In this blog post we provide Windows systems administrators with a high-level overview of the Blackbird Auditor, an Active Directory auditing solution.
The Blackbird Group is raffling off a 1,000 user license including a 1st year maintenance (total value 7,200 USD) for Blackbird Auditor for Active Directory. The deadline of this contest is June 30, 2012. If you want to take part, please send an email with the subject Blackbird to.
In Microsoft Windows Active Directory administration nomenclature, auditing refers to the capture and display of user- and/or system-generated activity.
Many systems administrators are required by governmental and/or industry regulations to track changes on their domain systems to a fine degree of granularity. Some of these regulatory laws include the following:
As you know, Windows Server 2008 R2 includes a built-in auditing framework that can help to determine the so-called “4 W’s” of audit policy:
- What was the change?
- Where was the change made?
- When was the change effected?
- Who made the change?
Traditionally, we enable auditing in one or more Group Policy Objects (GPOs) that we deploy to our domain controllers. For Active Directory object changes this means the Directory Service Changes audit subcategory (events 5136, 5137, 5138, 5139 and 5141 in the Security log) together with a SACL on the audited objects; each of these events is written only on the domain controller that processed the change and is not replicated. We then use Event Viewer to analyze local and remote auditing events, and to get a domain- or forest-wide picture we leverage event log forwarding and subscriptions to aggregate the audit logs of every domain controller.
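As an added example (not code from the original post or from Blackbird Group), the script below does with the built-in toolset what this section describes: it reads the Directory Service Changes events from the Security log of every domain controller in the forest, maps each one to the four W's, and, going a little beyond the text, pairs the two 5136 events that Windows writes for an attribute modification (one "value deleted", one "value added") into a single previous/current record. It assumes PowerShell 3.0 or later with the ActiveDirectory module, the Directory Service Changes subcategory enabled on the DCs with a SACL on the audited objects, and Event Log Readers rights on each DC; the function and parameter names are mine.

```powershell
# Added example; not code from the original post or from Blackbird Group.
# Collects Directory Service Changes events from every DC (the "Where": these
# events exist only on the DC that processed the write and are not replicated),
# maps each to What/Where/When/Who, and pairs the "value deleted" and
# "value added" 5136 events of one modification into Previous/Current.
#
# Assumed prerequisites (not covered on the page):
#  * "Directory Service Changes" audit subcategory enabled on all DCs, e.g.
#      auditpol /set /subcategory:"Directory Service Changes" /success:enable
#    or via Advanced Audit Policy Configuration in the Default Domain Controllers GPO,
#    plus a SACL on the audited objects that audits property writes.
#  * PowerShell 3.0+, the ActiveDirectory module, Event Log Readers on each DC.

Import-Module ActiveDirectory

# Every domain controller in the forest, so no DC's local log is missed.
function Get-ForestDomainController {
    (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Select-Object -ExpandProperty HostName
}

# One flat record per event. OperationType codes on 5136:
#   %%14674 = value added, %%14675 = value deleted.
function Get-DsChangeRecord {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [datetime]$StartTime = (Get-Date).AddDays(-30)
    )
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141; StartTime = $StartTime }
    foreach ($dc in $ComputerName) {
        # SilentlyContinue: Get-WinEvent raises an error when a DC has no matching events.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($ev in $events) {
            $d = @{}
            foreach ($node in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            $what = switch ($ev.Id) { 5136 { 'Modified' } 5137 { 'Created' } 5139 { 'Moved' } 5141 { 'Deleted' } }
            $object = if ($ev.Id -eq 5139) { '{0} -> {1}' -f $d.OldObjectDN, $d.NewObjectDN } else { $d.ObjectDN }
            [pscustomobject]@{
                When        = $ev.TimeCreated
                Where       = $dc
                Who         = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                What        = $what
                Object      = $object
                Attribute   = $d.AttributeLDAPDisplayName
                Value       = $d.AttributeValue
                Operation   = $d.OperationType
                Correlation = $d.OpCorrelationID   # shared by all events of one LDAP operation
            }
        }
    }
}

# Collapses the 5136 pairs of one modification into a single Previous/Current row.
function Merge-DsAttributeChange {
    param([Parameter(Mandatory)][object[]]$Record)
    $mods = $Record | Where-Object { $_.What -eq 'Modified' }
    foreach ($g in ($mods | Group-Object { '{0}|{1}|{2}' -f $_.Correlation, $_.Object, $_.Attribute })) {
        $first = $g.Group[0]
        [pscustomobject]@{
            When      = $first.When
            Where     = $first.Where
            Who       = $first.Who
            Object    = $first.Object
            Attribute = $first.Attribute
            Previous  = (($g.Group | Where-Object { $_.Operation -eq '%%14675' }).Value -join '; ')
            Current   = (($g.Group | Where-Object { $_.Operation -eq '%%14674' }).Value -join '; ')
        }
    }
}

# Usage: everything from the last 30 days, across all DCs in the forest.
$records = Get-DsChangeRecord -ComputerName (Get-ForestDomainController)
$records | Where-Object { $_.What -ne 'Modified' } |
    Format-Table When, Where, Who, What, Object -AutoSize
Merge-DsAttributeChange -Record $records |
    Format-Table When, Who, Object, Attribute, Previous, Current -AutoSize
```

Two things to keep in mind when reading the output: a change to a multi-valued attribute produces one 5136 event per value, so Previous and Current may each list several values, and because the events live only on the DC that processed the write, a DC that is offline when the script runs leaves a hole in the trail, which is exactly the aggregation problem the next paragraph describes.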
The main downside to Windows Server 2008 R2 audit policy is that it is quite cumbersome to manage, especially when we aggregate data from multiple sources.
With respect to GPO reporting, Windows Server 2008 R2 provides us with the Resultant Set of Policy (RSoP) tools that are baked into the Group Policy Management Console. These report the settings currently in effect, not who changed a GPO or what it looked like before the change; GPMC can back up and restore individual GPOs, but it keeps no version history. Again, though, the tools scale poorly and are relatively inflexible.
To attain a deeper appreciation of the limitations inherent in traditional Windows auditing, I encourage you to read the white paper “The Tradeoffs and Risks of Traditional Windows Auditing” from the Blackbird Group’s Web site.
Speaking of the Blackbird Group, today’s blog post centers upon their Blackbird Auditor for Active Directory solution, which is software aimed squarely at replacing the aforementioned auditing toolset.
In this article we will examine Blackbird Auditor for Active Directory from the following angles:
- Software Setup
- Using Built-in Audit Views
- Analyzing and Exporting Captured Audit Data
- Rolling Back Changes with RSAT Extensions
Let’s get started!
Setting up the Software
The Blackbird Management Suite is a Microsoft Management Console (MMC) snap-in that relies upon a SQL Server database for AD metadata storage. Therefore, a local or remote instance of SQL Server is a prerequisite to installing this software.
NOTE: You can use SQL Server Express if you want to; you are not required to have a full edition of SQL Server to run Blackbird Auditor for AD.
After you have SQL Server installed and ready to accept incoming remote connections, you can download the binaries and obtain your license code from the Blackbird Group’s Web site.
The order in which you install the software is significant. Here is the nutshell workflow:
- Install the 32-bit or 64-bit Blackbird Management Suite Server
- Install the Blackbird Management Suite Console on the Blackbird server
- Install the Blackbird RSAT Extensions on your other domain controllers
- Install the relevant extension packages on the Blackbird server
Heads-up: Blackbird says that only one Blackbird Management Suite server is allowed per forest. Each extension package (also called a module) enables Blackbird Management Suite to capture particular types of data from domain member computers. These modules are named as follows:
- Blackbird Auditor for AD
- Blackbird Auditor for File System
- Blackbird Event Vault
- Blackbird Privilege Explorer
- Blackbird Privilege Manager for AD
- Blackbird Recovery for AD
In this review, we are concerned only with the Blackbird Auditor for AD module.
Administrators can license as many or as few of these modules as their systems management needs dictate. Licensing is calculated per “heartbeat,” which means that you pay only for the number of human users (and not service accounts) that are covered by the software’s functionality.
Using Data Handlers and Audit Views
In Blackbird Management Suite terminology, Data Handlers represent the rough equivalent of agent software. Specifically, Data Handlers allow the Blackbird Collector component to retrieve Active Directory data from each domain controller. Ideally, you should deploy the Data Handler to all of the domain controllers in your organization.
To deploy Data Handlers, we open the Blackbird Management Console, right-click the Domain Controllers node and select Deploy data handler from the shortcut menu.
In the Deploy Data Handler dialog box (shown in the next screenshot), we can install the agent bits on some or all domain controllers within the forest.
Deploying data handlers
NOTE: Blackbird Management Suite requires several service accounts that need administrator-level access to your domain controllers as well as to SQL Server. Treat them as domain-admin-equivalent (tier-0) credentials: the Blackbird server and the SQL Server instance that hold those credentials and the audit data should be hardened, patched and access-restricted like a domain controller, and the communications TCP port you are asked to specify during setup should be allowed only between the domain controllers and the Blackbird server. Keep this in mind as you plan your Blackbird implementation.
Our next task is to specify auditor accounts. These are Active Directory users who are allowed to configure Blackbird Auditor for AD and to view audit report data.
Now that we’ve deployed the Data Handlers and specified our auditor accounts, we can turn our attention to Audit Views. Audit Views are the (very) rough equivalent of the Custom Views found in the Windows Server 2008 R2 Event Viewer.
Specifically, an Audit View filters the retrieved AD audit data according to pre-defined criteria. Blackbird Auditor for AD provides us with several pre-built Audit Views that cover the most common administration and regulatory compliance scenarios; these are shown in the following screenshot:
Built-in Audit Views
Of course, we can build our own Audit Views from scratch if we wish. As you can see in the following figure, we define an audit view by scoping data retrieval according to the “4 Ws” of audit policy.
Defining a new Audit View
In practice, these Audit Views give administrators quick insight into specific changes occurring in Active Directory over time. As we shall see a bit later in this article, Blackbird Auditor for AD allows for full previous/current value comparisons as well as selective or full rollback to previous states.
Analyzing and Exporting Audit Data
To view captured audit data, we can simply expose a predefined or custom-created Audit View in the Blackbird Management Console, right-click the appropriate view, and select Open from the shortcut menu.
This action launches the Audit Viewer tool, a standalone application that includes the “you either love it or you hate it” Ribbon UI introduced in Microsoft Office 2007.
The Audit Viewer displays each audit entry in three simultaneous views. The Summary pane gives you a simple list of all audit entries scoped in that Audit View. What’s cool about this view is that we can see both previous and current values for audit entries that involve a change.
In the following figure we see the results of the “All User Creation in the Last 30 Days” built-in Audit View on my test domain controller. If the Audit View contents included changes in addition to object creations, then we would see before and after data values as well.
Audit Viewer results
The Activity pane shows high-level audit statistics. For instance, in the following screenshot, we see a breakdown of the specific types of AD activity recorded by the tool over the past 24 hours. Be aware that these views are eminently customizable. For instance, we can edit this view on-the-fly to show account activity over the past month, and so on.
Finally, the Details pane shows (a) a summary report of the entry; and (b) which specific Active Directory attributes of the object were involved in the audited action.
Audit details view
Rolling Back Object Data with RSAT Extensions
As I mentioned earlier, the Blackbird Data Handler and Collector components work together to aggregate and store Active Directory metadata in the Blackbird Auditor SQL Server database.
What this means for us administrators is that:
- Blackbird Auditor for AD does not rely upon AD itself for storing the captured object and attribute data
- We can undo changes and perform restores directly from the Blackbird backup repository
For example, we can examine the Blackbird Management Suite Recycle Bin to enumerate and potentially recover deleted AD objects.
The Blackbird RSAT Extensions serve to integrate Blackbird auditing, analysis and recovery features into other core Windows AD management consoles. For instance, we can view the audit trail and/or roll back changes to an AD user object from Active Directory Users and Computers simply by right-clicking the object in question. This is shown in the following figure:
Blackbird RSAT extensions in action
You might have also noticed other Blackbird-related entries in the previous screen capture. For instance, we can quickly generate a report of all of that particular user’s activity, and optionally roll back any changes made to the object’s attributes.
We can also track the evolution of our GPOs by accessing the Rollback shortcut menu item in the Group Policy Management Console (GPMC). As you can see in the following figure, Blackbird enables us to quickly compare the current state of a GPO with a previous incarnation that is stored in the Blackbird backup repository.
GPO change analysis
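The GPO comparison shown above has a rough native counterpart. The script below is an added example, not code from the original post or from Blackbird Group: it keeps a timestamped history of every GPO using the GroupPolicy module (Backup-GPO for restorable backups, Get-GPOReport for an XML report of each GPO) and line-diffs the two most recent reports of one GPO. It assumes the RSAT GroupPolicy module is installed, that the history root is a share only GPO administrators can write to, and that a scheduled task runs the snapshot regularly; the function names and the history path are mine.

```powershell
# Added example; not code from the original post or from Blackbird Group.
# Keeps dated snapshots of all GPOs and diffs two snapshots of one GPO.
# Assumptions: RSAT GroupPolicy module; $HistoryRoot is writable only by GPO
# admins (otherwise the "previous version" can itself be tampered with).

Import-Module GroupPolicy

# File-name-safe form of a GPO display name (constructed helper).
function Get-GpoFileName {
    param([Parameter(Mandatory)][string]$DisplayName)
    ($DisplayName -replace '[\\/:*?"<>|]', '_') + '.xml'
}

# Writes one dated folder: Backup-GPO output (restorable with Restore-GPO /
# Import-GPO) plus an XML report per GPO, which is what we diff later.
function Save-GpoSnapshot {
    param([Parameter(Mandatory)][string]$HistoryRoot)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir = New-Item -ItemType Directory -Path (Join-Path $HistoryRoot $stamp) -Force
    Backup-GPO -All -Path $dir.FullName -Comment "snapshot $stamp" | Out-Null
    foreach ($gpo in Get-GPO -All) {
        $report = Join-Path $dir.FullName (Get-GpoFileName $gpo.DisplayName)
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $report
    }
    $dir.FullName
}

# Line-level diff of the two newest reports of one GPO. ReadTime is the
# report generation time and changes every run, so it is filtered out.
function Compare-GpoSnapshot {
    param(
        [Parameter(Mandatory)][string]$HistoryRoot,
        [Parameter(Mandatory)][string]$DisplayName
    )
    $file = Get-GpoFileName $DisplayName
    $reports = @(Get-ChildItem -Path $HistoryRoot -Directory | Sort-Object Name |
        ForEach-Object { Join-Path $_.FullName $file } |
        Where-Object { Test-Path $_ })
    if ($reports.Count -lt 2) { throw "Need at least two snapshots of '$DisplayName' under $HistoryRoot" }
    $noise = '<ReadTime>'
    $old = (Get-Content $reports[-2]) -notmatch $noise
    $new = (Get-Content $reports[-1]) -notmatch $noise
    Compare-Object $old $new |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      @{ n = 'Line';   e = { $_.InputObject.Trim() } },
                      @{ n = 'Old';    e = { $reports[-2] } },
                      @{ n = 'New';    e = { $reports[-1] } }
}

# Usage (history path is a constructed example):
# Save-GpoSnapshot -HistoryRoot '\\fileserver\GpoHistory'
# Compare-GpoSnapshot -HistoryRoot '\\fileserver\GpoHistory' -DisplayName 'Default Domain Policy' |
#     Format-Table Change, Line -AutoSize
```

The diff is deliberately simple: Compare-Object works on lines, so a setting that merely moved inside the report shows up as one Removed and one Added line, and it tells you what changed but not who changed it; for the "who" you still need the audit events on the domain controllers, which is the gap the product reviewed here is selling into.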
The Rollback functionality in Blackbird Auditor for AD is very impressive. With a few mouse clicks you can undo the most potentially damaging of AD object changes. For example, if a junior-level administrator inadvertently deleted an OU and is unable to recover the lost objects with the standard Windows tools (for instance because the Active Directory Recycle Bin was not enabled before the deletion), you can easily perform the restore from within the Blackbird Management Console.
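For comparison, here is what the standard tools can do for the deleted-OU scenario when the Active Directory Recycle Bin is turned on. This is an added example, not code from the original post or from Blackbird Group. It assumes Windows Server 2008 R2 forest functional level, that the Recycle Bin feature was enabled before the deletion (objects deleted earlier are plain tombstones that keep almost none of their attributes), that the deletion is younger than msDS-DeletedObjectLifetime (180 days by default), and that the caller has rights to restore objects; the function names and the example OU name are mine.

```powershell
# Added example; not code from the original post or from Blackbird Group.
# Restores a deleted OU and everything that was inside it with the native
# Active Directory Recycle Bin (2008 R2 forest functional level required).

Import-Module ActiveDirectory

# One-time and irreversible: turns the Recycle Bin on for the whole forest.
function Enable-ForestRecycleBin {
    $forest = Get-ADForest
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Restores every deleted object that last lived directly under $ParentDn,
# then recurses, so nested OUs come back before their own children.
function Restore-DeletedChildren {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ParentDn)
    $children = Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $ParentDn } `
        -IncludeDeletedObjects -Properties lastKnownParent
    foreach ($child in $children) {
        Restore-ADObject -Identity $child.ObjectGUID
        $live = Get-ADObject -Identity $child.ObjectGUID
        Write-Verbose "restored $($live.DistinguishedName)"
        Restore-DeletedChildren -ParentDn $live.DistinguishedName
    }
}

# Restores the most recently deleted OU with the given name, then its subtree.
function Restore-DeletedOu {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name)
    # msDS-LastKnownRDN keeps the pre-deletion RDN; the deleted object's own
    # name has been mangled to "<name>\0ADEL:<guid>". $Name must not contain
    # LDAP filter metacharacters unless escaped.
    $candidates = @(Get-ADObject -LDAPFilter "(&(objectClass=organizationalUnit)(msDS-LastKnownRDN=$Name))" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Sort-Object whenChanged -Descending)
    if ($candidates.Count -eq 0) { throw "No deleted OU named '$Name' in the Recycle Bin" }
    $ou = $candidates[0]
    Restore-ADObject -Identity $ou.ObjectGUID
    $live = Get-ADObject -Identity $ou.ObjectGUID
    Write-Verbose "restored $($live.DistinguishedName)"
    # A tree delete removes the children first, so each child recorded the OU's
    # live DN in lastKnownParent; that is how they are found after the OU is back.
    Restore-DeletedChildren -ParentDn $live.DistinguishedName
    $live
}

# Usage (the OU name is a constructed example):
# Restore-DeletedOu -Name 'Finance' -Verbose
```

The order matters: a container has to exist again before Restore-ADObject can put its former children back into it, which is why the helper restores the OU first and only then walks the children, recursing into any sub-OUs it brings back. If the Recycle Bin was not enabled before the deletion, this path is closed and you are down to an authoritative restore from a system state backup, the situation the paragraph above describes.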
In my opinion, Blackbird Auditor for AD is an extremely easy to use product. As busy systems administrators, we often don’t have time to spend performing elaborate setups and slogging through steep learning curves when implementing management software.
I think that those of you who are subject to compliance regulations can derive special benefit from this software. Please feel free to leave any questions in the comments portion of the post. If I cannot answer them directly, I will forward them to the Blackbird team.
If you want to take part in this raffle and have the chance to win a 1,000 user license (total value 7,200 USD) for Blackbird Auditor for Active Directory, please send an email with the subject Blackbird to. The deadline of this contest is June 27, 2012.