Product: NetWrix Change Reporter Suite
Change management has become an essential part of managing IT system security. Changes to system configuration – even when the changes are authorized – can result in unintended consequences such as exposure of the systems and network to malicious code or attack. Being able to track changes is also essential to troubleshooting problems that may have been caused by those changes. And of course, it is vital that you be made aware, as quickly as possible, of any unauthorized changes that might indicate a network intrusion or a malware infestation.
It is for this reason that change auditing software plays an important role in network administrators’ cadre of security tools. There is a plethora of such solutions on the market, and choosing one can be a daunting task. NetWrix specializes in management and compliance products, and I recently took their Change Reporter Suite for a test drive. It is a very comprehensive set of tools that covers a wide range of change categories, including Active Directory, File Server, Group Policy, VMware, Microsoft Exchange, and SQL Server. All of these categories allow you to keep track of who performed such changes as creating new users, delegating management rights, changing file permissions, accessing sensitive files or deleting files, changing mailbox permissions, changing table structure in a database, configuring new software installation policy, and much more.
In my recent hands-on trial, I focused on two modules: Active Directory/Group Policy Reporter and File Server Reporter. Not every network uses VMware as their virtualization solution, Exchange for their email or Microsoft SQL Server for their databases, but both small business and enterprise networks of any complexity that run Windows will deploy a domain controller and file server. And since Active Directory and Group Policy comprise the basis for centralized control in a Windows domain, these were the logical choices.
Download, Installation and Configuration
You can install the Change Reporter Suite software on any computer in the domain that is running Windows XP SP2 or above. The domain controllers should be running Windows Server 2000, 2003 or 2008 and can be running in any domain and forest functional mode. The machine on which you install it also needs to have the .NET Framework v. 2.0 or above, Windows Installer v. 3.1 or above, the Microsoft Management Console v. 3.0 (for full-featured mode; not required otherwise) and the latest version of the Microsoft Group Policy Management Console. Note that for advanced reporting, you will need SQL Server 2005 or 2008 with Reporting Services, or you can automatically install and configure SQL Server Express from within the New Management Object wizard.
The Suite is downloaded as one Setup Package that comes as a zipped folder of 23.5 MB. After extraction and unpacking, you get the choice to install the entire suite or individual suite components, as shown in Figure 1 below.
Figure 1: NetWrix Change Reporter Suite installation options
If you choose to install the entire suite, you will be prompted to configure the individual components during setup. Installation is very fast; it took less than a minute on my Windows Server 2008 machine.
Once it has been installed, a new item will appear in the Start menu labeled “Configurator (Full Featured Mode)” as shown in Figure 2.
Figure 2: To open the NetWrix Management Console, click Configurator
This opens the NetWrix Management Console, shown in Figure 3.
Figure 3: The NetWrix Management Console
Note that the Quick Start Guide says the console will open automatically after installation, but this did not occur when I installed it; I had to open it from the Start menu.
Next, I configured the console for Active Directory by clicking “Create New Managed Object” in the right pane and selecting “Domain,” as shown in Figure 4.
Figure 4: Creating a new managed object
If you have more than one domain, you will need to enter the Fully Qualified Domain Name of the domain you want to manage. Then you need to enter the credentials for a domain admin account and specify the SMTP server parameters. This process is covered in the Quick Start Guide, so I will not go through it in detail. You can download the QSG here.
When you have the SMTP server information set up properly, you should receive a test message at your specified email address, as shown in Figure 5.
Figure 5: A test message will confirm that you’ve configured the SMTP settings properly
One small annoyance: after specifying recipients for the audit reports, I got a message saying the default domain and configuration audit settings may prevent the “who changed” field from being reported correctly, as shown in Figure 6. It refers you to the Troubleshooting section of the product documentation. It would have been nice if this dialog box told you how the settings need to be changed to fix this, or even better, if there were a button to click that would change these settings for you (with any caveats regarding the effects of such changes). However, this is not a major issue, thanks to the audit configuration wizard, which is described below.
Figure 6: Dialog box refers you to the Troubleshooting section of the product documentation
Another such annoyance occurs when you note that the only product documentation provided for the Suite on the web site is the Quick Start Guide, and, as you can see in Figure 7, it does not appear to have a “Troubleshooting” section.
Figure 7: Where is the Troubleshooting section referred to in the dialog box?
Otherwise, creation of the management object is straightforward and the report generation is automatically scheduled to be sent to your specified email address at 3:00 a.m. each night, as shown in Figure 8.
Figure 8: Configuration is saved successfully and report generation is scheduled for 3:00 a.m. by default
After you configure the management object, the dialog box will pop up telling you that you can use the evaluation version for 20 days, and providing for entry of the license information if you have one.
Now your new management object shows up in the Management Console, and you also have the option to add and remove features, as shown in Figure 9.
Figure 9: Your newly created management object appears in the Management Console
Notice in the left pane that you have nodes for both Active Directory Change Reporter and Group Policy Change Reporter. I expanded the AD node so you could see the types of reports that are listed.
To create another management object, simply click back on Managed Objects in the left pane and you will notice that you have two options now:
- Create a new managed object
- Create a new folder for grouping managed objects
If you want to configure a group of managed servers, you can select “Computer Collection” as the object type and then add computer names and/or SQL Server instances. Do not put the same computer into more than one collection. It is not particularly clear from the Quick Start Guide, but this is the way you add the File Server Change Reporter – just select that when you get to the “Enable Features” page of the dialog box, as shown in Figure 10.
Figure 10: To add the File Server Change Reporter, you need to create a Computer Collection managed object
There are additional features that can be downloaded at no cost from the NetWrix web site, in this case, the Event Log Manager. The download is a 6.5MB .msi file and the installation is quick and easy. It gives you the option of a basic configurator that offers a simple interface for uncomplicated setups or a full featured configurator if you want to run a fully integrated management tool with built-in reporting and support for multiple domains.
Now let us look at the Advanced Reporting Configuration Wizard, shown in Figure 11. You can run this to install and configure SQL Server Express if you do not have a SQL Server, or you can point it at an existing SQL Server instance instead.
Figure 11: You can run the Advanced Reporting Configuration Wizard to install SQL Server Express
SQL Server Express is a 256 MB download, so it may take a while. Also note that if you are installing SQL Server Express on Windows Server 2008 R2, you will get a message that says “this program has known compatibility issues,” as shown in Figure 12. You will have to apply SQL Server 2005 SP3 before you can run it on this version of Windows. SP3 is a 325 MB download that you can find here.
Figure 12: If you try to automatically install SQL Server Express on Windows Server 2008 R2, you’ll get a compatibility warning
If you install SQL Server Express, you will need to configure it to allow remote connections, which involves enabling remote connections, enabling the SQL Server Browser service and creating an exception in the Windows Firewall. You will find instructions on how to do all this in Microsoft KB article 914277.
Now that you finally have everything installed, you can configure the audit settings for your domain, using the NetWrix Audit Configuration Wizard. You will need to have the proper rights (i.e., domain admin rights to the domain or enterprise admin rights to the entire forest if you are configuring settings for a forest root domain). After selecting the domain, the next step is to specify an admin account to use for data collection and then detect the current audit policy settings on the domain, as shown in Figure 13.
Figure 13: Detect current audit policy settings for the domain
A report will be displayed, showing the current audit policy settings. Then here’s a feature that I really like: you can simply click the Adjust button to make any necessary changes to the settings. When done, a dialog box will tell you that “Audit policy changes were applied successfully,” as shown in Figure 14.
Figure 14: Success! If only everything were as easy as adjusting the audit policy settings
On the next page, you can detect the current object-level audit settings, view the report, and adjust the settings in the same way. You go through the same procedure (detect, view report and adjust) a third time, for the event log retention settings. When all the settings have been properly adjusted, you will be rewarded with the dialog box in Figure 15.
Figure 15: All audit policy settings have been successfully adjusted
Each of the NetWrix modules appears separately in the Windows Start menu, and each has links to the Configurators (the Basic Mode Configurator is unique to each module, and the Full Featured selection starts the Enterprise Management Console) as well as other wizards, report viewers and applicable components, as shown in Figure 16.
Figure 16: Each of the four Change Reporter Suite modules appears in the Start menu, with several components
Note that NetWrix releases new versions of the various modules, and you will be notified by a pop-up box when you open a particular module if there is an update available, as shown in Figure 17, making it easy to keep the software up to date.
Figure 17: NetWrix makes it easy to keep each module up to date
Using the Active Directory Change Reporter
The Active Directory Change Reporter allows you to audit “who” and “when” information about any modifications made to Active Directory objects. To do this, object-level AD auditing must be configured for all AD objects. To audit access to Active Directory, you need to turn on auditing of the Success categories for both the Directory Service Access and Audit Account Management policies in the Default Domain. The AD Change Reporter Help (which you’ll find in the Start menu) includes instructions for doing all this, in the “Configuring AD Auditing” section.
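As an added example (my own script, not NetWrix code or anything the Help file ships), here is what the wizard’s “detect current audit policy settings” step amounts to if you want to check it yourself with the built-in auditpol.exe and the ActiveDirectory module. It assumes the two legacy categories the text names map onto the Server 2008 subcategories listed in $RequiredSubcategories (that mapping, and the function names, are my assumptions), and it must run elevated on a domain controller, since reading the effective audit policy and the domain SACL needs the Manage Auditing and Security Log right.

```powershell
# Added example, not part of the NetWrix product: check that the domain controller
# audits Success for the DS Access and Account Management settings the AD Change
# Reporter relies on, then check that object-level (SACL) auditing is set on the
# domain root so every AD object inherits it.

# Assumed mapping from the legacy "Directory Service Access" and "Account
# Management" categories to the per-subcategory policy Server 2008 uses.
$RequiredSubcategories = @(
    'Directory Service Access',
    'Directory Service Changes',       # records old and new attribute values
    'User Account Management',
    'Computer Account Management',
    'Security Group Management',
    'Distribution Group Management'
)

function Get-EffectiveAuditPolicy {
    # 'auditpol /get /category:* /r' prints the effective policy as CSV; the
    # "Inclusion Setting" column is "Success", "Failure", "Success and Failure"
    # or "No Auditing".
    $lines = & auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' }
    $lines | ConvertFrom-Csv
}

function Test-AdAuditPolicy {
    param([string[]]$Required = $RequiredSubcategories)
    $policy = Get-EffectiveAuditPolicy
    $missing = foreach ($name in $Required) {
        $row = $policy | Where-Object { $_.Subcategory -eq $name }
        if (-not $row) { "$name (not reported)"; continue }
        if ($row.'Inclusion Setting' -notmatch 'Success') {
            "$name (currently: $($row.'Inclusion Setting'))"
        }
    }
    if ($missing) {
        Write-Warning ("Success auditing is not enabled for: " + ($missing -join ', '))
        Write-Host 'Equivalent of the wizard''s Adjust button, per subcategory:'
        foreach ($m in $missing) {
            $n = ($m -split ' \(')[0]
            Write-Host ("  auditpol /set /subcategory:`"{0}`" /success:enable" -f $n)
        }
        return $false
    }
    Write-Host 'All required subcategories audit Success.'
    return $true
}

function Test-AdObjectAuditing {
    # Object-level auditing: the domain root needs an inherited SACL entry that
    # audits successful writes by Everyone. Requires the ActiveDirectory module
    # (RSAT), which provides the AD: drive used here.
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainDN = (Get-ADDomain).DistinguishedName
    $sacl = (Get-Acl -Path "AD:\$domainDN" -Audit).Audit
    $rule = $sacl | Where-Object {
        $_.IdentityReference -eq 'Everyone' -and
        $_.AuditFlags -match 'Success' -and
        $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll'
    }
    if ($rule) { Write-Host 'Domain root SACL audits successful writes by Everyone.' }
    else       { Write-Warning 'No Success audit entry for Everyone on the domain root; "who changed" will be blank.' }
    return [bool]$rule
}

$policyOk = Test-AdAuditPolicy
$saclOk   = Test-AdObjectAuditing
"Audit policy OK: $policyOk; object-level auditing OK: $saclOk"
```

The auditpol /set lines the script prints change the local effective policy only; the lasting setting belongs in the Default Domain Controllers Policy, which is where the text says the wizard makes the change, otherwise the next Group Policy refresh can revert it.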
I really like the emailed reports, which are color coded so you can quickly tell at a glance what actions have been taken, as shown in Figure 18. This is the AD Change Report. You’ll get a separate email with the Group Policy Change Report, even though these two are part of the same module.
Figure 18: The emailed reports are color coded for quick analysis
If you want to roll back any of the reported changes to Active Directory, you can use the AD Object Restore wizard (which is one of the components in the AD Change Reporter item on the Start menu). The wizard allows you to roll back either from stored rollback points or directly from Active Directory tombstone, and you can restore the entire Active Directory or just selected objects or attributes. You select a rollback date and the restoration option (rollback point or AD tombstone).
The Change Reporter collects snapshots regularly to create rollback points, but you might need to use the AD tombstone method if you do not have snapshots (this could occur when you want to roll back to a point before the date of installation of the Change Reporter software).
Change analysis may take a while, depending on the size of the Active Directory. When it is done, you can review the changes that were made since the snapshot date/time, as shown in Figure 19.
Figure 19: The AD object restore wizard makes it easy to undo unwanted changes
Just check the boxes for the changes that you want to roll back. You will be given the details as to exactly what the rollback will do; in this case, the added user account will be removed. Just click Next and the rollback is done, as shown in Figure 20.
Figure 20: It really is that easy; one click and the change is undone
Under the Advanced Tools section in the Start menu item, you will find the Database Importer, which you can use to import the snapshots to a SQL server database. Then you can use Microsoft SQL Server Reporting Services to perform advanced analysis. This is only necessary if a problem occurs that prevents the data from being imported according to schedule.
Also in Advanced Tools, you will find the Report Viewer, which makes it easy to generate a report on selected sessions, as shown in Figure 21.
Figure 21: Use the Report Viewer in Advanced Tools to generate a report on selected sessions
You will be prompted for a location to save the report, in HTML format. The report will then open in the web browser. To change the regular report generation schedule, open the NetWrix management console and expand the Settings node in the left pane, then click Schedule. Here you can create multiple schedules and add or delete new schedule times, as shown in Figure 22.
Figure 22: You can change the report generation schedule, including creating multiple schedules
Using the File Server Change Reporter
With so many organizations falling under regulatory compliance requirements today, controlling access to the data on your network may not be optional. However, even if your company is not subject to government or industry mandates, it is smart business to monitor access to documents and other files. The File Server Change Reporter module audits changes made to files, folders, shares and permissions on the file server, with “who” and “when” information for every change.
The Basic Configurator for the File Server Change Reporter is shown in Figure 23.
Figure 23: The Basic Configurator is for quick configuration of a simple file server setup
The Basic Configurator is good for making quick configuration changes for a simple file server setup. Use the Full-Featured Mode with the managed object wizard, as described earlier, to enable the File Server Change Reporter and add or remove managed computers and features.
Note a couple of “gotchas”:
- Network share auditing is deactivated by default. To turn it on, you will need to modify the auditing entries for all managed folders that are configured as network shares.
- You will need to be granted the Manage Auditing and Security Log privilege to be able to obtain the default File Server audit settings.
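Both gotchas come down to the SACL on each shared folder and the privilege needed to read it, so here is an added example (my own script, not part of the NetWrix product) that lists every disk share on the file server, reports whether its folder already carries a Success audit entry for Everyone, and can add one. The function names are mine; it has to run elevated on the file server because reading or writing a SACL requires the Manage Auditing and Security Log privilege (SeSecurityPrivilege), the same right the second gotcha refers to.

```powershell
# Added example, not NetWrix code: audit entries (SACLs) on shared folders and the
# Object Access audit policy that makes those entries produce events.

function Get-FolderAuditRules {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Get-Acl -Audit reads the SACL; without SeSecurityPrivilege this throws.
    (Get-Acl -Path $Path -Audit).Audit
}

function Test-FolderAuditing {
    # True when the folder audits successful changes by Everyone.
    param([Parameter(Mandatory=$true)][string]$Path)
    $rules = Get-FolderAuditRules -Path $Path
    [bool]($rules | Where-Object {
        $_.IdentityReference -eq 'Everyone' -and
        $_.AuditFlags -match 'Success' -and
        $_.FileSystemRights -match 'Modify|Write|FullControl|ChangePermissions|TakeOwnership'
    })
}

function Enable-FolderChangeAuditing {
    # Adds a Success audit entry for Everyone covering the changes the report
    # tracks (content, deletion, permission and ownership changes), inherited
    # by subfolders and files.
    param([Parameter(Mandatory=$true)][string]$Path)
    $acl     = Get-Acl -Path $Path -Audit
    $rights  = [System.Security.AccessControl.FileSystemRights] 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FileSystemAuditPolicy {
    # A SACL only yields events (4663 for objects, 5145 for shares) when the
    # Object Access subcategories audit Success; check them with auditpol.
    $rows = (& auditpol.exe /get /subcategory:"File System","File Share" /r |
             Where-Object { $_ -ne '' }) | ConvertFrom-Csv
    -not ($rows | Where-Object { $_.'Inclusion Setting' -notmatch 'Success' })
}

# Inventory: every disk share (Win32_Share Type 0) and whether it is audited.
$shares = Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 }
foreach ($share in $shares) {
    $ok = Test-FolderAuditing -Path $share.Path
    "{0,-20} {1,-45} audited={2}" -f $share.Name, $share.Path, $ok
}
"Object Access policy audits Success: $(Test-FileSystemAuditPolicy)"

# To turn share auditing on for one folder (uncomment after reviewing the path):
# Enable-FolderChangeAuditing -Path 'D:\Shares\Finance'
```

Enable-FolderChangeAuditing adds to the existing SACL rather than replacing it, so entries already placed by Group Policy survive; run the inventory again afterwards to confirm the new entry is reported.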
The report will show you whether access was successful, the resource type (for example, a share or folder), time accessed, what account was used to access the object and the server and resource path accessed, as shown in Figure 24. If changes were made, the report will show you what was changed (for example, permissions) and show both the previous and new values. For example, it would tell you that Joe Admin granted permissions to Jane Jones to Folder A, and that previously Joe Admin, John Smith and Pete Harris had permissions to the folder.
Figure 24: File Server Change Reporter shows which resources were accessed, when and by whom
In addition to the Active Directory/Group Policy and File Server modules that I tested, the NetWrix Change Reporter Suite also includes auditing of changes to Exchange (which is included in the Active Directory module along with Group Policy change auditing), change auditing of your VMware infrastructure, and change auditing of SQL Server.
Email is, for many businesses, one of their most mission-critical applications and the reliability (or lack thereof) of your email solution can affect the bottom line. Unauthorized changes to Exchange servers, mailboxes and information stores can be devastating to the operation of the business. The Exchange Change Reporter helps you keep track of creation, deletion and modification of objects, who made the changes and when they were made.
Likewise, in today’s business environment, many organizations depend heavily on their virtual infrastructures, and changes there can result in failures and outages of important virtual machines. A common phenomenon is “VM sprawl,” in which the virtual infrastructure grows in an uncontrolled manner. VMware Change Reporter can help prevent both of these situations, as well as preparing reports for compliance auditors. Every change that’s made to ESX servers, folders, clusters, resource pools, the VMs themselves and their hardware can be tracked, along with the “who” and “when” information.
Finally, SQL Server databases contain critical (and often sensitive or confidential) information, which may be subject to regulatory compliance requirements. Because SQL is such a complex system, it can be especially difficult to track changes. The SQL Server Change Reporter simplifies the process for you, providing reports on changes made to the server instances, databases, users, schema, and other objects.
After spending a lot of time getting to know the NetWrix Change Reporter Suite and particularly the AD/GP and File Server components, I can attest that it does what it claims to do: makes it easy for you to keep up with any modifications made to the important assets on your network so that the consequences of those changes will not take you by surprise. It took a while to get everything set up properly – but I was able to do it without resorting to tech support. And frankly, most of the setup hassle involved getting SQL Server Express configured. This is a step that most large companies would not have to worry about, since they will have existing SQL servers they can use for the database, but I wanted to experience the process “from scratch” in my test environment.
I really like the reports, which give you the information you need without overwhelming you with additional, extraneous data. In addition to the emailed reports, you can view web-based reports generated by the Microsoft SQL Reporting Services (you must configure advanced reporting to do so). The web interface allows you to filter the view, and you can save a report as a file in PDF or XLS format. If you installed the Report Manager feature in SQL Server, you can create custom reports with the Report Builder. I also like the simplicity with which you can undo the detected changes. After all, knowing what’s changed doesn’t do us much good unless there is also a quick and easy way to roll back those changes, and the NetWrix solution gives you that, with “no fuss, no muss.” With the entire suite, you are covered for changes to just about all of your most valuable network servers and resources, but the component-based model also allows you to deploy change auditing where and as you wish. It’s a good, solid product that delivers on its promises, and although one might wish the Help files were a little more helpful, the interface is intuitive enough so that you rarely need them.
Because of the minor problems discussed above, I struggled over whether to give this product the silver or gold award. In the end, I decided it deserves the gold – because even though the Quick Start Guide and Help files were not quite as comprehensive as they could be, the product itself is intuitive enough that I was able to figure out the questions that did arise. The only problem that required web research was configuring SQL Server Express properly, and I don’t believe it would be fair to hold NetWrix responsible for that, as it’s a Microsoft product. The really outstanding features, such as the wizards that make required changes to the server’s settings for you and the simplicity of rolling back detected changes, overshadowed those minor drawbacks to such an extent that I can confidently give the Change Reporter Suite the Gold Award.
WindowSecurity.com Rating: 5/5