NetWrix Active Directory Change Reporter (ADCR)

Product
Developers: NetWrix Corporation
Last Release Date: October, 2012
Technology: ITSM - IT service management systems

NetWrix Active Directory Change Reporter is a solution for auditing Active Directory. The program monitors all changes to AD, sends real-time notifications about the most important changes, and produces easy-to-read reports. The product includes the AD Object Restore Wizard module, which can restore changed or deleted Active Directory objects to their state at any point in time.

NetWrix Active Directory Change Reporter 7.0

Version 7 of NetWrix Active Directory Change Reporter gives users new capabilities:

  • Real-time e-mail notifications about AD changes.
  • Reports delivered by e-mail with any filters and settings.
  • Snapshot Reporting: reports built from "snapshots" of AD. The program can generate a report on the current state of Active Directory or on its state at a specified point in the past.
  • Integration with Microsoft System Center Operations Manager, etc.

NetWrix Active Directory Change Reporter 7.1

The new version brings improved support for Exchange Server 2010 and large AD environments, along with new reports and storage options. NetWrix Active Directory Change Reporter 7.1 offers the following features:

  • Improved support for Microsoft Exchange Server 2010
  • Improved support for large AD environments
  • Integration with NetWrix Non-owner Mailbox Access Reporter for Exchange
  • Display of a user's primary group in static reports (Snapshot Reports)
  • Support for Asian languages in report filters
  • New reports on AD changes
  • Configurable retention period for audit data in the SQL database

NetWrix Active Directory Change Reporter is intended for auditing Active Directory. The product tracks all changes made in AD and Group Policy, and generates reports and notifications showing WHO changed WHAT, WHEN and WHERE. The delivery schedule for reports is configurable. Reports show additions, deletions and modifications of all users, groups, computers, organizational units, group memberships, access rights, Active Directory sites, Group Policy objects and settings, the AD schema and all other object types. For every change, the "before" and "after" values of each modified parameter are recorded, for example the previous name of a recently renamed user, or the state of access rights on an OU before they were changed. The product can also produce state-in-time reports based on "snapshots" of AD, either for the current date (for example, "All members of the group of domain administrators") or for the point in time when a snapshot was taken (for example, "All members of the group of domain administrators on December 31, 2011"). NetWrix Active Directory Change Reporter 7.1 is already available for purchase.

NetWrix Active Directory Change Reporter 7.2

The new version of the Active Directory auditing solution can now track changes on two advanced platforms, Windows Server 2012 and Exchange 2013. The updates apply to both the basic free version and the commercial versions of the product.

  • Change data is collected from domains running Windows Server 2012. Organizations using the latest version of Windows Server can take full advantage of the NetWrix solution for Active Directory auditing when working in the new environments;
  • Auditing of Exchange Server 2013 has been added. Change control on this platform is now as simple and convenient as on previous versions of Exchange. Administrators can use all the capabilities of Exchange 2013 while being sure that no configuration change will escape their notice. This is handled by the NetWrix Exchange Change Reporter module, which has also been updated to version 7.2;
  • The module responsible for Group Policy auditing, NetWrix Group Policy Change Reporter, has been updated and now also supports domains running Windows Server 2012.


Auditing Active Directory changes is the process of collecting information, building reports from it, analyzing that information, making decisions and assessing the results. Active Directory has a built-in ability to generate such information. However, the information is not stored centrally but locally on each domain controller. The built-in tools also lack report generation, which turns auditing Active Directory changes into a difficult and lengthy process. There is also a risk of data loss if the event log is not configured to cope with the volume of information generated. This often leads to domain controllers running out of free disk space. Information generated by the built-in tools can be fully analyzed by an administrator who has considerable experience with system events and messages. Interpreting this information should lead to a decision (to accept the change or to reject it). That decision should not be a compromise, and should never be made for lack of the necessary information. Taken together, these factors show that the built-in audit tools are in many respects unsuitable for the requirements of organizations, except perhaps small ones with only a couple of servers and up to 100 users.

There are several reasons why auditing Active Directory is a necessary procedure:

1) Auditing Active Directory changes as a method of risk reduction

Change auditing records detailed information about events in the IT infrastructure, and it is used to minimize risk. In Active Directory, users are granted access rights to data and applications, both locally and remotely. Group memberships and Group Policy are configured to control behavior when accessing data and applications. If any of this changes, the administrator should be the first to know, in order to keep the risk of an information security breach to a minimum while maintaining stable operation of systems. Auditing Active Directory changes provides detailed information that can be used in an investigation. Having this information (presented, as a rule, in reports) guarantees that risk factors are properly controlled while users are granted the rights they need to do their work.

2) Auditing changes to strengthen security

Internal threats are sometimes far more serious than external ones, and the reason is excessive trust. Change auditing makes it possible to check all changes to Active Directory. Changes to security settings are usually made after a gap in a system has been detected. This reactive approach arises because, without daily change auditing, there is no way to predict how these changes will affect the IT infrastructure. Infrastructures that rely on access request tickets or other change approval processes can still be exposed to security threats if it later turns out that the submitted information was inaccurate or deliberately false. The only way to learn that security has been breached is to obtain information about changes directly from Active Directory.

3) Auditing changes in the context of information security standards

Information security standards such as SOX, HIPAA, FISMA and PCI differ in how they define security requirements, namely what specifically must be tracked and recorded about access and change events. These standards exist to protect both organizations and end consumers. Ultimately, they are designed to confirm that the organization protects, records and monitors changes that in any way involve access to confidential information. For Active Directory this is extremely difficult to achieve with the built-in audit tools, which has led to the emergence of programs from third-party developers.

4) Auditing changes to improve manageability

Making changes to Active Directory is simple if the user or the administrator has the necessary rights. However, recovering from such changes can take long hours and even days. Even if a test environment was used first, unexpected results can still appear, which makes change management for Active Directory essential. Change auditing can considerably improve an administrator's ability to restore a system to working order after undesirable changes. Recording changes over a period of time allows further analysis to detect hidden problems that are not obvious during normal work with Active Directory.

All this gave impetus to the emergence of auxiliary tools, which are especially relevant in large IT infrastructures with several levels of IT administration.

Requirements for the functions of programs that audit Active Directory:

1) Automatic data collection

To maximize the efficiency of information collection, the process should be automated, either with scripts or with third-party programs. Without this, collecting information on an ongoing basis is impossible. Data should be collected regularly; otherwise there is a risk of losing important information because the event log is overwritten or the server runs out of free space. This is an important requirement for change auditing tools, since timely auditing is impossible without it.

2) Efficient centralized data storage

Automation usually requires additional system resources and can negatively affect system operation, which in turn can lead to stability problems. For this reason it is important that the impact of the chosen data collection method be minimal. Data storage should also be considered when implementing the software solution. Where possible, event and audit data can be stored only on the local system where the events took place. The preferable method, however, is to centralize this information in a dedicated data store where it is both protected and available. This approach has its advantages, since analyzing the information and building reports from it becomes part of the daily work of the IT administrator or the group responsible for auditing Active Directory changes.

3) Collection of information should be reliable

When collecting data, preference should be given to methods that use the Event Log and other built-in audit tools, as opposed to methods that require deploying agents or modifying system code to extract event data. This removes potential problems with system stability or software incompatibility. It is especially relevant for Windows systems, where it is impossible to rely on event log data alone because the generated information is incomplete. To fully understand a given event, information from different sources should be aggregated, and the subsequent analysis should work on the aggregated information. Protecting this information for short-term and long-term storage is also important. No privileged user should have access to it, let alone the ability to delete or otherwise tamper with the data. Access to such information should be restricted or prohibited altogether.

4) Scalability

To audit changes, the auditing software must be scalable. It should adapt to the organization's constantly changing infrastructure, without disruption during deployment. Deploying and using a change auditing solution is simpler when no additional software or significant configuration changes are needed to adapt to changes in the organization. The solution should take gradual (granular) changes into account, such as changes to the overall network topology, domain controllers and Active Directory. Changes must be monitored continuously in order to provide the best quality of service to users and to provide audit records to IT and support services.

5) Ability to generate detailed reports

Once data collection from different sources is automated and the data is stored in a protected location, auditing Active Directory changes begins to play a proactive role in meeting information security standards, protecting data and improving the overall stability of the network. Detailed reports are needed by IT administrators, management and auditors, and they must be able to tailor the results for each Active Directory change over any time frame.

Daily use of reports guarantees complete transparency of the whole IT infrastructure and compliance with information security standards. Additional capabilities, such as e-mail notification and report subscriptions, also affect the overall effectiveness of system management. The ability to generate detailed reports is therefore the key to successfully implementing change auditing and to the daily management of the IT infrastructure.

6) Real-time notifications

The ability to receive real-time notifications about AD changes is closely tied to the ability to generate detailed reports. Real-time notifications let administrators learn immediately about changes made to critical objects and data. This allows administrators to react proactively to potentially dangerous incidents, which was not possible for them before. A real-time notification function should therefore be part of any program for auditing Active Directory changes.

7) Built-in options for recovery and rollback of undesirable changes

Active Directory has a number of recovery functions, although they require a restart and a considerable amount of free space to work properly. It is also necessary to test the settings of the object to be restored. Auditing Active Directory changes calls for a complete solution, so a recovery function is also an integral part of change auditing software for Active Directory. Moreover, the built-in functions are limited in the level of detail at which an object can be restored. For example, changed attributes cannot be restored if no backup copy is available. Granular recovery is invaluable when managing Active Directory. For example, it may be necessary to restore an individual security group membership that was recently changed, without rolling back other changes.

8) Additional requirements

Preferred solutions should be simple to deploy and able to connect add-on modules to form a complete software package, maximizing the potential benefits of change auditing. Additional types of systems can include firewalls, routers, database servers, storage devices and other Microsoft technologies such as Exchange and SharePoint.

NetWrix's approach to auditing Active Directory changes

NetWrix's approach brings together in one software solution all the functions needed for effective change auditing. NetWrix Active Directory Change Reporter is a program that monitors Active Directory changes across the entire IT infrastructure, including popular storage devices. Every day the program sends complete reports, and it generates real-time notifications about Active Directory changes, stating who changed what, when and where for each AD change, including users, organizational units (OUs), groups, domain controllers, configuration, the schema partition and other changes. The report includes the previous and new values for changed AD objects, to improve security and control over AD changes. Automatic collection of information and report generation not only exceeds the capabilities of the built-in tools of Windows and storage devices but also extends them, reducing the time and effort spent collecting change information manually or with complex scripts. The program can also archive all modifications, which helps to establish the details of changes months and years later. All this makes it possible to extend Active Directory change auditing into SIEM systems such as SCOM, for greater control over the IT infrastructure.