SlideShare a Scribd company logo

Better Active Directory auditing - Less overhead more power by Don Jones

Netwrix Corporation
Netwrix Corporation

Today´s organizations, faced with stricter internal security policies and multiple regulatory compliance requirements, continue to struggle in their efforts to make Active Directory auditing simpler and more adept at fulfilling their needs. Native Windows auditing mechanisms don´t meet the demands of modern businesses, and administrators are often left in the dark about significant and potentially harmful Active Directory changes. Learn how to easily improve native Active Directory auditing without making dramatic changes to your IT infrastructure in this eye-opening white paper written by renowned industry expert, Don Jones.

Technology
1 of 10
Download to read offline
Better Active Directory Auditing… Less Overhead, More Power Don Jones for NetWrix Corporation www.netwrix.com Netwrix Corporation, 12 N. State Route 17, Suite 104, Paramus, NJ 07652, USA www.netwrix.com New York: (201) 490-8840 Tampa: (813) 774-6472 twitter.com/netwrix youtube.com/netwrix Los Angeles: (949) 407-5125 Boston: (617) 674-2157 netwrix.com/linkedin netwrix.com/googleplus London: +44 (0) 203 318 0261 Toll-free: (888) 638-9749 facebook.com/netwrix spiceworks.com/netwrix
NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power Table of Contents 1. Defining your Auditing Needs 2. Windows Auditing Shortcomings 3. The Solution of the Problem 4. Thinking Beyond Basic Security Auditing 5. Enhanced Native Logging 6. NetWrix Active Directory Change Reporter 7. Freeware Products 8. About NetWrix Corporation 2
NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power Defining Your Auditing Needs Today’s organizations – faced with stricter internal security policies as well as stringent legislative and industry requirements – continue to struggle to make Windows server auditing simpler, more reliable, and better able to meet their business requirements. It’s no wonder that organizations have such difficulties: Windows’ native auditing and logging mechanisms were originally and primarily designed to support troubleshooting efforts, not to meet the security auditing needs of modern businesses. The auditing problem in Windows starts with Active Directory. Active Directory sits at the center of your security strategy: It provides user authentication, and forms the basis upon which access authorization is based. Pretty much everything that happens in Active Directory needs to be audited. But the auditing needs go beyond mere security: Active Directory is mission-critical, and downtime simply isn’t acceptable. Auditing Active Directory for change control purposes, as well as for troubleshooting, is as paramount as capturing information purely related to security. Organizations dealing with compliance regulations like HIPAA, PCI DSS, SOX, FISMA, GLB, and more also have to audit how users use their authorizations. In other words, those organizations need to carefully audit access to selected files, Exchange Server mailboxes, SQL Server databases, and much more – as well as configuration and security changes to those products. Being “compliant” means more than just having the right security in place – it means being able to prove that the right security is in place and has been in place – something that can only be done with audit reports. Windows Auditing Shortcomings Native Windows auditing capabilities lack a few important features that are crucial to companies dealing with compliance and other stringent security requirements. Chief amongst these shortcomings are: The native audit logs are not centralized. This essentially makes the logs useless as an enterprise-wide audit trail. The native logs are not tamper-proof or tamper-resistant; administrators are able to easily cover their tracks by clearing the logs, and the logs can even be cleared accidentally. The native event log viewer application provides only primitive filtering and searching capabilities that are nowhere near the level needed for security and audit reporting. 3
NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power The native logs don’t always contain information from the other products you run on Windows, such as SQL Server, VMware, and so forth. The native event logging system, to be frank, produces an abundance of information, yet it provides few ways to filter that information, to correlate related events, and so on. It’s a glut of data that is extremely difficult to use when trying to create a report of “who did what,” for example. In newer versions of Windows, Microsoft has made some improvements to the logging infrastructure. For example, Windows Server 2008 introduced the ability to log changed attribute values for Active Directory changes, allowing administrators to see what settings were changed and what the new values were. While this is helpful for both troubleshooting and security logging, the new capability doesn’t extend fully across all If you’re relying solely on the of the events captured in the log, nor does it include the Windows event logs, you’re attribute values as they were before the change – meaning missing tons of critical changes that you’re still resorting to backup files to discover “how in your environment – you’re things were.” flying blind. Another weakness of the native audit logs is that they simply don’t provide everything. If you’re relying on native event logs alone, then you’re missing an incredible amount of information about the changes going on in your environment. You won’t know what settings were changed within a Group Policy object, for example. You’ll be missing details on Active Directory schema changes. You won’t capture nonowner mailbox access in Exchange Server. You’re flying blind – and there’s no way you can expect to achieve and maintain compliance without being able to audit and report on the key changes and events. Does your company use Exchange Server? If so, the native event logs are probably capturing very little of the auditing information you actually need, including systemlevel configuration changes, Outlook Web Access settings in Internet information Services, and more. What changes are captured in the native event logs are typically full of cryptic, low-level data that is difficult to use for auditing purposes. The unfortunate fact is that most experienced professionals agree that the native Windows event logs, by themselves, are useless for modern security auditing requirements, and especially useless by themselves for any compliance scenario. Two Solutions to the Problem Obviously, if native auditing alone doesn’t meet your needs, you have to do something else, and there are two basic approaches. 3 4
NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power The Intrusive Agent Approach The first possible approach is to forgo the native auditing completely. This usually entails installing a software application – referred to as an agent – on every single one of your servers. That agent collects auditing data in its own way, bypassing the native logging systems, and forwards its audit events to a centralized server. That central server takes care of your reporting, event storage, and so on. Something to keep in mind is that the agent will typically be task-specific, capable of auditing Active Directory or SQL Server or something else; if you have servers filling multiple roles, you may be deploying – and maintaining – multiple agents per server. There are some downsides to the agent-based approach. First, you’re taking on a much bigger long-term maintenance commitment, because agents are software, and software has to be patched and kept up-to-date. Agents can also reduce your infrastructure’s stability, because agents are software and software can contain bugs. Few businesses are excited about the possibility of having Agents can decrease server critical servers like domain controllers and Exchange stability and reliability, prolong Server computers unexpectedly crashing because of a maintenance activity, and buggy piece of management software. delay the application of critical Agents can also complicate overall server maintenance. Microsoft patches. When Microsoft “Patch Tuesday” rolls around, will every single patch be compatible with your agent software – or will installing a patch suddenly break everything? The unfortunate fact is that most agents work by “hacking” the operating system in some way, and the hacks needed for the agent to work can be changed at any time by a Microsoft patch, hotfix or service pack. By committing to the agent-based approach, you’re committing to having to pilot test every single patch and update Microsoft issues – or waiting for the agents’ software vendor to test each patch before you can deploy it. In the case of critical Microsoft patches, the necessary lag time created by having agents on your servers may not be practical. All of these extra caveats are one reason that the agent-based approach is sometimes referred to as an invasive or intrusive approach – harsh words, but ones that can accurately describe the situation. Another downside to the intrusive agent approach is that solutions built I this fashion typically ignore the native event logs, and may even encourage you to disable native event logging. That means you’re losing valuable information, and you’re only able to work with the information that the auditing solution provides. That’s a shame, because although they’re not perfect, the native event logs do provide a lot of valuable information. 3 5
NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power The Agent-Free Approach The second approach is to keep the native logging in place – and to simply enhance it. This can typically be accomplished without installing anything on your servers, meaning you can deploy a solution that uses this approach much more quickly, and with much less impact in your environment. The solution simply contacts each of your servers, retrieves their event log entries as they are created, and stores copies of them in a centralized database. Again, that central database is where the magic happens: It can offer event searching and filtering, reporting, and so on. Such a solution could also remotely – again, without the use of an agent – capture information above and beyond what Windows itself would normally log, providing extended auditing capabilities for security, troubleshooting, and even change control. There are some distinct advantages to the second, agent-less approach: The native logs don’t always contain information from the other products you run on Windows, such as SQL Server, VMware, and so forth. Operating without an agent also makes for easier An agentless approach offers long-term maintenance: When software updates come faster deployment, practically out for your auditing solution, you’ll only have to zero server impact, and all the update the central server – you won’t be re-deploying auditing capabilities you need. updated agents to all of your servers. Operating without an agent also eliminates the potential for third-party software instabilities, conflicts, and so on. Microsoft will never be able to “point the finger” at a third-party agent on your domain controllers when there isn’t an agent, and your domain controllers will remain more “pure” and stable. By gathering all of the event information into a single location, the auditing solution could easily support a broad range of products, such as Exchange Server, SQL Server, and more – all without having to deploy additional agents to every server. You still get all of the valuable, technical information contained in the native event logs – you just get more information than the native event logs provide. Again, the idea is to not simply abandon the native event logging system, because that system does capture a great deal of useful data – and does so in a way that is completely understood, and which is obviously supported by Microsoft. The idea, rather, is to extend that native logging system to shore up its weak points and provide the business capabilities you require. A key component of the approach is the automated collection and centralization of event log information: By moving those events into a separate database, you can create a tamper-proof or tamper-evident store that is not subject to clearing by administrators trying to cover their tracks. This key element of a centralized auditing solution is what sets the stage for it to become a means of achieving security compliance. 6
NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power Thinking Beyond Basic Security Auditing In today’s world, it is not enough to simply capture events that indicate someone was added to a security group, or events that log a user’s access to a file. Those are merely starting points; what you really need is a robust auditing architecture that has modern capabilities, including: Full auditing of all Active Directory events and activity. Full auditing of Group Policy objects (GPOs), which provide a critical component of your overall security strategy. This auditing should include details on what settings have been changed inside a modified GPO, including “before and after” data on the changes that were made. Exchange Server auditing – including access to mailboxes by users other than the mailbox owner, system-level configuration changes, and more – all with plain-English information rather than technical gibberish. “Who, What, When, and Where” information for every configuration change made in the IT infrastructure – critical both for troubleshooting and change control as well as for security compliance In addition, any auditing solution worth looking at must include pre-defined reports that help address the most common compliance needs, and should allow you to create custom reports to help support your own internal security policies and IT management processes. An ideal solution will build these reports in SQL Server Reporting Services, which offers Web-based reporting, subscription-based reports, and much more – making it easier to get information into the right hands. But a good auditing solution should do much more than just capture events and produce reports. A good solution can also be a valuable change management and change recovery tool. For example, if your auditing solution can capture “before and after” information on Active Directory configuration changes, then you might expect it to offer the ability to undo, or roll back, selected changes – ideally without having to take a domain controller offline for an authoritative restore operation. Enhanced Native Logging There’s little question that most companies will need to either supplement or replace the native Windows event logging capabilities; Windows simply doesn’t support the feature set that companies need to meet modern security compliance requirements. Replacing the native event logging system with an agent-based approach is a highimpact, intrusive operation. You will solve most of the problems associated with the native auditing system, but at the cost 7
NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power of a lengthier, more complex deployment, higher ongoing maintenance overhead, and unknown impact on your servers’ performance and stability. In the end, many businesses will prefer auditing solutions that enhance and extend what’s already in Windows. You’re creating less impact on your servers and less intrusion into your environment; the auditing solution remains more standalone and compartmentalized. Long-term maintenance is easier, and you’re working with Windows they way it was designed to work. You’re still solving the problems of the native auditing system and gaining the capabilities you need to achieve and maintain compliance, but you’re doing so with less overall risk and effort. NetWrix Active Directory Change Reporter: A Non-Intrusive Way to Enhance Windows’ Native Auditing NetWrix Active Directory Change Reporter is designed to work with Windows native event logging system, enhancing it to provide more powerful capabilities and to fill its gaps. The product uses an agent-free approach, offering non-intrusive, fast deployments that don’t complicate your server installs or maintenance. The Active Directory Change Reporter includes all the things the native event logs don’t, including Active Directory schema changes, setting-level GPO changes, nonowner mailbox access in Exchange Server, and much more. The product captures the who, what, when, and why for every change in your environment, and enables you to produce custom reports through SQL Server Reporting Services. It comes packed with pre-defined reports for compliance and management needs, and captures before-and-after information for your infrastructure’s critical changes. NetWrix Active Directory Change Reporter doesn’t propose that you “rip and replace” the native event logging system – it simply fills in the gaps in Windows’ native event logs, capturing more and more detailed information and storing it in a secure database. Best of all, the product can be easily deployed by any experienced Windows administrator, without the need for expensive consulting services or lengthy deployments. And if you are looking for extended auditing for your entire IT infrastructure, NetWrix provides the integrated NetWrix Change Reporter Suite solution that includes ADCR and other similar modules for Windows server, VMware vSphere, file storage appliances (such as NetApp and EMC), Microsoft® SQL Server, SharePoint, network devices and several other platforms. Gain more insight, achieve and maintain compliance, speed troubleshooting and problem resolution, and ensure the security of your IT infrastructure – easily and quickly, and without installing a single bit of code on your precious production servers. That’s NetWrix Change Reporter Suite. 8
NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power Freeware Products Tens of thousands of IT professionals use freeware editions of NetWrix products daily, including Active Directory Change Reporter and many more. All products can be downloaded at no charge on the NetWrix website. About NetWrix Corporation NetWrix Corporation’s core competency is in unifying change and configuration auditing of critical systems across the entire IT infrastructure. With the broadest platform coverage available in the industry, innovative technology and strategic roadmap aiming to support different platforms, devices and applications, NetWrix offers award-winning auditing solutions and superior customer service at affordable prices. Founded in 2006, NetWrix has evolved as #1 for Change Auditing as evidenced by thousands of satisfied customers worldwide. The company is headquartered in Paramus, NJ, and has regional offices in Los Angeles, Boston, Tampa and the UK. NetWrix is #33 among the fastest growing software companies in America according to Inc. 500 list published by Inc. Magazine in 2012. 9
NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power NetWrix Corporation www.netwrix.com © Netwrix Corporation. All rights reserved. Netwrix is trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners. 10

Recommended

Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsImperva
 
More databases. More hackers.
More databases. More hackers.More databases. More hackers.
More databases. More hackers.Imperva
 
More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.Imperva
 
Haas diagnosis 2012
Haas diagnosis 2012Haas diagnosis 2012
Haas diagnosis 2012mitoaction
 
First european research for web information extraction and analysis for sup...
First european research for web information extraction and analysis for sup...First european research for web information extraction and analysis for sup...
First european research for web information extraction and analysis for sup...Tomas Pariente Lobo
 
Rpt bi form 2 2011
Rpt bi form 2 2011Rpt bi form 2 2011
Rpt bi form 2 2011palanitewan pandytewan
 
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonlinequ0cthangprovip95
 
1 presentation
1 presentation1 presentation
1 presentationhylinh
 

Recommended

Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsImperva
 
More databases. More hackers.
More databases. More hackers.More databases. More hackers.
More databases. More hackers.Imperva
 
More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.More Databases. More Hackers. More Audits.
More Databases. More Hackers. More Audits.Imperva
 
Haas diagnosis 2012
Haas diagnosis 2012Haas diagnosis 2012
Haas diagnosis 2012mitoaction
 
First european research for web information extraction and analysis for sup...
First european research for web information extraction and analysis for sup...First european research for web information extraction and analysis for sup...
First european research for web information extraction and analysis for sup...Tomas Pariente Lobo
 
Rpt bi form 2 2011
Rpt bi form 2 2011Rpt bi form 2 2011
Rpt bi form 2 2011palanitewan pandytewan
 
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonlinequ0cthangprovip95
 
1 presentation
1 presentation1 presentation
1 presentationhylinh
 
Rocks...
Rocks...Rocks...
Rocks...Jevish Sydamah
 
Sarojkumar
Sarojkumar Sarojkumar
Sarojkumar Saroj Kumar Rout
 
Kabir 2012 5.bak
Kabir 2012 5.bakKabir 2012 5.bak
Kabir 2012 5.bakValeriu Cismas
 
Ihoteak eta gure apainketa
Ihoteak eta gure apainketaIhoteak eta gure apainketa
Ihoteak eta gure apainketaELIZALDE
 
Маркетинг с "нулевым бюджетом" #mustdoit
Маркетинг с "нулевым бюджетом" #mustdoitМаркетинг с "нулевым бюджетом" #mustdoit
Маркетинг с "нулевым бюджетом" #mustdoitDavid Oreshok
 
SANPROD PLUS Ostrołęka
SANPROD PLUS OstrołękaSANPROD PLUS Ostrołęka
SANPROD PLUS OstrołękasalonyVi
 
Appalachian Power WV ED Forum - AEP ED Program of Work - Mark James
Appalachian Power WV ED Forum - AEP ED Program of Work - Mark JamesAppalachian Power WV ED Forum - AEP ED Program of Work - Mark James
Appalachian Power WV ED Forum - AEP ED Program of Work - Mark JamesAEP Economic & Business Development
 
Mps
MpsMps
Mpsgrosi
 
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonlinequ0cthangprovip95
 
¿qué hacemos?
¿qué hacemos?¿qué hacemos?
¿qué hacemos?alvalos
 
3a x-0204
3a x-02043a x-0204
3a x-0204moriotf
 
AEP Qualified Data Center Site Program
AEP Qualified Data Center Site Program AEP Qualified Data Center Site Program
AEP Qualified Data Center Site Program AEP Economic & Business Development
 
Market Update4 2012
Market Update4 2012Market Update4 2012
Market Update4 2012Summitfunding
 
SITUACIÓ SOCIOLINGÜÍSTICA DE L'ESCOLA
SITUACIÓ SOCIOLINGÜÍSTICA DE L'ESCOLASITUACIÓ SOCIOLINGÜÍSTICA DE L'ESCOLA
SITUACIÓ SOCIOLINGÜÍSTICA DE L'ESCOLApuigberenguer
 
ROMEX Płońsk
ROMEX PłońskROMEX Płońsk
ROMEX PłońsksalonyVi
 
Return on strategy
Return on strategyReturn on strategy
Return on strategyHans Gillior
 
Resource2
Resource2Resource2
Resource2grosi
 
Anikea presentation1
Anikea presentation1Anikea presentation1
Anikea presentation1CollegeStartup
 
File system auditing who accessed what files and where
File system auditing who accessed what files and whereFile system auditing who accessed what files and where
File system auditing who accessed what files and whereNetwrix Corporation
 
Top 10 critical changes to audit in your it infrastructure
Top 10 critical changes to audit in your it infrastructureTop 10 critical changes to audit in your it infrastructure
Top 10 critical changes to audit in your it infrastructureNetwrix Corporation
 
Top 5 identity management challenges and solutions
Top 5 identity management challenges and solutionsTop 5 identity management challenges and solutions
Top 5 identity management challenges and solutionsNetwrix Corporation
 
Top 5 critical changes to audit for active directory
Top 5 critical changes to audit for active directoryTop 5 critical changes to audit for active directory
Top 5 critical changes to audit for active directoryNetwrix Corporation
 

More Related Content

Viewers also liked

Ihoteak eta gure apainketa
Ihoteak eta gure apainketaIhoteak eta gure apainketa
Ihoteak eta gure apainketaELIZALDE
 
Маркетинг с "нулевым бюджетом" #mustdoit
Маркетинг с "нулевым бюджетом" #mustdoitМаркетинг с "нулевым бюджетом" #mustdoit
Маркетинг с "нулевым бюджетом" #mustdoitDavid Oreshok
 
SANPROD PLUS Ostrołęka
SANPROD PLUS OstrołękaSANPROD PLUS Ostrołęka
SANPROD PLUS OstrołękasalonyVi
 
Appalachian Power WV ED Forum - AEP ED Program of Work - Mark James
Appalachian Power WV ED Forum - AEP ED Program of Work - Mark JamesAppalachian Power WV ED Forum - AEP ED Program of Work - Mark James
Appalachian Power WV ED Forum - AEP ED Program of Work - Mark JamesAEP Economic & Business Development
 
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonlinequ0cthangprovip95
 
¿qué hacemos?
¿qué hacemos?¿qué hacemos?
¿qué hacemos?alvalos
 
3a x-0204
3a x-02043a x-0204
3a x-0204moriotf
 
SITUACIÓ SOCIOLINGÜÍSTICA DE L'ESCOLA
SITUACIÓ SOCIOLINGÜÍSTICA DE L'ESCOLASITUACIÓ SOCIOLINGÜÍSTICA DE L'ESCOLA
SITUACIÓ SOCIOLINGÜÍSTICA DE L'ESCOLApuigberenguer
 
ROMEX Płońsk
ROMEX PłońskROMEX Płońsk
ROMEX PłońsksalonyVi
 
Return on strategy
Return on strategyReturn on strategy
Return on strategyHans Gillior
 
Resource2
Resource2Resource2
Resource2grosi
 

Viewers also liked (18)

Rocks...
Rocks...Rocks...
Rocks...
 
Sarojkumar
Sarojkumar Sarojkumar
Sarojkumar
 
Kabir 2012 5.bak
Kabir 2012 5.bakKabir 2012 5.bak
Kabir 2012 5.bak
 
Ihoteak eta gure apainketa
Ihoteak eta gure apainketaIhoteak eta gure apainketa
Ihoteak eta gure apainketa
 
Маркетинг с "нулевым бюджетом" #mustdoit
Маркетинг с "нулевым бюджетом" #mustdoitМаркетинг с "нулевым бюджетом" #mustdoit
Маркетинг с "нулевым бюджетом" #mustdoit
 
SANPROD PLUS Ostrołęka
SANPROD PLUS OstrołękaSANPROD PLUS Ostrołęka
SANPROD PLUS Ostrołęka
 
Appalachian Power WV ED Forum - AEP ED Program of Work - Mark James
Appalachian Power WV ED Forum - AEP ED Program of Work - Mark JamesAppalachian Power WV ED Forum - AEP ED Program of Work - Mark James
Appalachian Power WV ED Forum - AEP ED Program of Work - Mark James
 
Mps
MpsMps
Mps
 
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline
102 bi quyet_tm_dien_tu - www.beenvn.com - tu_sachonline
 
¿qué hacemos?
¿qué hacemos?¿qué hacemos?
¿qué hacemos?
 
3a x-0204
3a x-02043a x-0204
3a x-0204
 
AEP Qualified Data Center Site Program
AEP Qualified Data Center Site Program AEP Qualified Data Center Site Program
AEP Qualified Data Center Site Program
 
Market Update4 2012
Market Update4 2012Market Update4 2012
Market Update4 2012
 
SITUACIÓ SOCIOLINGÜÍSTICA DE L'ESCOLA
SITUACIÓ SOCIOLINGÜÍSTICA DE L'ESCOLASITUACIÓ SOCIOLINGÜÍSTICA DE L'ESCOLA
SITUACIÓ SOCIOLINGÜÍSTICA DE L'ESCOLA
 
ROMEX Płońsk
ROMEX PłońskROMEX Płońsk
ROMEX Płońsk
 
Return on strategy
Return on strategyReturn on strategy
Return on strategy
 
Resource2
Resource2Resource2
Resource2
 
Anikea presentation1
Anikea presentation1Anikea presentation1
Anikea presentation1
 

More from Netwrix Corporation

File system auditing who accessed what files and where
File system auditing who accessed what files and whereFile system auditing who accessed what files and where
File system auditing who accessed what files and whereNetwrix Corporation
 
Top 10 critical changes to audit in your it infrastructure
Top 10 critical changes to audit in your it infrastructureTop 10 critical changes to audit in your it infrastructure
Top 10 critical changes to audit in your it infrastructureNetwrix Corporation
 
Top 5 identity management challenges and solutions
Top 5 identity management challenges and solutionsTop 5 identity management challenges and solutions
Top 5 identity management challenges and solutionsNetwrix Corporation
 
Top 5 critical changes to audit for active directory
Top 5 critical changes to audit for active directoryTop 5 critical changes to audit for active directory
Top 5 critical changes to audit for active directoryNetwrix Corporation
 
How to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT InfrastructureHow to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT InfrastructureNetwrix Corporation
 
NetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don JonesNetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don JonesNetwrix Corporation
 
Auditing Active Directory to Comply with State and Federal Regulations
Auditing Active Directory to Comply with State and Federal RegulationsAuditing Active Directory to Comply with State and Federal Regulations
Auditing Active Directory to Comply with State and Federal RegulationsNetwrix Corporation
 
Auditing Solution Enables Coaching of Staff and Pleases Auditors
Auditing Solution Enables Coaching of Staff and Pleases AuditorsAuditing Solution Enables Coaching of Staff and Pleases Auditors
Auditing Solution Enables Coaching of Staff and Pleases AuditorsNetwrix Corporation
 
Automated De-provisioning of Inactive Users Accounts
Automated De-provisioning of Inactive Users AccountsAutomated De-provisioning of Inactive Users Accounts
Automated De-provisioning of Inactive Users AccountsNetwrix Corporation
 
USB Port Protection that Hardens Endpoint Security and Streamlines Compliance
USB Port Protection that Hardens Endpoint Security and Streamlines ComplianceUSB Port Protection that Hardens Endpoint Security and Streamlines Compliance
USB Port Protection that Hardens Endpoint Security and Streamlines ComplianceNetwrix Corporation
 
How the World's Largest Date Agriculture Company "Planted" File Server Auditing
How the World's Largest Date Agriculture Company "Planted" File Server AuditingHow the World's Largest Date Agriculture Company "Planted" File Server Auditing
How the World's Largest Date Agriculture Company "Planted" File Server AuditingNetwrix Corporation
 
Ensuring Data Protection by controlling the Use of Removable Media
Ensuring Data Protection by controlling the Use of Removable MediaEnsuring Data Protection by controlling the Use of Removable Media
Ensuring Data Protection by controlling the Use of Removable MediaNetwrix Corporation
 
Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...
Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...
Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...Netwrix Corporation
 
Active Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the EnterpriseActive Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the EnterpriseNetwrix Corporation
 
Extending Change Auditing to Exchange Server
Extending Change Auditing to Exchange ServerExtending Change Auditing to Exchange Server
Extending Change Auditing to Exchange ServerNetwrix Corporation
 
Staying Abreast of Group Policy Changes
Staying Abreast of Group Policy ChangesStaying Abreast of Group Policy Changes
Staying Abreast of Group Policy ChangesNetwrix Corporation
 
The Business Case for Account Lockout Management
The Business Case for Account Lockout ManagementThe Business Case for Account Lockout Management
The Business Case for Account Lockout ManagementNetwrix Corporation
 
Exchange Auditing in the Enterprise
Exchange Auditing in the EnterpriseExchange Auditing in the Enterprise
Exchange Auditing in the EnterpriseNetwrix Corporation
 

More from Netwrix Corporation (20)

File system auditing who accessed what files and where
File system auditing who accessed what files and whereFile system auditing who accessed what files and where
File system auditing who accessed what files and where
 
Top 10 critical changes to audit in your it infrastructure
Top 10 critical changes to audit in your it infrastructureTop 10 critical changes to audit in your it infrastructure
Top 10 critical changes to audit in your it infrastructure
 
Top 5 identity management challenges and solutions
Top 5 identity management challenges and solutionsTop 5 identity management challenges and solutions
Top 5 identity management challenges and solutions
 
Top 5 critical changes to audit for active directory
Top 5 critical changes to audit for active directoryTop 5 critical changes to audit for active directory
Top 5 critical changes to audit for active directory
 
How to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT InfrastructureHow to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT Infrastructure
 
NetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don JonesNetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don Jones
 
Auditing Active Directory to Comply with State and Federal Regulations
Auditing Active Directory to Comply with State and Federal RegulationsAuditing Active Directory to Comply with State and Federal Regulations
Auditing Active Directory to Comply with State and Federal Regulations
 
Auditing Solution Enables Coaching of Staff and Pleases Auditors
Auditing Solution Enables Coaching of Staff and Pleases AuditorsAuditing Solution Enables Coaching of Staff and Pleases Auditors
Auditing Solution Enables Coaching of Staff and Pleases Auditors
 
Automated De-provisioning of Inactive Users Accounts
Automated De-provisioning of Inactive Users AccountsAutomated De-provisioning of Inactive Users Accounts
Automated De-provisioning of Inactive Users Accounts
 
USB Port Protection that Hardens Endpoint Security and Streamlines Compliance
USB Port Protection that Hardens Endpoint Security and Streamlines ComplianceUSB Port Protection that Hardens Endpoint Security and Streamlines Compliance
USB Port Protection that Hardens Endpoint Security and Streamlines Compliance
 
How the World's Largest Date Agriculture Company "Planted" File Server Auditing
How the World's Largest Date Agriculture Company "Planted" File Server AuditingHow the World's Largest Date Agriculture Company "Planted" File Server Auditing
How the World's Largest Date Agriculture Company "Planted" File Server Auditing
 
Ensuring Data Protection by controlling the Use of Removable Media
Ensuring Data Protection by controlling the Use of Removable MediaEnsuring Data Protection by controlling the Use of Removable Media
Ensuring Data Protection by controlling the Use of Removable Media
 
Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...
Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...
Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...
 
Active Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the EnterpriseActive Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the Enterprise
 
Extending Change Auditing to Exchange Server
Extending Change Auditing to Exchange ServerExtending Change Auditing to Exchange Server
Extending Change Auditing to Exchange Server
 
Staying Abreast of Group Policy Changes
Staying Abreast of Group Policy ChangesStaying Abreast of Group Policy Changes
Staying Abreast of Group Policy Changes
 
The Business Case for Account Lockout Management
The Business Case for Account Lockout ManagementThe Business Case for Account Lockout Management
The Business Case for Account Lockout Management
 
Exchange Auditing in the Enterprise
Exchange Auditing in the EnterpriseExchange Auditing in the Enterprise
Exchange Auditing in the Enterprise
 
File Auditing in the Enterprise
File Auditing in the EnterpriseFile Auditing in the Enterprise
File Auditing in the Enterprise
 
File auditing on NetApp Filer
File auditing on NetApp Filer File auditing on NetApp Filer
File auditing on NetApp Filer
 

Recently uploaded

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Better Active Directory auditing - Less overhead more power by Don Jones

  • 1. Better Active Directory Auditing… Less Overhead, More Power Don Jones for NetWrix Corporation www.netwrix.com Netwrix Corporation, 12 N. State Route 17, Suite 104, Paramus, NJ 07652, USA www.netwrix.com New York: (201) 490-8840 Tampa: (813) 774-6472 twitter.com/netwrix youtube.com/netwrix Los Angeles: (949) 407-5125 Boston: (617) 674-2157 netwrix.com/linkedin netwrix.com/googleplus London: +44 (0) 203 318 0261 Toll-free: (888) 638-9749 facebook.com/netwrix spiceworks.com/netwrix
  • 2. NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power Table of Contents 1. Defining your Auditing Needs 2. Windows Auditing Shortcomings 3. The Solution of the Problem 4. Thinking Beyond Basic Security Auditing 5. Enhanced Native Logging 6. NetWrix Active Directory Change Reporter 7. Freeware Products 8. About NetWrix Corporation 2
  • 3. NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power Defining Your Auditing Needs Today’s organizations – faced with stricter internal security policies as well as stringent legislative and industry requirements – continue to struggle to make Windows server auditing simpler, more reliable, and better able to meet their business requirements. It’s no wonder that organizations have such difficulties: Windows’ native auditing and logging mechanisms were originally and primarily designed to support troubleshooting efforts, not to meet the security auditing needs of modern businesses. The auditing problem in Windows starts with Active Directory. Active Directory sits at the center of your security strategy: It provides user authentication, and forms the basis upon which access authorization is based. Pretty much everything that happens in Active Directory needs to be audited. But the auditing needs go beyond mere security: Active Directory is mission-critical, and downtime simply isn’t acceptable. Auditing Active Directory for change control purposes, as well as for troubleshooting, is as paramount as capturing information purely related to security. Organizations dealing with compliance regulations like HIPAA, PCI DSS, SOX, FISMA, GLB, and more also have to audit how users use their authorizations. In other words, those organizations need to carefully audit access to selected files, Exchange Server mailboxes, SQL Server databases, and much more – as well as configuration and security changes to those products. Being “compliant” means more than just having the right security in place – it means being able to prove that the right security is in place and has been in place – something that can only be done with audit reports. Windows Auditing Shortcomings Native Windows auditing capabilities lack a few important features that are crucial to companies dealing with compliance and other stringent security requirements. Chief amongst these shortcomings are: The native audit logs are not centralized. This essentially makes the logs useless as an enterprise-wide audit trail. The native logs are not tamper-proof or tamper-resistant; administrators are able to easily cover their tracks by clearing the logs, and the logs can even be cleared accidentally. The native event log viewer application provides only primitive filtering and searching capabilities that are nowhere near the level needed for security and audit reporting. 3
  • 4. NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power The native logs don’t always contain information from the other products you run on Windows, such as SQL Server, VMware, and so forth. The native event logging system, to be frank, produces an abundance of information, yet it provides few ways to filter that information, to correlate related events, and so on. It’s a glut of data that is extremely difficult to use when trying to create a report of “who did what,” for example. In newer versions of Windows, Microsoft has made some improvements to the logging infrastructure. For example, Windows Server 2008 introduced the ability to log changed attribute values for Active Directory changes, allowing administrators to see what settings were changed and what the new values were. While this is helpful for both troubleshooting and security logging, the new capability doesn’t extend fully across all If you’re relying solely on the of the events captured in the log, nor does it include the Windows event logs, you’re attribute values as they were before the change – meaning missing tons of critical changes that you’re still resorting to backup files to discover “how in your environment – you’re things were.” flying blind. Another weakness of the native audit logs is that they simply don’t provide everything. If you’re relying on native event logs alone, then you’re missing an incredible amount of information about the changes going on in your environment. You won’t know what settings were changed within a Group Policy object, for example. You’ll be missing details on Active Directory schema changes. You won’t capture nonowner mailbox access in Exchange Server. You’re flying blind – and there’s no way you can expect to achieve and maintain compliance without being able to audit and report on the key changes and events. Does your company use Exchange Server? If so, the native event logs are probably capturing very little of the auditing information you actually need, including systemlevel configuration changes, Outlook Web Access settings in Internet information Services, and more. What changes are captured in the native event logs are typically full of cryptic, low-level data that is difficult to use for auditing purposes. The unfortunate fact is that most experienced professionals agree that the native Windows event logs, by themselves, are useless for modern security auditing requirements, and especially useless by themselves for any compliance scenario. Two Solutions to the Problem Obviously, if native auditing alone doesn’t meet your needs, you have to do something else, and there are two basic approaches. 3 4
  • 5. NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power The Intrusive Agent Approach The first possible approach is to forgo the native auditing completely. This usually entails installing a software application – referred to as an agent – on every single one of your servers. That agent collects auditing data in its own way, bypassing the native logging systems, and forwards its audit events to a centralized server. That central server takes care of your reporting, event storage, and so on. Something to keep in mind is that the agent will typically be task-specific, capable of auditing Active Directory or SQL Server or something else; if you have servers filling multiple roles, you may be deploying – and maintaining – multiple agents per server. There are some downsides to the agent-based approach. First, you’re taking on a much bigger long-term maintenance commitment, because agents are software, and software has to be patched and kept up-to-date. Agents can also reduce your infrastructure’s stability, because agents are software and software can contain bugs. Few businesses are excited about the possibility of having Agents can decrease server critical servers like domain controllers and Exchange stability and reliability, prolong Server computers unexpectedly crashing because of a maintenance activity, and buggy piece of management software. delay the application of critical Agents can also complicate overall server maintenance. Microsoft patches. When Microsoft “Patch Tuesday” rolls around, will every single patch be compatible with your agent software – or will installing a patch suddenly break everything? The unfortunate fact is that most agents work by “hacking” the operating system in some way, and the hacks needed for the agent to work can be changed at any time by a Microsoft patch, hotfix or service pack. By committing to the agent-based approach, you’re committing to having to pilot test every single patch and update Microsoft issues – or waiting for the agents’ software vendor to test each patch before you can deploy it. In the case of critical Microsoft patches, the necessary lag time created by having agents on your servers may not be practical. All of these extra caveats are one reason that the agent-based approach is sometimes referred to as an invasive or intrusive approach – harsh words, but ones that can accurately describe the situation. Another downside to the intrusive agent approach is that solutions built I this fashion typically ignore the native event logs, and may even encourage you to disable native event logging. That means you’re losing valuable information, and you’re only able to work with the information that the auditing solution provides. That’s a shame, because although they’re not perfect, the native event logs do provide a lot of valuable information. 3 5
  • 6. NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power The Agent-Free Approach The second approach is to keep the native logging in place – and to simply enhance it. This can typically be accomplished without installing anything on your servers, meaning you can deploy a solution that uses this approach much more quickly, and with much less impact in your environment. The solution simply contacts each of your servers, retrieves their event log entries as they are created, and stores copies of them in a centralized database. Again, that central database is where the magic happens: It can offer event searching and filtering, reporting, and so on. Such a solution could also remotely – again, without the use of an agent – capture information above and beyond what Windows itself would normally log, providing extended auditing capabilities for security, troubleshooting, and even change control. There are some distinct advantages to the second, agent-less approach: The native logs don’t always contain information from the other products you run on Windows, such as SQL Server, VMware, and so forth. Operating without an agent also makes for easier An agentless approach offers long-term maintenance: When software updates come faster deployment, practically out for your auditing solution, you’ll only have to zero server impact, and all the update the central server – you won’t be re-deploying auditing capabilities you need. updated agents to all of your servers. Operating without an agent also eliminates the potential for third-party software instabilities, conflicts, and so on. Microsoft will never be able to “point the finger” at a third-party agent on your domain controllers when there isn’t an agent, and your domain controllers will remain more “pure” and stable. By gathering all of the event information into a single location, the auditing solution could easily support a broad range of products, such as Exchange Server, SQL Server, and more – all without having to deploy additional agents to every server. You still get all of the valuable, technical information contained in the native event logs – you just get more information than the native event logs provide. Again, the idea is to not simply abandon the native event logging system, because that system does capture a great deal of useful data – and does so in a way that is completely understood, and which is obviously supported by Microsoft. The idea, rather, is to extend that native logging system to shore up its weak points and provide the business capabilities you require. A key component of the approach is the automated collection and centralization of event log information: By moving those events into a separate database, you can create a tamper-proof or tamper-evident store that is not subject to clearing by administrators trying to cover their tracks. This key element of a centralized auditing solution is what sets the stage for it to become a means of achieving security compliance. 6
  • 7. NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power Thinking Beyond Basic Security Auditing In today’s world, it is not enough to simply capture events that indicate someone was added to a security group, or events that log a user’s access to a file. Those are merely starting points; what you really need is a robust auditing architecture that has modern capabilities, including: Full auditing of all Active Directory events and activity. Full auditing of Group Policy objects (GPOs), which provide a critical component of your overall security strategy. This auditing should include details on what settings have been changed inside a modified GPO, including “before and after” data on the changes that were made. Exchange Server auditing – including access to mailboxes by users other than the mailbox owner, system-level configuration changes, and more – all with plain-English information rather than technical gibberish. “Who, What, When, and Where” information for every configuration change made in the IT infrastructure – critical both for troubleshooting and change control as well as for security compliance In addition, any auditing solution worth looking at must include pre-defined reports that help address the most common compliance needs, and should allow you to create custom reports to help support your own internal security policies and IT management processes. An ideal solution will build these reports in SQL Server Reporting Services, which offers Web-based reporting, subscription-based reports, and much more – making it easier to get information into the right hands. But a good auditing solution should do much more than just capture events and produce reports. A good solution can also be a valuable change management and change recovery tool. For example, if your auditing solution can capture “before and after” information on Active Directory configuration changes, then you might expect it to offer the ability to undo, or roll back, selected changes – ideally without having to take a domain controller offline for an authoritative restore operation. Enhanced Native Logging There’s little question that most companies will need to either supplement or replace the native Windows event logging capabilities; Windows simply doesn’t support the feature set that companies need to meet modern security compliance requirements. Replacing the native event logging system with an agent-based approach is a highimpact, intrusive operation. You will solve most of the problems associated with the native auditing system, but at the cost 7
  • 8. NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power of a lengthier, more complex deployment, higher ongoing maintenance overhead, and unknown impact on your servers’ performance and stability. In the end, many businesses will prefer auditing solutions that enhance and extend what’s already in Windows. You’re creating less impact on your servers and less intrusion into your environment; the auditing solution remains more standalone and compartmentalized. Long-term maintenance is easier, and you’re working with Windows they way it was designed to work. You’re still solving the problems of the native auditing system and gaining the capabilities you need to achieve and maintain compliance, but you’re doing so with less overall risk and effort. NetWrix Active Directory Change Reporter: A Non-Intrusive Way to Enhance Windows’ Native Auditing NetWrix Active Directory Change Reporter is designed to work with Windows native event logging system, enhancing it to provide more powerful capabilities and to fill its gaps. The product uses an agent-free approach, offering non-intrusive, fast deployments that don’t complicate your server installs or maintenance. The Active Directory Change Reporter includes all the things the native event logs don’t, including Active Directory schema changes, setting-level GPO changes, nonowner mailbox access in Exchange Server, and much more. The product captures the who, what, when, and why for every change in your environment, and enables you to produce custom reports through SQL Server Reporting Services. It comes packed with pre-defined reports for compliance and management needs, and captures before-and-after information for your infrastructure’s critical changes. NetWrix Active Directory Change Reporter doesn’t propose that you “rip and replace” the native event logging system – it simply fills in the gaps in Windows’ native event logs, capturing more and more detailed information and storing it in a secure database. Best of all, the product can be easily deployed by any experienced Windows administrator, without the need for expensive consulting services or lengthy deployments. And if you are looking for extended auditing for your entire IT infrastructure, NetWrix provides the integrated NetWrix Change Reporter Suite solution that includes ADCR and other similar modules for Windows server, VMware vSphere, file storage appliances (such as NetApp and EMC), Microsoft® SQL Server, SharePoint, network devices and several other platforms. Gain more insight, achieve and maintain compliance, speed troubleshooting and problem resolution, and ensure the security of your IT infrastructure – easily and quickly, and without installing a single bit of code on your precious production servers. That’s NetWrix Change Reporter Suite. 8
  • 9. NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power Freeware Products Tens of thousands of IT professionals use freeware editions of NetWrix products daily, including Active Directory Change Reporter and many more. All products can be downloaded at no charge on the NetWrix website. About NetWrix Corporation NetWrix Corporation’s core competency is in unifying change and configuration auditing of critical systems across the entire IT infrastructure. With the broadest platform coverage available in the industry, innovative technology and strategic roadmap aiming to support different platforms, devices and applications, NetWrix offers award-winning auditing solutions and superior customer service at affordable prices. Founded in 2006, NetWrix has evolved as #1 for Change Auditing as evidenced by thousands of satisfied customers worldwide. The company is headquartered in Paramus, NJ, and has regional offices in Los Angeles, Boston, Tampa and the UK. NetWrix is #33 among the fastest growing software companies in America according to Inc. 500 list published by Inc. Magazine in 2012. 9
  • 10. NetWrix: #1 for Change Auditing and Compliance Better Active Directory Auditing… Less Overhead, More Power NetWrix Corporation www.netwrix.com © Netwrix Corporation. All rights reserved. Netwrix is trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners. 10