LT Auditor+ for Windows Quick Start Guide
Documentation issue: 5.3
Copyright Blue Lance Inc.
Distributed by:
LT Auditor+ for Windows: Overview

LT Auditor+ is a security software application that provides surveillance of user activity for Microsoft Windows & Novell NetWare servers and security activity for Microsoft Active Directory/NT Domains & Novell eDirectory/NDS to produce an enterprise wide audit trail. LT Auditor+ monitors, records, alerts on & reports on key user generated events across your network servers, providing consolidated reporting of security sensitive activity. LT Auditor+ meets the requirements of auditors by providing detailed reporting of who did what, where and when.

LT Auditor+ for Windows works in conjunction with event logs and can be configured to monitor Microsoft Windows Active Directory or NT Domain activity, file/directory activity, login activity and system activity on the network in real time. Filters can be configured according to user defined security policies to collect logs for auditing. Audit logs collected on individual servers can be sent to a single server for enterprise wide consolidated reporting.

SUPPORTED FEATURES
- Unobtrusively monitors and audits users, files and system activity
- Tracks sensitive files and directories using powerful filtering technology
- Immediate notification of security breaches via optional real time alerts
- Alerts deliverable via SNMP, SMTP or network broadcasts
- Granular reporting for faster and easier forensic analysis
- Monitors all Active Directory/NT Domain changes
- Supports Windows 2000, Windows Server 2003, Windows NT4 & all Active Directory/NT Domain versions on these platforms
- Powerful event filtering at collection and/or reporting stage
- Consolidated repository; multi server and cross platform (Windows/NetWare)
- Supports MS SQL & Oracle databases as well as XML & Pervasive Btrieve
- Pre defined audit exception reports and customisable options
- Drill down for more extensive forensic reporting

All trademarks contained in this document are the properties of their respective owners.
Concept
- LT Auditor+ Management Console installed on a Windows server that will be the LT Auditor+ Manager
- Windows servers are remotely installed from this console
- Audit policies set on each server cause Windows to write events to the Event Logs
- Agent Services run on every Windows server (including the LT Auditor+ Manager server), collecting from the Event Logs in real time
- Data collected according to configured filters, via logical Groups defined on the Manager
- Optional alerts according to configured filters
- Regular transfer to the Manager server
- Daily rollup to database
- Reports run from the database using the LT Auditor+ SQL Report Generator
- Cross platform consolidation from NetWare: data is transferred via IP from the LT Auditor+ NetWare gateway server to the LT Auditor+ Windows Manager server
1. Getting Started

For further information, or if you encounter any problems installing, please see the following files:
- README.TXT in the unzip folder or the Windows folder of the CD
- LT Auditor+ for Microsoft Windows User Guide.PDF (Adobe Acrobat) in the Manuals folder
- LTA.CHM (Compiled Help) in the "Program Files\BlueLance, Inc\LT Auditor+ for Windows" folder

For additional information, please try our web support page (www.altman.co.uk/support), which has a Frequently Asked Questions (FAQ) section; if this does not help, contact Altman Technologies (see front sheet for contact details).

The software is available as a download from the web or can be supplied on CD. The zip file you are provided with specifies the version number in its name & needs to be unzipped. Please read this entire document before starting the installation.

Setting up Windows 2000/NT security policies

Windows audit policies determine which security events are logged to the event logs. To set up audit policies:

In your Microsoft Windows 2000 environment:
a. From the Administrative Tools folder, launch the Local Security Policy (Windows 2000 Professional), Domain Controller Security Policy (Windows 2000 Server) or the Domain Security Policy (Windows 2000 Advanced Server) application.
   Note: The application you select is determined by the type of Windows 2000 operating system installed on your computer.
b. Select Local Policies > Audit Policy and double click a policy name to modify that policy's settings.

In your Microsoft Windows NT environment:
a. From the Administrative Tools folder, launch the User Manager or Domain User Manager application.
b. Select Policies > Audit and modify the policy's settings.

You can set up file auditing policies for each directory that you want to audit. For complete instructions on setting file auditing policies, refer to Appendix A of the manual.

It is recommended that the user installing LT Auditor+ should have administrative rights (i.e. Administrator equivalent on the Windows server that is the Manager & a member of the Domain & Enterprise Administrators groups for remote server installs).

System Requirements:

Hardware
- 128 MB of RAM or more
- 300 MB of disk space or more

Software
- Windows NT 4 (SP6a) + IE 5.x or above & TCP/IP enabled
- Windows 2000 (SP3 or above)
- Windows XP (SP1 or above)
- Windows 2003 server
2. Server Installation

Event Log configurations

To set up the event log configuration in a Windows environment:
1. Launch the Event Viewer.
2. In Windows 2000, right click an event log folder and select Properties. In Windows NT, select the Log menu and Log Settings.
3. Modify the log properties settings.
   a. Modify the Maximum log size field based on your storage requirements, but not less than 10240KB (Security event log) or 1024KB (all other event logs).
   b. Modify the When maximum log size is reached section. To ensure that all events are correctly captured, select Overwrite events as needed.

Setting up the database

LT Auditor+ can be used with any of the following databases:
- Btrieve or XML
- Microsoft SQL Server 2000/7.0
- Oracle databases 8i or later

Btrieve and XML are built in to the product, so no set up is required. To create a database using SQL Server 7.0 or SQL Server 2000, refer to the following guidelines:
- Create a basic or custom database.
- Create the structure within the database for LT Auditor+ to run properly. This structure comprises three database components: (i) Tables, (ii) Views, (iii) Stored procedures.
- Assign permissions to the database.

Note: For SQL Server installation requirements, refer to the Microsoft website at: http://www.microsoft.com
Note: For Oracle installation requirements, refer to the Oracle website at: http://www.oracle.com

For further instructions on constructing a SQL or Oracle database, refer to Chapter 3 Constructing a Database in the manual.

Installing LT Auditor+ for Windows

To install LT Auditor+ on a workstation or server:
1. Insert the LT Auditor+ CD into the CD ROM drive.
2. If Autorun is enabled, select LT Auditor+ for Windows. If Autorun is not enabled, execute Setup.exe from the NT folder on the CD.
3. The Install Wizard displays a welcome message and guides you through the installation process.
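As an added example (not part of this guide or of the LT Auditor+ product), the following PowerShell script checks every event log on the local machine against the minimum sizes and the Overwrite events as needed setting given under Event Log configurations above, and applies them when run with -Fix. It assumes Windows PowerShell's Get-EventLog and Limit-EventLog cmdlets, which exist on Windows Vista/Server 2008 and later rather than on the NT4/2000 systems the guide describes.

```powershell
# Added example, not part of the LT Auditor+ documentation: compare each event
# log with the Quick Start minimums (10240KB for Security, 1024KB for all other
# logs, overflow set to "Overwrite events as needed") and optionally apply them.
# Assumes Windows PowerShell with Get-EventLog / Limit-EventLog (Vista/2008+).
# -Fix needs an elevated prompt because it changes log settings.
param(
    [switch]$Fix
)

# Minimum sizes from the guide, in kilobytes.
function Get-RequiredKB([string]$LogName) {
    if ($LogName -eq 'Security') { return 10240 } else { return 1024 }
}

foreach ($log in Get-EventLog -List) {
    $name     = $log.Log
    $required = Get-RequiredKB $name
    $sizeOk   = $log.MaximumKilobytes -ge $required
    # The guide recommends "Overwrite events as needed" so a full log never drops events.
    $wrapOk   = $log.OverflowAction -eq 'OverwriteAsNeeded'

    # One report row per log, emitted to the pipeline for Format-Table / Export-Csv.
    [pscustomobject]@{
        Log            = $name
        MaxKB          = $log.MaximumKilobytes
        RequiredKB     = $required
        OverflowAction = $log.OverflowAction
        Compliant      = ($sizeOk -and $wrapOk)
    }

    if ($Fix -and -not ($sizeOk -and $wrapOk)) {
        # Limit-EventLog takes the size in bytes (a multiple of 64KB); never shrink a log.
        $newKB = [math]::Max($log.MaximumKilobytes, $required)
        Limit-EventLog -LogName $name -MaximumSize ($newKB * 1KB) -OverflowAction OverwriteAsNeeded
    }
}
```

Run it without -Fix first to see which logs fall short; the Compliant column is what an auditor would check before trusting the collected trail.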
Remote Server Installation

Before you attempt to install LT Auditor+ on a remote server or workstation, you must be connected to the workstation/server and have administrative rights. To install LT Auditor+ remotely on a workstation or server, select Start > Programs > LT Auditor+ > LT Auditor+ for Windows > Remote Install and the Install Wizard guides you through the installation process.

3. Configuring LT Auditor+

To configure LT Auditor+, launch the LT Auditor+ Management Console.

1. Configure the rollup destination database by performing the following steps:
   a. Select the Manager Console window.
   b. Right click on the root and select Settings for [machinename].
   c. On the General tab, select one of the following databases:
      i. LT Auditor+ Custom Format (= XML)
      ii. Pervasive Btrieve
      iii. Microsoft SQL Server
      iv. Oracle
   d. Click the Advanced button to configure database connectivity information such as server name, database name, user, and password. If you select LT Auditor+ Custom Format or Pervasive Btrieve, you can specify the destination file name.
2. On the Event Log List tab, add the Event logs to be audited; it is recommended to use the LT Auditor+ Processed Log for evaluation purposes.
   Note: An event log will be audited only if there is at least 1 filter statement associated with it.
   a. Amend the Archive, Transfer, SNMP and SMTP settings used within the application, if required, from their respective tabs.
3. a. Create a filter statement for each event log that needs to be audited. Ensure that RealTime is specified for the log collection type.
   b. Configure jobs to:
      i. Transfer audit data
      ii. Rollup data into the required database
   Note: For complete details on creating a job policy or filter statement, refer to the manual.
4. Create group(s) and their agent server(s) by performing these steps:
   a. From the Manager Console window, create a new group.
   b. Right click the newly created group and create a new agent.
   Note: An agent can be added to a group only if it is not assigned to another manager.
5. Modify the agent's policy information by performing the following steps:
   a. From the Manager Console window, right click the group just created and select Policy Information for xxx (where xxx represents the group name).
   b. Repeat steps 2 & 3 (above) to configure the group's policy information.
   c. Create a Deployment job to send the group configuration to all member agents.
Assigning authorised users to manage LT Auditor+

By default, the user installing LT Auditor+ is the only user authorised to manage LT Auditor+. To allow other users to manage LT Auditor+, they need to be included in the authorised users list. All authorised users must have the following Windows trustee rights on all servers they manage:
- Full Control to the folder where LT Auditor+ is installed
- Full Control to the Windows directory (usually C:\WinNT)

For complete instructions on using LT Auditor+ for Windows, refer to the manual.

Uninstalling

Uninstalling the software from the Manager server desktop does not automatically uninstall the agent servers. To do this, first free the agents by deleting them from within the group in the Manager Console, then uninstall the agent server(s) from their Control Panel, Add/Remove Programs. Finally, run uninstall for the LT Auditor+ Windows software from the Control Panel, Add/Remove Programs on the Manager server.

Registering

LT Auditor+ comes with a fully functional, 30 day evaluation licence. Before the end of this evaluation, if you wish to buy, we will supply you with a serial number to turn the evaluation into a fully licensed version, enabling you to keep all the data & filters you have collected and customised.

Updating versions

There is no need to uninstall first. New versions can safely be installed over previous versions as long as you are within maintenance. You need to run Setup on a workstation, say Yes when it detects that a version of LT Auditor+ Windows is already installed, and then use the Patch job from the Management Console to update all agent servers. For more detailed instructions on how to upgrade, please see the Upgrade Start_Up document that accompanies each new version.

Testing

To test that everything is running correctly, we recommend you set up filters & jobs as above, and then leave the agent services collecting for a day. You should then be able to report from the data collected using the (separately installed) LT Auditor+ Report Generator.