CONFIGURING TARGET ENVIRONMENT FOR AUDIT BY NETWRIX WINDOWS SERVER CHANGE REPORTER TECHNICAL ARTICLE


Product Version: 4.0
June 2013

Legal Notice

The information in this publication is furnished for information use only, and does not constitute a commitment from Netwrix Corporation of any features or functions discussed. Netwrix Corporation assumes no responsibility or liability for the accuracy of the information presented, which is subject to change without notice.

Netwrix is a registered trademark of Netwrix Corporation. The Netwrix logo and all other Netwrix product or service names and slogans are registered trademarks or trademarks of Netwrix Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and registered trademarks are property of their respective owners.

Disclaimers

This document may contain information regarding the use and installation of non-Netwrix products. Please note that this information is provided as a courtesy to assist you. While Netwrix tries to ensure that this information accurately reflects the information provided by the supplier, please refer to the materials provided with any non-Netwrix product and contact the supplier for confirmation. Netwrix Corporation assumes no responsibility or liability for incorrect or incomplete information provided about non-Netwrix products.

© 2013 Netwrix Corporation. All rights reserved.

Table of Contents

1. INTRODUCTION
   1.1. Overview
   1.2. How This Guide is Organized
2. CONFIGURING WINDOWS REGISTRY AUDIT SETTINGS
3. CONFIGURING LOCAL AUDIT POLICIES
4. CONFIGURING EVENT LOGS SIZE AND RETENTION METHOD
A APPENDIX: RELATED DOCUMENTATION

1. INTRODUCTION

1.1. Overview

This technical article is intended to help you configure your target computers for auditing by Netwrix Windows Server Change Reporter. Successful change auditing requires a certain configuration of the audit settings on the monitored servers. Otherwise, your change reports may contain errors and incomplete audit data. For example, you can receive a report containing the System value instead of an account name in the Who changed column.

Netwrix Windows Server Change Reporter can configure audit settings on target computers automatically if you select the corresponding option when creating a Managed Object. If you wish to do it manually, this article provides detailed step-by-step instructions on how to perform the necessary operations.

1.2. How This Guide is Organized

This section explains how this guide is organized and provides a brief overview of each chapter.

- Chapter 1 Introduction is the current chapter. It explains the purpose of this document and its structure.
- Chapter 2 Configuring Windows Registry Audit Settings provides instructions on how to set Windows registry audit permissions so that the Who and When values are reported for each change.
- Chapter 3 Configuring Local Audit Policies explains how to configure local audit policy settings required for the product to be able to collect audit data.
- Chapter 4 Configuring Event Logs Size and Retention Method provides instructions on how to increase your event log size to prevent audit data loss.
- A Appendix: Related Documentation contains a list of all documentation published to support Netwrix Windows Server Change Reporter.

2. CONFIGURING WINDOWS REGISTRY AUDIT SETTINGS

Windows Registry audit permissions must be configured so that the Who and When values are reported correctly for each change. The following audit permissions must be set to Successful for the HKEY_LOCAL_MACHINE\SOFTWARE, HKEY_LOCAL_MACHINE\SYSTEM, and HKEY_USERS\.DEFAULT nodes:

- Set Value
- Create Subkey
- Delete
- Write DAC
- Write Owner

The procedures below provide you with the instructions on how to configure Windows Registry audit permissions, depending on your Windows OS version:

- To configure Windows Registry audit settings on pre-Windows Server 2012
- To configure Windows Registry audit settings on Windows Server 2012

Procedure 1. To configure Windows Registry audit settings on pre-Windows Server 2012

1. On your target server, open Registry Editor (navigate to Start > Run, enter regedit and click OK).
2. In the registry tree, expand the HKEY_LOCAL_MACHINE node, right-click SOFTWARE and select Permissions from the pop-up menu.
3. In the Permissions for SOFTWARE dialog, click the Advanced button.
4. In the Advanced Security Settings for SOFTWARE dialog, select the Auditing tab and click the Add button:

   Figure 1: Advanced Security Settings for SOFTWARE

5. In the dialog that opens, type Everyone and click OK.

6. In the Auditing Entry for SOFTWARE dialog that opens, select Successful for the following access types: Set Value, Create Subkey, Delete, Write DAC, and Write Owner:

   Figure 2: Auditing Entry for SOFTWARE

7. Click OK to save the changes.
8. Repeat steps 2 to 7 for the HKEY_LOCAL_MACHINE\SYSTEM and HKEY_USERS\.DEFAULT nodes.

Procedure 2. To configure Windows Registry audit settings on Windows Server 2012

1. On your target server, open Registry Editor: navigate to Start, type regedit and select regedit from the Results list.
2. In the registry tree, expand the HKEY_LOCAL_MACHINE node, right-click SOFTWARE and select Permissions from the pop-up menu.
3. In the Permissions for SOFTWARE dialog, click the Advanced button.
4. In the Advanced Security Settings for SOFTWARE dialog, select the Auditing tab and click the Add button.

   Figure 3: Advanced Security Settings for SOFTWARE

5. In the dialog that opens, click the Select a principal link, enter the Everyone group in the Enter the object name to select field, and click OK.
6. Set the access type to Successful and the Applies to value to This key and subkeys.
7. Click the Show advanced permissions link and select the following access types: Set Value, Create Subkey, Delete, Write DAC, and Write Owner:

   Figure 4: Auditing Entry for SOFTWARE

8. Click OK and save all changes.
9. Repeat steps 2 to 8 for the HKEY_LOCAL_MACHINE\SYSTEM and HKEY_USERS\.DEFAULT nodes.
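The same audit entry can be applied and checked from an elevated PowerShell session instead of Registry Editor. The script below is an added example, not part of the original article or of the Netwrix product; the function names are hypothetical, and it assumes the .NET RegistryRights names ChangePermissions and TakeOwnership for the Write DAC and Write Owner access types.

```powershell
# Added example (not Netwrix code). Run elevated on the target server:
# reading or writing a SACL requires the "Manage auditing and security log" right.
$AuditKeys = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE',
             'Registry::HKEY_LOCAL_MACHINE\SYSTEM',
             'Registry::HKEY_USERS\.DEFAULT'

# Set Value, Create Subkey, Delete, Write DAC, Write Owner as RegistryRights flags.
$AuditRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$EveryoneSid = 'S-1-1-0'   # well-known SID of Everyone, independent of OS language

function Test-RegistryAuditRule {
    # True when the key already audits successful use of all five rights
    # by Everyone on the key itself and on its subkeys.
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl   = Get-Acl -Path $Path -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $coversRights = ([int]$r.RegistryRights -band [int]$AuditRights) -eq [int]$AuditRights
        $onSuccess    = [bool]($r.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success)
        $toSubkeys    = [bool]($r.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
        $onThisKey    = -not ($r.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        if ($r.IdentityReference.Value -eq $EveryoneSid -and
            $coversRights -and $onSuccess -and $toSubkeys -and $onThisKey) {
            return $true
        }
    }
    return $false
}

function Set-RegistryAuditRule {
    # Adds the audit entry where it is missing and reports the state of each key.
    param([string[]]$Path = $AuditKeys)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier($EveryoneSid)
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $everyone, $AuditRights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # This key and subkeys
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)                 # Successful only
    foreach ($key in $Path) {
        if (Test-RegistryAuditRule -Path $key) {
            $state = 'AlreadySet'
        } else {
            $acl = Get-Acl -Path $key -Audit
            $acl.AddAuditRule($rule)            # merges with any existing audit entries
            Set-Acl -Path $key -AclObject $acl
            $state = if (Test-RegistryAuditRule -Path $key) { 'Added' } else { 'Failed' }
        }
        New-Object psobject -Property @{ Key = $key; State = $state }
    }
}

Set-RegistryAuditRule | Format-Table Key, State -AutoSize
```

Registry changes are only recorded once the object access audit policy described in the next chapter is also enabled.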

3. CONFIGURING LOCAL AUDIT POLICIES

Configure local audit policies on your target servers as described in this section to get the Who and When values for the changes to the following monitored system components:

- Services
- Hardware and system drivers
- Windows registry
- Scheduled tasks
- Local users and groups

The procedures below provide you with one of several possible ways to configure the audit policy, depending on your operating system version:

- To configure local audit policies on pre-Vista Windows versions
- To configure local audit policies on Windows Vista and above

You must be logged on as a member of the Administrators group or you must be granted the Manage auditing and security log right to perform this procedure. For instructions on how to assign the Manage auditing and security log right, refer to Netwrix Windows Server Change Reporter Installation and Configuration guide.

Note: There are several different methods to configure local audit policies, and this article only describes one of them. It is recommended to consider the possible impact on your Active Directory environment and select a method that best suits your purposes. Note that if you follow the procedures below, audit settings will be applied to the whole domain.

Procedure 3. To configure local audit policies on pre-Vista Windows versions

1. Navigate to Start > Programs > Administrative Tools > Group Policy Management. The Group Policy Management dialog opens:

   Figure 5: Group Policy Management

2. Under the Domains node, right-click the <company domain name> node and select Create a GPO in this domain and Link it here. The New GPO dialog appears.
3. Type in the name of your new GPO into the Name field, and click OK.

   Figure 6: New GPO

4. Right-click the newly created GPO in the left pane of the Group Policy Management form and select the Edit option. Group Policy Management Editor opens.
5. Expand the Computer Configuration node on the left and then navigate to Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

   Figure 7: Group Policy Management Editor

6. Double-click Audit account management on the right, select Success in the properties dialog, and click OK:

   Figure 8: Audit account management Properties

7. Double-click Audit object access on the right, select Success in the properties dialog, and click OK.

Procedure 4. To configure local audit policies on Windows Vista and above

1. Navigate to Start > Programs > Administrative Tools > Group Policy Management. The Group Policy Management dialog opens:

   Figure 9: Group Policy Management

2. Under the Domains node, right-click the <company domain name> node and select Create a GPO in this domain and Link it here. The New GPO dialog appears.
3. Type in the name of your new GPO into the Name field, and click OK.

   Figure 10: New GPO

4. Right-click the newly created GPO in the left pane of the Group Policy Management form and select the Edit option. Group Policy Management Editor opens.
5. Expand the Computer Configuration node on the left and then navigate to Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management:

   Figure 11: Group Policy Management Editor

6. Double-click Audit Security Group Management on the right, select Success in the properties dialog, and click OK:

   Figure 12: Audit Security Group Management Properties

7. Double-click Audit User Account Management on the right, select Success in the properties dialog, and click OK.
8. Under the Audit Policies node, select Object Access:

   Figure 13: Group Policy Management Editor

9. Double-click Audit Handle Manipulation on the right, select Success in the properties dialog, and click OK.

10. Repeat step 9 for the Audit Other Object Access Events and Audit Registry policies.

You can also refer to the Windows Server TechCenter article for additional information: Create a new Group Policy object: Group Policy.

If you wish to use the local policy, you can find instructions in the following Windows Server TechCenter article: Define or modify auditing policy settings for an event category: Auditing.
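Once the GPO has been applied, the effective settings on a target server running Windows Vista or above can be checked with the built-in auditpol.exe tool. The script below is an added example, not part of the original article; the function names are hypothetical, and it assumes an English-language operating system, because auditpol prints localized subcategory names and setting values.

```powershell
# Added example (not Netwrix code). Run elevated on a target server (Windows Vista or above).
# The five subcategories set to Success in Procedure 4.
$RequiredSubcategories = 'Security Group Management',
                         'User Account Management',
                         'Handle Manipulation',
                         'Other Object Access Events',
                         'Registry'

function Get-RequiredAuditPolicy {
    # auditpol /r prints the effective policy as CSV with the columns
    # Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting.
    $csv  = auditpol.exe /get /category:* /r | Where-Object { $_.Trim() }
    $rows = $csv | ConvertFrom-Csv
    foreach ($name in $RequiredSubcategories) {
        $row     = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
        New-Object psobject -Property @{
            Subcategory    = $name
            Setting        = $setting
            # "Success" and "Success and Failure" both satisfy the requirement.
            SuccessAudited = ($setting -like 'Success*')
        } | Select-Object Subcategory, Setting, SuccessAudited
    }
}

function Enable-MissingAuditPolicy {
    # Optional local fix. A domain GPO that defines the same subcategory
    # overrides this value at the next policy refresh.
    foreach ($item in Get-RequiredAuditPolicy) {
        if (-not $item.SuccessAudited) {
            auditpol.exe /set "/subcategory:$($item.Subcategory)" /success:enable | Out-Null
        }
    }
    Get-RequiredAuditPolicy
}

# Report only; call Enable-MissingAuditPolicy to change the local policy.
Get-RequiredAuditPolicy | Format-Table -AutoSize
```

A subcategory that still shows No Auditing after a policy refresh usually means the GPO is not linked to, or is filtered out for, that server.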

4. CONFIGURING EVENT LOGS SIZE AND RETENTION METHOD

Defining the event logs size is essential for change auditing. If your event log size is insufficient, overwrites may occur before data is written to Audit Archive and the SQL database, and some audit data may be lost. To prevent overwrites, you must increase the maximum size of the Application, Security, System, and Microsoft-Windows-TaskScheduler/Operational event logs.

Note: There are several different methods to configure event logs size and retention method, and this article only describes one of them. If you choose to follow the procedure below, mind that it has to be performed on each of the target servers.

Procedure 5. To configure the event log size and retention method

1. On the target computer, navigate to Start > Programs > Administrative Tools > Event Viewer:

   Figure 14: Event Viewer

2. In the Event Viewer tree, open the Windows Logs node, right-click Application and select Properties. The Log Properties dialog opens:

   Figure 15: Log Properties

3. Make sure the Enable logging check box is selected.
4. Specify the following values in the Maximum log size field:
   - For pre-Vista Windows versions: 300 MB
   - For Windows Vista or above: 1 GB
5. Make sure the Do not overwrite events (Clear logs manually) option is NOT selected. If this option is selected, change the retention method by selecting another option: Overwrite events as needed (oldest events first). Click OK to save the changes.
6. Repeat this operation for the Security and System event logs located under the Windows Logs node, and for the Microsoft-Windows-TaskScheduler/Operational event log by navigating to Applications and Services Logs > Microsoft > Windows > TaskScheduler > Operational.
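On Windows Vista and above, the settings from Procedure 5 can be checked and applied to all four logs with the EventLogConfiguration objects that Get-WinEvent returns. The script below is an added example, not part of the original article; the function names are hypothetical, and it uses the 1 GB value from step 4.

```powershell
# Added example (not Netwrix code). Run elevated on each target server (Windows Vista or above).
$AuditLogs  = 'Application', 'Security', 'System',
              'Microsoft-Windows-TaskScheduler/Operational'
$MinimumLog = 1GB   # step 4 value for Windows Vista or above

function Get-AuditLogSetting {
    # Reports, per log, the three settings checked in steps 3 to 5.
    foreach ($name in $AuditLogs) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction Stop
        New-Object psobject -Property @{
            Log       = $name
            Enabled   = $cfg.IsEnabled
            MaxSizeMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            # Retain corresponds to "Do not overwrite events (Clear logs manually)".
            LogMode   = $cfg.LogMode
            Compliant = ($cfg.IsEnabled -and
                         $cfg.MaximumSizeInBytes -ge $MinimumLog -and
                         $cfg.LogMode -ne 'Retain')
        } | Select-Object Log, Enabled, MaxSizeMB, LogMode, Compliant
    }
}

function Set-AuditLogSetting {
    # Changes only what Procedure 5 requires and leaves larger sizes
    # and other retention modes as they are.
    foreach ($name in $AuditLogs) {
        $cfg     = Get-WinEvent -ListLog $name -ErrorAction Stop
        $changed = $false
        if (-not $cfg.IsEnabled) {
            $cfg.IsEnabled = $true
            $changed = $true
        }
        if ($cfg.MaximumSizeInBytes -lt $MinimumLog) {
            $cfg.MaximumSizeInBytes = $MinimumLog
            $changed = $true
        }
        if ($cfg.LogMode -eq [System.Diagnostics.Eventing.Reader.EventLogMode]::Retain) {
            # "Overwrite events as needed (oldest events first)"
            $cfg.LogMode = [System.Diagnostics.Eventing.Reader.EventLogMode]::Circular
            $changed = $true
        }
        if ($changed) { $cfg.SaveChanges() }
    }
    Get-AuditLogSetting
}

Set-AuditLogSetting | Format-Table -AutoSize
```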

A APPENDIX: RELATED DOCUMENTATION

The table below lists all documents available to support Netwrix Windows Server Change Reporter:

Table 1: Product Documentation

Document Name: Netwrix Windows Server Change Reporter Installation and Configuration Guide
Overview: Provides detailed instructions on how to install NetWrix Windows Server Change Reporter, and explains how to configure the target Windows server for auditing.

Document Name: Netwrix Windows Server Change Reporter Administrator's Guide
Overview: Provides a detailed explanation of the Netwrix Windows Server Change Reporter features and step-by-step instructions on how to configure and use the product.

Document Name: Netwrix Windows Server Change Reporter Release Notes
Overview: Contains a list of the known issues that customers may experience with NetWrix Windows Server Change Reporter 4.0, and suggests workarounds for these issues.

Document Name: Netwrix Windows Server Change Reporter Quick Start Guide
Overview: Provides an overview of the product functionality and instructions on how to install, configure and start using the product. This guide can be used for evaluation purposes.

Document Name: Netwrix Windows Server Change Reporter User Guide
Overview: Provides the information on different Netwrix Windows Server Change Reporter reporting capabilities, lists all available reports and explains how they can be viewed and interpreted.

Document Name: Netwrix Windows Server Change Reporter Freeware Edition Quick-Start Guide
Overview: Provides instructions on how to install, configure and use Netwrix Windows Server Change Reporter Freeware Edition.

Document Name: Installing Microsoft SQL Server and Configuring the Reporting Services
Overview: This technical article provides instructions on how to install Microsoft SQL Server 2005/2008 R2/2012 Express and configure the Reporting Services.

Document Name: How to Subscribe to SSRS Reports
Overview: This technical article explains how to configure a subscription to SSRS reports using the Report Manager.