Product: Netwrix Auditor
Product Homepage: click here
Free Trial Download: click here
Netwrix is a US software company that specializes in auditing solutions for IT systems and applications. Its flagship product is Netwrix Auditor, previously known as Change Reporter Suite. Netwrix Auditor collects data on changes made to an IT infrastructure, such as Exchange, Active Directory, EMC storage, SharePoint, SQL, VMware and more. It generates reports showing the before and after values for who changed what, when and where in a human-readable format, with the possibility of long-term data archiving.
In this review, we will focus our attention on using Netwrix Auditor v6.0 to audit Microsoft Exchange Server.
Both hardware and software requirements for Netwrix Auditor are simple and reasonable. As a minimum, an Intel or AMD 2GHz processor with 2GB of RAM is sufficient for small environments. As to disk space, it will depend on the number of changes and the audit archive retention settings.
In terms of software: Windows 7 or above (Windows Server as well as expected), .NET Framework 3.5 SP1, Windows PowerShell and SQL Server for archiving and reporting services (SQL Server 2008, 2008 R2 or 2012 - all Express Edition with Advanced Services, Standard or Enterprise Edition are supported).
Although Netwrix Auditor supports Exchange 2003 all the way up to Exchange 2013, its Mailbox Access Auditing functionality that we will see later is not yet available on Exchange 2013.
This is not an installation or configuration guide, so some steps are skipped for brevity.
Installing Netwrix Auditor is a very straightforward process:
- Start by downloading Netwrix Auditor 6.0;
- Run the installation package and the following window will be displayed:
- Click Install and follow the instructions of the setup wizard;
- When prompted, accept the license agreement and click Next:
- Specify the installation folder and click Install:
- Once installation is complete, click Yes:
- The Netwrix Auditor console will open:
For most audited systems, Netwrix offers both agent-based and agentless data collection methods. The use of agents is recommended for distributed deployments or multi-site networks due to their ability to reduce network traffic as data is transferred in a compressed format.
Netwrix Auditor relies on native logs for collecting audit data. Therefore, successful change auditing requires a certain configuration of the native audit settings in the audited environment and on the computer where Netwrix Auditor resides in order to ensure audit data integrity. The good news is that all this configuration can be done automatically.
To start auditing our Exchange environment, we must create a Managed Object - a container within the Netwrix Auditor console that stores information on the audited IT Infrastructure, the Data Processing Account used for data collection, auditing scope, report delivery settings, etc. In our case, to create a Managed Object for Exchange, the easiest way is:
- Select Exchange Servers from the main Netwrix Auditor console window:
- Select a Domain as a Managed Object type in the Create New Managed Object wizard:
- On the Specify Default Data Processing Account step, click Specify Account... and enter an account that is local admin on the Netwrix Auditor server and that belongs to the Exchange Organization Management or the Records Management RBAC groups:
- On the Specify Email Settings step, specify the e-mail settings that will be used to send out audit reports (use the Verify button to ensure Netwrix is actually able to send e-mails):
- Click Next;
- On the Specify Domain Name step, specify the target domain name in the FQDN format:
- On the Configure Reports Settings step, select Enable Reports (otherwise audit data will not be written to an SQL database and archiving of audit data will be limited):
- Click Next;
- On the Configure Audit in Target Environment step, I am choosing to let Netwrix automatically configure my target Exchange environment. This method is recommended for evaluation purposes in test environments as in production environments these settings might conflict with what is stipulated by the current auditing settings:
- On the Specify Exchange Servers Change Summary Recipients step, click Add to specify the recipients to whom Change Summaries should be sent to:
- Click Next;
- On the last step, review the Managed Object settings and click Finish to exit the wizard. The newly created Managed Object will appear under the Managed Objects node.
Mailbox Access Auditing
Now that we have a Managed Object created for Exchange auditing, navigate to this Managed Object in the Netwrix Auditor console, select Exchange Servers system in the left pane, and click Track Access... next to Non-owner Mailbox Access Auditing in the right pane:
In the dialog that opens, configure the settings for non-owner mailbox access auditing according to your policies. In here we can configure a variety of options, such as:
- Use agents to collect detailed audit data - if this option is not selected, only summary reports (see below) will be available;
- Summary report - select this report type to receive summary reports. These reports contain information on who accessed what mailbox and when;
- Detailed report - these reports contain information on who accessed what mailbox and when, and what actions were performed on the accessed mailboxes’ contents;
- Notify users - select this check-box if you want to notify users about non-owner access to their mailboxes;
- Notify only selected users - select this check-box and click Specify Users to specify a list of users who will receive notifications on non-owner access to their mailboxes. This might be useful for important mailboxes such as admins or VIPs for example.
When finished, click Apply:
Now that everything is configured, let us have a look at what reports we can use to better audit our Exchange environment.
Netwrix Auditor provides a wide variety of predefined reports for each audited system. Before we dive into these, let us have a quick look at the data collection workflow:
- When a new Managed Object is created, Netwrix starts collecting audit data from the monitored system’s native event logs;
- If during a data collection a change or an event is detected that triggers an alert, an e-mail notification is sent to the specified recipients. However, this real-time alert functionality is currently only supported by Active Directory auditing and Event Log Management, not Exchange auditing;
- Netwrix writes collected audit data to a local file-based storage - Audit Archive. The schedule will depend on the audited system – for some systems this is done once a day, while for others it is done in real-time;
- If the Reports functionality is enabled and configured, audit data is then imported from the Audit Archive to an SQL database;
- Netwrix Auditor generates a Change Summary report listing all changes/events/recorded user sessions that occurred since the last Change Summary delivery:
A thing to note with all the reports we will look at, is that all of them are customizable. We can, for example, specify the time range we want to list changes for, sort by each column, filter, or even create a Subscription so that the report gets automatically generated at a specified schedule:
In Netwrix Auditor, the following types of reports are available:
Dashboards provide a high-level overview of activity trends by date, user, server or system, and allow us to drill through to detailed reports for further analysis. The Enterprise Overview dashboard, for example, aggregates the information on changes from all audited systems and provides a centralized overview. System-specific dashboards reflect all changes across all Managed Objects where audit of this target system is enabled, such as Exchange for example.
Enterprise Overview reports
Enterprise-Wide reports aggregate data from all Managed Objects. Common reports list changes that occurred across all audited systems, while system-specific reports aggregate data from all Managed Objects where audit of this system is enabled. Enterprise-Wide reports can be found under the Enterprise-Wide Reports node:
If we navigate to the Exchange Server node, we will see the same reports but just for our Exchange environment:
Overview reports are chart reports that provide a high-level overview of changes to the audited environment within a selected time period. These consist of four charts, showing the activity trends by object type, user, date and server. Overview reports can be found under the Reports node for the selected audited system:
These, like many other reports, also provide drill-through functionality, meaning that by clicking on a chart segment, we will be redirected to a detailed table report with the corresponding filtering and grouping of data. For example, if we click on Exchange Outlook Web Access Mailbox Policy, we can see exactly what changes were made to the OWA policy:
Change reports are system-specific reports that aggregate audit data for an individual Managed Object, such as Exchange or Active Directory. These show detailed data on changes and provide grouping, sorting and filtering capabilities. Change reports can be found under the Reports node for the selected audited system. As we can see from the following screenshot, there are over 30 reports just for Exchange, separated by categories such as Address Lists, Mailboxes, etc.:
There are simply too many reports to show in this review... As a few examples, opening the Changes to MS Exchange Stores report we can see every change made to databases:
Change to Mailbox Permissions is an example of a really useful report from which we can easily see who gave permissions to whom for a particular mailbox:
Reports with Originating Workstation
There are a number of reports that, in addition to the standard who, when, where and when fields, also provide the name of the computer where the user was logged on when he/she made the change. Below is such an example where we can see that the user Administrator mounted the DB01 database from SERVER1:
Change Review History
Change Management is a critical process for many organizations. Netwrix Auditor facilitates the change auditing process by providing change monitoring and reporting capabilities. Additionally, we can review and assign a review status and reason for each change made to the audited systems.
Change Review History reports are found in the Change Management folder under the Reports node for the selected audited system. They list all changes to the monitored environment that are assigned the New status:
If a change seems unauthorized, or requires further analysis, we can click the Click to update status link, set its status to In Review and provide a reason:
Which will update its description and status:
Once the change has been approved, or rolled back, we can set its status to Resolved.
Changes with Video
The User Activity Video Recording feature tracks users’ activity on the audited computers and saves video records, providing us with reports that include links to a video recording showing how each change was made:
When we click the video link, a video player will open and playback of the recorded user session will start, showing us how each particular change was made:
Obviously, video recording typically requires considerable amount of disk space. The good news is that we can adjust the video quality, limit the recording based on time or size, specify which applications and/or users we want to monitor, etc.:
The state-in-time reports functionality allows generating reports on the configuration state of the audited system at a specific moment of time, in addition to change reports, based on the configuration snapshots captured daily. However, this functionality is currently only available while auditing Active Directory or Group Policy.
SQL Server Reporting Services
As I have mentioned a few times, Netwrix Auditor can use a SQL database to generate reports and archive historical data. As such, most reports can also be accessed through the SQL Reporting website:
Non-Mailbox Owner Access
The other great functionality of Netwrix Auditor is auditing mailbox access. When running Exchange 2010 or 2013, this is based on the Exchange Mailbox Audit Logging feature (please refer to the Auditing Mailbox Access MSExchange.org article) and, therefore, requires administrators to preconfigure which mailboxes to collect audit information for and for what actions. However, basic mailbox access auditing is also provided when using Exchange 2003 or 2007.
As we saw previously, this feature collects information by default at 3:00AM everyday (configurable). To manually generate a report, all we have to do is run the following scheduled task:
Once it finishes, a CSV report will be sent to the configured recipients:
This report will list all actions that were taken on a user’s mailbox by someone (varying accordingly to what has been configured to be audited):
On a closer look, we can see, for example, a user opening and then deleting an e-mail with the subject Complaint:
Through Netwrix Auditor, we can exclude users or mailboxes that we do not want to monitor with the Mailbox Access Auditing feature, thus limiting the report to the mailboxes we are more interested in.
Currently mailbox auditing does not provide a functionality to create real-time alerts, which would be useful to alert when someone (tries to) accesses a VIP mailbox for example. However, it is possible to configure real-time alerts to be triggered by non-owner mailbox access events such as opening a message folder, opening/modifying/deleting a message, etc. Although this generates a basic e-mail alert with only what action was performed, it serves as a trigger for further investigation:
Issues & Improvements
I did not experience any issues throughout my tests with this product and, to be honest, there is only one big thing I would really like to see in a future version of Netwrix Auditor. In my opinion, the mailbox auditing reports should be available through the main console. I understand the unique nature of these reports and how hard it can be to work with them. But if a CSV can be generated with all the changes, I am sure these can be incorporated into a “traditional” report that admins can search, filter and sort like all other reports.
Netwrix Auditor is a great product that provides, in one place and in a readable format, all the auditing reports any Exchange administrator can want, something currently lacking out there. Its customizable capacities together with its reporting power, make this a great product for any type of organization where auditing is a must, from SMBs to Enterprises.
MSExchange.org Rating 4.5/5