Product: Centrify DirectAudit for Windows
The IT infrastructures of today’s enterprises are often complex environments that involve both Windows and UNIX/Linux systems. In addition, pressures to contain costs often lead enterprises to hire contract workers, outsource or offshore key operations, and move to cloud computing. Such trends add an element of risk because they can mean IT has less knowledge of who is accessing systems and what they are doing on them. And the key risk vector for corporate networks is no longer from outside your network; it’s from the inside. For example, a report from US-CERT estimated that 86% of internal incidents on corporate networks are perpetrated by technology workers who have privileged access to those networks. Risk management thus becomes a key issue for today’s large enterprises. Unfortunately, ensuring that corporate security policies and IT controls are being properly enforced in a large and heterogeneous environment can be challenging.
On top of all this comes the additional issue of compliance. Regulations like Sarbanes-Oxley, HIPAA and others impose an increasingly complex regulatory burden that requires enterprises to be able to demonstrate the effectiveness of their security policies and controls. Built-in tools like the Windows Event logs and UNIX/Linux syslog files just don’t provide enough detail in this regard, and they can be time-consuming (and therefore costly) to analyze in order to extract a meaningful audit trail from them.
What is really needed in such situations is a simple and reliable way for IT to record and view the actions, events and commands of users who access business-critical systems. And this is exactly where Centrify’s DirectAudit comes in as it allows you to capture and collect user activity on monitored systems, search the recorded data for information of interest, and replay it so you can see exactly what the user is doing and infer what motives lie behind their actions. DirectAudit also helps you achieve compliance with regulations by letting you store and archive the collected data to create a historical audit trail which you can analyze when the need arises.
How it Works
DirectAudit leverages your existing Active Directory infrastructure with a distributed agent architecture to record user activity on managed systems in real time. The DirectAudit Agent running on a monitored system captures all user activity on the system and forwards it to Collectors, which are intermediate services that index and compress the recorded user activity. The Collectors log the information to Audit Stores, which are databases hosted on SQL Servers. The DirectAudit Agents, Collectors and Audit Stores are all managed by a central Audit Server.
The entire architecture is highly scalable in several ways, for example:
- Agents can log their collected data to more than one Collector to provide redundancy, and if all Collectors are down the Agents can spool the data until a Collector is back online.
- Multiple Collectors can log their data to multiple Audit Stores, and each Audit Store can host multiple databases.
DirectAudit includes two standard MMC consoles:
- DirectAudit Administrator Console – Used to configure and manage the Agents, Collectors and Audit Stores and to assign different audit roles to users and groups.
- DirectAudit Auditor Console – Allows auditors to view, search and replay user activity from collected information logged to Audit Stores and to generate reports for compliance purposes. As we’ll see in the walkthrough below, the specific kinds of tasks an auditor can perform depend upon the audit role they have been assigned by the DirectAudit administrator.
Evaluating the Product
For my testing of this product I downloaded the evaluation version of DirectAudit from Centrify’s website. The evaluation version installs all components (Agent, Collector, Audit Store and Audit Server) on a single domain-joined system and uses SQL Server Express to store the collected user activity. The installation was smooth and easy to perform with the help of the accompanying Evaluation Guide. I installed the product on a Windows 7 SP1 workstation in a Windows Server 2008 R2 domain and imagined I was the Security Compliance Manager for our organization.
Opening the DirectAudit Auditor Console and selecting the Today node in the left pane enabled me to view all collected user activity for the current day. Right-clicking on a user allowed me to update the review status for that user’s activity, for example by selecting To Be Reviewed if I decided I should later review what that user has been doing today:
Figure 1: Flagging a user’s activity for later review.
Selecting the Sessions to Be Reviewed node allowed me to access the logged activity for users who I had flagged for review. Right-clicking on a user then enabled me to either replay the user’s activity or, as shown next, to view an indexed list of the user’s actions on the audited system:
Figure 2: Viewing an indexed list of a user’s actions on an audited system.
The Indexed Event List window let me scroll through a list of what the user has been doing today on the monitored system. I noticed immediately that the user accessed the Local Security Policy snap-in on the system, which seemed a bit suspicious to me:
Figure 3: Why has this user accessed the local Security Policy snap-in on this system?
Deciding I needed to investigate this further, I clicked the Replay button with this event selected (you can also double-click on an event to replay it). This opened a window that displayed the actual desktop of that user beginning at the time when the user opened the Local Security Policy snap-in. Clicking the Play control at the bottom left of this window allowed me to play back the user’s session from this point in real time (or optionally at faster speeds more suitable for quick inspection purposes). I stopped the playback of the recorded session at the point where the user was trying to configure a policy opened from this snap-in and used the magnifier tool to inspect what the user was doing in more detail:
Figure 4: The user seems to be trying to change the password policy on the system.
A nice feature I noted at this point is the search fields in the left pane in the above window. For example, by typing “local security policy” into the field below the column header Title, I can quickly filter to only those instances of the user accessing this particular tool.
One small thing I noticed at this point was that the mouse pointer in the magnified replay pane was slightly misplaced in the recorded session. I remember clicking directly on the up/down arrow controls in this policy, but in the figure above the pointer is slightly off from (up and to the right of) the control being clicked. I also tried exporting the recorded session to a .wmv file so I could open it full-screen in Windows Media Player and noticed the same slight flaw in the recording. I consider this only a minor flaw, however, as it may simply be a limitation resulting from the compression scheme used to keep the amount of logged data manageable.
I also found that when I tried to export a recorded session to a .wmv file, the entire session got exported even if I had selected only a few contiguous events in the left pane of the player window. Since the export process seemed to take a long time, it would be nice if the product could be updated so you could export only a portion of the session. And it would be nice to be able to select some events in the left pane of the player window, right-click, and select Export As WMV to create a .wmv file showing the user activity for only the events you have selected. Maybe Centrify could include this functionality as an update to their product in the future.
Returning to the Auditor Console revealed another helpful search feature in the product: right-clicking on the node for the system and selecting Quick Query lets me quickly search for recorded activity of specific users:
Figure 5: Performing a quick query from the Auditor Console.
For example, typing “CONTOSO administrator” in the Quick Query box lets me access the recorded activity for the CONTOSO Administrator account:
Figure 6: What has the CONTOSO Administrator been up to?
Right-clicking on the quick query I just created lets me export the results of this query as a report in several formats:
Figure 7: Generating a report from a quick query.
You can also create more complex custom queries if needed by right-clicking on the All Shared Queries node and selecting New Query, which opens the following dialog:
Figure 8: Creating a custom query.
DirectAudit provides you with great flexibility in the types of custom queries you can create. For example, you can add the Review criterion to your query, which lets you limit your search to sessions that have a specific review status like PendingForAction or KeepForever:
Figure 9: Adding a criterion to a custom query.
Another nice feature of the Administrator Console is that it allows you to quickly establish a Remote Desktop session with the remote system if needed, for example if you determine that the user has changed the configuration of the system and you need to undo this:
Figure 10: You can easily connect to monitored systems using Remote Desktop.
Let’s briefly take a look at the Administrator Console as well. Besides managing the configuration of all the client and server components of your DirectAudit infrastructure, the Administrator Console also lets you create new audit roles and assign them to users and groups in your environment. The default Master Auditor role has full access to all recorded sessions of user activity logged to all Audit Stores in your environment. Let’s try adding a new audit role and see what happens:
Figure 11: Adding a new audit role.
As you can see below, one of the things the Audit Role Wizard does is allow you to grant or deny the following privileges to the audit role you are adding:
- All Privileges – Has full access to sessions
- Read – Can read sessions
- Update Status – Can update the review status of sessions
- Replay – Can replay sessions
Figure 12: You can assign different privileges to an audit role.
The wizard also lets you filter the new audit role according to the criteria shown previously for creating custom queries. For example, you could create a new audit role that allows the designated user to only read sessions whose review status is To Be Reviewed, and so on.
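To make the role model described above concrete, here is an added example (not Centrify code, and not the product’s API) that models how an audit role combines a privilege set with a scope filter, and how the review-status workflow from earlier in the walkthrough is gated by the Update Status privilege. All class and function names, and the sample sessions, are constructed for illustration; the privilege and status names are the ones shown in the console.

```python
"""Hypothetical model of DirectAudit-style audit roles (added example, not
Centrify code).  It shows the deny-by-default rule: an auditor may act on a
session only if the role grants that privilege AND the session is inside the
role's scope filter."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class Privilege(Enum):
    """Privileges offered by the Audit Role Wizard (names as shown in the UI)."""
    READ = "Read"
    UPDATE_STATUS = "Update Status"
    REPLAY = "Replay"


# "All Privileges" in the wizard is simply the union of the three.
ALL_PRIVILEGES: FrozenSet[Privilege] = frozenset(Privilege)


@dataclass(frozen=True)
class Session:
    """A recorded session as the Auditor Console lists it (constructed)."""
    user: str
    machine: str
    review_status: str  # e.g. "To Be Reviewed", "PendingForAction", "KeepForever"


@dataclass(frozen=True)
class AuditRole:
    name: str
    privileges: FrozenSet[Privilege]
    # Scope filter on review status, like the Review criterion in a custom
    # query.  None means "no filter": every session is in scope.
    review_statuses: Optional[FrozenSet[str]] = None

    def in_scope(self, session: Session) -> bool:
        return self.review_statuses is None or session.review_status in self.review_statuses

    def can(self, privilege: Privilege, session: Session) -> bool:
        """Deny by default: both the privilege and the scope filter must match."""
        return privilege in self.privileges and self.in_scope(session)


def visible_sessions(role: AuditRole, sessions: List[Session]) -> List[Session]:
    """Sessions the role is allowed to see at all (needs Read + in scope)."""
    return [s for s in sessions if role.can(Privilege.READ, s)]


def set_review_status(role: AuditRole, session: Session, new_status: str) -> Session:
    """Flagging a session (e.g. "To Be Reviewed") requires the Update Status
    privilege on that session; otherwise the change is refused."""
    if not role.can(Privilege.UPDATE_STATUS, session):
        raise PermissionError(f"{role.name} may not update status of {session.user}")
    return Session(session.user, session.machine, new_status)


# Constructed sample data (hypothetical users and machines).
SAMPLE_SESSIONS = [
    Session("CONTOSO\\jsmith", "WKS01", "To Be Reviewed"),
    Session("CONTOSO\\administrator", "WKS01", "PendingForAction"),
    Session("CONTOSO\\mbrown", "SRV02", "KeepForever"),
]

# The default Master Auditor: all privileges, no scope filter.
MASTER_AUDITOR = AuditRole("Master Auditor", ALL_PRIVILEGES)

# A least-privilege reviewer: read-only, and only sessions already flagged.
REVIEWER = AuditRole(
    "Flagged Session Reviewer",
    frozenset({Privilege.READ}),
    review_statuses=frozenset({"To Be Reviewed"}),
)

if __name__ == "__main__":
    for role in (MASTER_AUDITOR, REVIEWER):
        seen = [s.user for s in visible_sessions(role, SAMPLE_SESSIONS)]
        print(f"{role.name} can see: {seen}")
```

The point of the scope filter is that an auditor whose role is restricted to a particular review status cannot even read sessions outside that status, let alone replay or re-flag them; only a role holding Update Status over a session can move it through the review workflow.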
After spending some time trying out DirectAudit, I can honestly say that the product really impressed me with its powerful capabilities, scalability, and ease of use. My only suggestion would be to update the exporting functionality of the Auditor Console so one can export only selected events instead of entire sessions. Centrify does have a terrific track record as a vendor with over 3500 enterprise customers including more than 40% of the Fortune 50 businesses, so buying into their offering assures you’ll have a long-term solution to help support your organization’s auditing and compliance needs. DirectAudit is also the only FIPS 140-2 validated Active Directory-centric Identity and Access Management (IAM) solution currently available in the marketplace, and this means it’s a suitable auditing and compliance tool for US federal government departments and regulated industries like the financial and health-care sectors. As a result, I give this product a rating of 4.5 out of 5 and would unhesitatingly recommend it to customers.
DirectAudit for Windows is available either separately or as an integrated component of Centrify Suite 2012 Enterprise Edition. For more information on DirectAudit, see http://www.centrify.com/directaudit/ where you can also download the evaluation version of the product.
WindowsNetworking.com Rating 4.5/5