Most Windows systems administrators know that Active Directory auditing is switched on through Group Policy (the Advanced Audit Policy settings) and lands in the Security event log of each domain controller. We also know that this built-in auditing isn’t very flexible. For instance, how would you respond if you needed to:
- provide “who, what, when, how” information regarding privileged Active Directory changes;
- generate meaningful reports to give to your compliance officers;
- help your development staff write code that retrieves detailed AD audit data; or
- audit user account changes in an Office 365 Azure AD instance?
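To make the "inflexible" point concrete, here is what answering "who, what, when" from the built-in auditing alone looks like. This is an added example written for this article, not code from 4sysops or Netwrix; it assumes you run it on (or point it at) a domain controller whose Advanced Audit Policy has the "Audit User Account Management", "Audit Security Group Management" and "Audit Directory Service Changes" subcategories set to Success. The event IDs and field names are Microsoft's documented ones; the one-day window is an assumption.

```powershell
# Added example (not from the article or from Netwrix): answer "who, what, when"
# for common privileged AD changes using only the Security log that the Group
# Policy audit settings already produce. Assumes a DC with the relevant Advanced
# Audit Policy subcategories enabled for Success.

# Documented Security event IDs and a readable action label for each.
$WatchedEvents = @{
    4720 = 'User account created'
    4726 = 'User account deleted'
    4728 = 'Member added to security-enabled global group'
    4729 = 'Member removed from security-enabled global group'
    4756 = 'Member added to security-enabled universal group'
    4757 = 'Member removed from security-enabled universal group'
    5136 = 'Directory service object modified'
}

function Get-ADChangeEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = [int[]]$WatchedEvents.Keys; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            $evt = $_
            # Read EventData fields by name rather than by position so the code
            # stays readable and works across the different event IDs.
            $xml  = [xml]$evt.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $what = switch ($evt.Id) {
                5136 {
                    # OperationType is a message-table reference:
                    # %%14674 = value added, %%14675 = value deleted.
                    $op = if ($data.OperationType -eq '%%14674') { 'added' } else { 'removed' }
                    "$($data.ObjectDN) : $($data.AttributeLDAPDisplayName) $op '$($data.AttributeValue)'"
                }
                { $_ -in 4728, 4729, 4756, 4757 } {
                    "$($data.MemberName) in group $($data.TargetDomainName)\$($data.TargetUserName)"
                }
                default { "$($data.TargetDomainName)\$($data.TargetUserName)" }
            }

            [pscustomobject]@{
                When   = $evt.TimeCreated
                Who    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Action = $WatchedEvents[[int]$evt.Id]
                What   = $what
                DC     = $evt.MachineName
            }
        }
}

# Usage: everything from the last 24 hours on this DC, newest first.
Get-ADChangeEvent -Since (Get-Date).AddDays(-1) |
    Sort-Object When -Descending |
    Format-Table When, Who, Action, What -AutoSize
```

Two caveats show why people buy a product for this. Event 5136 is only logged for objects that carry an auditing SACL, so attribute-level "what" coverage depends on you having configured auditing on the right OUs. And each event exists only on the domain controller that processed the change, so you must query every DC (or forward their logs somewhere central) before the answer is complete. Collecting, correlating and archiving that data across DCs is the plumbing that Netwrix Auditor takes off your hands.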
The value proposition behind Netwrix Auditor for Active Directory is that administrators get a “single pane of glass” view of Active Directory configuration changes and access events. There are several pre-built reports, as well as an application programming interface (API). Moreover, if you purchase Netwrix Auditor for Azure AD, you can audit Office 365-based Azure AD instances as well.
Installation and first run
Netwrix offers a 20-day trial evaluation of Netwrix Auditor for Active Directory on its website. Although you can download, install, and configure SQL Server 2014 Express Edition with Advanced Services (which includes Reporting Services), I suggest you have a SQL Server instance already online; note that you’ll need SQL Server Reporting Services (SSRS) in addition to the database engine.
You’ll also need to ensure that the Windows Server member server on which you install the product has the .NET Framework 3.5 feature installed beforehand; the Netwrix installer won’t do that work for you.
As you can see from the following screenshot that shows the Netwrix Auditor splash screen, the Active Directory application is only one of many (separately licensed) apps.
In my lab environment, I chose the Full installation option because I wanted to test both the Active Directory and Azure AD applications.
As I said earlier, you’ll need to point the Netwrix installer at your SQL Server/SSRS instance and supply the appropriate configuration details.
After the installation is completed, you’ll have two new administrative utilities:
- Administrator console: This Windows desktop application configures the auditing environment.
- Netwrix Auditor client: This is your query/reporting tool.
The following screenshot shows the Netwrix Auditor administration console.
The three main nodes in the console interface are:
- Managed Objects: Audit definitions for each supported application
- AuditArchive: Database connections, long-term audit data storage options
- Settings: Credentials, SMTP e-mail server addresses, licenses
Defining a managed object
In Netwrix Auditor, a managed object defines a target application (Active Directory in this case, of course), database details, auditing scope, and real-time alert settings. Here’s a composite screenshot showing a couple of the wizard screens:
The following screenshot shows my completed Active Directory managed object configuration.
Make sure you run a data collection job immediately so you can gather an AD data snapshot. One of the many cool things you can do with Netwrix Auditor is compare past and present states of Active Directory, Group Policy, logons, or directory partition metadata.
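To see what a past-versus-present comparison involves without the product, here is a minimal snapshot-and-diff of AD user state. It is an added example for this article, not Netwrix code or the tool's data format; it assumes the RSAT ActiveDirectory module, and the snapshot directory and the list of tracked attributes are assumptions you would adjust.

```powershell
# Added example (not from the article or from Netwrix): a minimal "past vs.
# present" comparison of AD user state using the RSAT ActiveDirectory module.
# $SnapshotDir and the $Tracked attribute list are assumptions for this example.
Import-Module ActiveDirectory

$SnapshotDir = 'C:\ADSnapshots'
# Attributes whose change a human should look at (privilege and authentication related).
$Tracked = 'SamAccountName', 'Enabled', 'MemberOf', 'AdminCount',
           'PasswordNeverExpires', 'ServicePrincipalName', 'UserAccountControl'

function Save-ADUserSnapshot {
    param([string]$Path = (Join-Path $SnapshotDir ('users-{0:yyyyMMdd-HHmm}.xml' -f (Get-Date))))
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # Clixml keeps multi-valued attributes (MemberOf, SPNs) as collections.
    Get-ADUser -Filter * -Properties $Tracked | Select-Object $Tracked | Export-Clixml -Path $Path
    $Path
}

function Compare-ADUserSnapshot {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $old = @{}; Import-Clixml $Before | ForEach-Object { $old[$_.SamAccountName] = $_ }
    $new = @{}; Import-Clixml $After  | ForEach-Object { $new[$_.SamAccountName] = $_ }

    foreach ($sam in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if (-not $new.ContainsKey($sam)) {
            [pscustomobject]@{ User = $sam; Attribute = '(object)'; Before = 'present'; After = 'deleted' }
            continue
        }
        if (-not $old.ContainsKey($sam)) {
            [pscustomobject]@{ User = $sam; Attribute = '(object)'; Before = 'absent'; After = 'created' }
            continue
        }
        foreach ($attr in $Tracked) {
            # Normalize multi-valued attributes so a change of ordering alone is not a "change".
            $b = (@($old[$sam].$attr) | Sort-Object) -join ';'
            $a = (@($new[$sam].$attr) | Sort-Object) -join ';'
            if ($b -ne $a) {
                [pscustomobject]@{ User = $sam; Attribute = $attr; Before = $b; After = $a }
            }
        }
    }
}

# Usage: take a snapshot now, another one later, then diff them.
# $first  = Save-ADUserSnapshot
# ...time passes...
# $second = Save-ADUserSnapshot
# Compare-ADUserSnapshot -Before $first -After $second | Format-Table -AutoSize
```

A snapshot diff like this tells you what changed between two points in time but not who changed it or exactly when; for that you still need the Security log events from every domain controller. Joining the two views (and extending them to Group Policy and logons) is the part the product does for you.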
Viewing audit data
Open the Netwrix Auditor client to access your collected audit data. The home page provides one-click access to the most common tasks, as the following figure shows.
On my test system, I clicked the saved search "AD or Group Policy modifications by Administrator since yesterday" on the home page and viewed the following results:
What’s very helpful, at least in my humble opinion, is Netwrix’s adoption of the “who, what, when, where” auditing security principle into this software. This is the information that security and compliance officers need to know, and this tool provides those answers.
Another option is to use the Interactive Search feature to run your own custom queries. Again, as you can see in the next figure, you build queries using that “who, what, when, where” syntax that is user-friendly and intuitive.
- Use the buttons to specify the search parameters.
- Rearrange, change values, or remove parameters.
- Run the search! Super easy.
Generating reports
Remember that Netwrix Auditor is a solution that “rides on top of” built-in Windows Server security auditing and SQL Server Reporting Services. The good news is that we don’t have to author SSRS report definitions ourselves; instead, Netwrix Auditor for Active Directory ships with dozens of pre-built reports, as shown below.
One point about these built-in reports that you shouldn’t overlook is that many of them map to well-known industry compliance standards, which can make preparing for a compliance audit faster and the evidence you hand over more accurate.
The actual reports show up in a format that anyone who’s used SSRS should instantly recognize. You can export the reports as delimited text, HTML, or PDF.
Azure AD auditing
A separately licensed Azure AD application allows you to run auditing on one or more Office 365 Azure Active Directory instances. If you’ve used Azure AD, you know that it isn’t an LDAP-based, Group Policy-linked directory service, so the auditing hooks available to any tool, Netwrix included, are fewer than you have on-premises.
The following screenshot summarizes the configuration workflow.
AD object and attribute restore
Netwrix understands that knowing about an unwanted AD change (deleting a user account, for instance) is only half the battle. That is, how the heck can you reconstitute the object?
Netwrix Auditor for AD has a built-in wizard for restoring AD changes down to the attribute level; that’s pretty darned cool!
As you can see, Netwrix can restore AD objects and attributes either from its own data store or directly from AD tombstone data. Keep in mind that a tombstone preserves only a handful of attributes, which is where Netwrix’s own snapshots earn their keep.
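For comparison, this is what the native route looks like with the RSAT ActiveDirectory module, including the check that decides whether you will get the whole object back or only a reanimated tombstone. This is an added example for this article, not Netwrix's wizard or code; the user name in the usage lines is an assumption.

```powershell
# Added example (not from the article or from Netwrix): find a deleted AD object
# and restore it with the RSAT ActiveDirectory module. The name used in the
# usage comments is an assumption for the example.
Import-Module ActiveDirectory

function Test-ADRecycleBin {
    # With the Recycle Bin enabled, deleted objects keep all their attributes for
    # the deleted-object lifetime and can be restored intact. Without it, a deleted
    # object is only a tombstone: reanimating it brings back the object with just
    # the few attributes preserved on tombstones (SID, sAMAccountName, ...), not
    # group memberships or most other attributes.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $feature.EnabledScopes.Count -gt 0
}

function Get-ADDeletedObject {
    param([Parameter(Mandatory)][string]$NamePrefix, [int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # Deleted objects are renamed "<name>\0ADEL:<guid>", so a prefix match on the
    # original name still works; lastKnownParent is the container it lived in.
    Get-ADObject -IncludeDeletedObjects -Filter "isDeleted -eq `$true -and name -like '$NamePrefix*'" `
        -Properties objectClass, whenChanged, lastKnownParent, msDS-LastKnownRDN |
        Where-Object { $_.whenChanged -ge $since } |
        Select-Object ObjectGUID, objectClass, msDS-LastKnownRDN, lastKnownParent, whenChanged
}

function Restore-ADDeletedObject {
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,
        [string]$TargetPath    # defaults to the object's original container
    )
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $TargetPath) { $TargetPath = $obj.lastKnownParent }
    # If the original OU was deleted as well, restore (or recreate) it first, or
    # pass -TargetPath for a container that exists; otherwise the restore fails.
    if (-not (Get-ADObject -Filter "distinguishedName -eq '$TargetPath'")) {
        throw "Target container '$TargetPath' does not exist; restore it first or choose another -TargetPath."
    }
    Restore-ADObject -Identity $ObjectGuid -TargetPath $TargetPath -PassThru
}

# Usage (the name is an assumption):
# Test-ADRecycleBin                      # $false means you only have tombstones to work with
# Get-ADDeletedObject -NamePrefix 'Jane Doe' | Format-Table -AutoSize
# Restore-ADDeletedObject -ObjectGuid <ObjectGUID from the list above>
```

Run the Recycle Bin check before you promise anyone a clean restore: when it returns false, the native path gives you back a skeleton account, and a tool that kept its own copy of the attributes (or a recent backup) is the only way to recover group memberships and the rest.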
Well, there you have it! If you’re a Microsoft shop that needs to get a firm handle on your security auditing, then you may want to give Netwrix Auditor a try. Again, you can download a 20-day demo from their website. Check out their documentation as well.
Netwrix doesn’t offer pricing and licensing details on their public web site. Instead, reach out to them via e-mail and start a conversation with one of their sales associates. Happy auditing!