Netwrix Auditor Active Directory


NETWRIX AUDITOR: ACTIVE DIRECTORY
ADMINISTRATOR’S GUIDE
Product Version: 5.0
August 2013
Copyright 2013 Netwrix Corporation. All Rights Reserved.

Netwrix Auditor: Active Directory Administrator’s Guide

Legal Notice

The information in this publication is furnished for information use only, and does not constitute a commitment from Netwrix Corporation of any features or functions discussed. Netwrix Corporation assumes no responsibility or liability for the accuracy of the information presented, which is subject to change without notice.

Netwrix is a registered trademark of Netwrix Corporation. The Netwrix logo and all other Netwrix product or service names and slogans are registered trademarks or trademarks of Netwrix Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and registered trademarks are property of their respective owners.

Disclaimers

This document may contain information regarding the use and installation of non-Netwrix products. Please note that this information is provided as a courtesy to assist you. While Netwrix tries to ensure that this information accurately reflects the information provided by the supplier, please refer to the materials provided with any non-Netwrix product and contact the supplier for confirmation. Netwrix Corporation assumes no responsibility or liability for incorrect or incomplete information provided about non-Netwrix products.

2013 Netwrix Corporation. All rights reserved.

Copyright 2013 Netwrix Corporation. All Rights Reserved
Suggestions or comments about this document? www.netwrix.com/feedback
Page 2 of 99

Table of Contents

1. INTRODUCTION  5
1.1. Overview  5
1.2. How This Guide is Organized  5
2. PRODUCT OVERVIEW  7
2.1. Key Features and Benefits  7
2.2. Product Workflow  8
2.3. Product Editions  10
3. NETWRIX AUDITOR CONSOLE OVERVIEW  11
4. MANAGED OBJECT  12
4.1. Creating Managed Object  12
4.2. Modifying Managed Object Settings  23
5. DATA COLLECTION  27
5.1. Data Collection Workflow  27
5.2. Change Summary  27
5.2.1. Modifying Change Summary Delivery Schedule  28
5.2.2. Generating Change Summary on Demand  29
5.2.3. Viewing Change Summary for a Specified Date Range  29
5.3. Sessions  30
5.3.1. Viewing Change Summary for Sessions  31
6. REPORTS  33
6.1. Reports Overview  33
6.2. Configuring Reports  34
6.2.1. Specifying SQL Server Settings  34
6.2.2. Uploading Report Templates to the Report Server  37
6.2.3. Importing Audit Data to SQL Database  37
6.2.4. Configuring Audit Database Retention Policy  39
6.2.5. Assigning Permissions to View Reports  40
6.3. Viewing Reports  41
6.3.1. Viewing Reports in The Netwrix Auditor console  41
6.3.2. Viewing Reports in a Web Browser  44
6.4. Configuring Report Subscriptions  45
6.4.1. Creating a Subscription  46
6.4.2. Modifying a Subscription  49
6.4.3. Forcing On-Demand Report Delivery  50

6.5. Overview Report  50
6.6. Change Management  52
6.7. State-in-Time Assessment Reports  55
6.7.1. Viewing State-in-Time Reports  56
6.7.2. Importing Historical Snapshots  57
6.8. Reports with Extended Audit Data  58
6.8.1. Reports With Originating Workstation  58
6.8.2. Reports With Data Filtering by Groups  60
7. REAL-TIME ALERTS  62
7.1. Creating Alerts  63
7.1.1. Configuring Real-Time Alerts  63
7.1.2. Identifying Correct Attributes  68
8. ACTIVE DIRECTORY OBJECT RESTORE  71
8.1. Reverting Unwanted Changes  71
9. CONFIGURING GLOBAL SETTINGS  76
9.1. Configuring Reports Settings  77
9.2. Configuring Email Notifications Settings  78
9.3. Configuring Audit Archive Settings  79
9.4. Configuring Data Collection Setting  80
9.5. Configuring License Settings  82
9.6. Configuring Netwrix Console Audit  82
10. ADDITIONAL CONFIGURATION  86
10.1. Enabling Monitoring of AD Partitions  86
10.2. Enabling Integration with Third-Party SIEM Solutions  87
10.3. Excluding/Including Data Types from/in Reports  89
A APPENDIX: MONITORED OBJECT TYPES AND ATTRIBUTES  92
B APPENDIX: SQL DATABASE RETENTION SCRIPT  93
C APPENDIX: NETWRIX AUDITOR – ACTIVE DIRECTORY REGISTRY KEYS  96
D APPENDIX: RELATED DOCUMENTATION  99

1. INTRODUCTION

1.1. Overview

This guide contains an overview of the Netwrix Auditor: Active Directory functionality and features, and detailed step-by-step instructions on how to configure and use the product. For instructions on how to install the product and configure the target AD domain for monitoring, refer to Netwrix Auditor Installation and Configuration Guide.

1.2. How This Guide is Organized

This section explains how this guide is organized and provides a brief overview of each chapter.

- Chapter 1 Introduction: the current chapter. It explains the purpose of this document and explains its structure.
- Chapter 2 Product Overview provides an overview of the Netwrix Auditor – Active Directory functionality, lists its main features and benefits, and explains the product workflow. It also contains information on the product editions and a side-by-side comparison of their features.
- Chapter 3 Netwrix Auditor Console Overview provides a description of the Netwrix Auditor console, which is an integrated interface for configuring audit of all target systems.
- Chapter 4 Managed Object explains how to configure a Managed Object, i.e. an Active Directory domain that you want to monitor for changes. It also explains how to modify Managed Object settings.
- Chapter 5 Data Collection explains the Netwrix Auditor data collection workflow and contains detailed information on the Change Summary options and Sessions.
- Chapter 6 Reports provides an overview of the Reports feature, lists all available report types, explains how to configure and view reports and contains report examples. It also contains step-by-step instructions on how to configure subscriptions to Reports.
- Chapter 7 Real-Time Alerts provides an overview of the Real-Time Alerts feature, and explains how to configure alerts in Netwrix Auditor. It also contains a detailed algorithm for selecting a correct attribute to define alert filters.
- Chapter 8 Active Directory Object Restore explains how to revert unwanted changes to AD objects using the Active Directory Object Restore wizard integrated with Netwrix Auditor: Active Directory.
- Chapter 9 Configuring Global Settings explains how to configure or modify the settings that are applied to all Managed Objects and all audited systems.
- Chapter 10 Additional Configuration provides a description of the product additional configuration options, such as enabling monitoring of the Configuration and Schema partitions, enabling integration with SIEM solutions and excluding data types from data collection and product reports.
- A Appendix: Monitored Object Types and Attributes provides links to a list of all Active Directory object classes and attributes monitored by Netwrix Active Directory Change Reporter.
- B Appendix: SQL Database Retention Script contains a SQL script used to configure the SQL database retention policy.

- C Appendix: Netwrix Auditor – Active Directory Registry Keys contains a description of the product registry keys that can be used for additional configuration.
- D Appendix: Related Documentation contains a list of all documents published to support Netwrix Active Directory Change Reporter.

2. PRODUCT OVERVIEW

Microsoft Active Directory auditing has become a mission-critical activity in business networks. Unauthorized changes and errors in Active Directory configuration can put your organization at risk, introducing security breaches and compliance issues. Native Active Directory auditing is often inadequate when it comes to supporting such business needs as troubleshooting, security auditing, change tracking, and reporting, many of which are driven by the necessity for organizations to comply with external industry and legislative requirements. For a detailed comparison of the native auditing tools and Netwrix products, refer to Summary: Limitations of Native Active Directory Auditing Tools.

Netwrix Auditor fills this functional gap by tracking all additions, deletions, and modifications made to Active Directory users, groups, computers, OUs, group memberships, permissions, domain trusts, AD sites, FSMO roles, AD schema, Group Policy and Exchange objects, settings and permissions.

The product collects data on changes made to the audited Active Directory domain, and generates reports showing the before and after values for WHO changed WHAT, WHEN and WHERE in a human-readable format without the overhead of resolving complicated native identifiers.

In addition to change tracking, each day the product creates a point-in-time snapshot of the target Active Directory domain’s configuration state. This information can be used in State-in-Time Reports to analyze different aspects of your system’s current configuration, or its configuration on any selected date in the past.

Netwrix offers long-term data archiving that uses a two-tiered system:
- Audit Archive, a local file-based storage
- SQL Server database

Netwrix offers both agent-based and agentless data collection methods.
The use of agents is recommended for distributed deployments or multi-site networks due to their ability to compress network traffic.

Netwrix Auditor employs AuditAssurance, a patent-pending technology that does not have the disadvantages of native auditing or SIEM (Security Information and Event Management) solutions that rely on a single source of audit data. The AuditAssurance technology consolidates audit data from multiple independent sources (event logs, configuration snapshots, change history records, etc.), and, therefore, can detect a change even if one or several sources of information do not contain all of the required data (e.g. because it was deleted, overwritten, etc.). The AuditAssurance technology always ensures you get a complete and concise picture of what changes take place in your monitored environment.

Note: This guide only covers the configuration and usage of Netwrix Auditor for Active Directory audit. For information on how to audit other target systems, refer to the corresponding documentation available for download from the Netwrix Auditor website page.

2.1. Key Features and Benefits

Netwrix Auditor allows automated auditing and reporting on changes to the monitored Active Directory environment. It enables you to do the following:

- Monitor day-to-day administrative activities: the product captures detailed information on all changes made to the monitored Active Directory environment, including the information on WHO changed WHAT, WHEN and WHERE. Audit reports and real-time email notifications facilitate review of daily activities.

- Sustain compliance by using in-depth change information. Audit data can be archived and stored for more than 7 years to be used for reports generation.
- Streamline change control: the integrated Active Directory Object Restore tool streamlines the restore of any undesired or potentially harmful changes to your Active Directory environment.
- Integrate with SIEM systems: the product can be integrated with multiple SIEM systems, including RSA enVision, ArcSight Logger, Novell Sentinel, NetIQ Security Manager, IBM Tivoli Security Information and Event Manager and more. The product can also be configured to feed data to Microsoft System Center Operations Manager, thus providing organizations that use SCOM with fully automated Active Directory auditing and helping protect these investments.

The main Netwrix Auditor features are:

- Reports with the previous and current values for every object- and attribute-level change. Reports are based on SQL Server Reporting Services (SSRS) with over 70 predefined report templates and support for custom reports.
- Real-time alerts: email notifications triggered by certain events and sent immediately after they have been detected.
- Report subscriptions allow scheduled report generation and delivery to the specified recipients. You can apply different report filters and select report output format.
- State-in-Time Reports: reports on the current or historical configuration state of your Active Directory environment.
- Rollback of changes: the product supports rollback of unwanted changes, down to individual attribute-level changes.
- Long-term data storage: allows for recreating the full audit trail of changes made to the monitored Active Directory environment and provides historical reporting for any specified period of time. Organizations can analyze any policy violations which occurred in the past, and maintain ongoing compliance with internal and external regulations.
- Group Policy and Exchange change auditing: the Group Policy and Exchange auditing features allow tracking all changes to Group Policy Objects, security policy violations, changes to permissions and more. For instructions on how to set up Netwrix Auditor to audit Group Policy and Exchange Server changes, refer to Netwrix Auditor: Group Policy Administrator’s Guide and Netwrix Auditor: Exchange Servers Administrator’s Guide respectively.

2.2. Product Workflow

A typical Netwrix Auditor: Active Directory data collection and reporting workflow is as follows:

1. An administrator configures Managed Objects and sets the parameters for automated data collection and reporting.
2. Netwrix Auditor monitors the target AD domains and collects audit data on changes and AD point-in-time configuration snapshots. Audit data is written to a local file-based storage, referred to as the Audit Archive.
3. If an event is detected that triggers an alert, an email notification is sent immediately to the specified recipients.

4. If the Reports functionality is enabled and configured, data is imported from the Audit Archive to a dedicated SQL database. Reports based on audit data can be viewed via the Netwrix Auditor console, or in a web browser.
5. The product emails Change Summaries to the specified recipients daily at 3:00 AM by default.

2.3. Product Editions

Netwrix Auditor for Active Directory audit is available in two editions: Freeware and Enterprise. The Freeware Edition can be used by companies or individuals for an unlimited period of time. The Enterprise Edition can be evaluated free of charge for 20 days.

The table below outlines the differences between the two editions:

Table 1: Netwrix Auditor: Active Directory Editions

Feature | Freeware Edition | Enterprise Edition
WHO, WHEN and WHERE fields for every change | No | Yes
The before and after values for every change | No | Yes
SSRS-based Reports, with filtering, grouping and sorting, and dozens of predefined report templates | No | Yes
Custom reports | No | Yes (create manually or order from Netwrix)
Predefined reports for SOX, HIPAA, GLBA, and FISMA compliance | No | Yes
Real-Time Alerts | No | Yes
Report Subscriptions | No | Yes
State-in-Time Reports on AD configuration | No | Yes
Integration with Microsoft System Center Operations Manager Pack (SCOM) (via Netwrix SCOM Management Pack for Active Directory Change Reporter) | No | Yes
Long-term archiving of audit data | No (data is only stored for 4 days) | Yes (any period of time)
Daily Change Summary email reflecting the changes made in the last 24 hours | Yes | Yes
A single installation handles multiple Managed Objects, each with its own individual settings | No | Yes
Integrated interface for different target systems’ audit, which provides centralized configuration and settings management | No | Yes
Reports can be viewed directly from the Netwrix Auditor Console | No | Yes
Technical Support | Support Forum, Knowledge Base | Full range of options: phone, email, submission of support tickets, Support Forum, Knowledge Base
Licensing | Free of charge | Per server; request a quote

3. NETWRIX AUDITOR CONSOLE OVERVIEW

The Netwrix Auditor console is an MMC snap-in that allows configuring Managed Objects and their settings, and the reporting options.

The Netwrix Auditor console enables you to do the following:
- Manage the settings of all Netwrix change auditing products via an integrated interface
- Create and configure Managed Objects
- Enable and configure SSRS-based Reports
- View Reports
- Configure long-term archiving
- Configure Subscriptions to Reports
- Handle numerous Managed Objects with a single installation
- Configure your Managed Objects settings in a batch

To start the Netwrix Auditor Console, navigate to Start > All Programs > Netwrix and click Netwrix Auditor. The console window will be displayed:

Figure 1: Netwrix Auditor Console

4. MANAGED OBJECT

In Netwrix Auditor – Active Directory, a Managed Object is an Active Directory domain that is monitored for changes and point-in-time configuration.

This chapter provides detailed step-by-step instructions on how to:
- Create and configure a Managed Object
- Modify Managed Object settings

4.1. Creating Managed Object

To create and configure a Managed Object, do the following:

Procedure 1: To create and configure a Managed Object

1. In the Netwrix Auditor console, select the Managed Objects node in the left pane. The Managed Objects page will be displayed:

Figure 2: Managed Objects Page

2. Click Create New Managed Object in the right pane. Alternatively, right-click the Managed Objects node and select New Managed Object from the popup menu to start the New Managed Object wizard.

Note: For your convenience, you can group Managed Objects into folders. To create a folder, right-click the Managed Objects node, select New Folder, and specify the folder name. Then create a new Managed Object inside this folder. You cannot move existing Managed Objects into folders once they have been created.

3. On the Select Managed Object Type step, select Domain as the Managed Object type and click Next.

Note: If you have configured Netwrix Auditor to audit other target systems before, the list of Managed Object types may contain several options.

Figure 3: New Managed Object: Select Managed Object Type

4. On the Specify Default Data Processing Account step, click the Specify Account button.

Note: If you have configured Netwrix Auditor to audit other target systems before, and specified the default Data Processing Account and the email settings on their configuration, the Specify Default Data Processing Account and Configure Email Settings steps of the wizard will be omitted.

In the dialog that opens, enter the default Data Processing Account (in the domain name\account name format) that will be used by Netwrix Active Directory Change Reporter for data collection. This account must have at least the following rights:
- Local administrator on the computer where Netwrix Active Directory Change Reporter is installed.
- Domain administrator in the monitored domain. Alternatively, it must have the “Manage auditing and security log” right enabled.
- If this account is going to be used to access the SQL database with audit data, it must also belong to the target database owner (dbo) role.

For a full list of rights and permissions required for the Data Processing Account, and instructions on how to configure them, refer to Chapter 5. Configuring Rights and Permissions of Netwrix Auditor Installation and Configuration Guide.

Figure 4: New Managed Object: Specify Default Data Processing Account

Click OK to continue and then Next.

Note: If later you need to modify the default Data Processing Account, you can do this either for an individual Managed Object (for instructions, refer to Procedure 3 To modify the Data Processing Account), or for all Managed Objects in a batch (for instructions, refer to Section 9.4 Configuring Data Collection Setting).

5. On the Specify Email Settings step, specify the email settings that will be used for Change Summary and Reports delivery:

Figure 5: New Managed Object: Specify Email Settings

The following parameters must be specified:

Table 2: Email Settings Parameters

Parameter | Description
SMTP server name | Enter your SMTP server name.
Port | Specify your SMTP server port number.
Sender address | Enter the address that will appear in the ‘From’ field in Reports and Change Summaries. To check the email address, click Verify. The system will send a test message to the specified address and will inform you if any problems are detected.
SMTP authentication | Select this check box if your mail server requires the SMTP authentication.
User name | Enter a user name for the SMTP authentication.
Password | Enter a password for the SMTP authentication.
Confirm password | Confirm the password.
Use Secure Sockets Layer encrypted connection (SSL) | Select this checkbox if your SMTP server requires SSL to be enabled.
Use Implicit SSL connection mode | Select this checkbox if the implicit SSL mode is used, which means that an SSL connection is established before any meaningful data is sent.

Note: If later you need to modify the email settings, you can do this in Settings > Email Notifications (for instructions, refer to Procedure 29 To configure the email notifications settings).

6. On the Specify Domain Name step, specify the target domain name in the FQDN format:

Figure 6: New Managed Object: Specify Domain Name

If you want to use a specific account to access data from this domain (other than the one you specified as the default Data Processing Account earlier in this procedure), select the Custom option and enter the credentials. This account must be granted the same permissions and access rights as the default Data Processing Account. Click Next to continue.

7. On the Select Target Systems step, make sure that Active Directory is selected under Target Systems:

Figure 7: New Managed Object: Select Target Systems

8. On the Configure Reports Settings step, select the Enable Reports checkbox if you want to use the SSRS-based Reports:

Figure 8: New Managed Object: Configure Reports Settings

Note: If you do not enable the Reports feature, audit data will not be written to a SQL database. If you wish to skip Reports configuration now, you can always enable and configure them later (for details, refer to Section 6.2 Configuring Reports of this guide).

Select one of the following options:
- Automatically install and configure a new instance of SQL Server Express Edition to automatically install and configure SQL Server 2008/2012 Express with Advanced Services. Once you have selected this option and clicked Next, the Reports Configuration wizard will start. Follow the instructions of the wizard to install and configure SQL Server 2008/2012 Express. For information on which SQL Server version is installed on which OS version, refer to the following Netwrix KB article: Which SQL Server versions can be installed automatically via the Netwrix Auditor console?
- Use an existing SQL Server instance with SQL Server Reporting Services to use an already installed SQL Server instance, or to install and configure it manually before proceeding with the product configuration. For detailed instructions on how to install Microsoft SQL Server 2005/2008 R2/2012 Express with Advanced Services and configure the Reporting Services, refer to the following Netwrix Technical Article: Installing Microsoft SQL Server and Configuring the Reporting Services.

Note: It is recommended to consider the maximum database size in different SQL Server versions, and make your choice based on the size of the environment you are going to monitor, the number of users and other factors. Note that the maximum database size in SQL Server Express editions may be insufficient.

If you have selected the second option, specify the following parameters:

Table 3: Reports Parameters

Parameter | Description
SQL Server instance | Specify the name of the SQL Server instance where a database of collected audit data will be created.
User name | Specify a user name for the SQL Server authentication. NOTE: This user must belong to the target database owners (dbo) role. For instructions on how to assign this role to a user, refer to Chapter 5. Configuring Rights and Permissions of Netwrix Auditor Installation and Configuration Guide.
Password | Enter a password for the SQL Server authentication.
Windows Authentication | Select this option if you want the Data Processing Account specified earlier in this procedure to be used to access the SQL database.
Report Server URL | Specify the Report Server URL. NOTE: It is recommended to press the Verify button to ensure that the resour
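The rights required of the Data Processing Account (step 4 of this procedure: local administrator on the Netwrix Auditor computer, Domain Admins membership or the “Manage auditing and security log” right, and the dbo role on the audit database, which the User name row of Table 3 repeats) can be verified before the wizard is run. The following PowerShell script is an added example written for readers of this guide; it is not part of Netwrix Auditor and not the product’s own code. It assumes it is run in a session started as the Data Processing Account on the Netwrix Auditor computer, that the ActiveDirectory (RSAT) module and the SqlServer module (for Invoke-Sqlcmd) are installed, and that WinRM is reachable on a domain controller of the monitored domain; the domain, SQL instance and database names are placeholders.

```powershell
# Added example, not Netwrix Auditor code: pre-flight check of the rights the
# Data Processing Account needs (step 4 above). Run it in a session started as
# that account on the Netwrix Auditor computer.
# Assumptions (not from the guide): ActiveDirectory and SqlServer modules present,
# WinRM reachable on a domain controller; the three names below are placeholders.
param(
    [string]$Domain        = 'corp.example.com',     # monitored domain (placeholder)
    [string]$SqlInstance   = 'SQLSRV01\NETWRIX',     # SQL Server instance (placeholder)
    [string]$AuditDatabase = 'NetwrixAuditor_AD'     # audit database (placeholder)
)

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$samName  = $identity.Name.Split('\')[-1]
$results  = [ordered]@{}

# 1. Local administrator on the computer where the product is installed.
#    The token's group list is used so nested membership counts and the result
#    does not depend on whether this session is elevated.
$results['LocalAdministrator'] = ($identity.Groups.Value -contains 'S-1-5-32-544')

# 2a. Domain administrator in the monitored domain (recursive membership).
Import-Module ActiveDirectory -ErrorAction Stop
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Server $Domain -Recursive |
    Select-Object -ExpandProperty SamAccountName
$results['DomainAdmin'] = ($domainAdmins -contains $samName)

# 2b. Alternative the guide allows: the "Manage auditing and security log" right
#     (SeSecurityPrivilege). It must hold on the domain controllers, so it is read
#     from a DC rather than from this machine; $null means "could not check".
try {
    $dc = Get-ADDomainController -Discover -DomainName $Domain |
        Select-Object -ExpandProperty HostName | Select-Object -First 1
    $privs = Invoke-Command -ComputerName $dc -ScriptBlock { whoami /priv } -ErrorAction Stop
    $results['ManageAuditingAndSecurityLog'] = [bool]($privs -match '^SeSecurityPrivilege')
} catch {
    $results['ManageAuditingAndSecurityLog'] = $null
}

# 3. Member of the dbo role on the audit database, needed only if this account
#    will also be used for SQL access. IS_ROLEMEMBER evaluates the caller itself.
try {
    $row = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $AuditDatabase `
        -Query "SELECT IS_ROLEMEMBER('db_owner') AS IsDbo;" -ErrorAction Stop
    $results['SqlDbOwner'] = ($row.IsDbo -eq 1)
} catch {
    $results['SqlDbOwner'] = $null
}

# Summary: the domain requirement is satisfied by either 2a or 2b.
$results['DomainRequirementMet'] = ($results['DomainAdmin'] -or
                                    $results['ManageAuditingAndSecurityLog'] -eq $true)
foreach ($entry in $results.GetEnumerator()) {
    '{0,-32} {1}' -f $entry.Key, $(if ($null -eq $entry.Value) { 'not checked' } else { $entry.Value })
}
```

Group membership is read from the logon token, so an account added to a group after it logged on must log on again before the check reflects the change. A result of “not checked” for the privilege row is expected when the account is not permitted to run remote commands on the domain controller; in that case the privilege can be read the same way from an interactive session on the DC.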
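The two SSL rows of Table 2 (step 5) differ in when the TLS handshake takes place: in implicit mode the connection is encrypted before the server’s banner is read, while in the explicit mode the session starts in clear text and is upgraded with STARTTLS. The following PowerShell script is an added example (not Netwrix code) that connects to an SMTP server in either mode and reports the banner, the TLS protocol negotiated and the AUTH mechanisms offered, so the combination of port and SSL mode can be confirmed before it is entered into the wizard. The server name, port and EHLO host name are placeholders chosen for this example.

```powershell
# Added example, not Netwrix Auditor code: connect to an SMTP server in either of
# the modes behind the two SSL checkboxes in Table 2 and report what the server
# negotiates. Implicit mode: TLS first, then SMTP inside it. Explicit mode: clear
# 220 banner and EHLO, then STARTTLS upgrades the same connection.
# Server, port and EHLO host name below are placeholders chosen for this example.
param(
    [string]$Server = 'smtp.example.com',   # placeholder SMTP server name
    [int]$Port = 465,                       # 465 is usual for implicit TLS, 587 for STARTTLS
    [switch]$ImplicitSsl                    # mirrors "Use Implicit SSL connection mode"
)

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Multi-line replies continue with "250-" and end with "250 " (space in column 4).
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function New-SmtpIo([System.IO.Stream]$Stream) {
    $r = New-Object System.IO.StreamReader($Stream)
    $w = New-Object System.IO.StreamWriter($Stream)
    $w.NewLine = "`r`n"; $w.AutoFlush = $true     # SMTP lines end with CRLF
    return $r, $w
}

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$stream = $tcp.GetStream()
$ssl = $null

if ($ImplicitSsl) {
    # Implicit mode: the handshake happens before any SMTP data, so even the
    # banner arrives encrypted. Default certificate validation is left in force.
    $ssl = New-Object System.Net.Security.SslStream($stream, $false)
    $ssl.AuthenticateAsClient($Server)
    $stream = $ssl
}

$reader, $writer = New-SmtpIo $stream
$banner = Read-SmtpReply $reader
$writer.WriteLine('EHLO netwrix-check.example.com')
$ehlo = Read-SmtpReply $reader

if (-not $ImplicitSsl) {
    if ($ehlo -match 'STARTTLS') {
        # Explicit mode: upgrade the clear-text session, then EHLO again as RFC 3207 requires.
        $writer.WriteLine('STARTTLS')
        $reply = Read-SmtpReply $reader
        if ($reply[0] -notlike '220*') { throw "STARTTLS refused: $($reply -join ' ')" }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false)
        $ssl.AuthenticateAsClient($Server)
        $reader, $writer = New-SmtpIo $ssl
        $writer.WriteLine('EHLO netwrix-check.example.com')
        $ehlo = Read-SmtpReply $reader
    } else {
        Write-Warning 'Server does not offer STARTTLS on this port: SMTP authentication credentials would be sent in clear text.'
    }
}

$writer.WriteLine('QUIT')
$tcp.Close()

[pscustomobject]@{
    Server         = "${Server}:${Port}"
    Mode           = if ($ImplicitSsl) { 'implicit SSL' } elseif ($ssl) { 'STARTTLS' } else { 'clear text' }
    Banner         = $banner -join ' '
    TlsProtocol    = if ($ssl) { $ssl.SslProtocol } else { 'none' }
    AuthMechanisms = ($ehlo | Where-Object { $_ -match 'AUTH' }) -join '; '
}
```

Run it once with -ImplicitSsl against the port you intend to enter and once without; a handshake failure in implicit mode on a port that answers with a clear 220 banner in explicit mode means the server expects STARTTLS there, and the Table 2 checkboxes should be set accordingly. The script never sends the SMTP user name or password; it only shows whether the mode you chose would protect them.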
