Product: Netwrix Auditor (formerly Netwrix Change Reporter)
Product Homepage: click here
Back in 2010, I did a review of Netwrix’s Change Reporter for WindowSecurity.com, and I came away impressed with its relative ease of use and functionality. Fast forward to today, when configuration auditing is even more important than before, and Netwrix is still very much in the game with an updated product that does more while being easier to implement. I ran into a few stumbling blocks along the way, but thanks to the excellent documentation, it was easy to figure out what the problem was and resolve it – without resorting to tech support.
In my 2010 review, I focused primarily on the features that report changes to Active Directory/Group Policy and file servers. Those feature sets are still here, along with the ability to audit changes in VMware, Microsoft Exchange, SQL Server, NetApp Filer, SharePoint and EMC VNX/VNXe/Celerra devices. There are a couple of added features that I want to pay specific attention to in this new review: the improvements to auditing of Windows Server and the user session activity auditing.
Understanding the problem
We’ve come a long way in the last three years, and most organizations understand that the old way, in which the network “just grew that way,” no longer works in an era where IT is under ever-increasing scrutiny both from stricter internal oversight and from governmental and industry regulators. Compliance issues take up more and more administrative time, now that we not only have to make sure our networks are secure, we also have to be able to prove that level of security through documentation.
Data is good, but in order to be useful, a change auditing system has to go beyond the raw data and give you a way to turn that information into action. That starts with the ability to filter the data to detect trends and patterns.
Understanding the product
If you’re new to Netwrix, you may feel a little confused at first as you sort through the terminology. The product name is Netwrix Auditor and it provides configuration auditing for a variety of platforms including Active Directory, Group Policy, Exchange, and so forth. The full list of supported platforms is given below:
- Active Directory
- AD Object Restore*
- EMC VNX/VNXe/Celerra*
- File Server
- Group Policy
- NetApp Filer*
- SQL Server
- VMware Environments
- Event Log*
- User Activity*
- Windows Server*
- SharePoint 2007*
- Non-owner Mailbox Access*
In comparison to the Change Reporter that I reviewed in 2010, there are seven new audited systems on the installation screen (those that are marked with an asterisk in the list above).
When you’ve installed the product, you’ll have a comprehensive configuration auditing solution that provides a detailed audit trail that can serve multiple purposes for compliance, security and troubleshooting functions. Netwrix Auditor follows the framework that’s familiar to reporters from journalism school: It attempts to answer the questions “Who, when, what and where” – in this case, in regard to changes made to components, settings and resources.
That information is saved to a historical record that can be analyzed at any time, and the specific objects to be managed are configurable so that you won’t be overwhelmed with data you don’t need. You have control over the parameters for data collection and reporting.
Installing the product
As with any software product, the first step in installing Netwrix Auditor is to ensure that the system requirement prerequisites are met. That means a minimum 32-bit 2 GHz Intel or AMD processor (64-bit 3 GHz quad-core recommended) with at least 512 MB of RAM (2-4 GB is more realistic) and plenty of free drive space for the audit archive along with the software components themselves (the recommendation is two drives totaling 50 GB of free space).
You can run the console on a computer running Windows XP SP3 or above with the .NET Framework 3.5 and MMC 3.0 or above installed. For Exchange Server auditing, you need PowerShell 2.0 or above; to run Group Policy auditing, you need the GPMC (Group Policy Management Console); and if you use SQL Server to store audit data, you need IIS 5.1 or above. You can find more information on system requirements in the Quick Start Guide that’s downloadable from the Netwrix web site.
You can download a trial version of the software that’s good for 20 days, from the page linked above. If you want to try it out but don’t have a test lab environment where you can set it up, you can instead do an online “test drive” on Netwrix’s hosted servers. You will, of course, need to accept the license agreement when you install the trial version. The first obstacle you may hit is the requirement to install the .NET Framework 3.5. Note that if you’re installing the management console on Windows Server, you install .NET Framework 3.5 as a feature through Server Manager.
When you install Netwrix Auditor on Windows Server 2012, you’ll be able to access it through a tile on the Start screen, the All Apps menu, or a search, as shown in Figure 2.
Using the management console
The management console’s top level screen shows the audited systems and the link to a wizard that makes it easy to create new managed objects, as shown in Figure 3.
A managed object is just a computer or group of computers (called a Computer Collection) that you want to monitor for changes. You can put managed objects into folders if you want to group multiple managed objects for easier navigation. To use Netwrix Auditor, you’ll need to create at least one managed object, as shown in Figure 4.
Windows Server auditing with Netwrix Auditor
I looked first at Windows Server configuration auditing capabilities, since it was the new feature in which I was most interested. The installation process itself is simple and fast. However, you have to complete some pretty complex steps when you create a managed object. These include:
- Specifying a default data processing account.
- Setting the privileges on that account to include local admin rights on the Netwrix Auditor – Windows Server computer and all the computers being monitored.
- Setting the role (database owner) for accessing the SQL database with audit data with the account.
- Configuring email settings for delivering the Change summary and reports.
- Giving the computer collection a name.
- Enabling the Netwrix Auditor – Windows Server module for the managed object.
As with the version I reviewed before, getting the Netwrix product configured is more challenging than actually using it. That’s because of the dependencies and prerequisites. Don’t expect it to be a quick process. If you don’t have a SQL Server that’s accessible by the Netwrix Auditor, you’ll have to install and configure that. SQL Server isn’t included with the product installation package. You can, however, install SQL Server Express automatically using the Reports Configuration wizard, as you can see in Figure 5.
You can also install SQL manually, in which case you’ll probably need to consult this separate document titled Installing Microsoft SQL Server and Configuring Reporting Services.
Once you get SQL configured successfully, you’re halfway home.
Continuing with the configuration of Windows Server auditing, you can enable Network Traffic Compression if you have a slow connection or a multi-site network, to speed performance. This runs an agent on each of the target computers. Then you can have Netwrix Auditor automatically check and adjust the audit settings (or you can do it manually). If you choose the automatic adjustment, audit permissions will be set in the registry, local audit policies will be modified and event log size and retention settings will be adjusted. One “gotcha” is that local audit policies on domain controllers must be configured manually.
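The automatic adjustment described above changes settings you will want to verify afterwards, and on domain controllers you have to make them yourself. The following script is an added example for this review, not Netwrix code: it reports the local audit policy and the Security event log size and retention mode on the server where it runs, and flags subcategories that generate no events at all. The 512 MB minimum log size and the function names are assumptions chosen for the example; the value the product actually needs is in its Installation and Configuration Guide.

```powershell
# Added example (not Netwrix's code): report the settings on an audited
# Windows server that Netwrix Auditor's automatic adjustment touches, so you
# can verify them afterwards or, on a domain controller, set them by hand.
# Run from an elevated PowerShell prompt on the server being audited.

# ASSUMPTION: this minimum Security log size is a placeholder for the example;
# the value the product needs is in its Installation and Configuration Guide.
$MinSecurityLogMB = 512

function Get-LocalAuditPolicy {
    # 'auditpol /r' prints CSV with the columns Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    auditpol.exe /get /category:* /r |
        Where-Object { $_ -match '\S' } |   # drop blank lines before parsing
        ConvertFrom-Csv
}

function Get-SecurityLogSettings {
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
        LogMode       = $log.LogMode      # Circular, AutoBackup or Retain
        RecordCount   = $log.RecordCount
    }
}

function Test-AuditPrerequisites {
    $policy = Get-LocalAuditPolicy
    $logCfg = Get-SecurityLogSettings

    # Subcategories that generate no events at all: changes in those areas
    # never reach the Security log, so no collector can report "who" for them.
    $silent = $policy | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
    Write-Host "Subcategories set to 'No Auditing' ($(@($silent).Count) of $(@($policy).Count)):"
    $silent | Select-Object -ExpandProperty Subcategory | ForEach-Object { "  $_" }

    Write-Host "Security log: $($logCfg.MaximumSizeMB) MB, mode $($logCfg.LogMode), $($logCfg.RecordCount) records"
    if ($logCfg.MaximumSizeMB -lt $MinSecurityLogMB) {
        Write-Warning "Security log is below the assumed $MinSecurityLogMB MB minimum; events may be overwritten before the nightly collection."
    }
    if ($logCfg.LogMode -eq 'Retain') {
        Write-Warning "Log mode is Retain: once the log is full, new events are discarded instead of overwriting old ones."
    }
}

function Set-SecurityLogSize {
    # Manual equivalent of the size/retention adjustment, using wevtutil.
    param([int]$SizeMB = $MinSecurityLogMB)
    $bytes = $SizeMB * 1MB
    wevtutil.exe sl Security "/ms:$bytes" /rt:false   # /rt:false = overwrite as needed
}

Test-AuditPrerequisites
```

Run it once before enabling the automatic adjustment and once after, and the difference in the two reports is exactly what the product changed on that server. Set-SecurityLogSize is there for the manual case; it is not called by default.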
Netwrix Auditor will audit the system components, registry settings and file and permission changes as shown in Figure 7. These include:
- General computer settings
- Add/remove programs
- Scheduled tasks
- Local users and groups
- DNS configuration
- DNS resource records
- OS security
- Security settings
- Windows Firewall
- Remote Desktop
- File sharing settings
- USB devices
- Important services
- Startup and autorun
- All other settings
You also need to add computers and other items to your computer collection and you may want to add other computers later, after the initial configuration. To do this at any time, you just expand the Managed Objects node in the left pane of the Netwrix console and click on the name of the computer collection, then click the Add button as shown in Figure 8.
In this case, we want to audit Windows servers, so this is the item type that we’ll add to the collection. You can add individual computers, computers in an Active Directory container or an IP address range. You can even import a text file containing a list of computers. To add an individual computer, you can use the NetBIOS or fully qualified domain name or the IP address. You can also browse the network (see Figure 9).
It’s also easy to modify the product settings at any time. Just expand the computer collection item in the left pane of the Netwrix Management Console and click Windows Server Change Reporter. Here you can enable/disable the module, add email recipients for the Change Summary, enable/disable network compression, select system components to monitor or generate a Change Summary for a selected server, as shown in Figure 10.
How it works
Now that you finally have everything configured, here’s what the Netwrix Auditor actually does: It creates a snapshot of each of the computers you’ve added as items in your computer collection. By default, data collection happens at 3:00 a.m. every day so as not to interfere with other tasks. Then the first Change Summary is prepared and sent to the email address(es) you specified.
Here’s another “gotcha”: you have to be sure to configure the server(s) you’re monitoring to allow auditing. If you didn’t choose to have this done automatically, see the Installation and Configuration Guide for instructions on how to configure them manually. Also note that data collection has to run twice before you can generate a Change Summary.
To change the data collection time, expand the Settings node in the left pane and click Data Collection, as shown in Figure 11.
The Change Summary provides information about what types of changes occurred, who (account name) made the changes, the time the changes were made, the server on which the changes were made, the object type that was changed and the path to the object.
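To make the snapshot-and-compare idea concrete, here is an added example written for this review (it is not Netwrix's implementation). Each run records the state of three of the audited component types listed earlier (services, local groups and scheduled tasks) to a JSON file; the next run compares against that file and emits a summary of what changed, on which server, and when the change was detected. As the "data collection has to run twice" note implies, the first run only produces a baseline. Note what a pure snapshot diff cannot give you: the "who". That comes from the Security event log, which is why the product also needs the local audit policies enabled on the target. The snapshot path and function names are assumptions chosen for the example.

```powershell
# Added example, not Netwrix's implementation: a minimal snapshot-and-compare
# loop over services, local groups and scheduled tasks. The first run stores a
# baseline; later runs diff against it and print what changed, where, and when
# it was detected. "Who" is not recoverable from two snapshots.
# Run from an elevated PowerShell prompt (Windows PowerShell 5.1).

# ASSUMPTION: the snapshot location is a placeholder chosen for this example.
$SnapshotPath = Join-Path $env:ProgramData 'ConfigSnapshot\baseline.json'

function Get-ConfigSnapshot {
    # Key = "<ObjectType>\<Path>", Value = string describing the object's state,
    # so a changed value shows up as 'Modified' rather than as remove + add.
    $state = @{}
    foreach ($svc in Get-Service) {
        $state["Service\$($svc.Name)"] = "$($svc.Status);$($svc.StartType)"
    }
    foreach ($grp in Get-LocalGroup) {
        $members = (Get-LocalGroupMember -Group $grp.Name -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.Name } | Sort-Object) -join ','
        $state["LocalGroup\$($grp.Name)"] = $members
    }
    foreach ($task in Get-ScheduledTask) {
        # TaskPath already starts with a backslash, e.g. \Microsoft\Windows\...
        $state["ScheduledTask$($task.TaskPath)$($task.TaskName)"] = "$($task.State);$($task.Principal.UserId)"
    }
    return $state
}

function Read-Snapshot([string]$Path) {
    # ConvertFrom-Json yields a PSCustomObject; turn it back into a hashtable.
    $obj = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $h = @{}
    foreach ($p in $obj.PSObject.Properties) { $h[$p.Name] = $p.Value }
    return $h
}

function Compare-ConfigSnapshot {
    param([hashtable]$Old, [hashtable]$New, [string]$ComputerName, [datetime]$DetectedAt)
    $keys = @($Old.Keys) + @($New.Keys) | Sort-Object -Unique
    $changes = foreach ($key in $keys) {
        $type, $path = $key -split '\\', 2
        if (-not $Old.ContainsKey($key))     { $kind = 'Added' }
        elseif (-not $New.ContainsKey($key)) { $kind = 'Removed' }
        elseif ($Old[$key] -ne $New[$key])   { $kind = 'Modified' }
        else                                 { continue }
        [pscustomobject]@{
            Detected   = $DetectedAt     # when the change was noticed, not made
            Server     = $ComputerName
            ObjectType = $type
            Path       = $path
            Change     = $kind
            Before     = $Old[$key]
            After      = $New[$key]
        }
    }
    return $changes
}

function Invoke-ConfigAudit {
    $now = Get-Date
    $new = Get-ConfigSnapshot
    if (Test-Path -Path $SnapshotPath) {
        $old = Read-Snapshot -Path $SnapshotPath
        Compare-ConfigSnapshot -Old $old -New $new -ComputerName $env:COMPUTERNAME -DetectedAt $now |
            Format-Table Detected, Server, ObjectType, Path, Change, Before, After -AutoSize
    } else {
        Write-Host "No baseline yet; this run only records a snapshot (a summary needs two collections)."
    }
    New-Item -ItemType Directory -Force -Path (Split-Path -Path $SnapshotPath) | Out-Null
    $new | ConvertTo-Json | Set-Content -Path $SnapshotPath
}

Invoke-ConfigAudit
```

Schedule it to run at a quiet hour, as the product does at 3:00 a.m., and the output of each run is a small change summary for that server. Because the "Detected" column is the comparison time rather than the moment of change, anything that needs the exact time or the account responsible still has to be correlated with the Security log.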
Netwrix Auditor can generate different types of reports, based on Microsoft SQL Server Reporting Services (SSRS). Predefined reports geared toward specific compliance needs are included (HIPAA, SOX, GLBA, etc.) and you can order custom templates, too.
There are many different report settings that can be configured. You can view reports in the Netwrix Management console or via a web browser. You’ll find the URL in the Settings | Reports section of the Netwrix Management Console. By default, only domain admins can view the reports but you can allow other specified users to do so, as well. You can filter reports by time frame, what changed, who changed it, where it was changed or object type.
You can schedule reports to be generated and delivered automatically on a daily, weekly or monthly basis by configuring report subscriptions.
You can see the available reports by expanding the Windows Server Change Reporter node in the left pane of the Netwrix Management Console and clicking Reports, as shown in Figure 12.
I like the overview chart, which gives you an “at a glance” visual summary of changes to your servers that have taken place over the previous week (shown in Figure 13).
The Change Management folder is helpful in that it lets you assign status and reasons for changes so you can effectively keep notes on the changes and keep track of your investigations into the changes. This is in the Change Review History section.
Something else to be aware of is the retention period that’s set for the audit data. You specify this in number of months, in the Settings | Audit Archive node, as shown in Figure 14. The default is 24 months and even if you set it to 0, data will be kept for a minimum of two days (two sessions).
All in all, I found the Windows Server auditing with Netwrix Auditor to be very easy once you get the product installed and configured. I rarely had to look at the documentation, since the console is logically arranged and easy to navigate. It does what it says it will do, and while it provides for a lot of flexibility and power with many different configuration options, the choices don’t overwhelm you as is the case with some software of this type.
User Session Activity auditing with Netwrix Auditor
This is another new feature that particularly interested me, because it functions like a surveillance camera over the network. It records on-screen user activity so you can actually see what takes place, rather than just reading about it. You can even monitor RDP sessions and Citrix sessions. I really like that it lets you go directly to a specific activity or timestamp and view the screen capture, with the product detecting the start and stop points for activities and organizing them so they’re easy to find.
You can track a specific user or application, too – so you get just what you want and don’t waste disk space or search time on unnecessary video (although you can’t do this with Windows 8 modern apps or command line utilities). You can also configure the video quality and the retention time for the recordings. All of this is managed through the Netwrix Management Console, as shown in Figure 15.
This is a great supplement to the reports that you get from Netwrix Auditor and invaluable for monitoring applications that don’t produce log files. If you didn’t install it as part of the initial installation of Netwrix Auditor, you can add it through the Netwrix Management Console’s top node. A new database will be created for user session activity auditing and by default, an Activity Summary will be sent every hour to the email address(es) you specify, containing a list of video sessions recorded during that hour. An especially nice touch is that you can integrate the video recordings into the change reports generated for audited systems, such as the Windows Server.
I only had time to play with the user session activity auditing for a short time but I think it has fantastic potential to greatly enhance the auditing process.
When I reviewed the Netwrix Change Reporter in 2010, I vacillated between whether to ultimately give it a silver or gold award. This time, I had no such dilemma. Setup has been made easier, the interface seems more intuitive and I’m really impressed with the improvements in user friendliness and the new functionalities that have been added since then. The configuration auditing of the Windows Server is a welcome addition, but the User Session Activity auditing and its integration with the entire product is the crowning touch that got me excited about this product.
A major weakness with software products today is the lack of clear and comprehensive documentation. Netwrix Auditor doesn’t suffer from that problem. There is a wealth of information in the guides and the setup and administration instructions are straightforward. Better, they cover the special situations and problems you’re likely to encounter so you can head them off at the pass or, if you didn’t read them before, easily pinpoint what’s going on and resolve it.
Netwrix Auditor has matured into a very comprehensive change monitoring and management solution and this time around, I have no hesitation about giving it the WindowSecurity.com Gold Award with the highest 5.0 out of 5.0 rating.
WindowSecurity.com Rating: 5/5
More information about Netwrix Auditor