinator. The client will then show the detailed information of the event, such as who created it, when it happened, and what action and change occurred.
Agent deployment to SQL server (license needed)
Agent event capture based on the template setup in the client
DEFAULT template that contains 20 of the most common events in SQL that System Administrators are looking for
Assign template to a configuration, and the configuration to the SQL agent
CREATE or add your own template for named instances or to add additional events to audit
Audit any activity that is not from my service account:
Audit any activity that is not from my application server:
SQL 2000 support:
Microsoft has no direct connection support to interface with SQL 2000 events.
We used to create trace sessions and capture events dumped into tables in Change Auditor v4.9.
SQL 2005 added kernel event support (EWS), and that is much better since we have a supported means to capture events without messing with the customer’s database.
Handful of events (14) not supported in SQL 2005 – (seen on the second page of the template)
Optional Column Filters to limit the amount of data retrieved
Agent captures what the SQL PROFILER trace would capture, based on the template setup in the client. It translates the data into readable information for the SQL administrator and forwards the events to the coordinator. This information can then be searchable in the client
Set event would contain who made the change/addition etc., what information was modified in a detailed table with all the attributes listed for the object, and what kind of change it was (remove/add).
http://support.microsoft.com/kb/823938
SQL Browser listens on UDP port 1434.
The default SQL Server port is 1433 but only if it's a default install. Named instances get a random port number.
The browser service runs on UDP port 1434.
Reporting services is a web service - so it's port 80, or 443 if it's SSL enabled.
Analysis services is 2382 but only if it's a default install. Named instances get a random port number.
Over 700 built in and customizable reports come with Change Auditor
Collect, store, report and alert on heterogeneous event data to meet the needs of external regulations, internal policies, and security best practices.
With event logging enabled, all Change Auditor events can also be written locally to a Windows Event log and collected using InTrust