Lepide Software
LepideAuditor Suite

ENABLE LOGON/LOGOFF AUDITING

This document explains the steps required to enable the auditing of logon and logoff events for a domain.
Table of Contents

1. Introduction ... 3
2. Steps for Agent-based Auditing ... 3
3. Steps for Agentless Auditing ... 3
   3.1 Installing Logon/Logoff Audit Module ... 4
   3.2 Stopping Logon/Logoff Module ... 10
   3.3 Uninstalling Logon/Logoff Audit Module ... 11
4. Common Steps for Server ... 13
   4.1 Generating Logon.exe file ... 13
   4.2 Creating Group Policy Object at Server ... 19
5. Support ... 32
   5.1 Helpline ... 32

2015 Lepide Software Pvt. Ltd. Page 2
1. Introduction

To collect logon/logoff events, LepideAuditor Suite needs an agent added on the server and a Group Policy at the server linked with this agent. This lets the software monitor logon/logoff events, generate their reports, show their LiveFeed updates, send their reports on schedule, and dispatch alerts in real time. The following items will not be generated if the required steps are not performed on the server:

- "Successful User Logon/Logoff" and "Domain Controller Logon/Logoff" reports
- Custom reports, LiveFeed, alerts, and scheduled reports for the above reports

2. Steps for Agent-based Auditing

If agent-based auditing is selected, the agent that collects logon and logoff events is installed on the server by default. No additional steps are required apart from the common steps for the server described in section 4 below.

3. Steps for Agentless Auditing

In agentless auditing, no agent is installed on the server to collect logon and logoff events. Therefore, a module agent has to be installed on a Domain Controller of the domain; it collects these events and passes them to the software. A separate installer file for the logon/logoff module is supplied with the downloaded setup. Run this installer file to install the Logon/Logoff Audit Module agent on any domain controller of the domain. Refer to section 3.1, Installing Logon/Logoff Audit Module, for details.
3.1 Installing Logon/Logoff Audit Module

If you are adding the domain in agentless mode, that is, without installing an agent, then the LepideAuditor Logon/Logoff Audit Module has to be installed on one of the domain controllers to collect logon/logoff events. If it is not installed, logon/logoff events are not collected; therefore the reports ("Successful User Logon/Logoff" and "Domain Controller Logon/Logoff") and their associated LiveFeed, alerts, and scheduled reports are not generated.

The installer file for this module comes with the main setup file of the software, which you can download from http://www.lepide.com/lepideauditor/download.html. After downloading the installer file, execute the following steps to install the Logon/Logoff Audit Module.

1. Double-click the downloaded installer file to start the installation.

Figure 1: Starting the Installation
2. Click "Next" to proceed. This displays the following wizard.

Figure 2: License Agreement

3. It is recommended to read the license agreement carefully before installing the software.

4. If you agree to the license agreement and want to continue the installation, check "I accept the agreement" and click "Next".
5. Here, you can customize the location of the shortcuts folder in the Start Menu.

Figure 3: Option to modify the Shortcuts folder

6. Click "Browse" and select a different location to change the location of the shortcuts folder in the Start Menu.
7. Click "Next" to use the default or customized shortcuts folder. This displays the following screen.

Figure 4: Perform Additional Tasks

8. Check the boxes titled "Create a desktop icon" and/or "Create a Quick Launch icon" if you want them.

9. Click "Next" to proceed.
Figure 5: Module is now ready to install

10. Click "Install" to begin the installation procedure.

Figure 6: Module is being installed
11. When the installation has completed successfully, you will receive the following message.

Figure 7: Module is installed

12. Click the "Finish" button to complete the process. It is recommended to keep the option "Launch LepideAuditor Logon/Logoff Audit Module" checked.

Figure 8: Module is running
13. You can click the cross icon on this dialog box to close it. However, the LepideAuditor Logon/Logoff Audit Module keeps running and its icon remains visible in the system tray.

Figure 9: Showing icon and options for Logon/Logoff Audit Module

3.2 Stopping Logon/Logoff Module

You have to stop the module's app server either to stop receiving logon/logoff events or to uninstall the module. Follow the steps below.

1. Right-click the server icon in the system tray and click "Exit".

Figure 10: Option to stop and exit from Logon/Logoff Audit Module

2. Once you click "Exit", the following warning message appears on screen.

3. Click "Yes" to stop the module.

Figure 11: Warning Message while stopping module
3.3 Uninstalling Logon/Logoff Audit Module

Execute the following steps to uninstall the Logon/Logoff Module.

1. There are two ways to start the uninstallation.
   a. Go to Start > All Programs > "LepideAuditor Logon/Logoff Audit Module" and click "Uninstall LepideAuditor Logon/Logoff Audit Module".
   b. Click Start > Control Panel. In the Control Panel window, launch "Add/Remove Programs" or "Programs". Select "LepideAuditor Logon/Logoff Audit Module" and click "Remove".

2. Either of the above methods displays a warning message.

3. Click "Yes" to uninstall the module.

Figure 12: Warning to uninstall the module
Figure 13: Module is being uninstalled

4. After the uninstallation completes, the following message box appears.

5. Click "OK" to finish the process.

Figure 14: Module has been uninstalled

This uninstalls the LepideAuditor Logon/Logoff Audit Module from your system.
4. Common Steps for Server

You have to perform the following steps to generate logon.exe for the server and then to create a Group Policy to link it. This enables the monitoring of logon/logoff events. If you have not generated "logon.exe" and linked it with the server, you will get the following error while generating the "Successful User Logon/Logoff" or "Domain Controller Logon/Logoff" report.

Figure 15: Error while generating logon/logoff reports

Follow the steps below, for both agentless and agent-based auditing, to fix this issue and enable the collection of logon/logoff events.

4.1 Generating Logon.exe file

Perform the steps below in the software to generate the Logon.exe file that enables monitoring.

1. Use either of the following methods to start.
   A. While adding a domain with Advanced Configuration, you reach the following step.
Figure 16: Advanced Domain Configuration

   B. While modifying the domain, click "Object Class and Other Settings" to access the following settings.
Figure 17: Modifying Object Class and other Settings

2. Check the "Audit Successful User Logon/Logoff" option.

3. Click the icon. This shows the following dialog box.

Figure 18: Dialog box to create logon/logoff script
4. Follow either of the steps below as per the auditing mode.
   a. For Agent-based Auditing: enter the "IP Address" of the server whose logon/logoff events have to be monitored.
   b. For Agentless Auditing: enter the IP Address of the domain controller where the Logon/Logoff Audit Module has been installed.

5. Click the icon to browse for the location on the server where you want to save this executable file.

Figure 19: Browse for Server

It is recommended to save the executable file in the shared folder of the server whose logon/logoff events you want to monitor.

6. Select the folder and click "OK". This takes you back to the previous dialog box, which now shows the selected folder.
Figure 20: Sample details to save executable file

7. Click "OK". This generates the executable file and saves it at the specified location. You receive the following message confirming this.

Figure 21: Successfully generated executable file

8. Click the link saying "Please follow link" to see the steps to be performed at the server. It opens an HTML file in the default web browser.
Figure 22: Document showing further steps to be performed
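Section 4.1 leaves a Logon.exe on a shared folder of the server, and section 4.2 then makes every user's logon session run it. Before linking it through Group Policy, a practitioner wants to confirm that only administrators can change that file and to record what was generated. The PowerShell below is an added example, not part of the Lepide document or of the LepideAuditor software; the share path \\SERVER01\LepideScripts\Logon.exe and the list of allowed writers are placeholders to adjust to your environment.

```powershell
# Added example, not part of the Lepide document: check the Logon.exe that section 4.1
# generated on the server share before section 4.2 makes every domain user run it.
# Placeholders (not values from the document): the share path below and the list of
# principals that are allowed to modify the file.

function Test-LogonScriptFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $AllowedWriters = @('BUILTIN\Administrators',
                                        'NT AUTHORITY\SYSTEM',
                                        'CREATOR OWNER')
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Logon script not found at $Path"
        return $false
    }

    $item = Get-Item -LiteralPath $Path
    $acl  = Get-Acl  -LiteralPath $Path

    # Any of these rights lets a principal replace or alter the executable
    # that the GPO will later launch in every user's logon session.
    [System.Security.AccessControl.FileSystemRights]$writeMask =
        'Write, Modify, FullControl, TakeOwnership, ChangePermissions, Delete'

    $unexpected = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $writeMask) -ne 0) -and
        ($AllowedWriters -notcontains $_.IdentityReference.Value)
    })

    # Record a hash of the file as generated, so a later change can be noticed.
    $info = [pscustomobject]@{
        Path          = $item.FullName
        Owner         = $acl.Owner
        SizeBytes     = $item.Length
        LastWriteTime = $item.LastWriteTime
        Sha256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    Write-Host ($info | Format-List | Out-String)

    if ($unexpected.Count -gt 0) {
        Write-Warning 'Principals outside the allowed list can modify the logon script:'
        Write-Host ($unexpected |
            Select-Object IdentityReference, FileSystemRights, IsInherited |
            Format-Table -AutoSize | Out-String)
        return $false
    }

    Write-Host 'Logon script ACL is restricted to the allowed writers.'
    return $true
}

# Usage (placeholder path; run from a machine that can reach the share):
Test-LogonScriptFile -Path '\\SERVER01\LepideScripts\Logon.exe'
```

Keep the printed SHA256 with your change records: if the hash of the file on the share, or of the copy that step 15 of section 4.2 places in SYSVOL, later differs, the executable has been changed since it was generated.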
4.2 Creating Group Policy Object at Server

Execute the steps below at the domain controller for which you want to enable logon/logoff monitoring.

1. Go to "Start Menu" > "All Programs" > "Administrative Tools" > "Group Policy Management". This displays the Group Policy Management window.

Figure 23: Group Policy Management

2. In the left panel, expand the nodes to reach the node of the domain controller.
3. Right-click the node of the domain. This displays the following context menu.

Figure 24: Context Menu for a DC in Group Policy Management

4. Select the option "Create a GPO in this domain, and Link here...". This displays the following dialog box to create a new Group Policy Object (GPO).

Figure 25: Box to create a new GPO

5. Provide a name for the new Group Policy, say "Logon Logoff by LepideAuditor".

Figure 26: Providing a name for the GPO
6. Click "OK". This creates the new GPO and shows it in Group Policy Management.

Figure 27: Showing the newly created GPO
7. Right-click this newly created GPO.

Figure 28: Right Click Menu for the new GPO

8. Select the option "Edit" in this context menu. This shows the Group Policy Management Editor.

Figure 29: Group Policy Management Editor
9. In the left pane, expand the nodes in this order: "Logon Logoff by LepideAuditor" > "User Configuration" > "Policies" > "Windows Settings" > "Scripts (Logon/Logoff)". This displays two policies, Logon and Logoff, in the right panel.

Figure 30: Showing Logon and Logoff Policies

10. Here, you have to modify either of these two policies. In this example, we are modifying the Logon policy.
11. Double-click the "Logon" policy in the right panel. This displays the following dialog box.

Figure 31: Logon Properties

12. Click "Add" on this tab. This displays the following box to add a script.

Figure 32: Dialog box to add a logon script
13. Click "Browse" in this new box. Leave this box open as it is.

Figure 33: Dialog box to open a logon script file
14. Open the shared folder where you have copied the "Logon.exe" script file and copy it.

Figure 34: Copying file "Logon.exe"

15. Paste this "Logon.exe" file in the folder section of the "Browse" window.
Figure 35: Pasted the file named "Logon.exe"

16. Select the file and click "Open". This takes you back to the "Add a Script" box, which displays the selected file.

Figure 36: File has been selected
17. Click "OK". This takes you back to "Logon Properties".

Figure 37: Required Logon Properties

18. Click "Apply" and then "OK". This closes "Logon Properties".

19. Close the "Group Policy Management Editor" window.

20. Return to the "Group Policy Management" window.

21. Select the newly created/modified policy in the left panel. This displays its details in the right panel.
Figure 38: Showing the properties of newly created policy

22. In its right panel, the "Security Filtering" section lets you select the objects (users, groups and computers) to which this policy will be applied.

23. Click "Add" to display the box for adding the objects to which this policy will apply.

Figure 39: Select the objects to be affected by this policy
24. Type "Everyone" in the text box and click "Check Names". This selects all objects.

Figure 40: Selecting everyone

25. Click "OK" to confirm the change and return to the "Group Policy Management" window, which now displays the newly added object.

Figure 41: Showing 'Everyone' in Security Filtering
26. Close the "Group Policy Management" window.

27. Go to the Run prompt or Command Prompt and type the command "gpupdate".

Figure 42: Command Prompt

28. Press Enter to run the "gpupdate" command. This updates the group policies.

Figure 43: Updated the Group Policies successfully
29. Log off the current user and then log on again at the Windows Server so that Logon.exe runs on the server. This enables both the collection of logon/logoff events and the generation of the relevant reports, alerts, and LiveFeed updates.

5. Support

If user logon and logoff events are still not being captured and/or displayed in LepideAuditor Suite, please contact our Support Team.

5.1 Helpline

+91-9818725861
1-866-348-7872 (Toll Free for USA/CANADA)

You can also email us about your queries at:
sales@lepide.com for Sales
support@lepide.com for Support
contact@lepide.com for General Queries
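Section 4.2 builds the GPO entirely through the Group Policy Management console. The PowerShell below is an added example, not part of the Lepide document or of the LepideAuditor software, that checks the result of those steps from a domain controller or an administration host: the GPO exists and is linked at the domain root (steps 4 to 6), "Everyone" is in its security filtering (steps 22 to 25), the Logon policy carries Logon.exe (steps 9 to 18), and the copy of Logon.exe that step 15 pasted into the GPO's SYSVOL folder is present. It assumes the GroupPolicy RSAT module is installed, that the GPO is named "Logon Logoff by LepideAuditor" as section 4.2 suggests, and that SYSVOL follows the standard Policies\{GUID}\User\Scripts\Logon layout; the GPO report is read with local-name() so the namespace prefixes in the XML do not matter.

```powershell
# Added example, not part of the Lepide document: confirm the GPO built in section 4.2
# is linked to the domain, has "Everyone" in its security filtering, and carries the
# Logon.exe logon script, before relying on gpupdate and a logoff/logon.
# Assumptions: GroupPolicy RSAT module installed; GPO named as section 4.2 suggests;
# standard SYSVOL layout Policies\{GUID}\User\Scripts\Logon.

Import-Module GroupPolicy -ErrorAction Stop

function Test-LepideLogonGpo {
    [CmdletBinding()]
    param(
        [string] $GpoName    = 'Logon Logoff by LepideAuditor',
        [string] $ScriptName = 'Logon.exe'
    )

    $gpo      = Get-GPO -Name $GpoName -ErrorAction Stop
    $domainDn = 'DC=' + (($gpo.DomainName -split '\.') -join ',DC=')
    $ok       = $true

    # 1. Link: the GPO must be linked and enabled at the domain root (steps 4 to 6).
    $link = (Get-GPInheritance -Target $domainDn).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $link -or -not $link.Enabled) {
        Write-Warning "GPO '$GpoName' is not linked and enabled at $domainDn"
        $ok = $false
    }

    # 2. Security filtering: who is allowed to apply the GPO (steps 22 to 25).
    $appliesTo = @(Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name })
    Write-Host "GPO applies to: $($appliesTo -join ', ')"
    if ($appliesTo -notcontains 'Everyone') {
        Write-Warning "'Everyone' is not in the security filtering of '$GpoName'"
        $ok = $false
    }

    # 3. Logon script entry (steps 9 to 18), read from the XML report.
    #    local-name() sidesteps the namespace prefixes the report uses.
    [xml]$report  = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $logonScripts = @($report.SelectNodes("//*[local-name()='Script']") |
        Where-Object { $_.Type -eq 'Logon' } |
        ForEach-Object { $_.Command })
    if ($logonScripts -notcontains $ScriptName) {
        Write-Warning "No logon script named $ScriptName; configured: $($logonScripts -join ', ')"
        $ok = $false
    }

    # 4. The file the GPO runs: step 15 pastes it into the GPO's own SYSVOL folder.
    $sysvolFile = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\User\Scripts\Logon\$ScriptName"
    if (Test-Path -LiteralPath $sysvolFile -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $sysvolFile -Algorithm SHA256).Hash
        Write-Host "Script in SYSVOL: $sysvolFile (SHA256 $hash)"
    } else {
        Write-Warning "Script not found in SYSVOL at $sysvolFile"
        $ok = $false
    }

    return $ok
}

Test-LepideLogonGpo
```

After steps 27 to 29 (gpupdate, then log off and on again), "gpresult /r" run in the user's session lists the GPOs that were applied to that user; "Logon Logoff by LepideAuditor" should appear under the user settings, and the SHA256 printed here should match the hash recorded when the file was generated in section 4.1.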