Product Review: Netwrix Auditor v7.0

Published on 16 June 2015 / Last Updated on 16 June 2015

In this article the author reviews Netwrix Auditor v7.0.

Product: Netwrix Auditor v7.0

Introduction

Network and security administrators expend a significant amount of effort and energy configuring and maintaining their managed systems for security and compliance. There are a variety of tools at their disposal to accomplish these tasks, and with the popularity of automation, these tasks can often be performed transparently. However, just because a system is configured correctly today doesn’t necessarily mean it will stay that way in the future. Often the best intentions aren’t enough to keep up with today’s complex environments, and this is further complicated by administrators being responsible for more and more systems.

The popularity and ubiquity of server virtualization technologies and cloud platforms (private and public) conspire to make effective management of configuration a serious challenge in today’s complex corporate computing environments. The speed and flexibility with which systems can be implemented and deployed is both a blessing and a curse. We can quickly provision systems to meet new business requirements, or expand capacity to meet increasing resource demands on existing systems, but this often leads to server sprawl, which poses unique risks with regard to configuration management. A solution to audit and report on system configuration and demonstrate compliance is essential.

Netwrix Auditor v7.0, also named VEGA

Netwrix Auditor is an IT auditing platform that provides visibility into who changed what, where, and when, and who has access to what. It can be used to validate systems configuration, ensuring that systems are being effectively maintained. It can also be used to demonstrate the state of configuration to management and auditors. It is also a vital tool that can be leveraged to perform forensic investigations. Netwrix Auditor is easily deployed and provides a wide range of support to many popular IT infrastructure platforms and services.

Supported Platforms and Services

You can leverage Netwrix Auditor to monitor, audit, and report on configuration changes for the following platforms and services:

  • Active Directory
  • Exchange
  • File Servers
  • SharePoint
  • SQL Server
  • VMware
  • Windows Server
  • NetApp Filer
  • EMC VNX/VNXe/Celerra
  • Unix/Linux

Installation

The installation of the product is simple and straightforward. The Netwrix Auditor documentation recommends that the software should be installed on a workstation, not on a domain controller. I would recommend installing it on a dedicated management workstation, as opposed to installing it on an everyday system. Netwrix Auditor also requires .NET Framework 3.5 Service Pack 1 or later. Once the installation prerequisites have been met, choose an installation type. Select Full installation if you’re installing Netwrix Auditor in your environment for the first time. Select Client installation if you’ve already installed and configured Netwrix Auditor and want to install the management console on another machine to access audit data.

Figure 1

Monitoring and Auditing Active Directory

To begin, select a system to be audited from the list of available managed objects. For demonstration purposes I’ve chosen to enable auditing for Active Directory.

Figure 2

The management interface guides you through configuring Netwrix Auditor to audit the specified system. For Active Directory you’ll provide a user account that will be used to access all managed objects, specify an SMTP server required for emailing reports, and select the default domain and data processing account. An SQL server is required for data storage. You can choose to use an existing SQL server instance with SQL Server Reporting Services or you can choose to install and configure a new instance of SQL Server Express locally. If you choose this option you will be prompted to download Microsoft SQL Server 2012 Express or specify the location to the installation file.

Once the managed object configuration is complete, you can view the status of the managed object by opening the Netwrix Auditor Administrator Console and expanding Managed Objects. Here you can view the status of the object and the last data collection time, view details about the managed object, or manually launch data collection for it.

Figure 3

Monitoring and Auditing Windows Systems

To provide monitoring and auditing for Windows systems, highlight Managed Objects in the administrator console and click Create New Managed Object.

Figure 4

Select Computer Collection and click Next. Then specify a name for the computer collection and choose a data processing account.

Figure 5

Select Windows Server from the list of target systems and click Next, and then choose an SQL instance to store the data. Optionally, you can make the audit data available via summary emails only, which does not require logging to SQL. Click Add to specify which systems should be included in the new computer collection. You can provide a computer name, an Active Directory container, or an IPv4 address range. Optionally, you can choose to import computer names from a file. Here I’ve chosen to import computers via IPv4 address range.

Figure 6

By default, Netwrix Auditor makes use of lightweight agents for data collection. If this option is chosen, an agent is installed on target computers allowing for the compression of audit data before it is transferred, which results in far less data being transferred over the wire. It is recommended that this option is selected.

Figure 7

Netwrix Auditor leverages the native Windows event logs for audit data collection, and they must be configured to provide essential information for the solution to function correctly. You can do this automatically (recommended) or manually. Specify which system components will be monitored by enabling the appropriate component or registry setting. As you can see there is an abundance of information that is available for monitoring.

Figure 8

Interactive Reports

An important component of any configuration monitoring and auditing platform is reporting. Frequently security administrators must demonstrate to executive management or external auditors that systems are being effectively managed, and this is where the power of Netwrix Auditor really shines. Using Netwrix Auditor, you can get a quick overview of monitored systems by selecting one of the preconfigured reports under the Enterprise Overview section.

Figure 9

Select the desired timeframe and click View Report. For the Active Directory overview you can quickly observe changes made by date, domain controllers with the most changes, who made the most changes, and which object types were most modified.

Figure 10

In addition you can further refine the report by choosing a specific time and date range. You can also export the report to PDF, Excel, and Word formats. Of course you can also print the report, or export it to another data feed as required.

Interactive Search

Netwrix Auditor provides a powerful interactive search feature that allows the administrator to investigate incidents and browse audit data ad-hoc. This feature can be accessed by clicking Search in the Netwrix Auditor client. Here’s an example query that quickly determines what changes an administrator made on a specific domain controller.

Figure 11

Search results also include drill-down functionality allowing for further detailed information gathering from returned data. Also, ad-hoc queries can even be saved for future use and shared with other users.

Built-In Compliance Reports

To make things easier on the administrator, Netwrix Auditor includes a plethora of pre-configured reports to choose from. They are grouped by organizational level reports, Active Directory, Exchange, File Servers, SharePoint, SQL Server, VMware, and Windows Server.

Especially helpful are the native, pre-configured compliance reports that are sure to make any security audit much less painful. Reports are available for FISMA compliance, HIPAA compliance, ISO/IEC 27001 compliance, as well as PCI DSS v3.0 and SOX compliance.

Figure 12

Delegated Access

Many companies need to provide access to audit data to various people within the organization. Netwrix Auditor supports delegated access to audit data, which enables authorized individuals to access this data by installing the client software on their local machine. The Netwrix Auditor client can be installed on as many computers as required.

Summary

Netwrix Auditor v7.0 is an incredibly deep and powerful systems configuration monitoring and auditing platform. This quick product review barely scratches the surface of the capabilities it provides. In my brief time spent with the product, I can tell you that it will definitely make your systems auditing much simpler. It will also be a tremendously valuable addition to any organization under regulatory and compliance control, as the native compliance reports are sure to save a lot of time and frustration demonstrating to auditors that your systems are in compliance.

Netwrix Auditor v7.0 has a clean, intuitive, and well laid out management console that is very easy to use and navigate. Information and details are easily discoverable, and the initial welcome screen provides helpful guidance for getting started. The platform is one of the most well documented solutions I’ve used in quite some time. It includes highly detailed installation, user, and administrator guides that provide a wealth of information for those installing, configuring, or using Netwrix Auditor. About the only issue I came across was an apparent lack of support for IPv6. Some fields that required IP address input accepted only IPv4 addresses. I expect this to be addressed in future releases as IPv6 adoption in the corporate enterprise continues to rise.

Product Rating

I really enjoyed working with and evaluating this important security solution. It is mature and robust, and I really can’t identify any features that are missing to provide full comprehensive system configuration auditing and reporting. With that, I give this product the WindowSecurity.com Gold Award with the highest 5 out of 5 rating.

WindowSecurity.com Rating: 5/5


The Author — Richard Hicks

Richard M. Hicks (MCP, MCSE, MCTS, MCITP:EA, MCSA, MVP) is a network and information security expert specializing in Microsoft technologies. He is the founder and principal consultant of Richard M. Hicks Consulting and is focused on helping organizations large and small implement DirectAccess, VPN, and cloud networking solutions on Microsoft Platforms.