Netwrix Auditor

2022: Discovery of a vulnerability that allows attackers to execute arbitrary code

A critical vulnerability in Networrix Auditor allows attackers to execute arbitrary code. This became known on July 18, 2022.

The vulnerability was discovered by specialists from Bishop Fox.

According to Bishop Fox, the vulnerability affects all supported versions of Networrix Auditor up to 10.5 and occurs when untrusted data is deserialized. The root cause of the vulnerability was the insecure.NET Routing component, available via TCP port 9004 on the Networrix server. With its help, an attacker can transmit malicious objects and code to the Networrix server, as well as execute arbitrary commands.

All commands are executed with NT AUTHORITY\SYSTEM privileges, so exploiting the vulnerability allows an attacker to take full control of the Networrix server. In addition, the Active Directory domain may also be at risk because the Networrix Auditor runs with elevated privileges in the Active Directory environment.

To prevent any possible risks, experts recommend that companies using Auditor update the software to the latest version released on June 6^[1].

2017

Netwrix Auditor 9.5

On December 19, 2017, Networrix announced an update for its Networrix Auditor software product, a change audit, data access control and leak prevention solution. Networrix Auditor 9.5 monitors the actions of users in the system, collects data on existing information security risks, conducts a risk assessment and analyzes existing access rights. The release strengthened the analytical and information security components, as well as integration with Linux and Unix systems.

Networking Auditor 9.5 Functionality:

• Risk Assessment: The function of finding, prioritizing, and addressing security gaps. Verification and assessment of effective security policies and compliance with information security standards is provided; prevention of data leakage and theft, minimization of consequences of internal and external attacks.
• Search for abnormal activity. The built-in mechanism for assessing user behavior in the system allows you to detect attackers among employees or accounts compromised from outside. The mechanism allows you to prevent or speed up the investigation of information security incidents.
• Access Rights Analysis. The ability to analyze the existing access rights to key applications and sensitive data (in Active Directory and Windows Server) in order to strengthen system security by eliminating accidental inheritance of rights and abuse of authority.
• API integration. Additional free add-ons enable customers to use Networrix in their existing environments immediately, without complex customizations, installations, or additional implementations. Networrix Auditor 9.5 successfully integrates with Linux and Unix systems.

Netwrix Auditor 9.0

On May 31, 2017, Networrix introduced the Networrix Auditor 9.0 update: the program monitors and analyzes user actions in the IT infrastructure, ensures data security, and prevents insider and virus attacks.

Networking Auditor 9.0 Features:

• Security risk notifications based on user behavior analysis. Use user behavior analysis to detect suspicious activity early across all IT systems. Activity alerts on file servers are based on access attempt thresholds. Standard alerts are available, and alerts can be customized according to various parameters.
• Add-on for Cisco. Prevent unauthorized interception of traffic on your network by using the Networrix Auditor Add-on for Cisco devices. Now you can get full visibility of what is happening on network devices using a familiar tool.
• Granular restriction of access to audit data. Configure access to the Networrix Auditor so that individual employees and groups receive only the data and authority they need to perform their work duties.
• Report templates for GLA, GDPR, CJIS and other information security standards. In accordance with information security standards, organizations should implement policies and procedures that ensure the integrity, availability and security of data, regardless of their location. Prove that your infrastructure meets all the requirements of international information security standards and industry regulations using the built-in reports required to pass audits for compliance with GDPR, CJIS, FERPA, NERC CIP, SOX, HIIPA, PCI DSS, GLBA, and others.

2016: Netwrix Auditor 8.0

On April 14, 2016, Networrix announced the release of Auditor 8.0. The software provides complete transparency of events in the infrastructure, strengthens the security of local or cloud data.

Presentation of Networrix Auditor 8.0 (2016)

Release 8.0 simplifies security threat detection and allows you to tightly monitor critical data at all levels of your IT environment, including hybrid clouds and storage.

Networking Auditor 8.0 Features:

• The module for Office 365 enhances data security in the cloud by auditing settings changes and controlling access to other people's mailboxes in Microsoft Exchange Online.
• File analysis is required for unstructured data management decisions. New reports identify unused files, excessive access to resources, and suspicious activity such as frequent attempts to read or modify a file.
• Storage modules EMC and, NetApp for Windows File Servers extend the ability to control changes and access attempts on storage systems, as well as identify internal threats and prevent leaks of unstructured data. The new Networrix Auditor supports//, EMC IsilonVNXVNXe NetApp Data ONTAP including version 8.3.2.
• RESTful API provides unlimited monitoring and reporting capabilities, allows you to integrate Networrix Auditor with any application installed on the server or in the cloud.
• New types of software distributions. In addition to the existing method of deploying Networrix software in traditional infrastructures, a ready-made virtual machine is offered for VMware vSphere and Microsoft Hyper-V, applications for Microsoft Azure platforms and Amazon Web Services.

2015

Netwrix Auditor 7.1

On November 6, 2015, Networrix announced the release of significant corrections for its Networrix Auditor software. The software release will simplify internal investigation of information security incidents and optimize data collection for audits^[2].

Networrix Auditor 7.1 supports NetApp Clustered Data ONTAP to monitor malicious activity across all NetApp storage clusters.

Release 7.1 simplifies access to archived audit data. There was an opportunity to investigate information security incidents, even if they occurred in the distant past. Audit data is available for the entire period required to conduct the investigation and identify the causes of the incident.

Support for the NetApp Data ONTAP clustered operating system will help users get complete information about all file changes and access attempts, while using all the capabilities of the NetApp OS version, including clustering mode.

Built-in reports:

• Account Permissions Report - the report shows which users have access to data on file shares and storage (it will help to track and compare the level of access rights of employees with their positions);
• Networrix Auditor System Health - the report informs about the performance of the Networrix Auditor software (ensures constant monitoring of critical applications and quick troubleshooting of the system).

According to the management of Networrix Corporation, the late release of Networrix Auditor solves two problems: it raises awareness of internal threats and helps to obtain evidence for investigating information security incidents much faster, the software will assist users in a more holistic approach to information management, increase the security of IT processes, help manage large amounts of confidential information, reducing the risk of data leakage and non-compliance with information security standards.

Netwrix Auditor Vega

On May 21, 2015, Networrix announced the release of Networrix Auditor Vega, a software product for auditing changes in IT infrastructure, managing security settings and data access. Sales of this version of the software have already begun.

Presentation by Networrix Auditor Vega, 2015

Properties of the Networrix Auditor Vega:

• Interactive search allows you to ask a question in English and quickly get an answer - what data has been changed, by whom and when, as well as who has or had access to various elements of the IT infrastructure;
• The role-based audit access system allows you to differentiate the level of access by minimizing authorization. Now the client part of the Networrix Auditor software can be used on any computer to obtain reports and statistics;
• Industry-specific report templates speed up the export of audit data to standards-based, PCI DSS 3.0 HIPAA SOX ,/, and FISMANIST ISO reports.

2014: Netwrix Auditor 6.0

In May 2014, Networrix announced the release of a new version of the flagship product - Networrix Auditor 6.0, which provides complete transparency of the IT infrastructure. The first software demonstration was held as part of TechEd North America 2014.

"The increase in information security breaches and data loss in retail, healthcare and hospitality clearly indicates that traditional security mechanisms (firewalls, IDS and antiviruses) cannot continue to be seen as the only means of protection against external attacks and internal threats," says Michael Fimin, CEO of Networrix. "The ability to continuously monitor events within your IT system is critical to preventing information security incidents and violations of information security standards. Networrix Auditor provides comprehensive infrastructure monitoring, tracking even the smallest events, replacing many software solutions. "

Networrix Auditor offers a comprehensive approach to tracking changes in IT infrastructure, monitors all elements, constantly interacting with key systems: selects, collects and consolidates data, compiles and sends reports. The Networrix Auditor architecture ensures the continuous availability of collected data - unlike built-in logs, Networrix Auditor report archives are stored for 7 years or more, which allows you to quickly recover events of any statute of limitations.

Benefits of the new version of the Networrix Auditor:

• Configurable review panels: Networrix Auditor allows you to take a single look at all the changes that have occurred in the IT infrastructure over any period of time, thanks to convenient and informative graphs;
• Microsoft SharePoint Audit - Enables you to track changes in SharePoint server access, configuration, and content settings. Networrix Auditor provides support for the largest number of systems among all similar applications;
• Summary reports: Networrix Auditor allows you to track user activity on all systems for any period of time, as well as understand what changes have been made to each system on behalf of specific accounts;
• Creating an Access Rights Matrix: Using the Networrix Auditor makes it easier to audit for compliance with FZ-152 requirements. The product also supports other regulations - PCI, HIPAA, SOX;
• Continuous infrastructure monitoring: The Networrix Auditor reduces the time required to investigate information security incidents.

2013

Rename to Networrix Auditor

In June 2013 Netwrix Corporation , it announced the renaming of the Networrix Change Reporter product to Networrix Auditor. The new product name supports Networrix's global strategy for developing solutions that provide robust functionality and support for a wide range IT of platforms. Networrix Auditor offers a comprehensive approach to tracking changes in, To IT infrastructure monitors all elements, constantly interacting with key systems: selects, collects and consolidates, data tracking the slightest modifications. Alerts, reporting, and audits of historical data are the tools needed to reduce incidents, INFORMATION SECURITY ensure continuity business processes , and comply with industry standards.

NetWrix Change Reporter Suite 4.0

NetWrix Change Reporter Suite (NetWrix CR Suite) is an integrated solution for automated tracking and alerting of any critical changes to the entire IT infrastructure. The package programs provide easy-to-read reports with complete information on each individual change that has taken place in the organization. The 4.0 package consists of several products that have also been modified to meet the needs of modern companies.

Significantly strengthened the component responsible for auditing servers for Windows OS management - NetWrix Windows Server Change Reporter. The solution centrally monitors the server group and sends detailed reports with all detected changes on a daily basis. WSCR Suite has improved the management component: firstly, it became possible to control all Windows servers from a single console, and secondly, the ability to integrate into a single management interface for other manufacturer products. It also makes it easier to access all statistics through a convenient toolbar.

The next revision in Change Reporter Suite 4.0 concerns tracking the actions of privileged users. There are a number of filters and key parameters that are customized based on the needs of a particular organization. These settings allow you to focus on the most vulnerable applications in the system - all actions performed in these applications are recorded as a video report. Thus, you can track the initiator of the change and the process itself, as well as cancel the settings if necessary.

Like all NetWrix products, the solution supports most international and industry security standards such as SOX, HIPAA, FISMA, PCI DSS.

NetWrix Change Reporter Suite 3.2

The solution received an update to the Active Directory audit module and a new event log data consolidation module for Windows and syslog. The installation of the software package has become even easier - version 3.2 adds the automatic installation and configuration of SQL Server 2012 Express Edition with Advances Services (SQL Server 2008 for Windows Server 2008, Windows Server 2003 or lower). The NetWrix Change Reporter Suite includes the following changes:

• The Active Directory audit module - NetWrix Active Directory Change Reporter - received support for Windows Server 2012/Windows 8 and Exchange 2013. Active Directory auditing is now available on all supported Microsoft operating systems .
• A module has been added to manage NetWrix Event Log Manager event logs. It consolidates and archives event logs in Windows and syslog, receives notifications about individual events. With the addition of this module to NetWrix Change Reporter Suite 3.2, more than 30 new reports on IT infrastructure changes have become available.
• The entire software package can now be installed on Windows Server 2012 and Windows 8, ensuring stable and reliable operation in the most modern infrastructure. All products included in the package now support Windows Server 2012 domains.
• Also received the NetWrix Management Console update, which provides easier management of all components included in the NetWrix Change Reporter Suite.

'Today's IT infrastructures

are evolving incredibly quickly. And in order to get the greatest return on investments in the construction of IT infrastructure, Chief information officers need to keep under control the changes taking place in it, - said Mikhail Ananyev, Sales Director of Netrix Europe LLC. - Our solution has always ensured that IT professionals at various levels can easily track changes and manage their IT infrastructure at the highest level. With the new version of NetWrix Change Reporter Suite, we have raised the bar for controlling IT infrastructure changes even higher. '

NetWrix Change Reporter Suite 3.0

The NetWrix Change Reporter Suite, designed to audit changes to the IT infrastructure, received an update to version 3.0. This product is a comprehensive solution of several modules included in it, two of which received an update, namely the module responsible for auditing SQL Server, and a module that allows you to record access to user mailboxes.

We also updated the console - it became easier to work with the program - and simplified the process of installing and configuring the program, which means reducing the time and cost of implementing the solution. And of course, improvements were made and the stability of the program was increased.

Let's take a closer look at updating the software modules that received the update in version 3.0:

• NetWrix SQL Server Change Reporter 2.5
• Auditing the contents of the database at the record, line and column level, including the current and previous values;
• Reports contain information about the computer from which the change was made, which helps to even more accurately identify the source, for example, in a situation where several changes were made under the same account;
• Audit of SQL Jobs, Steps and Job Scheduling changes;
• Audit changes to rights to tables, views, stored procedures, and functions;
• The ability to receive reports in compressed form as attachments to electronic messages in CSV format.
• NetWrix Non-owner Mailbox Access Reporter for Exchange 3.0:
• Support for Microsoft Exchange Server 2010;
• Reports now show the types of mailbox objects accessed: email, appointment, contact, task, contact, and more;
• Users are sent notifications about access to their mailboxes;
• Support for SMTP authentication (SMTP SLL);
• The stability of the program has been increased.

NetWrix Change Reporter Suite 2.1

In version 2.1. The module responsible for auditing File Servers and File Server Change Reporter storage devices has been updated:

• Added support for Failover Clusters
• Added support for EMC VNX/VNXe storage devices
• New 'Folder Permissions Changes' and 'All Actions on File Server' reports enabled

2012: Description of NetWrix Change Reporter Suite

NetWrix Change Reporter Suite is an integrated solution for automated tracking and alerting you to any critical changes across your IT infrastructure. It does not matter who, where, when and what exactly changed - in, Active Directory file Microsoft Exchange and servers, file systems like and, NetApp EMC virtual or physical infrastructure, databases - all SQL Server components are centrally controlled, and the data obtained is combined and provided in the form of easy-to-read reports that are sent according to the schedule to information security services and internal or external auditors.

Using AuditAssurance technology, the NetWrix Change Reporter Suite provides complete reports on each individual change that has occurred in the organization: who, where, when, and what has changed and the values before and after the change. The data can be filtered by various criteria, such as the name of the person who made the changes or viewed the data, time, and other parameters.

Examples:

Platform	Typical Audit Issues
Active Directory	Who added a user to the group? Who successfully logged in/failed to log in? Who delegated control rights to the department?
VMware	Who created the new virtual machine? Who changed the resource pool settings ?
MS Exchange	Who deleted the mailbox ? Who accessed another user's mailbox ? Who changed the Information Store settings ?
SQL Server	Who changed the structure of the table in the SQL database ? Who deleted the SQL database ? Who added the new login ?
File Server	Who changed NetApp Filer file permissions ? Who viewed important files on file servers? Who deleted files from the file server ?
Group Policy	Who disabled the enhanced password policy ? Who disconnected the GPO from the department ? Who configured the new software installation policy ?
Server Configuration	Who installed the software and which software ? Who made changes to the system registry ? Who changed the computer configuration settings ?
SharePoint	Which Web applications were created/changed/deleted? Which servers were added to the farm or removed ? How did the inbound/outbound email settings change ?
SCVMM Environments	What changes have been made to the virtual machine settings ? Which virtual machines have been added/removed ?
Network Devices	Which new device has been added to the network? Who has changed the Network Monitor settings? (*) Who changed the routing table on the router? (*) Which account is granted Network Monitor Administrator privileges? (*) Which device was removed from the network ?

(*) Marked (*) features will be available in the nearest released version of the product.

Notes