Product: NETsec Enterprise Permission Reporter 3.5
If you are an administrator in an Active Directory environment then I'm sure you want to know what's happening in your environment. That means being able to audit changes to things like NTFS permissions on shared folders and files, membership in security groups, and permissions on objects in Active Directory. If you only have the in-box tools on the Windows Server platform, you're limited to either monitoring these things manually or writing custom scripts to gather the information you need. What would help is an auditing solution that can automatically generate reports when such changes occur so you can easily track them to know what's happening in your environment.
If you think this isn't important, consider the fact that about half of the requests received by the helpdesk staff at most large organizations involve some problem associated with permissions. "I'm supposed to review the budget but I can't access the share" is an example of a typical call received by helpdesk almost each and every day. How does one resolve such matters? The problem could be due to the user's account not having been added to the appropriate security group in Active Directory. Or it might be because of insufficient NTFS permissions having been assigned to a folder or file. Or maybe there's a problem with the permissions on some Active Directory object. Regardless of the cause, you'll need a good auditing tool that provides easy-to-understand reports if you want to be able to quickly track down and resolve the problem.
NETsec Enterprise Permission Reporter (EPR) addresses exactly these needs and more. EPR lets you generate reports for file system permissions, security group memberships, and Active Directory permissions. EPR reports can be generated either manually as they are needed, or automatically when specific changes occur in your environment. Reports can also be scheduled for creation on a recurring basis, sorted and filtered to display only the information needed, and exported as CSV files so they can be imported into Microsoft Excel for analysis.
Installation and Configuration
I performed my evaluation of version 3.5 of EPR by installing it on an administrator workstation running Windows 7 x64 Enterprise in my Active Directory test environment, which had recently been upgraded to Windows Server 2012 forest functional level. EPR can generate and store reports either in a file system folder or using a Microsoft SQL Server database, but because the user manual recommended using the file system approach when testing and evaluating the product, I decided to go that route instead of installing SQL Server or SQL Server Express. I should note that the file system approach has a significant performance impact when generating reports, and it also lacks the sorting and filtering capability made possible by SQL Server.
Installation went smoothly without any problems. The .NET Framework 4.0 is a prerequisite for installing EPR, and if you try to install the product without it you'll be notified accordingly when you run Setup:
Figure 1: Install the .NET Framework 4.0 before installing EPR.
The .NET Framework 4.0 can be obtained from the Microsoft Download Center and is required if you are installing EPR on any version of Windows earlier than Windows 8 or Windows Server 2012 (those versions of Windows already include .NET Framework 4.5).
Once Setup finished, I configured a service account for the EPRScheduleService as described in the user manual, and at this point I was ready to begin testing the product. Figure 2 shows the EPR management console with nodes for the three types of reports on the left and various configuration settings available on the tabs on the right.
Figure 2: The EPR management console.
Generating File System Reports
I decided to begin my testing by generating some file system reports. To do this, I selected the File System Report Definitions node and clicked Create Report Profile:
Figure 3: Creating a file system report profile.
This launched the New Report Profile wizard, and I specified Marketing as the name of the report profile and selected the Marketing share on SRV-A as the folder whose permissions I wanted to analyze. As Figure 4 shows, I chose to audit permissions up to 5 subfolders deep and to audit files as well as folders:
Figure 4: Auditing NTFS permissions on a file share.
It's worth noting here that the Marketing share shown above is actually hosted on a volume that was provisioned from an iSCSI storage array on my network, and EPR had no difficulty auditing the file system permissions for this type of storage scenario.
Once the wizard was finished, I selected the Configuration node under Marketing and clicked Run to generate a report based on the profile I created:
Figure 5: Manually generating an NTFS permissions report.
EPR provides several pre-filtered views of reports. For example, by selecting the Functional Application Manager node under the newly generated report, I can see the permissions end users have on the files and folders in the Marketing share:
Figure 6: Viewing NTFS permissions on files and folders in the Marketing share.
EPR can also generate reports that show the changes that have occurred between two reporting times. These are called delta reports, and to test this feature I began by copying some additional files to the Marketing share and giving two more users, Carol O'Donald and Bob Smith, access to the share. I then generated a second file system report.
I then selected the File System Delta Definitions node shown previously in Figure 5 and clicked Create Delta Profile to launch the New Delta Profile wizard, and in the wizard I selected the two point-in-time reports that I wanted to compare:
Figure 7: Creating a delta report from two point-in-time reports.
As Figure 8 shows, the resulting delta report clearly shows that both Carol and Bob now have Modify access to the share, and also that a number of PNG files have been added to the share:
Figure 8: Viewing the delta report.
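The delta comparison described above can be approximated with the in-box PowerShell cmdlets. This is an added example, not part of the original review and not EPR's own logic; the function names, the snapshot column layout, the EXAMPLE domain, and the sample rows (which reuse the review's share and user names) are constructed for illustration.

```powershell
# Added example: snapshot NTFS ACEs and diff two snapshots (not EPR's implementation).

function Get-AclSnapshot {
    # Flatten every ACE under $Path (folders and files, $Depth levels down) into rows.
    # All values are stored as strings so live rows compare equal to rows from Import-Csv.
    param([Parameter(Mandatory)][string]$Path, [int]$Depth = 5)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                Type      = $ace.AccessControlType.ToString()
                Inherited = $ace.IsInherited.ToString()
            }
        }
    }
}

function Compare-AclSnapshot {
    # Return the ACE rows present in only one snapshot, tagged Added or Removed.
    param([Parameter(Mandatory)][object[]]$Before, [Parameter(Mandatory)][object[]]$After)
    $props = 'Path', 'Identity', 'Rights', 'Type', 'Inherited'
    Compare-Object -ReferenceObject $Before -DifferenceObject $After -Property $props |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      Path, Identity, Rights, Type, Inherited
}

# Constructed sample snapshots, in the shape Get-AclSnapshot | Export-Csv would produce.
$before = @'
Path,Identity,Rights,Type,Inherited
\\SRV-A\Marketing,EXAMPLE\Alan George,"Modify, Synchronize",Allow,False
'@ | ConvertFrom-Csv

$after = @'
Path,Identity,Rights,Type,Inherited
\\SRV-A\Marketing,EXAMPLE\Alan George,"Modify, Synchronize",Allow,False
\\SRV-A\Marketing,EXAMPLE\Carol O'Donald,"Modify, Synchronize",Allow,False
\\SRV-A\Marketing,EXAMPLE\Bob Smith,"Modify, Synchronize",Allow,False
\\SRV-A\Marketing\banner.png,EXAMPLE\Bob Smith,"Modify, Synchronize",Allow,True
'@ | ConvertFrom-Csv

Compare-AclSnapshot -Before $before -After $after | Format-Table -AutoSize
```

Against a real share, pipe `Get-AclSnapshot` to `Export-Csv -NoTypeInformation` at each point in time and load the two files with `Import-Csv` before comparing.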
Generating Group Membership Reports
I then decided to try using EPR to track membership changes to security groups. At the beginning of this test Carol, Bob, and another user named Alan George all belong to the Seattle Marketing security group. I began by selecting the Membership Watch Report Definitions node and clicking Create Report Profile:
Figure 9: Creating a report profile for group membership changes.
I selected the Seattle Marketing group using the search feature of the New Report Profile wizard:
Figure 10: Selecting a security group to watch.
I then configured EPR to check for membership changes in this group every minute:
Figure 11: Specify a time interval for monitoring group membership changes.
After configuring the report profile, I added Saul David as a member of the Seattle Marketing group and also removed Carol from the group. A short time later EPR automatically generated a report showing what happened:
Figure 12: Changes in group membership are reported by EPR.
The user interface didn't allow me to show/hide or rearrange columns in the right-hand pane. As a result, when I wanted to see if entries had been added or removed from a report, I had to scroll the right-hand pane all the way to the last column to see this. However, I suspect that if I had used SQL Server instead of CSV files for storing reports then I could make use of additional sorting and filtering capabilities for EPR.
Generating Active Directory Reports
I concluded my evaluation by trying to generate some reports on Active Directory objects. To do this, I began by selecting the Active Directory Report Definitions node and clicking Create Report Profile to launch the New Report Profile wizard again. I then used the wizard to search Active Directory for any organizational units containing the word "Seattle":
Figure 13: Searching for OUs in Seattle.
I finished the wizard and generated a report that listed all the directory objects in the three OUs and the permissions assigned to them:
Figure 14: Reporting Active Directory permissions.
You can of course also generate delta reports for Active Directory permissions and also schedule the generation of these reports.
I found version 3.5 to be easy to use yet powerful enough to meet my needs for auditing and reporting on file system permissions, group membership changes, and Active Directory object permissions. The user manual is easy to follow and includes numerous screenshots that get you quickly up to speed, and the product met or exceeded my expectations. As a result, my rating for this product is 5 out of a possible 5, which earns it the WindowsNetworking.com Gold Award.
You can read more about the features of EPR 3.5 and can download an evaluation copy by visiting the NETsec website at http://www.netsec.de/en/products/epr/.
The user manual can be downloaded in PDF form from http://www.netsec.de/en/documents/permission-reporter/.
To request a quote for deploying EPR in your environment, go to http://www.netsec.de/en/pricing/permission-reporter/.
WindowsNetworking.com Rating 5/5