Product Review: Netwrix Auditor for Active Directory

by [Published on 9 July 2014 / Last Updated on 9 July 2014]

In this article the author reviews Netwrix Auditor for Active Directory.

Product: Netwrix Auditor for Active Directory

Product Homepage: click here

Free Trial: click here

Introduction

In 2010, I did my first review of Netwrix’s Change Reporter Suite for Windowsecurity.com, and was impressed. Then almost a year ago, I came back and reviewed the (then) latest version of their product, Netwrix Auditor, which had added a number of new features and functionalities. Once again, I came away liking the product very much. This time, I’m taking a look at the current version of the Active Directory auditing module, which is a very comprehensive solution that provides auditing for Windows Server Active Directory and Group Policy, AD recovery, inactive user tracking and alerting in case of password expiration.

The Windows Active Directory is, of course, at the heart of a Windows-based enterprise network, the mechanism by which admins organize and control the resources and other objects (computers, users and groups) that reside on the network. It is at the same time a structural framework, a database and a security apparatus that manages identities and provides authentication and authorization. Thus keeping tabs on what’s going on with AD is an essential part of keeping a Windows network secure and operating properly.

With so many organizations now subject to regulatory compliance requirements, change auditing is becoming less of an option and more of a mandatory part of your security strategy. But it also makes your job easier when troubleshooting problems. There are plenty of packages out there that are designed to do change auditing, but some are limited in their capabilities and others are comprehensive but way too complex in the installation and/or implementation of the features. I’ve found that Netwrix strikes a very good balance, giving you just about everything you need without the steep learning curve.

Getting Started

I’m working with version 6.0 of Netwrix Auditor for Active Directory. Netwrix Auditor uses native auditing (that is, it utilizes the built-in event logs) for greater system stability, but takes you far beyond the information you get from native monitoring alone. Data can be collected in two different ways: with or without agent software. That gives you a great deal of flexibility.

Unlike some solutions, Netwrix Auditor is quick and easy to install. As long as you already have a SQL server that can be used, the Netwrix software takes about ten minutes to install and the wizards make setting it up pretty painless.

The Netwrix Auditor console is pretty straight forward and logically organized. You might notice that it now has a bit of a “Windows modern UI” look (the interface formerly known as Metro), at least in terms of the Welcome screen.

Image
Figure 1

Running the data collection process is simple and relatively quick (depending on the systems being audited). You select the Managed Objects for which you want to collect data and simply click the Run button. That button turns into a Stop button during the collection process, so you can stop the process at any time.

Image
Figure 2

To view the changes that were detected in the data collection process, you start with the Enterprise Overview dashboard. It gives you a very nice “big picture” view of the changes so you know at a glance when changes were made and by whom, which servers are showing the greatest number of changes, and what types of changes were made (AD, Exchange, File Servers, etc.).

I do have one very minor quibble with the design of the dashboards, in that I wish the graphs would resize to fit when you reduce the size of the window. Instead, you have to scroll to see the entirety of the graphs, as shown in my screenshot below of the Enterprise Overview dashboard. This is a very small thing, but does impact the experience if you prefer smaller windows that allow you to view other open windows on the desktop.

Image
Figure 3

To get more specific information about changes to AD, all you have to do is open the Active Directory dashboard from the drop-down box at the top of the right pane. Same situation here with the lack of resizing. Here you can see, again, the dates and users who made the changes, as well as which domain controllers the changes were made on, and the types of objects that were modified.

Image
Figure 4

If you simply want a quick summary of whether/where/how changes have occurred, it doesn’t get much simpler than that.

There will be times when that’s enough and of course, there will be other times when you need more detailed information and/or you need it in a more permanent format, so you can further analyze it when you’re away from the computer or so you can present it to others as a printed document or as part of a slideshow.

That’s where Netwrix’s reporting capabilities come in. The number of pre-defined reports that Netwrix makes available is truly impressive. While you can create your own custom reports, you might not ever need to since the designers of this software seem to have thought of everything to anticipate the needs of the typical organization.

Here is a list of the available built-in reports pertaining to Active Directory in the Enterprise edition of Netwrix Auditor – all 122 of them.

It’s likely you will use some of these reports frequently and you may use others rarely or not at all. Some of the most important changes that you need to monitor for Active Directory include new and newly enabled user accounts, changes to group memberships, changes to permissions, group policy changes and changes to trust relationships, as the wrong changes in these areas – whether made deliberately or inadvertently – can have a serious impact on the security of your network.

You can configure your reports in a variety of ways. You can see all changes or just the specific types in which you’re interested. You’ll have to dig down in the tree structure a little to find them, though. Although you’ll see Reports under the Settings node in the left pane, that’s not where you go to do this. Instead, expand the managed object you’re auditing, then expand Active Directory, and there you’ll see Reports – the right one, this time. In the right pane, this will display a tabbed interface showing Reports, Reports Settings and State-in-Time Reports.

Image
Figure 5

There’s an overview chart available, and for each report you can configure filters to limit the time period covered by the report. Again, this is a very broad summary of what’s happened, giving you basically the same information you saw in the Active Directory dashboard, but for your specified time frame and in pie chart and graph formats.

More useful are the AD Change Tracking reports. Here you can select to view all changes, change management, computer accounts, contact objects, domain controllers, groups, organizational units, security, trusts and FSMO roles or user accounts.

If you select All Changes, you’ll get the option for further breakdowns or you can go ahead and see it all.

Image
Figure 6

Whichever option you select, you’ll now be able to filter not only by time (From/To) but also by who changed (domain\user) what changed, how to sort (by action, object type, who changed, what changed, where changed or when changed), forest name, where changed, object type and property name.

Reports are generated surprisingly quickly. Color coding is used to help you immediately identify whether an object was added (green), modified (yellow) or removed (red). The records are provided in an easy-to-read table format that – unlike the native logs – gives you just the information you need without drowning you in redundant or irrelevant or extra undecipherable data.

An example of (part of) the report is shown in the screenshot below.

Image
Figure 7

A nice feature is the ability to have a record of the change review history (through the Change Management node) and specify the reasons. This is very easy to do; you just select Change Review History, and then click Click to Update Status in the box of the particular change you want to put notes on. Here you can set the review status (new, in review or resolved) and type in the reason in the appropriate field.

Under the Computer Accounts node (still in Reports | AD Change Tracking), you can view reports on new, changed and deleted computer accounts, as you would expect, but also tucked in here is a very handy report that shows installations of operating system service packs on domain controllers, member servers and workstations. Although you may already have this information available from your patch management solution, it’s nice to have it here, as well.

I also like that there is a specific report for viewing changes made to contact information such as email, address, phone numbers and so forth. It’s important to keep up with changes made to those attributes of each user account. Under the Groups section, you can see changes to administrative, security and distribution groups. Of course, one of the most important reports in terms of security will be the Changes to Objects Security, which shows you all changes to the security settings for AD objects, so you can easily tell what permissions were added or removed, changes to audit settings, and so forth.

The AD state-in-time assessments are extremely useful, as well. For example, you can quickly see at a glance which user accounts are expired or locked, which ones have non-expiring passwords, or the last logon time for each user.

There’s a subscription feature by which you can configure automatic generation and delivery of the reports you want on a schedule. A wizard walks you through the setup process.

Image
Figure 8

Summary

I have liked Netwrix Auditor for a long time and it seems that with each new version, it gets even easier to use and offers new functionalities that make me say, “Oh, wow – that’s a great idea.” If you’re an IT pro who is looking for an auditing solution that you can get up and running in minutes instead of hours or days, and that you won’t feel as if you need a month-long course in the operation of the product to find your way around the interface, you’ll probably like Netwrix Auditor for Active Directory as much as I do.

I’m used to running into brick walls when I do software reviews; so often there are big “gotchas” involved in either the installation or the operational process that can waste hours, in some cases – or at least send me back to scrolling through the manual or even, as a last resort, contacting the company’s tech support. The “test drive” for this review went so smoothly it was almost scary. Everything just worked. But don’t take my word for it. Head over to the Netwrix web site and go through the one-to-one demo and/or download the 20 day free trial and take it for a spin yourself.

The few complaints that I have about this solution are very minor, as noted within this review. They certainly aren’t serious enough to prevent Netwrix Auditor from deserving the WindowsNetworking.com Gold Award with rating 4.8 out of 5 for usability, features and functionality.

WindowsNetworking.com Rating 4.8/5

Learn more about Netwrix Auditor for Active Directory or download a Free Trial!

Featured Links