Change Auditor
Vlad Samoylenko | BAKOTECH GROUP | [email protected]

Overview and practical application of Dell Change Auditor

Page 1: Overview and practical application of Dell Change Auditor

Change Auditor

Vlad Samoylenko | BAKOTECH GROUP | [email protected]

Page 2

Modules covered in this presentation

• Change Auditor for Active Directory

• Change Auditor for AD Queries

• Change Auditor for Exchange

• Change Auditor for SharePoint

• Change Auditor for Windows File Servers

• Change Auditor for NetApp

• Change Auditor for EMC

• Change Auditor for SQL Server

Page 3

The Challenges

Microsoft Active Directory, Exchange, SharePoint, Windows File Servers, VMware, NetApp, EMC and SQL Server are part of your mission-critical infrastructure

• Event logging and change reporting are required to satisfy auditor requests and prove compliance

• No comprehensive view of all changes and event logs; they are scattered across various locations and formats

• Searching for a specific event is time consuming and frustrating

• Native event details contain limited information which is difficult to decipher without application expertise

• No protection exists to prevent sensitive objects from being deleted or logs from rolling over. Administrators usually aren’t made aware of problems until it is too late, causing potential compliance violations and system downtime

• Reporting is a time consuming process

• Event context is lost when viewing any single event across the Microsoft eco-system

Page 4

The Solution: Change Auditor

• Real-time, consolidated change auditing for: AD, AD Queries, Exchange, SharePoint, SQL, Windows file servers, VMware, NetApp, EMC, Lync, user logon activity, SonicWALL NGFW devices, cloud storage auditing, Registry, Services, Local Users & Groups

Enables enterprise-wide change management from an intuitive client. Sort, group, filter and graph on the fly.

Ensures a secure and compliant infrastructure by tracking changes in real time, while logging the origin as well as before and after values.

Strengthens internal controls through object protection and insight into both authorized and unauthorized changes.

Page 5

What is Change Auditor?

Change Auditor provides complete, real-time change auditing, in-depth forensics and comprehensive reporting on all key configuration, user and administrator changes for Active Directory, ADLDS, AD Queries, Exchange, SharePoint, Lync, VMware, NetApp, Windows File Servers, EMC, and SQL Server. Change Auditor also tracks detailed user activity for web storage and services, logon and authentication activity and other key services across enterprises.

Who made the change?

When was the change made?

Why was the change made? (Comment)

Where was the change made from?

What object was changed (before and after)?

Smart Alerts

From which workstation did the request originate?

Page 6

Change Auditor - Key Features

• In-depth auditing for:

– Active Directory & ADLDS

– Exchange

– SharePoint

– Windows File Servers

– EMC

– NetApp

– Microsoft Lync

– User Logon Activity

– SonicWALL NGFW devices

– Cloud storage providers

– SQL Server

– VMware vCenter / ESX Hosts

– AD queries against Active Directory (applications and scripts)

– Registry, Local Users & Groups, and Services

• Detailed who, what, when, where, why and workstation, plus original and current values for all changes – presented in simple terms

• Event Context – provides change information in relationship to other things happening in your environment

• Optionally log events to a Windows event log

• Protect against undesirable changes to AD objects, mailboxes, Windows files and folders

• Restore unwanted changes to AD with a single click

Page 7

Change Auditor 6.6: Architectural diagram (diagram not reproduced; the only label recoverable from it is "InTrust")

Page 8

Change Auditor for Active Directory

Page 9

Change Auditor for Active Directory

Screenshot callouts: At a Glance, Easy Read, Event Filter, Context & Restore

Page 10

Change Auditor for Active Directory: GPO Settings

Page 11

Change Auditor for Active Directory: Locked Out

Page 12

Change Auditor for Active Directory

Screenshot callout: Object Protect

Page 13

Change Auditor for Active Directory

Role-Based Access

Page 14

Change Auditor For Exchange

Page 15

The Challenges of Managing Exchange

• Impossible to natively track changes to Exchange Store settings

• Event log and audit data that is distributed throughout the enterprise

• Volume of audit data is difficult to archive

• Audit data takes time to analyze, trend, report on and distribute

• Native auditing does not provide detailed information on:

– Non-owner mailbox access and specific activity related to this access

– Changes to permissions at the client level

– Changes to permissions to the Configuration Store

• Native auditing does not provide detailed change tracking of permission changes made to a mailbox within AD

Page 16

Managing Exchange Online / Office 365

• No visibility into administrator or user activity in the cloud

• Remote logs must be subscribed to and downloaded

• No alerting based on activity

• Events are only in Excel 2010 format

• Requires programming skills to turn on and collect audit data

Page 17

What to consider if you're going to audit Exchange

• Access to key mailboxes

– Executives, Board members, HR, …

– Ignore non-owner auditing messages from departmental mailboxes

• Changes to membership of key distribution lists

– Senior Leadership Team – discusses company strategies

• Changes to administrative security groups

• Exchange Server configuration changes
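The four points above are, in effect, a triage policy: non-owner access to a key mailbox matters, non-owner access to a departmental mailbox is noise, and membership changes to the senior-leadership list or to administrative groups deserve an alert. The following is an added example written for this page, not Change Auditor's code, that applies that policy to a normalized event stream. Every mailbox address, group name, account and event in it is constructed; the one design point worth noting is the delegate baseline, since an executive assistant who legitimately opens the CEO's calendar would otherwise trigger the same alert as an intruder.

```python
"""Triage of Exchange audit events against the four points on the
"What to consider if you're going to audit Exchange" slide.
Added illustration for this page, not Change Auditor's code; all names
below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed baseline: which mailboxes matter, which are shared by design,
# and which accounts are approved delegates of each key mailbox.
KEY_MAILBOXES: Set[str] = {"ceo@corp.example", "board@corp.example", "hr@corp.example"}
DEPARTMENTAL_MAILBOXES: Set[str] = {"sales@corp.example", "helpdesk@corp.example"}
APPROVED_DELEGATES: Dict[str, Set[str]] = {"ceo@corp.example": {"ea.smith@corp.example"}}
KEY_DISTRIBUTION_LISTS: Set[str] = {"senior-leadership"}
ADMIN_SECURITY_GROUPS: Set[str] = {"organization management", "domain admins"}


@dataclass(frozen=True)
class ExchangeEvent:
    kind: str                    # mailbox_access | group_member_added | group_member_removed | config_change
    actor: str                   # who performed the action
    target: str                  # mailbox address, group name or configuration object
    owner: Optional[str] = None  # for mailbox_access: the mailbox owner's address
    detail: str = ""             # folder opened, member added, setting changed, ...


def triage(ev: ExchangeEvent) -> Optional[str]:
    """Return a severity label for events worth a human's attention, or None
    when the slide's guidance says the event is noise."""
    target = ev.target.lower()
    actor = ev.actor.lower()
    if ev.kind == "mailbox_access":
        if ev.owner and actor == ev.owner.lower():
            return None  # the owner reading their own mailbox
        if target in DEPARTMENTAL_MAILBOXES:
            return None  # shared mailboxes are opened by many people by design
        if actor in APPROVED_DELEGATES.get(target, set()):
            return None  # delegate access that was baselined in advance
        if target in KEY_MAILBOXES:
            return "HIGH: non-owner access to key mailbox"
        return "LOW: non-owner mailbox access"
    if ev.kind in ("group_member_added", "group_member_removed"):
        if target in ADMIN_SECURITY_GROUPS:
            return "HIGH: administrative security group membership change"
        if target in KEY_DISTRIBUTION_LISTS:
            return "MEDIUM: key distribution list membership change"
        return None  # ordinary group churn is not alerted on
    if ev.kind == "config_change":
        return "MEDIUM: Exchange server configuration change"
    return None


def triage_all(events: List[ExchangeEvent]) -> List[Tuple[str, str, str]]:
    """Return (label, actor, target) for every event that is not suppressed."""
    findings = []
    for ev in events:
        label = triage(ev)
        if label is not None:
            findings.append((label, ev.actor, ev.target))
    return findings


# Constructed sample stream, roughly what a normalized feed would look like.
SAMPLE_EVENTS = [
    ExchangeEvent("mailbox_access", "ceo@corp.example", "ceo@corp.example", owner="ceo@corp.example", detail="Inbox"),
    ExchangeEvent("mailbox_access", "ea.smith@corp.example", "ceo@corp.example", owner="ceo@corp.example", detail="Calendar"),
    ExchangeEvent("mailbox_access", "jdoe@corp.example", "hr@corp.example", owner="hr@corp.example", detail="Inbox"),
    ExchangeEvent("mailbox_access", "jdoe@corp.example", "helpdesk@corp.example", owner="helpdesk@corp.example"),
    ExchangeEvent("mailbox_access", "jdoe@corp.example", "bob@corp.example", owner="bob@corp.example"),
    ExchangeEvent("group_member_added", "admin1@corp.example", "Senior-Leadership", detail="jdoe@corp.example"),
    ExchangeEvent("group_member_added", "admin1@corp.example", "Organization Management", detail="jdoe@corp.example"),
    ExchangeEvent("config_change", "admin1@corp.example", "Mailbox Database 01", detail="ProhibitSendQuota changed"),
]

if __name__ == "__main__":
    for label, actor, target in triage_all(SAMPLE_EVENTS):
        print(f"{label:58} {actor} -> {target}")
```

Run as-is, the eight constructed events yield five findings: the owner's own access, the baselined delegate and the helpdesk mailbox are suppressed, while the HR mailbox access, the two group changes and the configuration change are kept.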

Page 18

Change Auditor for Exchange

Screenshot callouts: Role-Based Access, Mailbox Protect

Page 19

Change Auditor for Exchange

Screenshot callout: Config Tracker

Page 20

Change Auditor for Exchange

Page 21

Change Auditor for Exchange

Page 22

Change Auditor for Windows File Servers

Change Auditor for NetApp

Change Auditor for EMC

Page 23

Managing Files and Access can be difficult

• Providing timely information to help compliance/security teams meet requirements around file/object access is critical:

– What are users doing with their access?

– When do permission changes create potential violations?

– When do ownership changes take place?

• Critical documents may be at risk without reporting/alerting on permission and ownership changes.

• File/folder access auditing has always been a big hole with regard to compliance and security initiatives.

• Collecting and reporting on file access audit data is difficult and takes many man-hours.

• Archiving and consolidating event logs takes up a large amount of network bandwidth and disk space.

• Native file access auditing degrades server performance.

• Permission changes made to files and folders are difficult to capture and interpret.

Page 24

With Change Auditor for Windows File Servers, NetApp & EMC you can…

• Centralize File System and NAS auditing into a single task

– Normalized events across differing file infrastructure

– Simplify and centralize alerting & configuration

• Reduce cost & complexity and meet security objectives

– Easily determine what permission changed

– Easily determine what action was performed

• Improve IT Operational Management and Efficiency

– Critical system resources are saved & security is improved

• Block users from destructive and dangerous actions

– Prevent deletion and changes to permissions

– Windows File System only

Page 25

Change Auditor for Windows File Servers, NetApp & EMC

Page 26

Change Auditor for Windows File Servers

Page 27

Change Auditor for Windows File Servers

Screenshot callouts: Share Audit, Real-Time Alert, Rapid Report

Page 28

Change Auditor for Windows File Servers

Screenshot callout: Share Audit

Page 29

Change Auditor for SQL Server

Page 30

Change Auditor for SQL Server

• Organizations face increased demands to improve security to meet regulatory requirements surrounding sensitive and financial data.

• Reduce the risks of operational outages from accidental or malicious actions by privileged users.

• Report on the activity of DBAs and other privileged users on your SQL Servers across the enterprise and answer questions such as:

– How do you monitor access to confidential information?

– How do you log SQL Server security events such as startups, shutdowns, and logins and do you review exceptional events?

– How do you report on direct access to production data that is outside of normal application controls?

– How do you monitor database configuration and parameter setting changes?

Page 31

Change Auditor for SQL Server (2)

• Automates the process of collecting data about both privileged and non-privileged access.

• Centralizes the collected events

• Normalizes SQL and other Windows events into a single platform in simple to understand terms

• Allows privileged users to perform their important and required job duties by unobtrusively monitoring and auditing behaviors

• Allows you to answer your auditors’ and regulators’ questions about how you manage activity of users on SQL Servers across the enterprise

Page 32

Change Auditor for SQL Server Auditing Templates

• Enable SQL Server auditing by adding a SQL Auditing template to an agent configuration.

– The configuration can then be assigned to a Change Auditor agent (SQL Server)

• Change Auditor ships with a pre-defined SQL Auditing template

– Best Practice SQL Auditing Template

Page 33

Common SQL Configuration Examples

Only audit events for databases named “Accounting”:

Audit any activity that is not from this service account:

Audit any activity that is not from my application server:

Page 34

Change Auditor for SQL Server supports SQL Server 2005, 2008 and 2008 R2, and 2012

Page 35

Change Auditor for SQL Server

Page 36

Change Auditor for SQL Server: Captures the Actual Query Used

Page 37

Native SQL Auditing

Page 38

SQL Server Audit Events in the Best Practices Template

• Add DB User

• Add Login

• Add Login to server role

• Add Member to DB role

• Add Role

• Change Database Owner

• Change Member in DB Role

• Create database

• Delete database

• Delete DB user

• Delete Login

• Delete Login from Server role

• Delete member from DB role

• Delete Role

• Grant database access to DB user

• Revoke database access from DB user

In total, almost 400 SQL events can be captured.
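Three slides in this section fit together: the product captures the actual query text, maps it to named events such as those in the Best Practices template above, and then applies filters like "only the Accounting database", "not this service account" and "not my application server". The block below is an added example written for this page, not Change Auditor's code: it classifies captured T-SQL into the event names listed on the template slide and applies those three filters to a constructed sample of captured queries. The regular expressions are an assumption about what the corresponding T-SQL looks like, and all logins, hosts, databases and statements are constructed.

```python
"""Classify captured T-SQL into the audit event names from the Best Practices
template slide, then apply the three filters from the "Common SQL
Configuration Examples" slide. Added illustration for this page, not
Change Auditor's code; the regexes and all sample data are constructed."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Ordered (regex, event name) pairs; first match wins. Event names are the
# ones on the template slide, the regexes are an assumption about the T-SQL.
EVENT_PATTERNS = [
    (r"^CREATE\s+DATABASE\b", "Create database"),
    (r"^DROP\s+DATABASE\b", "Delete database"),
    (r"^CREATE\s+LOGIN\b", "Add Login"),
    (r"^DROP\s+LOGIN\b", "Delete Login"),
    (r"^CREATE\s+USER\b", "Add DB User"),
    (r"^DROP\s+USER\b", "Delete DB user"),
    (r"^CREATE\s+ROLE\b", "Add Role"),
    (r"^DROP\s+ROLE\b", "Delete Role"),
    (r"^ALTER\s+SERVER\s+ROLE\s+\S+\s+ADD\s+MEMBER\b", "Add Login to server role"),
    (r"^ALTER\s+SERVER\s+ROLE\s+\S+\s+DROP\s+MEMBER\b", "Delete Login from Server role"),
    (r"^ALTER\s+ROLE\s+\S+\s+ADD\s+MEMBER\b", "Add Member to DB role"),
    (r"^ALTER\s+ROLE\s+\S+\s+DROP\s+MEMBER\b", "Delete member from DB role"),
    (r"^ALTER\s+AUTHORIZATION\s+ON\s+DATABASE::", "Change Database Owner"),
    (r"^GRANT\s+CONNECT\b", "Grant database access to DB user"),
    (r"^REVOKE\s+CONNECT\b", "Revoke database access from DB user"),
]


@dataclass(frozen=True)
class CapturedQuery:
    login: str     # SQL login or Windows account that ran the statement
    host: str      # workstation or server the connection came from
    database: str  # database context the statement ran in
    sql: str       # the actual statement text


def classify(sql: str) -> Optional[str]:
    """Map a statement to a template event name, or None if not a template event."""
    text = re.sub(r"\s+", " ", sql.strip())
    for pattern, name in EVENT_PATTERNS:
        if re.match(pattern, text, re.IGNORECASE):
            return name
    return None


@dataclass(frozen=True)
class AuditConfig:
    """The three filters from the configuration-examples slide, combined."""
    only_databases: FrozenSet[str] = frozenset()  # empty set means every database
    exclude_logins: FrozenSet[str] = frozenset()  # e.g. a service account
    exclude_hosts: FrozenSet[str] = frozenset()   # e.g. the application server

    def wants(self, q: CapturedQuery) -> bool:
        if self.only_databases and q.database.lower() not in self.only_databases:
            return False
        if q.login.lower() in self.exclude_logins:
            return False
        if q.host.lower() in self.exclude_hosts:
            return False
        return True


def audit(queries: List[CapturedQuery], config: AuditConfig) -> List[Tuple[str, str, str, str]]:
    """Return (login, host, database, event name) for every captured query that
    is a template event and passes the configured filters."""
    out = []
    for q in queries:
        name = classify(q.sql)
        if name is not None and config.wants(q):
            out.append((q.login, q.host, q.database, name))
    return out


# Constructed configuration: only Accounting, not the ERP service account,
# not the application server.
EXAMPLE_CONFIG = AuditConfig(
    only_databases=frozenset({"accounting"}),
    exclude_logins=frozenset({"svc_erp"}),
    exclude_hosts=frozenset({"app-srv-01"}),
)

# Constructed sample of captured queries.
SAMPLE_QUERIES = [
    CapturedQuery("CORP\\jdoe", "WS-042", "Accounting", "ALTER SERVER ROLE sysadmin ADD MEMBER [CORP\\jdoe]"),
    CapturedQuery("svc_erp", "APP-SRV-01", "Accounting", "CREATE USER reports FOR LOGIN reports"),
    CapturedQuery("CORP\\jdoe", "WS-042", "Payroll", "DROP DATABASE Payroll"),
    CapturedQuery("CORP\\admin", "WS-007", "Accounting", "SELECT * FROM dbo.Invoices"),
    CapturedQuery("CORP\\admin", "WS-007", "Accounting", "ALTER AUTHORIZATION ON DATABASE::Accounting TO [CORP\\admin]"),
]

if __name__ == "__main__":
    for login, host, database, name in audit(SAMPLE_QUERIES, EXAMPLE_CONFIG):
        print(f"{name:32} {login} from {host} in {database}")
```

With the constructed data, two of the five captured queries survive: the service-account query is dropped by the login and host exclusions, the Payroll statement by the database filter, and the SELECT because it is not one of the template's events. Note that the exclusions are applied before classification is reported, so a filtered-out service account could change a server role without producing an event; that is the trade-off behind the "not from this service account" example and is worth weighing before enabling it.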

Page 39

Change Auditor for SharePoint

Page 40

Change Auditor for SharePoint

• Audit SharePoint 2010 & 2013

– Includes Foundation Servers

– Doc libraries, Lists, Permissions, etc.

• Powerful tool when combined with CA UI grouping/sorting/filtering

– See historical changes to sites and documents

– Track users' activity on a site-by-site basis

• Track changes to farm/site configuration

– Audits changes to Central Administration

– Additions of Sites and Site Libraries

Page 41

Change Auditor for SharePoint

Page 42

Change Auditor Reporting

Page 43

Reporting Capabilities in Change Auditor

Page 44

Built-in Searches for Historical Reporting

Page 45

Recommended Best Practice Reporting

Page 46

Regulatory Compliance Reporting

Page 47

InTrust

Page 48

Make sense of your IT data with on-the-fly investigations

• InTrust: consolidate, store, search and analyze massive amounts of IT data in one place with real-time insights into user activity for security, compliance and operational visibility.

– Reduce the complexity of searching, analyzing and maintaining critical IT data scattered across information silos

– Speed security investigations and compliance audits with complete real-time visibility of your privileged users and machine data in one searchable place

– Troubleshoot widespread issues should an incident occur

– Save on storage costs and adhere to compliance event log requirements (HIPAA, SOX, PCI, FISMA, etc.) with a highly compressed and indexed online long-term event log repository

Page 49

InTrust as a big data solution with IT Search

“Make sense of your IT data”

• IT Search lets your organization make sense of the “big IT data”, including log events, changes, file permissions, user entitlements and more, to streamline regulatory compliance, conduct security incident investigations and improve day-to-day operations

Page 50

Search all IT assets in one place

Page 51

Exploit relationships between events and state based data

Page 52

See what resources users have accessed

Page 53

See where users have access

Page 54

See how access was obtained

Page 55

Other Enhancements

Task: Gathering of Windows logs
The old way: Schedule based, have to wait hours until data becomes available
The new way: Real-time, data is available seconds after it is generated

Task: Support of network devices (syslog data)
The old way: Separate set up, unnecessary Windows event log overhead, poor performance
The new way: Built into the main InTrust components, no overhead, great performance

Task: Running reports
The old way: Slow import to the SQL database, clunky SSRS infrastructure, hard to create custom reports
The new way: Reports directly from the repository, RV as the reporting client, every search easily converts into a report

Task: Integration with CA and ER
The old way: Clunky and limited integration through QKP
The new way: Unified and fast access to data from multiple products through a web based search engine

Task: Integration with SIEM
The old way: Schedule based querying of the audit DB
The new way: Real-time forwarding of all logs that are collected

Task: Incident investigation
The old way: Slow, static and raw analysis of events from the audit DB
The new way: Fast, customizable and free form searches against the indexed repository with rich results visualization

Page 56

Change Auditor Integration

Page 57

Change Auditor and InTrust

Page 58

Change Auditor Long Term Storage & InTrust Architecture (diagram not reproduced). Labels recoverable from the diagram: InTrust (Short Term Storage); Reports (Knowledge Portal); InTrust - Scheduled (Long Term Storage); Change Auditor (Real Time Change Auditor Client); audited sources: Exchange, Active Directory/LDAP, Windows File Server, SQL Server, EMC, NetApp; 40X compression ratio.

Page 59

Page 60

To learn more about Change Auditor

• http://www.software.dell.com/products/change-auditor

• Write an e-mail to [email protected]