Tools to track down security threats and prove regulatory compliance
The reality is simple: If you suspect that your network has been compromised, the built-in tools provided by Microsoft aren’t going to be much help. Trying to find the culprit using Event Viewer is like looking for a needle in a haystack. You need a tool that can lay out the data in a clear and concise manner—you need a good Active Directory (AD) auditing tool. I’ll show you six products that will bring a smile to your face and put your mind at ease.
My environment for testing each product consisted of a Windows Server 2008 AD domain hosted on a VMware ESXi host. When needed, I added a separate server running Microsoft SQL Server 2008 or SQL Server 2008 Express to the domain. The products were installed on a domain controller (DC), SQL Server machine, or VMware virtual appliance. To create the organizational unit (OU) structure and add users to each domain, I ran a simple script that used the Dsadd command-line tool. Detailed side-by-side comparisons of each product can be viewed in the online product comparison table.
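The author's Dsadd script is not reproduced in the review. The following is an added example (not the author's script) of how such a lab population step can be done with Dsadd from PowerShell: it builds a small OU tree, one security group per leaf OU, and a few users placed in those OUs. The domain `DC=contoso,DC=com`, the OU, group and user names, and the `ConvertTo-OuDn`, `Invoke-Dsadd` and `New-LabPassword` helpers are all constructed for this example.

```powershell
# Added example (not the article's script): build a lab OU tree, one security
# group per OU, and test users with the Dsadd command-line tool.
# Assumptions: a lab domain DC=contoso,DC=com; OU, group and user names below
# are constructed. Run from an elevated prompt on a DC or a host with RSAT.

$BaseDn    = 'DC=contoso,DC=com'      # assumed lab domain
$UpnSuffix = 'contoso.com'

# Constructed OU tree, written as backslash paths so nesting is obvious.
$Ous = @('Corp', 'Corp\Sales', 'Corp\Engineering')

# Constructed test users; Ou refers to an entry in $Ous.
$Users = @(
    @{ First = 'Alice'; Last = 'Adams'; Sam = 'aadams'; Ou = 'Corp\Sales' },
    @{ First = 'Bob';   Last = 'Baker'; Sam = 'bbaker'; Ou = 'Corp\Sales' },
    @{ First = 'Carol'; Last = 'Chen';  Sam = 'cchen';  Ou = 'Corp\Engineering' }
)

# Turn 'Corp\Sales' into 'OU=Sales,OU=Corp,DC=contoso,DC=com'.
function ConvertTo-OuDn {
    param([string]$Path, [string]$BaseDn)
    $parts = $Path -split '\\'
    [array]::Reverse($parts)
    return (($parts | ForEach-Object { "OU=$_" }) -join ',') + ",$BaseDn"
}

# Run dsadd and surface failures instead of letting them scroll past.
function Invoke-Dsadd {
    param([string[]]$Arguments)
    $output = & dsadd @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dsadd $($Arguments -join ' ') failed: $output"
        return $false
    }
    return $true
}

# Throwaway password that satisfies a default complexity policy. The accounts
# are created disabled so lab objects cannot be used for logon until someone
# deliberately enables them and sets a real password.
function New-LabPassword {
    $chars = [char[]]((65..90) + (97..122) + (48..57))
    return ((1..14 | ForEach-Object { $chars | Get-Random }) -join '') + '!1'
}

# 1. OUs (parents first, because $Ous is listed top-down).
foreach ($ou in $Ous) {
    $dn = ConvertTo-OuDn -Path $ou -BaseDn $BaseDn
    Invoke-Dsadd @('ou', $dn) | Out-Null
}

# 2. One global security group per leaf OU, e.g. 'Sales Staff'.
foreach ($ou in ($Ous | Where-Object { $_ -like '*\*' })) {
    $leaf    = ($ou -split '\\')[-1]
    $groupDn = "CN=$leaf Staff," + (ConvertTo-OuDn -Path $ou -BaseDn $BaseDn)
    Invoke-Dsadd @('group', $groupDn, '-secgrp', 'yes', '-scope', 'g') | Out-Null
}

# 3. Users, each placed in its OU and added to that OU's group.
foreach ($u in $Users) {
    $ouDn    = ConvertTo-OuDn -Path $u.Ou -BaseDn $BaseDn
    $leaf    = ($u.Ou -split '\\')[-1]
    $userDn  = "CN=$($u.First) $($u.Last),$ouDn"
    $groupDn = "CN=$leaf Staff,$ouDn"
    $dsArgs = @(
        'user', $userDn,
        '-samid',     $u.Sam,
        '-upn',       "$($u.Sam)@$UpnSuffix",
        '-fn',        $u.First,
        '-ln',        $u.Last,
        '-display',   "$($u.First) $($u.Last)",
        '-pwd',       (New-LabPassword),
        '-mustchpwd', 'yes',
        '-disabled',  'yes',
        '-memberof',  $groupDn
    )
    if (Invoke-Dsadd $dsArgs) { Write-Host "Created $userDn" }
}
```

Every object this script creates (OU, group, user, and the group-membership change) is exactly the kind of event the products in this review are meant to surface, so running it against a lab domain after the auditing agent is installed gives a known set of changes to look for in the reports.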
Blackbird Group’s Blackbird Auditor for Active Directory
Blackbird Group has a complete management suite for AD that consists of six modules, one of which is Blackbird Auditor for Active Directory. Each module can be purchased separately or together as a suite. All the modules are managed from the same management console. Unlike the other products in this review, Blackbird Auditor is licensed per employee, not by AD user, potentially saving you licensing costs.
Blackbird Auditor should be installed on a dedicated server. It requires Microsoft .NET Framework 3.5 and a SQL Server 2005 or later back end, which can be hosted on the dedicated server. For small environments (up to 2 DCs and a maximum of 2,500 users), SQL Server 2008 Express is sufficient. For this review, I chose to use SQL Server 2008 Express.
After taking care of the prerequisites, you first install the Blackbird Management Suite Server software on the dedicated server. Licensing is handled with a .license file. The installation wizard walks you through setting up the Blackbird Service, directory connector, and back-end database. It also takes care of configuring the Windows Server firewall exceptions.
Next, you install the console using the Blackbird Management Suite Console software. It can be installed on the dedicated server or on a Windows XP or later workstation.
After the base application and console have been installed, one or more modules need to be installed. For this review, I installed only Blackbird Auditor.
Finally, you need to install an agent (what the company calls a handler) on each DC in your domain. This is done from the Management Suite Console by right-clicking the AD node and choosing Deploy data handler. The agent can be installed one DC at a time or on multiple DCs in a single operation.
Blackbird Auditor’s main console is wrapped in a Microsoft Management Console (MMC). From the console, you can easily view any of the built-in reports that will show you the activity in your domain, including changes made to computers, Group Policy Objects (GPOs), groups, OUs, and users. If your company is audited regularly, you’ll appreciate the prebuilt Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI), and Sarbanes-Oxley (SOX) Act compliance reports.
If the built-in reports don’t show what you’re looking for, you can create your own. First, you create a new “Audit View” by answering a few who, what, where, and when questions. Then, you schedule the audit. You can have the report emailed to you in .pdf or .xml format.
Reports are great for after-the-fact information, but there are certain events you need to know about right away. Blackbird Auditor can notify you when changes (create, modify, delete, move, and rename operations) are made to certain accounts or object types or when they occur on specific workstations or DCs.
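To make concrete what a product like this is sorting out for you, here is an added example (not part of the review or of any product in it) that pulls the raw change events the Security log already records on a DC and groups them by the same create, modify, delete, move, and rename categories. It assumes the advanced audit policy subcategories "Directory Service Changes" (events 5136, 5137, 5139, 5141) and "User Account Management" (events 4720, 4726, 4738, 4781) are enabled and that the watched OUs carry a SACL; without both, the 513x events are never written. The `Get-EventField` and `Get-AdChangeSummary` functions and the `-WatchAccounts` parameter are constructed for this example.

```powershell
# Added example (not part of the review or any product in it): summarise the AD
# change events the Security log already holds by create/modify/delete/move/rename.
# Assumptions: run on a DC; "Audit Directory Service Changes" and "Audit User
# Account Management" are enabled in the advanced audit policy, and the watched
# OUs carry a SACL, otherwise the 513x events never fire.

$Categories = @{
    5137 = 'create';  4720 = 'create'
    5136 = 'modify';  4738 = 'modify'
    5141 = 'delete';  4726 = 'delete'
    5139 = 'move'
    4781 = 'rename'
}

# Pull one named field out of the event's EventData block.
function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return [string]$node.'#text' }
    return $null
}

function Get-AdChangeSummary {
    param(
        [int]$Hours = 24,
        [string[]]$WatchAccounts = @()   # SAM names worth flagging, e.g. break-glass admins
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$Categories.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        # Object identity differs by event family: 513x carry a DN, 47xx a SAM name.
        $target = Get-EventField $x 'ObjectDN'
        if (-not $target) { $target = Get-EventField $x 'TargetUserName' }
        if ($e.Id -eq 4781) {
            $target = "$(Get-EventField $x 'OldTargetUserName') -> $(Get-EventField $x 'NewTargetUserName')"
        }
        $actor = Get-EventField $x 'SubjectUserName'
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Category = $Categories[[int]$e.Id]
            EventId  = $e.Id
            Actor    = $actor
            Target   = $target
            # 5136 also names the attribute touched, which is what an auditor asks for.
            Detail   = Get-EventField $x 'AttributeLDAPDisplayName'
            Flagged  = ($WatchAccounts -contains $actor) -or ($WatchAccounts -contains $target)
        }
    }
}

# Usage: last day of changes, flagged ones first, then a count per category.
$changes = Get-AdChangeSummary -Hours 24 -WatchAccounts @('Administrator')
$changes | Sort-Object Flagged -Descending | Format-Table Time, Category, Actor, Target, Detail -AutoSize
$changes | Group-Object Category | Select-Object Name, Count
```

Note what is still missing after this much work: the events are per-DC, so the script has to run on every DC and the results merged; the "before" value of a modified attribute only appears in a separate 5136 event with a different OperationType; and nothing here delivers an alert. Those gaps are what the notification and reporting features of the reviewed products fill.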
Blackbird Auditor is tightly integrated with the MMC Active Directory Users and Computers snap-in. Installing the Blackbird RSAT Extensions adds several options to the snap-in. The Show audit trail, Show account activity, and Show group membership changes options are added to user objects. For example, right-clicking a user object and choosing Show audit trail displays the changes made to objects and who made the changes, as Figure 1 shows. The Show audit trail option is also added to group and OU objects.
Figure 1: Displaying an audit trail in Blackbird Auditor for Active Directory
Blackbird Auditor is a simple yet powerful tool. When combined with one or more of the other Blackbird modules, it puts the tools needed to manage AD at administrators’ fingertips.
ManageEngine’s ADAudit Plus
Unlike the other products in this review, ADAudit Plus from ManageEngine (a division of Zoho) doesn’t require a SQL Server or SQL Server Express database. Instead, a MySQL database is configured for you during installation.