Product Review: Netwrix Auditor

Product: Netwrix Auditor

Product Homepage: click here

Free Trial Download: click here

Introduction

Netwrix is a US software company that specializes in auditing solutions for IT systems and applications. Its flagship product is Netwrix Auditor, previously known as Change Reporter Suite. Netwrix Auditor collects data on changes made to an IT infrastructure, such as Exchange, Active Directory, EMC storage, SharePoint, SQL, VMware and more. It generates reports showing the before and after values for who changed what, when and where in a human-readable format, with the possibility of long-term data archiving.

In this review, we will focus our attention on using Netwrix Auditor v6.0 to audit Microsoft Exchange Server.

Requirements

Both hardware and software requirements for Netwrix Auditor are simple and reasonable. As a minimum, an Intel or AMD 2GHz processor with 2GB of RAM is sufficient for small environments. As to disk space, it will depend on the number of changes and the audit archive retention settings.

In terms of software: Windows 7 or above (Windows Server as well as expected), .NET Framework 3.5 SP1, Windows PowerShell and SQL Server for archiving and reporting services (SQL Server 2008, 2008 R2 or 2012 – all Express Edition with Advanced Services, Standard or Enterprise Edition are supported).

Although Netwrix Auditor supports Exchange 2003 all the way up to Exchange 2013, its Mailbox Access Auditing functionality that we will see later is not yet available on Exchange 2013.

Installation

Note:
This is not an installation or configuration guide, so some steps are skipped for brevity.

Installing Netwrix Auditor is a very straightforward process:

1. Start by downloading Netwrix Auditor 6.0;
2. Run the installation package and the following window will be displayed:

Figure 1

3. Click Install and follow the instructions of the setup wizard;
4. When prompted, accept the license agreement and click Next:

Figure 2

5. Specify the installation folder and click Install:

Figure 3

6. Once installation is complete, click Yes:

Figure 4

7. The Netwrix Auditor console will open:

Figure 5

Configuration

For most audited systems, Netwrix offers both agent-based and agentless data collection methods. The use of agents is recommended for distributed deployments or multi-site networks due to their ability to reduce network traffic as data is transferred in a compressed format.

Netwrix Auditor relies on native logs for collecting audit data. Therefore, successful change auditing requires a certain configuration of the native audit settings in the audited environment and on the computer where Netwrix Auditor resides in order to ensure audit data integrity. The good news is that all this configuration can be done automatically.

To start auditing our Exchange environment, we must create a Managed Object – a container within the Netwrix Auditor console that stores information on the audited IT Infrastructure, the Data Processing Account used for data collection, auditing scope, report delivery settings, etc. In our case, to create a Managed Object for Exchange, the easiest way is:

1. Select Exchange Servers from the main Netwrix Auditor console window:

Figure 6

2. Select a Domain as a Managed Object type in the Create New Managed Object wizard:

Figure 7

3. On the Specify Default Data Processing Account step, click Specify Account… and enter an account that is local admin on the Netwrix Auditor server and that belongs to the Exchange Organization Management or the Records Management RBAC groups:

Figure 8

4. On the Specify Email Settings step, specify the e-mail settings that will be used to send out audit reports (use the Verify button to ensure Netwrix is actually able to send e-mails):

Figure 9

5. Click Next;
6. On the Specify Domain Name step, specify the target domain name in the FQDN format:

Figure 10

7. On the Configure Reports Settings step, select Enable Reports (otherwise audit data will not be written to an SQL database and archiving of audit data will be limited):

Figure 11

8. Click Next;
9. On the Configure Audit in Target Environment step, I am choosing to let Netwrix automatically configure my target Exchange environment. This method is recommended for evaluation purposes in test environments as in production environments these settings might conflict with what is stipulated by the current auditing settings:

Figure 12

10. On the Specify Exchange Servers Change Summary Recipients step, click Add to specify the recipients to whom Change Summaries should be sent to:

Figure 13

11. Click Next;
12. On the last step, review the Managed Object settings and click Finish to exit the wizard. The newly created Managed Object will appear under the Managed Objects node.

Figure 14

Mailbox Access Auditing

Now that we have a Managed Object created for Exchange auditing, navigate to this Managed Object in the Netwrix Auditor console, select Exchange Servers system in the left pane, and click Track Access… next to Non-owner Mailbox Access Auditing in the right pane:

Figure 15

In the dialog that opens, configure the settings for non-owner mailbox access auditing according to your policies. In here we can configure a variety of options, such as:

• Use agents to collect detailed audit data – if this option is not selected, only summary reports (see below) will be available;
• Summary report – select this report type to receive summary reports. These reports contain information on who accessed what mailbox and when;
• Detailed report – these reports contain information on who accessed what mailbox and when, and what actions were performed on the accessed mailboxes’ contents;
• Notify users – select this check-box if you want to notify users about non-owner access to their mailboxes;
• Notify only selected users – select this check-box and click Specify Users to specify a list of users who will receive notifications on non-owner access to their mailboxes. This might be useful for important mailboxes such as admins or VIPs for example.

When finished, click Apply:

Figure 16

Now that everything is configured, let us have a look at what reports we can use to better audit our Exchange environment.

Reports

Netwrix Auditor provides a wide variety of predefined reports for each audited system. Before we dive into these, let us have a quick look at the data collection workflow:

1. When a new Managed Object is created, Netwrix starts collecting audit data from the monitored system’s native event logs;
2. If during a data collection a change or an event is detected that triggers an alert, an e-mail notification is sent to the specified recipients. However, this real-time alert functionality is currently only supported by Active Directory auditing and Event Log Management, not Exchange auditing;
3. Netwrix writes collected audit data to a local file-based storage – Audit Archive. The schedule will depend on the audited system – for some systems this is done once a day, while for others it is done in real-time;
4. If the Reports functionality is enabled and configured, audit data is then imported from the Audit Archive to an SQL database;
5. Netwrix Auditor generates a Change Summary report listing all changes/events/recorded user sessions that occurred since the last Change Summary delivery:

Figure 17

A thing to note with all the reports we will look at, is that all of them are customizable. We can, for example, specify the time range we want to list changes for, sort by each column, filter, or even create a Subscription so that the report gets automatically generated at a specified schedule:

Figure 18

In Netwrix Auditor, the following types of reports are available:

Dashboards

Dashboards provide a high-level overview of activity trends by date, user, server or system, and allow us to drill through to detailed reports for further analysis. The Enterprise Overview dashboard, for example, aggregates the information on changes from all audited systems and provides a centralized overview. System-specific dashboards reflect all changes across all Managed Objects where audit of this target system is enabled, such as Exchange for example.

Figure 19

Enterprise Overview reports

Enterprise-Wide reports aggregate data from all Managed Objects. Common reports list changes that occurred across all audited systems, while system-specific reports aggregate data from all Managed Objects where audit of this system is enabled. Enterprise-Wide reports can be found under the Enterprise-Wide Reports node:

Figure 20

If we navigate to the Exchange Server node, we will see the same reports but just for our Exchange environment:

Figure 21

Overview reports

Overview reports are chart reports that provide a high-level overview of changes to the audited environment within a selected time period. These consist of four charts, showing the activity trends by object type, user, date and server. Overview reports can be found under the Reports node for the selected audited system:

Figure 22

These, like many other reports, also provide drill-through functionality, meaning that by clicking on a chart segment, we will be redirected to a detailed table report with the corresponding filtering and grouping of data. For example, if we click on Exchange Outlook Web Access Mailbox Policy, we can see exactly what changes were made to the OWA policy:

Figure 23

Change reports

Change reports are system-specific reports that aggregate audit data for an individual Managed Object, such as Exchange or Active Directory. These show detailed data on changes and provide grouping, sorting and filtering capabilities. Change reports can be found under the Reports node for the selected audited system. As we can see from the following screenshot, there are over 30 reports just for Exchange, separated by categories such as Address Lists, Mailboxes, etc.:

Figure 24

There are simply too many reports to show in this review… As a few examples, opening the Changes to MS Exchange Stores report we can see every change made to databases:

Figure 25

Change to Mailbox Permissions is an example of a really useful report from which we can easily see who gave permissions to whom for a particular mailbox:

Figure 26

Reports with Originating Workstation

There are a number of reports that, in addition to the standard who, when, where and when fields, also provide the name of the computer where the user was logged on when he/she made the change. Below is such an example where we can see that the user Administrator mounted the DB01 database from SERVER1:

Figure 27

Change Review History

Change Management is a critical process for many organizations. Netwrix Auditor facilitates the change auditing process by providing change monitoring and reporting capabilities. Additionally, we can review and assign a review status and reason for each change made to the audited systems.

Change Review History reports are found in the Change Management folder under the Reports node for the selected audited system. They list all changes to the monitored environment that are assigned the New status:

Figure 28

If a change seems unauthorized, or requires further analysis, we can click the Click to update status link, set its status to In Review and provide a reason:

Figure 29

Which will update its description and status:

Figure 30

Once the change has been approved, or rolled back, we can set its status to Resolved.

Changes with Video

The User Activity Video Recording feature tracks users’ activity on the audited computers and saves video records, providing us with reports that include links to a video recording showing how each change was made:

Figure 31

When we click the video link, a video player will open and playback of the recorded user session will start, showing us how each particular change was made:

Figure 32

Obviously, video recording typically requires considerable amount of disk space. The good news is that we can adjust the video quality, limit the recording based on time or size, specify which applications and/or users we want to monitor, etc.:

Figure 33

State-in-time reports

The state-in-time reports functionality allows generating reports on the configuration state of the audited system at a specific moment of time, in addition to change reports, based on the configuration snapshots captured daily. However, this functionality is currently only available while auditing Active Directory or Group Policy.

SQL Server Reporting Services

As I have mentioned a few times, Netwrix Auditor can use a SQL database to generate reports and archive historical data. As such, most reports can also be accessed through the SQL Reporting website:

Figure 34

Figure 35

Non-Mailbox Owner Access

The other great functionality of Netwrix Auditor is auditing mailbox access. When running Exchange 2010 or 2013, this is based on the Exchange Mailbox Audit Logging feature (please refer to the Auditing Mailbox Access MSExchange.org article) and, therefore, requires administrators to preconfigure which mailboxes to collect audit information for and for what actions. However, basic mailbox access auditing is also provided when using Exchange 2003 or 2007.

As we saw previously, this feature collects information by default at 3:00AM everyday (configurable). To manually generate a report, all we have to do is run the following scheduled task:

Figure 36

Once it finishes, a CSV report will be sent to the configured recipients:

Figure 37

This report will list all actions that were taken on a user’s mailbox by someone (varying accordingly to what has been configured to be audited):

Figure 38

On a closer look, we can see, for example, a user opening and then deleting an e-mail with the subject Complaint:

Figure 39

Through Netwrix Auditor, we can exclude users or mailboxes that we do not want to monitor with the Mailbox Access Auditing feature, thus limiting the report to the mailboxes we are more interested in.

Currently mailbox auditing does not provide a functionality to create real-time alerts, which would be useful to alert when someone (tries to) accesses a VIP mailbox for example. However, it is possible to configure real-time alerts to be triggered by non-owner mailbox access events such as opening a message folder, opening/modifying/deleting a message, etc. Although this generates a basic e-mail alert with only what action was performed, it serves as a trigger for further investigation:

Figure 40

Issues & Improvements

I did not experience any issues throughout my tests with this product and, to be honest, there is only one big thing I would really like to see in a future version of Netwrix Auditor. In my opinion, the mailbox auditing reports should be available through the main console. I understand the unique nature of these reports and how hard it can be to work with them. But if a CSV can be generated with all the changes, I am sure these can be incorporated into a “traditional” report that admins can search, filter and sort like all other reports.

Final Thoughts

Netwrix Auditor is a great product that provides, in one place and in a readable format, all the auditing reports any Exchange administrator can want, something currently lacking out there. Its customizable capacities together with its reporting power, make this a great product for any type of organization where auditing is a must, from SMBs to Enterprises.

MSExchange.org Rating 4.5/5

Learn more about Netwrix Auditor or download a free trial.