IT SECURITY GURU PRODUCT REVIEW

Netwrix Auditor 6.5

Supplier: Netwrix Corporation
Product: Netwrix Auditor 6.5
Website: www.netwrix.com
Price: Active Directory per user, 8 ex VAT; File Server per user, 4 ex VAT

Scores: Performance, Features, Value for Money, Ease of Use, Support, Overall

Verdict: A sophisticated and affordable change and configuration auditing solution capable of providing stunning levels of information about all your business-critical systems.

Change auditing in today's diverse IT infrastructures is a major challenge, but businesses have a clear duty to implement these systems for their own safety and to comply with data protection regulations. A fundamental requirement is Active Directory (AD) auditing, but add in Exchange services, file servers and databases and you have an administrative nightmare in the making.

Netwrix Auditor looks to have every base covered and the latest v6.5 on review goes way beyond this basic remit. Not only can it audit AD and Group Policy, but it keeps you abreast of inactive accounts and provides complete visibility of Exchange, SQL Server, Windows Server and SharePoint systems.
Virtualised environments come under its umbrella as it can monitor VMware vCenter, vSphere, ESX and ESXi systems. Along with Windows file servers, Netwrix Auditor also supports NetApp filers plus EMC VNX, VNXe and Celerra storage devices.

Picture 1: Netwrix Auditor's dashboard provides a complete summary of all detected changes, where and when they occurred and who made them.

Modules and installation

We like the fact that Netwrix Auditor uses modules for each option so you only need to purchase the ones you want. Host system requirements are reasonable as it can run on any OS from Windows 7 or Server 2008 R2 upwards.
The installation process is well documented and easy to follow. Some manual intervention is required for Group Policy auditing as Microsoft's Group Policy Management Console (GPMC) must be installed on the host system.

For testing we introduced Netwrix Auditor to the lab network, which uses a Windows Server 2012 R2 AD domain controller. We also had systems running Exchange 2013, SQL Server 2014 and Windows Server 2012 R2 file servers.

Picture 2: Netwrix Auditor provides a wealth of information about Active Directory changes and heaps of predefined reports.
Swift AD audit setup

Netwrix Auditor impresses from the outset as every component is integrated seamlessly into a single console. Our first task was to create managed objects, and a handy wizard helped set up auditing for our AD domain, Group Policy and Exchange environments.

The process is very smooth and the wizard spotted that our domain had an Exchange organisation and automatically enabled auditing for this. During this process you can set data collection to use Netwrix Auditor's lightweight agent. Ideal for distributed networks, it gathers audit data on remote systems and compresses it before transmission to the main console.

Along with auto-configuration of native log collections for AD, Group Policy and Exchange, the wizard offers options for real-time alerts. These watch out for critical AD modifications, such as changes to the Admin group membership and domain configuration, and send email alerts to selected recipients.
Picture 3: The File Server module showed us everything we needed to know about activity on our network shares.

AD reporting

The Netwrix Auditor console opens with an Enterprise Overview showing what changes have been detected over the selected time period. Using the drop-down menu, we could quickly swap views for specific modules such as AD, Exchange, File Servers and SQL Server.

AD reporting is incredibly detailed as Netwrix provides hundreds of predefined reports covering everything from all AD changes by date and modified computer accounts to user account or organisational changes. The bottom line is we could easily see what was changed or added, when it happened and which user was responsible.

The same high level of detail was provided for Group Policy and Exchange, and we could schedule data collections for specific intervals each day. Using subscriptions, we could set up regular report generation and have the reports emailed to selected individuals in PDF, Word or Excel formats.

The rollback feature uses Netwrix Auditor's snapshots to provide recovery and rollback services, allowing us to restore any AD object from a user to an entire Organisational Unit. And if you need cast-iron proof that unauthorised changes have been made, the video report service provides links to video recordings of activity on monitored systems.
Picture 4: The Video Report Player gives you all the proof you need that unauthorised changes have been made.

File Server module

We found the File Server module the lengthiest to set up. We needed to create a new audit object for Group Policy, configure advanced security settings for every monitored share and add Netwrix Auditor managed objects for each one.

The manual does cover all these steps in detail and we think it's well worth the effort as the information provided is extensive. The Enterprise Overview dashboard shows the most active file servers and users along with logged reads and changes.

As with all dashboard views, we could select a graph and drill down for more information. Reports showed us which folders and files had been added, removed and modified, which server this occurred on, when it happened and the users involved.
The best of the rest

For our Exchange 2013 system, we could keep a close eye on mailbox and recipient management activities along with any modifications to servers, groups and stores. Creating a managed object for our SQL Server 2014 system was swift and its object change reports covered modifications ranging from application role, credential and schema to columns, tables and users.

VMware reporting is impressive as well, as Netwrix Auditor covers everything from modifications of datacenters and hosts to resource changes and snapshot activity. The VM sprawl report is very useful as it shows VM creation trends over time.

Conclusion

Netwrix Auditor 6.5 impressed us during testing as the amount of information it provided about our key systems was quite remarkable. Components such as the File Server module can take a while to configure correctly, but the single management console means it's all very accessible and the modular design makes it excellent value.