Review: Change and configuration auditing with Netwrix Auditor 7.0

Netwrix Auditor is a powerful change and configuration auditing platform that leverages the data collected from all parts of the company network to provide detailed information on everything that is going on inside.

Installation

Installing Netwrix Auditor is a pretty straightforward procedure. You should install it on a workstation (more info on this below) and you will need administrator privileges to do it. The solution stores the collected data in a two–tiered audit archive that includes a file–based local long–term archive and a short-term SQL-based audit database. For the latter, you’ll obviously need a database server, so you can either type in the credentials of an already running server, or Netwrix Auditor will install and set up Microsoft SQL Server Express on your behalf. The whole installation, without the potential SQL server install, will be over in a minute or two.

The documentation suggests that Netwrix Auditor should be installed on a workstation rather than on a domain controller. This is probably because the software requires a SQL server and the Express version cannot be deployed from inside the Netwrix Auditor installation. Also, according to Microsoft, it is not recommended to install SQL Server on a domain controller because of specific security restrictions when running it in this configuration. Another thing is that, given the resource demands of a domain controller, SQL Server performance may also be degraded.

A successful installation on your system will generate two executables for you to use – Netwrix Auditor Client and Netwrix Auditor Administration Console. For most of the systems you will audit, Netwrix provides both agent-based and agentless data collection methods. Installing agents is recommended when auditing SharePoint farms (SharePoint_Shell_Access role needs to be assigned and the agent needs to be manually installed) and when tracking user activity (done automatically without any intervention from the Administrator Console). The Netwrix Auditor client can also be deployed on multiple computers through Group Policy.

(Pre)configuration of audited systems

Before getting into the details on how to initiate audit procedures, it is very important to preconfigure all the systems that will be monitored by the Netwrix solution. The documentation that comes with the product specifies all the aspects you need to think about to prepare your environment for Netwrix Auditor workflows. Seasoned administrators will be on top of these things, but reading through the “Configure IT Infrastructure for Audit” part of the installation manual is nevertheless recommended.

I had some issues with (relatively) newer workstations and servers where Microsoft .Net Framework 4+ was installed. Getting some of the data from these machines didn’t work and the root cause was detected when I read through the Netwrix Auditor System Health log inside the local Event viewer. The error shown was that Microsoft .NET framework 2.0 is required. As it turns out, Microsoft .NET 4.5 is not totally backward compatible with 2.0, meaning that some libraries are missing in action. The solution to this, which was the only minor bump in the road I had with Netwrix Auditor, was to enable Microsoft .NET 3.5 on the Microsoft Windows Server 2012 systems in question, as it contains all the needed dependencies.

Note: Netwrix Auditor System Health is a good tool for checking whether there are any errors in the connection between the Netwrix Auditor workstation and the audited environment.

Administrator Console

This is the part where the actual configuration starts. Netwrix Auditor uses a set of configurable Managed Objects to specify where the data will be collected. By default, the administrator can choose one of the following applications to create a Managed Object:

The actual objects that can be used by these specific built-in applications can be: Domain, Computer Collection, Organizational Unit, SharePoint Farm and VMware Virtual Center. Of course, specific audited system apps use just the appropriate object. It is usually just one, for instance for Active Directory you have the Domain as the managed object and for Inactive Users Tracking you can choose either a Domain or Organizational Unit. Every application presented here has its own context and therefore different levels of configuration options.

The interface of the Netwrix Auditor Administrator Console is your typical two-panel window where the list of objects and settings is on the left and the data or further details open on the right. The layout is very clean, with the focus on efficiency. All of the newly created managed objects are available under the Managed Objects listing and you can create folders and group them using the structure that suits you the best.

Besides building the audit objectives, the admin console provides a number of settings related to the general usage of the software. Here you can set up email notifications, location and retention settings, schedule data collection cycles and manage existing ones. There is also support for a couple of Syslog based platforms. When it comes to scheduling, the default option is to set up a task once per day, but you can also set up multiple ones.

Searching through the data

The more systems and targets you define in the Administrator Console, the more data you will have in your retainers. Collecting massive amounts of data from your networks can prove to be very valuable. Netwrix Auditor’s search capabilities are immense, the system is very fast and provides a long list of search parameters. Besides the most basic ones like searching for a word or a set of characters, you can always choose to use one of the predefined search modules, which include:

1. Who – targeting a specific account
2. Action – choose one of the actions including what was added, removed, modified or read
3. What – searching for a specific object
4. When – aiming for a date range
5. Where – match just selected host, domain, etc.

While it seems you cannot use regular expressions in these predefined modules, there is an advanced section where the administrator can set up specific filters with six different operators (“contain”, “equal”, “starts with” + their opposites). These filters are a must when going deeper into mangling the data.

The results of a successful search query are laid out in rows and columns and are very easy to read through. Every result can be expanded to present a more detailed look. What I really like is that the values of specific objects from the search results, such as Action, When or let’s say Where, can be reused to create new search queries. This comes quite handy when you come across something that sounds suspicious or interesting enough to make you dig deeper.

Custom search queries can be saved and if you do that, they will appear on the main screen of the application. If you save a large number of searches, the screen starts to look a bit cluttered, so it would be nice if one of the next versions enables some way of organizing the saved searches.

If you need detailed monitoring of user activity, you will be happy to know that aside from the textual logging of every move your users make, Netwrix Auditor also deploys a video recorder as well. Files can be accessed directly from the Reports section, or you can find them in the right folders inside the Program Data directory. By the default settings, the video quality is really good. FYI, a 23 minute long file of a Windows 8 user’s actions on his workstation was compressed into a 1.35 MB avi video file. The resolution in this case was 1024×768 and it was recorded in black and white. I am not into video editing, but taking into consideration the length and resolution of the video, the size of the file seems reasonably small.

Reporting and compliance

Big data and a powerful search engine should always be accompanied by detailed reporting capabilities. While browsing through the templates, I stopped counting, but I presume there were a couple of hundred of different reports you can run on your data. Templates are categorized into topics, where you can expand the icons to access more subsets (example: Active Directory > Active Directory State-in-time > User accounts group memberships).

In case your organization is audited and you need to prove that specific processes and controls are/were in place, just select one of the compliance reporting datasets which include PCI DSS 3.0, HIPAA, SOX, FISMA/NIST800-53 and ISO/IEC 27001.

Access to the audit data can be given to specific teams as the Netwrix Auditor client can be installed on multiple computers. It just needs to be configured to connect to the main workstation with the appropriate credentials.

Besides providing the users with different methods of exporting the reports (PDF, Excel, Word and Atom data feed), there is a possibility of creating subscriptions for specific reports. Every generated report features a “Subscribe” button, where the information can be customized and associated with the selected recipients. Delivery over email can be in PDF, Excel, Word and CSV data files and the minimum timeframe between sent reports is 24 hours.

Documentation

As you can see so far, Netwrix Auditor is a robust solution that has a very broad coverage of audited systems. To function properly, each audited target needs to be configured to support data collection. The documentation provided by Netwrix is impressive and spreads over 430 pages in four different PDF documents. These include the installation and configuration guide, administrator guide, user guide and release notes.

The advice presented in the installation and configuration guide will be pivotal for successfully setting up every possible detail related to particular conditions of tracking changes inside your corporate network. As with the other documents, it is formatted very well and provides both a thorough step-by-step manual, as well as a quick reference guide with specific details such as how to configure object-level auditing for the domain partition.

The user guide is intended for Netwrix Auditor users (not admins) that are tasked for searching and filtering of audit data, generating various reports, etc. While the release notes seem to focus just on version history, it is actually much more than that. In a transparent and very helpful manner, Netwrix provides a 20 pages long list of known issues that you could potentially come across while running Netwrix Auditor. Every known issue is assigned its own ID and contains a detailed description. The majority of issues have workaround ideas or solutions, while others point the user to specify the ID in question to the Netwrix Technical support.

Pricing

Each Netwrix Auditor application (audit system type) is sold separately. Pricing starts from $3 and is calculated per enabled Active Directory user. First year of support and maintenance is included.

Final thoughts

By combining in-depth collection methods, powerful search engine and extensive reporting functionalities, Netwrix Auditor proves to be an impressive solution for maximizing visibility of every aspect of what’s going on inside your IT infrastructure.

Don't miss