Tools to track down security threats and prove regulatory compliance
The reality is simple: If you suspect that your network has been compromised, the built-in tools provided by Microsoft aren’t going to be much help. Trying to find the culprit using Event Viewer is like looking for a needle in a haystack. You need a tool that can lay out the data in a clear and concise manner—you need a good Active Directory (AD) auditing tool. I’ll show you six products that will bring a smile to your face and put your mind at ease.
My environment for testing each product consisted of a Windows Server 2008 AD domain hosted on a VMware ESXi host. When needed, I added a separate server running Microsoft SQL Server 2008 or SQL Server 2008 Express to the domain. The products were installed on a domain controller (DC), SQL Server machine, or VMware virtual appliance. To create the organizational unit (OU) structure and add users to each domain, I ran a simple script that used the Dsadd command-line tool. Detailed side-by-side comparisons of each product can be viewed in the online product comparison table.
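The article only mentions a Dsadd script for populating the lab domain. The following added example, not the author's script, builds a similar OU tree and then performs one of each change type the reviewed tools claim to report (create, modify, move, rename, delete), so you can verify that every operation actually appears in a tool's reports. It assumes a lab domain named lab.local and a domain admin session on a DC; the DN, names and password are constructed values.

```powershell
# Added example (not the article's script): populate a lab OU tree with the
# ds* command-line tools and generate one AD change of each kind that the
# reviewed auditors should catch. Assumptions: run as a domain admin on a lab
# DC; $Domain is the constructed lab domain DN.

$Domain   = 'DC=lab,DC=local'               # constructed lab value
$Root     = "OU=AuditLab,$Domain"
$Password = 'Lab-P@ssw0rd-2008!'            # constructed; must satisfy domain policy

function Invoke-Ds {
    # Run a ds* command and stop on the first failure so later steps don't mask it.
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ArgList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Create: root OU, two child OUs and five users per child OU.
Invoke-Ds dsadd @('ou', $Root)
foreach ($ou in 'Sales', 'Engineering') {
    $ouDn = "OU=$ou,$Root"
    Invoke-Ds dsadd @('ou', $ouDn)
    1..5 | ForEach-Object {
        $sam = '{0}{1:d2}' -f $ou.ToLower(), $_
        Invoke-Ds dsadd @('user', "CN=$sam,$ouDn", '-samid', $sam, '-upn', "$sam@lab.local",
                          '-pwd', $Password, '-disabled', 'no', '-mustchpwd', 'yes')
    }
}

# 2. Modify: change an attribute (description). Tools with before/after
#    support should show both the old (empty) and the new value.
Invoke-Ds dsmod @('user', "CN=sales01,OU=Sales,$Root", '-desc', 'Moved to Engineering')

# 3. Move: relocate the user between OUs.
Invoke-Ds dsmove @("CN=sales01,OU=Sales,$Root", '-newparent', "OU=Engineering,$Root")

# 4. Rename: change the object's RDN.
Invoke-Ds dsmove @("CN=sales01,OU=Engineering,$Root", '-newname', 'eng-sales01')

# 5. Delete: remove one user. Uncomment the last line to tear the lab tree down,
#    which also exercises the tombstone/restore features some tools offer.
Invoke-Ds dsrm @("CN=engineering05,OU=Engineering,$Root", '-noprompt')
# Invoke-Ds dsrm @($Root, '-subtree', '-noprompt')
```

After running it, each of the five steps should be visible in the tool under test with the correct acting user, object DN and timestamp.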
Blackbird Group’s Blackbird Auditor for Active Directory
Blackbird Group has a complete management suite for AD that consists of six modules, one of which is Blackbird Auditor for Active Directory. Each module can be purchased separately or together as a suite. All the modules are managed from the same management console. Unlike the other products in this review, Blackbird Auditor is licensed per employee, not by AD user, potentially saving you licensing costs.
Blackbird Auditor should be installed on a dedicated server. It requires Microsoft .NET Framework 3.5 and a SQL Server 2005 or later back end, which can be hosted on the dedicated server. However, SQL Server 2008 Express can be used for small environments (up to 2 DCs and a maximum of 2,500 users). For this review, I chose to use SQL Server 2008 Express.
After taking care of the prerequisites, you first install the Blackbird Management Suite Server software on the dedicated server. Licensing is handled with a .license file. The installation wizard walks you through setting up the Blackbird Service, directory connector, and back-end database. It also takes care of configuring the Windows Server firewall exceptions.
Next, you install the console using the Blackbird Management Suite Console software. It can be installed on the dedicated server or on a Windows XP or later workstation.
After the base application and console have been installed, one or more modules need to be installed. For this review, I installed only Blackbird Auditor.
Finally, you need to install an agent (what the company calls a handler) on each DC in your domain. This is done from the Management Suite Console by right-clicking the AD node and choosing Deploy data handler. The agent can be installed one DC at a time or on multiple DCs in a single operation.
Blackbird Auditor’s main console is wrapped in a Microsoft Management Console (MMC). From the console, you can easily view any of the built-in reports that will show you the activity in your domain, including changes made to computers, Group Policy Objects (GPOs), groups, OUs, and users. If your company is audited regularly, you’ll appreciate the prebuilt Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI), and Sarbanes-Oxley (SOX) Act compliance reports.
If the built-in reports don’t show what you’re looking for, you can create your own. First, you create a new “Audit View” by answering a few who, what, where, and when type questions. Then, you schedule the audit. You can have the report emailed to you in .pdf or .xml format.
Reports are great for after-the-fact information, but there are certain events you need to know about right away. Blackbird Auditor can notify you when changes (create, modify, delete, move, and rename operations) are made to certain accounts or object types or when they occur on specific workstations or DCs.
Blackbird Auditor is tightly integrated with the MMC Active Directory Users and Computers snap-in. Installing the Blackbird RSAT Extensions adds several options to the snap-in. The Show audit trail, Show account activity, and Show group membership changes options are added to user objects. For example, right-clicking a user object and choosing Show audit trail displays the changes made to objects and who made the changes, as Figure 1 shows. The Show audit trail option is also added to group and OU objects.
Figure 1: Displaying an audit trail in Blackbird Auditor for Active Directory
Blackbird Auditor is a simple yet powerful tool. When combined with one or more of the other Blackbird modules, it puts the tools needed to manage AD at administrators’ fingertips.
ManageEngine’s ADAudit Plus
Unlike the other products in this review, ADAudit Plus from ManageEngine (a division of Zoho) doesn’t require a SQL Server or SQL Server Express database. Instead, a MySQL database is configured for you during installation.
For this evaluation, I installed ADAudit Plus directly on the DC. However, in a production environment, you’ll want to install it on a dedicated server. Licensing is handled through an XML file.
The installation took only a few minutes, and soon I was logging onto the admin console through a web page (port 8081 by default). The setup process was easy because the console walks you through each step. You just enter the name of your domain and DC, after which you edit the Default Domain Controllers Group Policy so that events are captured correctly. It is important to note that the events are gathered in batches instead of being captured in real time.
ADAudit Plus can be run as a standalone application (where you have to remember to start the program every time the computer is restarted) or as a service. Running the program as a service removes the requirement that you manually start the application every time the server is restarted.
Once logged on, a nice dashboard gives you an overview of recent domain activity, including logon failures, number of users locked out, peak logon hours, and how many passwords have been set or changed. You can drill down into each graph in the dashboard to see more detailed information. ADAudit Plus has one of the best dashboards of the products I reviewed.
The Reports tab is where you can really get into the meat of the data, as Figure 2 shows. The 33 built-in reports are grouped into 8 specific categories: User Logon Reports, Local Logon-Logoff, User Management, Group Management, Computer Management, Domain Policy Changes, OU Management, and GPO Management. There are no built-in regulatory compliance reports.
Figure 2: Reviewing the last modification made to user objects in ADAudit Plus
To create your own report, you click New Report Profile and fill out a simple query form. For example, I was able to easily create a report on all OUs that had been created, deleted, renamed, or moved, had their permissions changed, or had child objects added. Specific OUs can be targeted in the report, or the entire domain can be reported on.
If you want to be notified when something specific happens in the domain, you can configure web alerts or email alerts. For example, you can have ADAudit alert you when a logon failure occurs, a user or group is created or deleted, a domain policy is changed, or a GPO or OU is deleted.
I found that the user guide was a bit lacking. It wasn't terrible, but this web-based guide could have walked users through setup and administration better.
For basic Security event log reporting, ADAudit Plus is a great value. It does a good job of capturing the data and presenting it in a manageable format. I did find that it lacked the ability to capture before and after data, even though Microsoft now includes this capability in the Security event log in Windows Server 2008 or later. According to ManageEngine, this feature is in development and might be released by the time you read this.
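The before/after data the author refers to is recorded by Windows Server 2008 and later as Security event 5136 when the Directory Service Changes audit subcategory is enabled and the audited container carries a SACL. A single attribute write produces two 5136 events sharing an OpCorrelationID, one holding the old value (Value Deleted) and one the new value (Value Added). The following added example, not part of the article or any reviewed product, pairs those events into a before/after table; the computer name and event count are assumptions.

```powershell
# Added example (not from the article): reconstruct before/after values for AD
# attribute changes from Security event 5136 on a Windows Server 2008+ DC.
# Prerequisites (check with: auditpol /get /subcategory:"Directory Service Changes"):
# the subcategory is enabled for Success and the audited OU has a SACL.

param(
    [string]$ComputerName = 'localhost',   # assumption: a DC whose Security log you can read
    [int]$MaxEvents = 2000
)

# Pull only event 5136; -FilterHashtable avoids parsing every Security event.
$events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{
    LogName = 'Security'; Id = 5136
} -ErrorAction Stop

# Turn one event's XML payload into an object keyed by its <Data Name="..."> fields.
function ConvertTo-DsChange {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # %%14674 = Value Added, %%14675 = Value Deleted (Windows message resource ids)
    $op = switch ($d['OperationType']) {
        '%%14674' { 'Added' }
        '%%14675' { 'Deleted' }
        default   { $_ }
    }
    New-Object PSObject -Property @{
        Time        = $Record.TimeCreated
        Correlation = $d['OpCorrelationID']
        Actor       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        ObjectDN    = $d['ObjectDN']
        Attribute   = $d['AttributeLDAPDisplayName']
        Value       = $d['AttributeValue']
        Operation   = $op
    }
}

$changes = $events | ForEach-Object { ConvertTo-DsChange $_ }

# Group the Deleted/Added pair of one write so the report reads old -> new.
$changes |
    Group-Object Correlation, ObjectDN, Attribute |
    ForEach-Object {
        $old = ($_.Group | Where-Object { $_.Operation -eq 'Deleted' } | Select-Object -First 1).Value
        $new = ($_.Group | Where-Object { $_.Operation -eq 'Added' }   | Select-Object -First 1).Value
        New-Object PSObject -Property @{
            Time      = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            Actor     = $_.Group[0].Actor
            ObjectDN  = $_.Group[0].ObjectDN
            Attribute = $_.Group[0].Attribute
            Before    = $old
            After     = $new
        }
    } |
    Sort-Object Time -Descending |
    Format-Table Time, Actor, ObjectDN, Attribute, Before, After -AutoSize
```

A row with an empty Before column is an attribute that was newly set (only a Value Added event exists); an empty After column means the attribute was cleared.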
NetVision’s NVAssess
NetVision’s NVAssess comes packaged differently than the other five products in this review. You can purchase NVAssess as a virtual appliance, a turnkey solution in the form of 1U server appliance, or a managed service. NVAssess supports Windows Server 2003 AD and later. Although Windows 2000 Server AD is supported under specific conditions, it isn’t recommended. NVAssess uses a SQL Server back end. SQL Server 2008 and SQL Server 2008 Express are supported.
The virtual appliance is supported in VMware ESX or ESXi 3.5 or later. There is also a version that can run in VMware Workstation 6.5. For this review, I downloaded the 8GB virtual appliance in the form of a file named SimonNV711-ESX.ova. I used a free VMware tool named OVF Tool to properly import the SimonNV711-ESX.ova file into my ESXi server.
The rest of the setup can be performed by you or NetVision technical support. NetVision recommends that you let its support staff assist you in the initial setup, as it can greatly reduce your ramp-up time and get the application working quickly. The cost for this service varies by the size of your infrastructure, but you can expect to pay at least a few hundred dollars to more than a thousand dollars. Personally, I found the support folks to be extremely knowledgeable and personable, and they had me up and running in no time. In the overall scheme of things, a thousand dollars is not that big of a deal and it’s money well spent.
When I called tech support, the technician had me use a screen-sharing program called TeamViewer so that he could connect to my NVAssess virtual appliance. I watched as the technician manually installed the required agents onto each DC. NetVision wrote these agents to interact with AD directly (bypassing the event logs) and use Microsoft’s Background Intelligent Transfer Service (BITS) to transfer the activity data back to the SQL Server database. While the agents were installing, we had a nice discussion about using Group Policy and transform files (using the free transform creator, Orca) to automate the agent installation process. I have a feeling that you might see this method in the next version of the virtual appliance.
As the technician continued to configure the software, he explained that the purpose of the setup service is to not only make sure everything is working correctly but also assist the customer in getting the most out of the software. For example, although there are some built-in HIPAA templates, the technician was very interested in what I wanted to monitor and was more than willing to help me get the data that I (or perhaps more important, the auditors) need.
The server appliance runs Windows Server 2008 Standard Edition on 32-bit virtual hardware (2 CPUs and 4GB of memory). Although the server itself is 32-bit, the DC agents come in both 32-bit and 64-bit versions. SQL Server 2008 Express is installed, but you can upgrade it to a full version of SQL Server 2008 or point the appliance to an already existing instance.
Because NVAssess comes preconfigured in the server appliance, the setup is already done for you. Your only immediate tasks are to change the IP address to match your environment and add the server’s A record to your internal DNS infrastructure. Changing the name of the server and adding it to the domain is supported but not recommended because it can break some of the preconfigured settings in the appliance. These settings can be fixed, but it causes extra work for you.
In addition to monitoring AD, you can use NVAssess to monitor Microsoft Exchange, file servers, Network Appliance (NetApp) SANs, and even Novell eDirectory. You use two utilities for monitoring: the NetVision Administration Console, a 32-bit program that runs on the virtual or server appliance, and NvMonReport, a web-based application that can be accessed from any browser.
The NetVision Administration Console is where you choose what you want to monitor in AD. You simply drag a policy template from the Template area to the Policy area, where you define it. Policies can include and exclude attributes of AD objects that you want to monitor. For example, you can create a policy that monitors all user changes (which includes user logons) or a policy that monitors all user changes, except user logons. After you define and enable the policy, NVAssess immediately starts monitoring AD for the specified conditions.
Raw data and reports can be viewed in NvMonReport. A Report Wizard walks you through creating reports on effective rights (who has access to what), explicit rights (who has actual rights, not inherited rights), group membership, delegated control, direct user assignments (where a user, not a security group, has been granted access), and denied entries (where permissions have been explicitly denied).
If the reports aren’t exactly to your liking, the NetVision support staff can help you tweak them. I found the reports to be very granular. If you need to receive the reports via a schedule, NVAssess can send them to you in .pdf or .xls format. If you want NVAssess to act immediately when it detects nefarious activity, you can set up an Action item that runs either a Visual Basic (VB) or C# script.
Overall, I was impressed with the product. It’s extremely robust and not simply a canned, one-size-fits-all application. Although the initial cost and setup time might be a turn off to some people, those who desire a custom solution will appreciate not being boxed in. If you desire a partner that will work with you on your AD auditing solution, NetVision would be a good choice.
NetWrix’s Active Directory Change Reporter
Active Directory Change Reporter is a sister application to other Change Reporter tools offered by NetWrix. I reviewed Group Policy Change Reporter last year (“NetWrix Group Policy Change Reporter”) and immediately felt at home with the interface of Active Directory Change Reporter. It’s easy to navigate and understand.
Active Directory Change Reporter can be installed on a DC or Windows XP or later workstation as long as it’s a member of the domain. I chose to install it on the same server on which I installed SQL Server. Change Reporter supports SQL Server 2005 or later. SQL Server 2005 Express is also supported, but you must have the version that includes Advanced Services.
Setting up the product is quick and easy. However, getting all the prerequisites out of the way can take some time and configuration. Because I was using Windows Server 2008 in the test lab, the automatic configuration wizards in the setup routine didn’t work. Instead, I had to follow special instructions that guide you through manually setting up SQL Server 2005 Express with Advanced Services and IIS 7.0. A wizard helps you configure the license, deploy agents to DCs, adjust the audit policy settings on the DCs, enable long-term archiving, and more. It also helps you change the tombstoneLifetime property from 180 to 744 days so that deleted AD objects can be restored.
As soon as the setup was complete, I was able to quickly generate the report. As Figure 3 shows, the left side of the management console guides you through finding the report that you need. There are 38 prebuilt reports, including reports on schema changes, site changes, and AD changes by date, object type, or user.
Figure 3: Browsing through the built-in reports in Active Directory Change Reporter
A unique feature of Active Directory Change Reporter is the Best Practice Reports. These reports are broken into six subcategories: AD Structure, Computer Account, Domain Controller, Group Membership, Object Security, and User Account. For example, under AD Structure, a prebuilt report titled “Organizational Units Created” can help you determine whether a rogue administrator is creating unnecessary clutter in your domain. Another report under Group Membership shows who has been added or removed from security groups or Distribution Groups (DGs). Each report helps you keep a handle on the changes being made to the domain.
If these reports don’t show you the data that you require, AD Change Reporter uses Microsoft’s SQL Server Reporting Services (SSRS) to store the data gathered from DCs. This is why you must ensure that SQL Server 2005 Express is installed with Advanced Services. With SSRS, you can quickly adjust the built-in reports and get the data you need.
A feature above and beyond basic reporting is the Restore Wizard. Using either standard AD tombstone data (AD objects that have been marked for deletion but haven’t been purged from the database yet) or NetWrix snapshots, you can easily restore individual objects without restoring the entire AD database.
As I mentioned previously, AD Change Reporter is a sister application to other NetWrix products. Combined with these other easy-to-use tools, you have a real powerhouse.
Quest Software’s ChangeAuditor for Active Directory
Quest Software’s ChangeAuditor for Active Directory is great at helping you view, manipulate, and really dig into the data that it gathers about the activity on your domain. It consists of four components:
- The ChangeAuditor Coordinator
- The ChangeAuditor Client
- ChangeAuditor Agents
- A SQL Server database
The first step is to install the Coordinator. The Coordinator gathers all the events that the Agents send and can be installed on the same machine as SQL Server or on a separate server. The installation is quick and painless.
After the Coordinator is installed, you need to install the Client on the same server as the Coordinator or on a separate management computer. The Client application is where you will spend all of your time.
Next, you need to install an Agent on each DC so that it can monitor that domain’s activity. Installing an Agent is easy. Using the ChangeAuditor application, you simply right-click the server (or servers—using the Shift key allows multiple servers to be selected), click Install or Upgrade, and enter credentials with administrative privileges. The install takes just a few minutes to complete. No further configuration of the Agents is necessary.
The Client console is simple to navigate and makes it easy to break down and dig into the raw data. Gathering details about events is clean. Before and after values show you exactly what was changed.
If you need to provide information to non-IT personnel, you'll appreciate the reports that are ready to go out of the box. All you need to do is run the reports to provide the non-IT personnel with answers to questions such as “Who has been adding OUs?” and “Who has been altering user accounts?” as Figure 4 shows. For those of you who have to worry about compliance to HIPAA, PCI, SOX, Statement on Auditing Standards (SAS) 70, and Gramm-Leach-Bliley Act (GLBA), the product’s canned searches can help you convince auditors that you really do have your ducks in a row.
Figure 4: Analyzing events by OUs in ChangeAuditor for Active Directory
Now that you have easy access to this data, what does it all mean? Quest provides a robust knowledge base that’s directly linked to security events. When you right-click an event and choose Knowledge base, a web page appears, explaining what the event means in detail.
As you gather data over the months, you might want to eventually move old records from the database to an archive. Under the Administration Tasks tab, you can easily set up a task that can archive, purge, or archive then purge records. When purging records, you can select records older than a specific date and records that meet specific criteria, such as events that contain a specific string or events from specific computers, domains, users, or groups. Database archives can be saved by calendar month, quarter, or year.
If you need to really dig into the AD data, ChangeAuditor puts the necessary tools at your fingertips. For an additional charge per Agent, you can even have ChangeAuditor monitor Exchange, file servers, SQL Server, NetApp SANs, and EMC SANs. ChangeAuditor is supported on Windows 2003 or later. It requires SQL Server 2005 or later and .NET Framework 4.0.
ScriptLogic’s Active Administrator
Like the other five products, ScriptLogic’s Active Administrator requires a database to store security events. Unlike the other five products, Active Administrator is by far the most flexible in this area. It supports SQL Server 2000 and later, Microsoft Data Engine (MSDE) 2000, and the newer SQL Server Express database engines. Also unlike the other products, Active Administrator utilizes the Group Policy Management Console (GPMC), so this must be installed as well as .NET Framework 3.5.
The first step is to install the Active Administrator Server software. This only has to be installed on one server. The installation routine quickly walks you through configuring the license file, creating the database, and configuring SMTP, service account passwords, and AD backup and restore settings.
Next, auditing needs to be enabled on each DC. The easiest way to do this is with the Default Domain Controllers Policy. The Active Administrator Installation Guide walks you through the specific audit policy settings that need to be adjusted. Once the policy has been edited, you need to run the gpupdate /force command on each DC.
To collect information from the event logs, you use the Active Administrator application to deploy the Collection Agent to each DC. Finally, you install the Active Administrator Console on any machine (e.g., your administration workstation).
The first thing you notice about Active Administrator is that this application does much more than just AD auditing. It includes many tools that AD administrators need to use daily. All the features and tools that Microsoft forgot to put into the Active Directory Users and Computers snap-in and GPMC are included in Active Administrator. For example, after using the delegate control feature in the Active Directory Users and Computers snap-in, you quickly realize that it’s really a one-way tool. You can easily delegate permissions, but revoking them or even understanding what permissions you have granted is challenging. Active Administrator cleans up what Microsoft left behind. Revoking permissions is as easy as delegating them. If auditors ask you to demonstrate who has special permissions in AD, a report is just a click away.
Active Administrator has some impressive Group Policy management features as well. Group Policy gives you great power that can make your job easier, but that power can also cause “Resume Generating Events (RGEs).” Active Administrator’s Group Policy Rollback feature helps you quickly undo the mistake and get the network back to normal.
Another bonus feature is the password restore tool. If your domain is running Windows 2003 SP1 or later, Active Administrator can restore the password of deleted users or computers. This does require a minor change to the Unicode-PWD object’s searchFlags attribute in AD. (Note that this isn’t a schema change but rather a simple attribute change.)
To view the data that’s gathered from the DCs, you can click the Create New Report option to retrieve the last 1,000 events. You can then apply filters, such as Date/Time Range, Acting Users, and Affected Object Types. Figure 5 shows how easy it is to add filters. When you have the data you need, you click View Report to view the data. The report can be easily scheduled from this screen as well.
Figure 5: Filtering events in Active Administrator
One notably missing feature is built-in regulatory compliance reports. However, ScriptLogic offers such reports in a separate product named Enterprise Security Reporter. Like most of the other products, Active Administrator can alert you via email when a specific event occurs.
Each of the six AD auditing tools gives you features well above and beyond what Microsoft includes in Windows Server and AD. Whether you need to track down that rogue user who is constantly testing the limits of your security or prove to an auditor that your systems are in compliance, you can’t go wrong with one of them. Each one has its own strengths and weaknesses, but the one that impressed me the most was NVAssess, which is why it earns the Editor’s Choice award.