Successful File Server Auditing: Looking beyond native auditing

Transcription

1 Successful File Server Auditing: Looking beyond native auditing Whitepaper 2013

2 1. Introduction File system auditing deals with security of Windows file servers, protecting business critical data and ensuring service availability with minimum downtime. File system administrators need to be fully cognizant of all the happenings in the file server environment including file access information, file system events and other activities. Latest reports on changes to Files, Folders, Shares and Permissions helps in maintaining a safe and secure File system environment, eliminates security threats and also helps in sustaining compliance. Of all the user-initiated events related to file servers, file access is of primary importance as once a user gets access to a file or folder, a number of changes can be affected by him cascading the damage. Thus, scrutinizing File access related changes helps in mitigating a majority of risks originating out of it. File system auditing is no more just about passive auditing of past events. Admins look for a system that can generate real time alerts for critical events, so that necessary action could be taken to avoid the possibility of any damage or loss arising out of it. File System auditing solutions also assume importance in sustaining compliance as they offer a centralized pool of File server audit data that can be archived for a long period of time to meet various standards such as SOX, HIPAA, and PCI etc. 2. Need and Importance of File Server Auditing Windows File system could be used as storehouse of critical business data and network shared application. Any unauthorized access to File servers and undesirable changes to shares and permissions may expose sensitive data resulting in business loss. Hence, administrators need to monitor in real time who accessed what and when; also what changes were made to shares and permissions and who all could benefit from such change. Organizations face the internal requirement of comprehensive File system auditing because of a number of reasons: To prevent unauthorized access to sensitive business data. Analyze access rights given to users and their uses thereof to mitigate any risk arising out of it. Keep File systems safe from intentional changes to Permissions to misuse the privilege. Eliminate destructive changes to File and Folders that could result in data loss. Monitor the activities of delegated users to eliminate risk factors. Archive changes to support forensic investigations of events occurring years ago. Get event details in simple understandable English instead of complex jargons of native event viewer. Apart from the internal File system auditing requirements, there are a number of external factors that make File system auditing a necessity:

3 Various industry specific compliances such as SOX, HIPAA, PCI etc. lay down a number of regulations that can be fulfilled only through comprehensive auditing. Having a demonstrative capability of performing File system auditing can infuse confidence in various stakeholders thus increasing reputation of the organization. File system auditing can help you present event logs in the required format for the purpose of litigation. 3. Options available for File System Auditing 3.1 Native Auditing Native File system auditing too can present the Who, What, When and Where information about File system events but requires a disproportionate amount of effort as logs are scattered around with a lot of unuseful data. Windows event viewer can help Admins to analyze File system logs manually, but it may take a lot of time to uncover the facts and that too not in a desirable format. For serious File system auditing requirement, it would be unwise to consider native auditing as an option. Native File system auditing suffers from a number of drawbacks such as: A single event such as copying a file from one location to another could generate a bulk of event logs. Reconstructing the move in plain English from such logs can take a lot of time and effort. Native auditing lacks comprehensive reporting feature which is a necessity for successful file server auditing. There is no provision to generate instant alert on critical changes that can leave Admins in dark and also increase the response time to corrective measures if any at all that takes place. built-in reports to meet compliance requirements. Admins need to manually go through tons of event logs data and find the required information. Absence of a centralized platform to look into the File system event logs means Admins need to visit each file server in the network and set auditing rules and collect required insight. There is a chance of precious data loss on account of log overwrites in absence of proper settings. Inefficient storage means inability to support long-term archiving which in turn could result in compliance violations. 3.2 File System auditing: Third Party Solutions To overcome the above mentioned short comings, you can use commercial File System auditing solutions available in the market. They not only help you to get around the limitations of native auditing, but also offer a host of other benefits that are important to ensure secure file system environment. In today s world, File system auditor is no longer merely a tool to satisfy external auditing requirements; organizations are considering it as an apt tool to aid in securing sensitive

4 business data and generate useful information for intelligent decision making regarding file system environment. 4. A practical approach apt for the real world LepideAuditor for File Server (LAFS) is a powerful tool to audit all file servers in the network and generate reports on them. Software is more than just a tool to satisfy compliance requirements; it ensures that critical business data stored on File systems is safe from unauthorized access and modifications. It offers a host of features that are important from real world perspective of auditing File systems in the network: Provides Who, What, When and Where information for all access attempts and changes made to Files, Folders, Shares and Permissions on the File server. Reports on all access rights given to users and Files and Folders that they are accessing to give complete control to administrators. Consolidates event logs from all File servers in the network and reports and alerts on important event from a centralized platform. Archives event logs for a longer period of time thus helping in staying compliant and forensic investigations. Generates real-time alerts on critical events such as unauthorized access to folders containing sensitive data and deletion or modification to important files. 5. LepideAuditor for File Server vs. Native Auditing SL. Feature LepideAuditor for File Server Native Auditing 1. Track File server changes to give Who, What, When and Where information for each change. 2. Tracks Files and Folders access/share and permission changes. Yes Yes. Alerts and Built-in reports to track File and Folder access related changes. 3. Compliance support Yes. Long term archiving and customizable built-in reports help you to stay complaint to industry acts and standards. 4. Real-time Alert Yes. Allows you to set instant Difficult to identify the changes as there could be multiple log entries for a single change. Need to analyze logs manually to find out such changes. Difficult to support long-term archiving and search required information from cryptic logs.

5 alerts for the changes that you think are important. 5. Consolidated Logs Yes. Acts as a centralized platform to collect logs from all File servers in the network and report and alert on them. 6. Reporting on event logs Yes. Offers a number of builtin reports to give detail information about each change. 7. Schedule Report feature Yes. Automatic generation and delivery of reports at specified address. 8. Easy identification of changes Yes. Highlights different types of changes in different color with old and new value. 9. Long term archiving Yes. Archive event logs for years in secure and efficient storage of SQL server. 10. Granular rollback of changes Yes. Identify unwanted changes easily and rollback with just a few clicks. built-in reports. Need to get information through Windows event viewer. Inefficient storage. Takes lot of memory space for archiving event logs. Cumbersome process to identify unwanted changes followed by complex set of steps for granular rollback. 6. Get an edge over native auditing As you can see from the comparison chart above, software offers clear advantages over native auditing. When it comes to real world scenario, you cannot leave a system as important as File server, on native auditing. LepideAuditor for File server is a must for administrators to satisfy internal and external audit requirements. It offers immense benefits in comparison to small cost that one has to pay for it.

6 About company Lepide Software Pvt. Ltd. is a leading provider of Network management, Server management and IT management solutions. Company has offered a number of cutting edge technological tools to serve these areas. LepideAuditor for File Server is yet another addition to the list of software products from the company that has won accolades from the industry. Strength of the company lies in deep industry experience and expertise of technical workforce that helps in producing cost-effective solutions. To know more about the company visit: Sales, Support Contact information Contact: For Sales: sales [@] lepide.com For Support: support [@] lepide.com For Resellers: resellers [@] lepide.com