Netwrix Auditor is a visibility and governance platform that lets you monitor changes, configurations and access across important IT infrastructure components such as Active Directory, event logs, Exchange, Office 365, SQL Server and others.
- Installing Netwrix Auditor
- Initial configuration
- Generating reports
- Change management
- User Behavior Analytics
- Add-on Store
- Final points
Systems administrators can generate “who, what, when, and where” change audit reports with minimal effort. Learn the basics of the Netwrix Auditor solution, including installation, use cases, and obtaining an evaluation version.
Imagine this scenario: you are an Active Directory administrator for your organization. Last weekend, news outlets in your part of the world break reports that customer data, including personal details, was leaked from your internal environment.
In this article I’d like to show you Netwrix Auditor, a flexible visibility and governance platform that makes it much easier to track access in your domain and generate easy-to-understand yet compliance regulation-friendly reports.
Installing Netwrix Auditor
You can work with Netwrix either on-premises or in the cloud. Here are the options:
- On-prem installer: The server component runs on Windows Server, and the client component runs on Windows Server or Windows Client
- Virtual appliance: Preconfigured virtual hard drive that runs on either Hyper-V or VMware
- Cloud VM: Preconfigured virtual machines that run in the Microsoft Azure, Amazon Web Services (AWS) or CenturyLink public clouds
Before you install the Netwrix Auditor applications, however, you need to make sure that your Windows Server meets the solution’s system requirements. Although Windows Server 2016 isn’t listed as a supported OS, I had no problems installing and running Netwrix on my Windows Server 2016 domain controller.
Here’s a potential gotcha: You’ll need to have a SQL Server instance (both the database engine and reporting services) available to take full advantage of Netwrix Auditor’s capabilities. You can get away with an Express Edition, by the way.
You’ll also want to make sure to install the .NET Framework 3.5 feature on your server prior to Netwrix installation.
As is the case with most client/server software, the installer lets you choose between a client/server (full installation) or a client tools-only option. You can see the dialog box in question in the next screenshot.
Initial configuration
You administer Netwrix Auditor by starting the Netwrix Auditor Administrator console, as shown in the following screenshot. This is a garden-variety Microsoft Management Console (MMC) application.
The Netwrix Auditor administrative console.
Deploying auditing with Netwrix involves the following steps:
- Validating your SQL Server database connection (performed in the AuditArchive™ > Audit Database admin console node)
- Adding and configuring managed objects (performed in the Managed Objects node)
- Configuring your audit policies and real-time alerts
You can define audit policies across many, many servers and services. Here’s the list of included audited systems in Netwrix Auditor 8.5:
- Active Directory
- Group Policy
- Azure AD
- Exchange Online
- SharePoint Online
- Windows File Servers
- Oracle Database
- SQL Server
- Windows Server
List of predefined real-time alerts.
Configuration for the built-in Organizational Unit Deletion alert.
Second, you choose who should be notified when the alert rule is triggered, and how you want the alert delivered. You specify Simple Mail Transfer Protocol (SMTP) server settings under Settings > Email Notifications; you can also have Netwrix Auditor send Short Message Service (SMS) text messages to administrators.
Each managed object also lets you set data collection schedules and, if necessary, alternative network credentials.
Generating reports
Do you see how this process works? You enable managed objects that match the network services and assets that require auditing, and you configure e-mail or SMS messages for real-time alerts.
But what about generating reports to give to your company’s compliance officers? Well, let’s cover that use case next. Open the Netwrix Auditor client and you’ll see a nice graphical dashboard that looks much like the following screenshot.
The specific report options available in the client depend, of course, on which managed objects you’ve configured for auditing.
If you click Reports from the Netwrix Auditor client home page, you can run any of the predefined reports for managed objects of the corresponding IT system, as shown next. Note that you need a license to see all of the available data.
The actual report interface should look familiar if you’ve used SQL Server Reporting Services (SSRS). In the following screenshot, look at the toolbar buttons I called out: you can export auditing reports to one of several different formats:
- Physical printer
- Web services data feed (Atom)
One of this product’s biggest selling points, in my humble opinion, is its library of pre-built compliance reports. Take a look at the following screenshot:
A user can set up a subscription to any of the reports or dashboards and start receiving them via e-mail according to a schedule they define. Alternatively, the reports can be delivered to a specified network folder instead of by e-mail.
If you have reporting needs that go beyond the prebuilt report definitions, you can craft your own search in Interactive Search and save it as a ‘custom report’ for later use, as shown below:
Producing polished reports for your auditors is useful, but how could you use Netwrix Auditor to actually isolate and fix problems?
What’s wonderful about this tool is that you can view before/after snapshots of your managed data. For instance, you can view Group Policy data as it existed before one of your colleagues made some blocking edits to the domain policy.
Going further, you can actually roll back changes without necessarily having to dip into your backup archives. The following screenshot, courtesy of Netwrix, shows (a) an Active Directory object changes report; and (b) dialog boxes from their Active Directory Object Restore wizard.
Netwrix includes unwanted change rollback
User Behavior Analytics
With the last product update, Netwrix introduced a new feature to Netwrix Auditor 8.5 that allows admins to analyze user behavior and “blind spots.” This new capability makes it easy to detect anomalies in user behavior that would otherwise go unnoticed, such as unusual access to sensitive or stale data, unusual spikes in failed activity, activity outside of business hours, activity around harmful files on corporate data storage and files containing sensitive data, and more.
Add-on Store
Another interesting feature of Netwrix Auditor 8.5 is the ability to integrate it with the leading SIEMs, including Splunk, IBM Security QRadar, AlienVault USM, SolarWinds Log & Event Manager, Intel Security and LogRhythm. The Netwrix Auditor Add-on Store provides free add-ons built to integrate Netwrix Auditor with any IT ecosystem. Because Netwrix Auditor supports a RESTful API, the list of available add-ons is expected to grow.
Final points
I’m a big fan of any administrative toolset that helps me to sleep peacefully at night. The fact that Netwrix Auditor saves me from scraping several servers’ worth of log data and Group Policy results is reason alone to justify its purchase. Then there’s the turnkey compliance auditing functionality.
Credit: Timothy Warner