NETWRIX WINDOWS SERVER CHANGE REPORTER
INSTALLATION AND CONFIGURATION GUIDE

Product Version: 4.0
March 2013

Legal Notice

The information in this publication is furnished for information use only, and does not constitute a commitment from NetWrix Corporation of any features or functions discussed. NetWrix Corporation assumes no responsibility or liability for the accuracy of the information presented, which is subject to change without notice.

NetWrix is a registered trademark of NetWrix Corporation. The NetWrix logo and all other NetWrix product or service names and slogans are registered trademarks or trademarks of NetWrix Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and registered trademarks are property of their respective owners.

Disclaimers

This document may contain information regarding the use and installation of non-NetWrix products. Please note that this information is provided as a courtesy to assist you. While NetWrix tries to ensure that this information accurately reflects the information provided by the supplier, please refer to the materials provided with any non-NetWrix product and contact the supplier for confirmation. NetWrix Corporation assumes no responsibility or liability for incorrect or incomplete information provided about non-NetWrix products.

© 2013 NetWrix Corporation. All rights reserved.

Table of Contents

1. INTRODUCTION
   1.1. Overview
   1.2. How This Guide is Organized
   1.3. Free Pre-Sales Support
2. INSTALLATION PREREQUISITES
   2.1. Deployment Options
   2.2. Hardware Requirements
   2.3. Software Requirements
   2.4. Target Computer Requirements
   2.5. Supported Microsoft SQL Server Versions
3. INSTALLING NETWRIX WINDOWS SERVER CHANGE REPORTER
4. CONFIGURING RIGHTS AND PERMISSIONS
5. CONFIGURING AUDIT SETTINGS ON TARGET SERVERS
   5.1. Configuring Windows Registry Audit Settings
   5.2. Configuring Local Audit Policies
   5.3. Maximum Event Log Size and Retention Method
6. UPGRADING FROM PREVIOUS VERSIONS
7. UNINSTALLING NETWRIX WINDOWS SERVER CHANGE REPORTER
A APPENDIX: RELATED DOCUMENTATION

1. INTRODUCTION

1.1. Overview

This guide lists all product requirements and provides detailed instructions on how to install and set up NetWrix Windows Server Change Reporter. For information on how to configure and use the product, refer to NetWrix Windows Server Change Reporter Administrator's Guide.

1.2. How This Guide is Organized

This section explains how this guide is organized and provides a brief overview of each chapter.

- Chapter 1 Introduction: the current chapter. It explains the purpose of this document and its structure.
- Chapter 2 Installation Prerequisites lists all product hardware and software requirements, requirements for the target servers and supported Microsoft SQL Server versions.
- Chapter 3 Installing NetWrix Windows Server Change Reporter contains instructions on how to install NetWrix Windows Server Change Reporter.
- Chapter 4 Configuring Rights and Permissions explains how to configure rights and permissions for accounts used to collect data from target computers, to access the SQL database, and/or view reports.
- Chapter 5 Configuring Audit Settings on Target Servers provides instructions on how to configure audit settings on the target servers for monitoring by NetWrix Windows Server Change Reporter.
- Chapter 6 Upgrading from Previous Versions explains how to upgrade the product to the latest released version.
- Chapter 7 Uninstalling NetWrix Windows Server Change Reporter provides instructions on how to uninstall the product and remove its agents.
- A Appendix: Related Documentation contains a list of all documentation published to support NetWrix Windows Server Change Reporter.

1.3. Free Pre-Sales Support

You are eligible for free technical support during the evaluation period of all NetWrix products. If you encounter any problems or would like assistance with the installation, configuration or implementation of NetWrix Windows Server Change Reporter, contact NetWrix Technical Support.

2. INSTALLATION PREREQUISITES

2.1. Deployment Options

NetWrix Windows Server Change Reporter can be installed on any computer in any domain, or a workgroup. If you wish to monitor several domains, establish a trust relationship between these domains and the domain where the product is installed.

Note: NetWrix Windows Server Change Reporter requires remote access to a set of standard Windows services, such as Remote Registry, Windows Management Instrumentation (WMI), and so on. If your target servers are behind a firewall, refer to the following NetWrix Knowledge Base articles for configuration details: How to audit servers located in another subnet behind firewall and Ports required to monitor servers over the firewall.

2.2. Hardware Requirements

Before installing NetWrix Windows Server Change Reporter, make sure that your hardware meets the following requirements:

Table 1: Hardware Requirements

Hardware Component | Minimum | Recommended
Processor | Intel or AMD 32 bit, 500MHz | Intel or AMD 64 bit, 3GHz
Memory | 512MB RAM | 2GB RAM
Disk space | 50MB | 20GB

Note: The Itanium (IA64) processor is not supported.
Note: More memory is required if the SQL database containing audit data runs on the same computer.

2.3. Software Requirements

Before installing NetWrix Windows Server Change Reporter, make sure that your system meets the following software requirements:

Table 2: Software Requirements

Component | Requirement
Operating System | Windows XP SP3 or above
Framework | .NET Framework 3.5
Additional Software | Windows Installer 3.1 or above; Microsoft Management Console 3.0 or above

Note: Microsoft Management Console is included in the Windows XP or above operating systems.

2.4. Target Computer Requirements

The following requirements apply to the monitored computers:

Table 3: Target Computer Requirements

Component | Requirement
Operating System | Windows XP or above
Framework | .NET Framework 2.0, 3.0 or 3.5. NOTE: Only required if you enable the Network Traffic Compression product option.
Services | Make sure that the Remote Registry and Windows Management Instrumentation (WMI) services are started.

2.5. Supported Microsoft SQL Server Versions

Microsoft SQL Server provides the Reporting Services that enable creating, viewing and managing reports based on data stored in a local SQL Server database. NetWrix Windows Server Change Reporter uses these Reporting Services to generate reports on changes to the monitored computers.

To use the Reports functionality, Microsoft SQL Server must be installed on a computer that can be accessed by NetWrix Windows Server Change Reporter. The following Microsoft SQL Server versions are supported:

Table 4: Supported Microsoft SQL Server Versions

Version | Edition
SQL Server 2005 | Express Edition with Advanced Services (SP3 or above); Standard or Enterprise Edition
SQL Server 2008 | Express Edition with Advanced Services; Standard or Enterprise Edition
SQL Server 2008 R2 | Express Edition with Advanced Services; Standard or Enterprise Edition
SQL Server 2012 | Express Edition with Advanced Services; Standard or Enterprise Edition

Microsoft SQL Server is not included in the product installation package and must be installed manually or automatically through the Reports Configuration wizard. This wizard automatically installs SQL Server Express with Advanced Services and configures the Reporting Services. The SQL Server version installed through the wizard depends on the operating system your computer is running (for details, refer to the following NetWrix Knowledge Base article: Which SQL Server versions can be installed automatically via NetWrix Management Console).

For your convenience, we have provided instructions on the manual installation of Microsoft SQL Server with Reporting Services required for NetWrix Windows Server Change Reporter. For details refer to the following NetWrix technical article: Installing Microsoft SQL Server and Configuring the Reporting Services. For full installation and configuration details, refer to the documentation provided by Microsoft.

Note: If you install NetWrix Windows Server Change Reporter on a read-only domain controller, SQL Server installation will fail (whether manual or automatic through the Reports Configuration wizard). This is a known issue; for details refer to the following Microsoft Knowledge Base article: You may encounter problems when installing SQL Server on a domain controller. To fix the issue, install the product on a different computer, or install SQL Server manually on a different computer that can be accessed by NetWrix Windows Server Change Reporter.

3. INSTALLING NETWRIX WINDOWS SERVER CHANGE REPORTER

Procedure 1. To install NetWrix Windows Server Change Reporter

1. Download NetWrix Change Reporter Suite.
2. On the page that opens, click the Install link under Windows Server:

   Figure 1: NetWrix Change Reporter Suite Main Page

3. Follow the instructions of the setup wizard.
4. When prompted, accept the license agreement and specify the installation folder.
5. On the last step, click Finish.

Product shortcuts will be added to the Start menu.

4. CONFIGURING RIGHTS AND PERMISSIONS

The account that is used for data collection from target computers (the Data Processing Account), as well as other accounts you may use to access the SQL database and/or view reports, must comply with the requirements listed in the table below:

Table 5: Required Rights and Permissions

Account: Data Processing Account.
Task: To run the product scheduled task and data collection
Requirements:
- Local administrator rights, including Manage auditing and security log policy enabled and Log on as a batch job policy defined;
- If the computer with the product installed and the monitored servers belong to the same domain, this account must be assigned the domain administrator permissions;
- If the computer with the product installed and the monitored servers belong to a workgroup or different domains, the target servers must have accounts with the same name and password as the Data Processing Account. All these accounts must be assigned the local administrator permissions, including the Log on as a batch job policy defined.
For details on how to define the policy, refer to Procedure 2 To define the Log on as a batch job policy.

Account: Data Processing Account, or another account used to access the SQL database.
Task: To access the SQL database with audit data
Requirements: Target database owner (dbo) role. For details on how to assign the dbo role to an account, refer to Procedure 3 To assign the database owner (dbo) role.

Account: Account used to upload reports to the Report Server and to view reports.
Task: To view reports in NetWrix Management Console
Requirements: Content Manager role for the SSRS Home folder. For details on how to assign the role, refer to Procedure 4 To assign the Content Manager role.

Account: Account used to view reports.
Task: To view reports in a browser
Requirements: Browser role for the SSRS Home folder.

Procedure 2. To define the Log on as a batch job policy

1. On a domain controller, navigate to Start → Administrative Tools → Group Policy Management.
2. Expand the Forest → Domains → <your_domain> node, right-click Default Domain Policy and select Edit from the pop-up menu.
3. In the Group Policy Management Editor, in the left pane, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment and locate the Log on as a batch job policy on the right:

   Figure 2: Group Policy Management Editor

4. Double-click this policy. In the dialog that opens, select the Define these policy settings: option and click the Add User or Group button:

   Figure 3: Logon as a batch job Properties

5. Specify the account that you want to define this policy for, and click OK to save the changes.

Procedure 3. To assign the database owner (dbo) role

1. On the computer where SQL Server is installed, navigate to Start → All Programs → Microsoft SQL Server → SQL Server Management Studio.
2. Select the server and click Connect.
3. In the left pane, expand the Security node. Right-click the Logins node and select New Login from the pop-up menu. The Login - New dialog will be displayed:

   Figure 4: Login - New: General

4. Click the Search button next to the Login Name field and specify the user that you want to assign the dbo role to.
5. If you are assigning the dbo role to the Data Processing Account, make sure the Windows authentication option is selected. If this is a different account, select the SQL Server authentication option.
6. In the left pane, select Server Roles:

   Figure 5: Login - New: Server Roles

7. You can assign the sysadmin role to the new login: all members of this role have the dbo role by default. If you do not want to assign the sysadmin role to this user, select public as server role. Then select User Mapping in the left pane.
8. Select the database used by NetWrix Windows Server Change Reporter to store audit data in the upper pane and check db_owner in the lower pane:

   Figure 6: Login - New: User Mapping

9. Click OK to save the changes.

If the account that you want to assign the dbo role to has already been added to SQL Server Logins, expand the Security → Logins node, right-click this account, select Properties from the pop-up menu, and edit its roles.

Procedure 4. To assign the Content Manager role

1. Open a web browser and type in the Report Server URL.
2. In the Report Manager, select the Folder Settings on the Home page, and click New Role Assignment (the path can vary slightly depending on your SQL Server version).
3. Specify the necessary group or user account in the following format: domain\group, or domain\user. The account should be in the same domain or in a trusted domain.
4. Select Content Manager.
5. Click OK to save the role assignments.

5. CONFIGURING AUDIT SETTINGS ON TARGET SERVERS

Successful change monitoring requires a certain configuration of the audit settings on your target servers. These settings can be configured automatically after you have installed the product and started using it. If you wish to configure the audit settings manually, follow the procedures below:

- To configure Windows registry audit settings
- To configure local audit policies on pre-Vista Windows versions
- To configure local audit policies on Windows Vista and above
- To specify the maximum event log size and retention method

5.1. Configuring Windows Registry Audit Settings

The following audit permissions must be set to Successful for the HKEY_LOCAL_MACHINE\SOFTWARE, HKEY_LOCAL_MACHINE\SYSTEM, and HKEY_USERS\.DEFAULT nodes:

- Set Value
- Create Subkey
- Delete
- Write DAC
- Write Owner

Procedure 5. To configure Windows registry audit settings

1. On your target server, open Registry Editor: navigate to Start → Run, enter regedit and click OK.
2. In the registry tree, expand the HKEY_LOCAL_MACHINE node, right-click SOFTWARE and select Permissions from the pop-up menu.
3. In the Permissions for SOFTWARE dialog, click the Advanced button.
4. In the Advanced Security Settings for SOFTWARE dialog, select the Auditing tab and click the Add button.

   Figure 7: Advanced Security Settings for SOFTWARE

5. In the dialog that opens, select the Everyone group, and click OK.
6. In the Auditing Entry for SOFTWARE dialog, select Successful for the following access types: Set Value, Create Subkey, Delete, Write DAC, and Write Owner:

   Figure 8: Auditing Entry for SOFTWARE

7. Click OK and save all changes.
8. Repeat steps 2 to 6 for the HKEY_LOCAL_MACHINE\SYSTEM and HKEY_USERS\.DEFAULT nodes.

5.2. Configuring Local Audit Policies

Configure local audit policies on your target servers as described in this section to get the Who and When values for the changes of the following monitored system components:

- Services
- Hardware and system drivers
- Windows registry
- Scheduled tasks
- Local users and groups

The procedures below provide you with one of several possible ways to configure the audit policy, depending on your operating system version:

- To configure local audit policies on pre-Vista Windows versions
- To configure local audit policies on Windows Vista and above

You must be logged on as a member of the Administrators group or you must be granted the Manage auditing and security log right to perform this procedure. For instructions on how to assign the Manage auditing and security log right, refer to Procedure 8 To assign the Manage auditing and security log right.

Note: The procedures below provide instructions on how to configure local audit policies for a whole domain.

Procedure 6. To configure local audit policies on pre-Vista Windows versions

1. Navigate to Start → Programs → Administrative Tools → Group Policy Management. The Group Policy Management dialog opens:

   Figure 9: Group Policy Management

2. Under the Domains node, right-click the <company domain name> node and select Create a GPO in this domain and Link it here. The New GPO dialog appears.
3. Type in the name of your new GPO into the Name field, and click OK.

   Figure 10: New GPO

4. Right-click the newly created GPO in the left pane of the Group Policy Management form and select the Edit option. Group Policy Management Editor opens.
5. Expand the Computer Configuration node on the left and then navigate to Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.

   Figure 11: Group Policy Management Editor

6. Double-click Audit account management on the right, select Success in the properties dialog, and click OK:

   Figure 12: Audit account management Properties

7. Double-click Audit object access on the right, select Success in the properties dialog, and click OK.

Procedure 7. To configure local audit policies on Windows Vista and above

1. Navigate to Start → Programs → Administrative Tools → Group Policy Management. The Group Policy Management dialog opens:

   Figure 13: Group Policy Management

2. Under the Domains node, right-click the <company domain name> node and select Create a GPO in this domain and Link it here. The New GPO dialog appears.
3. Type in the name of your new GPO into the Name field, and click OK.

   Figure 14: New GPO

4. Right-click the newly created GPO in the left pane of the Group Policy Management form and select the Edit option. Group Policy Management Editor opens.
5. Expand the Computer Configuration node on the left and then navigate to Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management:

   Figure 15: Group Policy Management Editor

6. Double-click Audit Security Group Management on the right, select Success in the properties dialog, and click OK:

   Figure 16: Audit Security Group Management Properties

7. Double-click Audit User Account Management on the right, select Success in the properties dialog, and click OK.
8. Under the Audit Policies node, select Object Access:

   Figure 17: Group Policy Management Editor

9. Double-click Audit Handle Manipulation on the right, select Success in the properties dialog, and click OK.
10. Repeat step 9 for the Audit Other Object Access Events and Audit Registry policies.

You can also refer to the Windows Server TechCenter article for additional information: Create a new Group Policy object: Group Policy. If you wish to use the local policy, you can find instructions in the following Windows Server TechCenter article: Define or modify auditing policy settings for an event category: Auditing.

Procedure 8. To assign the Manage auditing and security log right

1. Navigate to Start → Administrative Tools → Group Policy Management.
2. In the left pane, navigate to Forest: <domain_name> → Domains → <domain_name> → Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy) node and select Edit from the pop-up menu.
3. In the Group Policy Management Editor, in the left pane, navigate to Computer Configuration → Policies → Windows Settings → Security Settings and select Local Policies.
4. On the right, double-click the User Rights Assignment policy.
5. Locate the Manage auditing and security log right and double-click it. The Manage auditing and security log Properties dialog will be displayed:

   Figure 18: Manage Auditing and Security Log Properties Dialog

6. Click the Add User or Group button. In the dialog that appears, type in the name of the user that you want to grant this right to and click OK.

5.3. Maximum Event Log Size and Retention Method

Specify the maximum size for the Application, Security, System and Microsoft-Windows-TaskScheduler/Operational event logs. The procedure below provides you with one of several possible ways to specify the event log settings. If you have multiple target computers, you need to perform this procedure on each of them.

Procedure 9. To specify the maximum event log size and retention method

1. On the target server, navigate to Start → Programs → Administrative Tools → Event Viewer:

   Figure 19: Event Viewer

2. In the Event Viewer tree, open the Windows Logs node, right-click Application and select Properties. The Log Properties dialog opens:

   Figure 20: Log Properties

3. Make sure the Enable logging check box is selected.
4. In the Maximum log size field specify the size:
   - For pre-Vista Windows version: 300 MB.
   - For Windows Vista or above: 1GB.
5. Make sure the Do not overwrite events (Clear logs manually) option is NOT selected. If this option is selected, change the retention method by selecting another option: Overwrite events as needed (oldest events first). Click OK to save the changes.
6. Repeat steps 2 to 5 for the Security and System event logs under the Windows Logs node, and for the Microsoft-Windows-TaskScheduler/Operational event log by navigating to Applications and Services Logs → Microsoft → Windows → TaskScheduler → Operational.
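
The settings that Sections 5.1 to 5.3 configure by hand can be checked on a target server with a script. The following PowerShell is an added example, not part of the NetWrix guide or product: it reads the registry audit entries, the Procedure 7 audit subcategories and the four event logs, and reports which requirements are not met. The function names are hypothetical, and it assumes Windows Vista or above, an elevated session and an English-language system.

```powershell
# Added example, not NetWrix code. Read-only: nothing on the server is changed.
# Assumes Windows Vista / Server 2008 or above, an elevated session, and an
# English-language system (auditpol prints localized subcategory names).

function New-Result($Section, $Item, $Ok, $Detail) {
    New-Object PSObject -Property @{
        Section = $Section; Item = $Item; Ok = [bool]$Ok; Detail = $Detail }
}

function Test-RegistryAudit {
    # Section 5.1: Everyone, Successful, five access types.
    # Write DAC is ChangePermissions and Write Owner is TakeOwnership in .NET.
    $need = [int][System.Security.AccessControl.RegistryRights](
        'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership')
    $keys = 'HKEY_LOCAL_MACHINE\SOFTWARE', 'HKEY_LOCAL_MACHINE\SYSTEM',
            'HKEY_USERS\.DEFAULT'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($key in $keys) {
        try {
            # HKEY_USERS has no PowerShell drive by default, so the provider
            # path form is used for all three keys.
            $acl  = Get-Acl -Path "Registry::$key" -Audit -ErrorAction Stop
            $have = 0
            foreach ($rule in $acl.GetAuditRules($true, $true, $sidType)) {
                $success = [int]$rule.AuditFlags -band 1   # AuditFlags.Success
                # S-1-1-0 is the well-known SID of the Everyone group.
                if ($rule.IdentityReference.Value -eq 'S-1-1-0' -and $success) {
                    $have = $have -bor [int]$rule.RegistryRights
                }
            }
            $missing = $need -band (-bnot $have)
            $detail = if ($missing) {
                'missing: ' + [System.Security.AccessControl.RegistryRights]$missing
            } else { 'all five access types audited' }
            New-Result '5.1' $key ($missing -eq 0) $detail
        } catch {
            New-Result '5.1' $key $false $_.Exception.Message
        }
    }
}

function Test-AuditPolicy {
    # Section 5.2, Procedure 7: Success auditing for five subcategories.
    $subs = 'Security Group Management', 'User Account Management',
            'Handle Manipulation', 'Other Object Access Events', 'Registry'
    foreach ($sub in $subs) {
        # /r prints CSV; blank lines are dropped before parsing.
        $row = auditpol.exe /get /subcategory:"$sub" /r |
               Where-Object { $_ } | ConvertFrom-Csv
        $setting = $row.'Inclusion Setting'
        # Matches both "Success" and "Success and Failure".
        New-Result '5.2' $sub ($setting -like 'Success*') $setting
    }
}

function Test-EventLogs {
    # Section 5.3: logging enabled, 1GB maximum size (Vista or above), and
    # "Do not overwrite events" (LogMode Retain) not selected.
    $logs = 'Application', 'Security', 'System',
            'Microsoft-Windows-TaskScheduler/Operational'
    foreach ($name in $logs) {
        try {
            $log = Get-WinEvent -ListLog $name -ErrorAction Stop
            $ok  = $log.IsEnabled -and ($log.MaximumSizeInBytes -ge 1GB) -and
                   ([string]$log.LogMode -ne 'Retain')
            $detail = '{0} MB, mode {1}, enabled {2}' -f
                [math]::Round($log.MaximumSizeInBytes / 1MB), $log.LogMode, $log.IsEnabled
            New-Result '5.3' $name $ok $detail
        } catch {
            New-Result '5.3' $name $false $_.Exception.Message
        }
    }
}

$results = @(Test-RegistryAudit) + @(Test-AuditPolicy) + @(Test-EventLogs)
$results | Select-Object Section, Item, Ok, Detail | Format-Table -AutoSize
'{0} of {1} checks passed' -f @($results | Where-Object { $_.Ok }).Count, $results.Count
```

The registry check looks only at who is audited and for which access types; it does not evaluate whether an entry applies to the key itself, its subkeys, or both.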

6. UPGRADING FROM PREVIOUS VERSIONS

Procedure 10. To upgrade NetWrix Windows Server Change Reporter

1. Make sure no data collection task is running.
2. On the computer where the product is installed, close all program windows (NetWrix Enterprise Management Console, wizards, and others).
3. Download NetWrix Change Reporter Suite.
4. On the page that opens, click the Install link under Windows Server.
5. When the installation is complete, enable the NetWrix Windows Server Change Reporter tasks in the Task Scheduler.

After the product upgrade, the NetWrix Windows Server Change Reporter agents on the target computers will be upgraded automatically and all your current product settings will be preserved, but the upgrade from NetWrix Server Configuration Change Reporter v.3.0 to NetWrix Windows Server Change Reporter v.4.0 results in the following exceptions:

- False add/remove programs changes may be reported after the first data collection.
- The Report Manager will contain two report folders for both product versions: the old NetWrix Server Configuration Change Reporter folder and the new NetWrix Windows Server Change Reporter folder. All reports generated by NetWrix Windows Server Change Reporter are stored in the new folder. Audit data collected before the upgrade will only be available in the NetWrix Server Configuration Change Reporter folder.
- The database retention setting available in the new product version will be inapplicable to audit data collected before the upgrade. To delete old audit data collected before the upgrade manually, refer to the following KB article: How to delete audit data from the database after the upgrade.
- If you have NetWrix Management Console installed on the computer where you are going to perform the upgrade, the console SMTP settings will be applied to the Windows Server Change Reporter module. Otherwise, the SMTP settings specified for NetWrix Server Configuration Change Reporter will be saved in the console.

7. UNINSTALLING NETWRIX WINDOWS SERVER CHANGE REPORTER

To uninstall NetWrix Windows Server Change Reporter, perform the following procedures in the order they are provided. You need to uninstall the product agent if you have enabled the Network Traffic Compression option.

Procedure 11. To uninstall the product agent

1. On the target server, navigate to Start → Control Panel → Programs and Features.
2. Select NetWrix Windows Server Change Reporter Agent Enterprise Edition in the dialog that opens and double-click it.
3. Click Yes in the confirmation dialog to start the NetWrix Windows Server Change Reporter uninstallation wizard.

Procedure 12. To uninstall NetWrix Windows Server Change Reporter

1. Navigate to Start → Control Panel → Programs and Features.
2. Select NetWrix Windows Server Change Reporter in the dialog that opens and double-click it.
3. Click Yes in the confirmation dialog to start the NetWrix Windows Server Change Reporter uninstallation wizard.

A APPENDIX: RELATED DOCUMENTATION

The table below lists all documents available to support NetWrix Windows Server Change Reporter:

Table 6: Product Documentation

Document Name | Overview
NetWrix Windows Server Change Reporter Installation and Configuration Guide | The current document.
NetWrix Windows Server Change Reporter Administrator's Guide | Provides a detailed explanation of the NetWrix Windows Server Change Reporter features and step-by-step instructions on how to configure and use the product.
NetWrix Windows Server Change Reporter Release Notes | Contains a list of the known issues that customers may experience with NetWrix Windows Server Change Reporter 4.0, and suggests workarounds for these issues.
Installing Microsoft SQL Server and Configuring the Reporting Services | This technical article provides instructions on how to install Microsoft SQL Server 2005/2008 R2/2012 Express and configure the Reporting Services.
How to Subscribe to SSRS Reports | This technical article explains how to configure a subscription to SSRS reports using the Report Manager.