
ChangeAuditor 5.6
Quick Start Guide

© 2011 Quest Software, Inc. ALL RIGHTS RESERVED

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. 
If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com email: legal@quest.com Refer to our Web site for regional and international office information.

Patents
This product is protected by U.S. Patent #7,979,494. Additional Patents Pending.

Trademarks
Quest, Quest Software, the Quest Software logo, ChangeAuditor, Defender, InTrust, and Quest Authentication Services are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademark-information.aspx. Other trademarks and registered trademarks are property of their respective owners.

Third Party Contributions


ChangeAuditor contains some third party components. For a complete list, see the Third Party Components page in the ChangeAuditor online help.

ChangeAuditor Quick Start Guide
September 2011
Version 5.6

Table of Contents

About This Guide
    About Quest Software
Chapter 1 ChangeAuditor Overview
    Business Challenges
    Business Solutions
    What is ChangeAuditor?
    How Does ChangeAuditor Work?
    System Requirements
Chapter 2 Install ChangeAuditor
    Before You Begin
    Step 1: Install ChangeAuditor Coordinator
    Step 2: Install ChangeAuditor Client
    Step 3: Add User Accounts to ChangeAuditor Security Groups
    Step 4: Start the ChangeAuditor Client
    Step 5: Deploy ChangeAuditor Agents
Chapter 3 ChangeAuditor Walkthrough
    Check Agent Status
    ChangeAuditor Client Overview
    Client Walkthrough
Chapter 4 ChangeAuditor for Active Directory
    Introduction
    Audit Custom User Attributes
    Audit Users Based on Their Group Membership
Chapter 5 ChangeAuditor for Windows File Servers
    Introduction
    Getting Started
    Create a File System Auditing Template
    Make File System Changes and Run a Report
Chapter 6 ChangeAuditor for Exchange
    Introduction
    Getting Started
    Make Changes in Exchange and Run a Report
    Enable Exchange Mailbox Auditing
Chapter 7 Customizing ChangeAuditor
    Introduction
    Create a Custom Search
    Group and Filter Data
    Exclude Accounts from Auditing
Appendix A ChangeAuditor Product Specific Features

About This Guide


- Overview
- Conventions
- About Quest Software
- Contacting Quest Software
- Contacting Quest Support

Overview
This document has been prepared to assist you in installing and becoming familiar with Quest ChangeAuditor. Even though the majority of the document refers to ChangeAuditor for Active Directory, it also steps you through the process of setting up ChangeAuditor for Exchange and ChangeAuditor for Windows File Servers. This document is intended to be used to set up a test lab environment. It is not intended as a stand-alone document and makes references to supporting product documentation that should be used when deploying the product in your production environment.

Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.
ELEMENT: CONVENTION
Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text: Interface elements that appear in Quest products, such as menus and commands.
Italic text: Used for comments.
Bold Italic text: Used for emphasis.
Blue text: Indicates a cross-reference. When viewed in Adobe Reader, this format can be used as a hyperlink.
(icon): Used to highlight additional information pertinent to the process being described.
(icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
(icon): Used to highlight processes that should be performed with care.
(icon): Used to highlight a troubleshooting tip pertaining to the topic being described.
(icon): Used to highlight permissions required to perform the action being described.
+: A plus sign between two keystrokes means that you must press them at the same time.
|: A pipe sign between elements means that you must select the elements in that particular sequence.

About Quest Software


Quest Software simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest go to www.quest.com.

Contacting Quest Software


Phone: 949.754.8000 (United States and Canada)
Email: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com

Please refer to our Web site for regional and international office information.


Contacting Quest Support


Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com. From SupportLink, you can do the following:
- Review thousands of solutions from our online Knowledgebase
- Download the latest releases and service packs
- Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.

Chapter 1: ChangeAuditor Overview
- Business Challenges
- Business Solutions
- What is ChangeAuditor?
- How Does ChangeAuditor Work?
- System Requirements


Business Challenges
Challenge 1:
Microsoft Active Directory is at the heart of your mission-critical network infrastructure. Don't leave Active Directory management, support and administration to chance. Issues with your directory can result in unplanned and costly service disruptions and business-crippling network downtime, as well as harmful security breaches and non-compliance with critical government regulations such as Sarbanes-Oxley (SOX), Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA). Organizations need to be notified -- in real-time -- of critical changes to Active Directory.

Challenge 2:
Your File Systems contain critical and sensitive information. Typically, it is very difficult to track and enforce who has access to which documents and most violations of information security policies and misuse of access rights go undetected. Similar to Active Directory issues, issues with your File Systems can also result in unplanned and costly service disruptions, business-crippling network downtime, harmful security breaches and non-compliance with critical government regulations.

Challenge 3:
Email has become the predominant business tool for communications within and between organizations. As a result, email serves as a repository of information - some of it sensitive and vulnerable to misuse. Many organizational policy violations go undetected because most security actions are not audited. This can result in lost productivity and system downtime - a risk no organization should take. Today, companies need in-depth auditing and reporting for Exchange security and compliance to prove regulatory compliance and drive efficiencies.


Business Solutions
The ChangeAuditor family of products provides total auditing and security coverage for Microsoft Infrastructure including Active Directory, Windows File Servers, and Exchange. ChangeAuditor audits the activities taking place in your infrastructure and, with real-time alerts, delivers detailed information about vital changes and activities as they occur. Instantly know who made the change, including the IP address of the originating workstation, where and when it occurred, along with before and after values. Then automatically turn that information into intelligent, in-depth forensics for auditors and management - and reduce the risks associated with day-to-day modifications.

ChangeAuditor uses a modular approach which allows for separate product deployment and management for key environments including Active Directory, Windows File Servers and Exchange.

ChangeAuditor for Active Directory drives the security and control of Active Directory by tracking all AD configuration changes in real-time. ChangeAuditor tracks, audits, reports and alerts on the changes that impact your directory including changes to users, groups, nested groups, GPOs, computer, services, registry, local users/groups and DNS - without the overhead of native auditing. In addition, ChangeAuditor for Active Directory allows you to lock down critical Active Directory, ADAM (AD LDS) and Group Policy objects, to protect them from unauthorized or accidental modifications or deletions.

ChangeAuditor for Windows File Servers enables administrators to achieve the comprehensive auditing coverage of native auditing tools without the mass of cumbersome data that native event logs generate. ChangeAuditor for Windows File Servers includes auditing for Windows file server activity related to files and folders, shares and changes to permissions. Granular selection allows the auditing scope to be set on an individual file or folder as well as the entire subtree recursive or non-recursive. ChangeAuditor for Windows File Servers also allows you to include or exclude certain files or folders from the audit scope in order to ensure a faster and more efficient audit process. ChangeAuditor for Windows File Servers also provides an access control model that permits ChangeAuditor Administrators to protect business-critical files and folders on the file server.

ChangeAuditor for Exchange is the watchful eye that proactively tracks, audits, reports and alerts on Exchange configuration and permission changes without the need for native auditing. ChangeAuditor for Exchange audits for all critical changes to Exchange including administrative groups, mailbox policies, public and private information store auditing, organizational changes such as Active Sync mailbox policy changes, distribution list changes and more. Using the Exchange Mailbox Monitoring feature you can also audit for non-owner activity access and get complete visibility into these types of changes, including who accessed someone else's mailbox, what message they accessed, and what they did with the message (read, delete, move, etc.). Continually being in-the-know helps you to prove compliance, drive security, and improve uptime while proactively auditing changes to Exchange Server configurations and permissions. ChangeAuditor for Exchange can also provide additional protection over important mailboxes. The Exchange Mailbox protection feature prevents unwanted access to Exchange mailboxes, making it much more difficult for rogue administrators to access critical mailboxes.
In addition to ChangeAuditor for Active Directory, ChangeAuditor for Windows File Systems, and ChangeAuditor for Exchange, Quest offers the following auditing solutions for your environment:
- ChangeAuditor for SQL Server
- ChangeAuditor for LDAP
- ChangeAuditor for EMC
- ChangeAuditor for NetApp
- ChangeAuditor for Quest Authentication Services (QAS)
- ChangeAuditor for Defender

See the corresponding user guides or event reference guides for more information about these ChangeAuditor products.

What is ChangeAuditor?
ChangeAuditor provides complete, real-time change management that drives network availability and productivity with proactive auditing, in-depth forensics and comprehensive reporting on all key configuration changes in Windows - including Active Directory, Windows File Servers and Exchange.
- Enables enterprise-wide change management from a single client.
- Ensures a secure and compliant networking environment by tracking all critical changes in real-time.
- Automates procedures to continually track and report on compliance initiatives.
- Strengthens internal controls through real-time insight into both authorized and unauthorized changes.
- Drives availability by enabling proactive troubleshooting.
- Turns information into intelligent in-depth forensics for auditors and management.

How Does ChangeAuditor Work?


ChangeAuditor consists of four components:
- ChangeAuditor Agents
- ChangeAuditor Coordinator
- ChangeAuditor Client
- Microsoft SQL Server Database

The ChangeAuditor Agents are deployed to all servers (domain controllers and member servers) tracking configuration changes in real-time. When a change is made on a server running a ChangeAuditor Agent, the change information (audited event) is captured by the agent and is forwarded to the specified ChangeAuditor database. For each configuration change detected, ChangeAuditor creates an audited event entry in the ChangeAuditor database with the following information:
- the type of configuration change event
- the time and date of the configuration change event
- the identity of the machine the change was made on
- the identity of the managed object the change pertains to
- the old and the new value of the change (if applicable)
- the IP address of the workstation/client machine from which the change originated

The ChangeAuditor Coordinator is responsible for fulfilling client and agent requests and for generating alerts. Multiple coordinators can be installed in a single forest to provide fault tolerance of the ChangeAuditor service tier.

The ChangeAuditor Client is the user interface that provides immediate access to key configuration change information. From the ChangeAuditor Client you can perform tasks such as:
- define search criteria to return specific events and view the search results
- enable/disable alerts and view the events that triggered these alerts
- view agent and coordinator statistics
- define custom Active Directory and ADAM (AD LDS) object and attribute auditing
- define file system auditing for Windows File Servers, EMC and NetApp devices
- specify the SQL instances to be audited for SQL Server auditing
- specify the mailboxes to be audited for Exchange Mailbox auditing
- specify the containers to be excluded from LDAP auditing
- configure object protection for Active Directory, Exchange, File Systems and Group Policies
- configure email notifications


System Requirements
To ensure a successful ChangeAuditor installation, we strongly suggest creating a clean Windows 2003/2008 test environment (virtual or physical). If this is not possible, please ensure that your test environment is healthy and the following requirements are met. The following tables summarize the hardware and software requirements for the ChangeAuditor components. For a more in-depth description of the system requirements, please refer to the Release Notes or the ChangeAuditor Installation Guide.
The Hardware Requirements table lists options for the SQL database, platform and operating system which are supported and can be used. An asterisk (*) in this table indicates that there is a recommended system requirement for that component.

HARDWARE REQUIREMENT (columns: CLIENT, COORDINATOR, AGENTS)

WHERE TO INSTALL:
- Member Server: (dedicated)
- Domain Controller
- Workgroup Server
- Workstation/Laptop

SQL DB OPTIONS (SEPARATE DEDICATED INSTANCE):
- SQL Server 2005 SP2
- SQL Server 2008
- SQL Server 2008 R2

PLATFORM OPTIONS:
- x86 (32-bit)
- x64 (64-bit)

OPERATING SYSTEM OPTIONS:
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 Core
- Windows Server 2008 R2
- Windows Server 2008 R2 Core
- Windows XP SP2
- Windows Vista
- Windows 7
SP1 required

HARDWARE REQUIREMENT | CLIENT | COORDINATOR | AGENTS
CPU Minimum | P4 2.0 GHz | P4 2.0 GHz | PIII 1.0 GHz
CPU Recommended | P4 3.0 GHz | P4 3.0 GHz | P4 2.0 GHz
RAM Minimum | 1 GB | 1 GB | 512 MB
RAM Recommended | 2 GB | 2 GB | 2 GB
SCREEN RESOLUTION | 1024x768 256 color | N/A | N/A

SOFTWARE REQUIREMENT | CLIENT | COORDINATOR | AGENTS
.NET FRAMEWORK | .NET 4.0 (or higher) | .NET 4.0 (or higher) | .NET 3.5 SP1 (or higher) ONLY agents installed on Exchange Servers with CAS (OWA role)

SOFTWARE REQUIREMENT (columns: CLIENT, COORDINATOR, AGENTS)
- MSXML PARSER 6.0
- SQLXML 4.0
- MDAC 2.8 SP1
- INTERNET EXPLORER 6.0 (OR HIGHER)

FOOTPRINT ESTIMATES | CLIENT | COORDINATOR | AGENTS
HARD DISK SPACE USED (MB) | 70 | 40 | 500
ESTIMATED RAM USED (MB) | 100 - 200 | 25 | Core Agent: 25; CAAD: 25; CAADAM: 3; CAEX: 20; CAWFS: 20; CASQL: 15; CALDAP: 15; CAEMC: 10; CANETAPP: 10


Chapter 2: Install ChangeAuditor
- Before You Begin
- Step 1: Install ChangeAuditor Coordinator
- Step 2: Install ChangeAuditor Client
- Step 3: Add User Accounts to ChangeAuditor Security Groups
- Step 4: Start the ChangeAuditor Client
- Step 5: Deploy ChangeAuditor Agents


Before You Begin


It is recommended that you perform the following steps before you begin the installation procedure:
- If you do not already have ChangeAuditor, you can download it from the Quest web site at http://support.quest.com. Before you can download the product, you must register with Quest. If you are a registered Quest user, log on using your email address and password. Once you have registered or logged in, locate the product and version that you want to download from the product list. On the download window, click the link and save the file to an appropriate directory (e.g., c:\temp).

If you have purchased multiple ChangeAuditor products (e.g., ChangeAuditor for Active Directory, ChangeAuditor for Exchange, ChangeAuditor for Windows File Servers, etc.), you only need to download one instance of the ChangeAuditor product. The code is the same for all and the license keys are the mechanism used to determine what features are enabled/disabled in the product.

- Review the Requirements section
- Review the complete installation process
- Review Appendix A: Installation Notes and Best Practices in the ChangeAuditor Installation Guide
- Read the Release Notes for updated information
- Ensure you have the appropriate license files to enable ChangeAuditor product(s). A separate license file is required to enable each of the ChangeAuditor products:
  - ChangeAuditor for Active Directory
  - ChangeAuditor for Windows File Servers
  - ChangeAuditor for Exchange
  - ChangeAuditor for SQL Server
  - ChangeAuditor for LDAP
  - ChangeAuditor for Quest Authentication Services (QAS)
  - ChangeAuditor for Defender
  - ChangeAuditor for NetApp
  - ChangeAuditor for EMC

ChangeAuditor will prompt you for a valid license file during the coordinator installation process. If an invalid or expired license is entered, the coordinator installation will not continue.

We recommend installing the ChangeAuditor components in the following order:
- Database (SQL Server) - Choose the SQL database you are going to use. If you wish to install the ChangeAuditor database to a SQL instance other than the default instance of the selected SQL server, create the new instance before running the installer.
- Coordinator - Once you have confirmed that the database instance you are going to use is installed and functioning correctly, install the ChangeAuditor Coordinator.
- Client - Once you have confirmed that the coordinator is functioning correctly, install the ChangeAuditor Client.

It is recommended that you install the first ChangeAuditor Coordinator and client, but do NOT deploy agents until after you have installed all of the additional coordinators required. During the coordinator installation, you are presented the option of adding the current user to the ChangeAuditor Administrators security group. If you elected NOT to add the current user during the installation process or want to add additional user accounts to the ChangeAuditor security groups, you need to add them prior to launching the ChangeAuditor Client. It is also recommended that you then add these security groups to the appropriate SQL database role (i.e., ChangeAuditor Administrators - <InstallationName> group to the ChangeAuditor_Administrators role and ChangeAuditor Operators - <InstallationName> group to the ChangeAuditor_Operators role). Please refer to Add Users to ChangeAuditor Security Groups for more information about these security groups.

- Agents - Finally, launch the ChangeAuditor Client to deploy agents to your domain controllers and member servers.


Step 1: Install ChangeAuditor Coordinator


MINIMUM PERMISSIONS

User account performing the coordinator installation:
The user account that will be performing the coordinator installation needs to have the appropriate permissions to perform the following tasks on the target server:
- Windows permissions to create and modify registry values.
- Windows administrative permissions to install software and stop/start services.
* It is recommended that the user account performing the installation be a member of the Domain Admins group in the domain where the coordinator is being installed.

Service account running the coordinator service (LocalSystem by default):
- Active Directory permissions to create and modify SCP (Service Connection Point) objects under the computer object that will be running a ChangeAuditor Coordinator.
- Local Administrator permissions on the coordinator server.

SQL Server database access account specified during installation:
An account must be created to be used by the Coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:
- Must be assigned the SQL Server role of dbcreator
- Must be assigned the following database roles in the msdb database:
  - db_datareader
  - db_datawriter
  - SQLAgentUserRole
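The SQL Server permissions listed above, written out as T-SQL with a verification step. This is an added example, not part of the Quest documentation: the login name CONTOSO\svc-changeauditor is a placeholder for the Active Directory account you created, and the stored procedures used are the ones available on the SQL Server 2005/2008/2008 R2 versions this guide lists.

```sql
-- Added example (not from the Quest guide): grant the coordinator's SQL access
-- account the permissions the guide lists, then verify what it actually holds.
-- ASSUMPTION: CONTOSO\svc-changeauditor is a placeholder AD account name.

USE [master];
GO

-- SQL login mapped to the existing Active Directory (Windows) account.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\svc-changeauditor')
    CREATE LOGIN [CONTOSO\svc-changeauditor] FROM WINDOWS;
GO

-- Server role: dbcreator.
EXEC sp_addsrvrolemember
     @loginame = N'CONTOSO\svc-changeauditor',
     @rolename = N'dbcreator';
GO

USE [msdb];
GO

-- The login needs a database user in msdb before it can hold msdb roles.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-changeauditor')
    CREATE USER [CONTOSO\svc-changeauditor]
        FOR LOGIN [CONTOSO\svc-changeauditor];
GO

-- Database roles in msdb, exactly the three the guide names.
EXEC sp_addrolemember N'db_datareader',    N'CONTOSO\svc-changeauditor';
EXEC sp_addrolemember N'db_datawriter',    N'CONTOSO\svc-changeauditor';
EXEC sp_addrolemember N'SQLAgentUserRole', N'CONTOSO\svc-changeauditor';
GO

-- Verification 1: server-level roles. Expect is_dbcreator = 1.
-- is_sysadmin = 1 means the account holds more than the guide asks for.
SELECT IS_SRVROLEMEMBER('dbcreator', N'CONTOSO\svc-changeauditor') AS is_dbcreator,
       IS_SRVROLEMEMBER('sysadmin',  N'CONTOSO\svc-changeauditor') AS is_sysadmin;

-- Verification 2: msdb database roles held by the account.
-- Expect db_datareader, db_datawriter and SQLAgentUserRole.
SELECT r.name AS msdb_role
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\svc-changeauditor'
ORDER BY r.name;
```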


To install a ChangeAuditor Coordinator:


This installation must be performed locally on a member server running Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 or Windows Server 2008 R2.

1. Verify that the user account you will be using to execute the coordinator installation is at least a Domain Admin in the domain to which the coordinator server belongs.

   Membership in the Enterprise Admins group is NOT required, but can make agent deployment to domain controllers in multiple domains easier. Deploying agents to member servers requires that you be a Domain Admin in every domain that contains servers that you are targeting for installation.

2. Use an existing account or create a new user account in Active Directory that will be used by ChangeAuditor to access the SQL Server.

3. Create a SQL Login for this AD user account and assign the following permissions to this login:
   - Server role: dbcreator
   - Database roles to msdb database: db_datareader, db_datawriter, SQLAgentUserRole

4. From the desired member server, insert the ChangeAuditor DVD or, if you downloaded the product from the Quest web site, run the autorun.exe file to launch the Quest ChangeAuditor autorun.

5. On the Install page of the autorun, select the Install ChangeAuditor Coordinator link that is compatible with your system architecture (x86 or x64) to launch the ChangeAuditor Coordinator Setup wizard.

6. Enter the information requested on the Coordinator Setup wizard pages:
   - When prompted, read and accept the license agreement.
   - On the Product Licensing page, use the Licenses button to open the License Status dialog.
   - On the License Status dialog, select the Browse button to locate and apply the new ChangeAuditor license.

     If you are installing multiple ChangeAuditor products (e.g., ChangeAuditor for Active Directory, ChangeAuditor for Windows File Servers, ChangeAuditor for Exchange, etc.), select each of the licenses to be applied.

   - On the Customer Installation Information screen, select Next to use the default (DEFAULT) installation name.

     When installing one Coordinator in your Active Directory forest, it is recommended that you use the default (DEFAULT) installation name. If you are planning on installing multiple coordinators, please refer to the ChangeAuditor Installation Guide for more details regarding installing multiple coordinators and the significance of specifying an installation name.

   - On the Select Installation Folder page, select Next to use the default installation path (%SystemDrive%\Program Files\Quest Software\ChangeAuditor\Service\).
   - On the SQL Server Selection page, select which instance of SQL is to be used and enter the credentials for the user account previously created.
   - On the ChangeAuditor Administrators page, the Add the current user to the "ChangeAuditor Administrators <InstallationName>" security group check box is selected by default and will add the current user to the ChangeAuditor Administrators - <InstallationName> group.

     Any user that will be running a ChangeAuditor Client must be added to either this security group or the ChangeAuditor Operators security group. In addition, users responsible for deploying ChangeAuditor Agents must be a member of the ChangeAuditor Administrators group in the specified ChangeAuditor installation.

   - On the Ready to Install page, select the Install button to begin the ChangeAuditor Coordinator installation.
   - On the last page of the wizard, select the Finish button to exit the wizard.

7. Verify that the Coordinator service has been successfully installed by right-clicking the ChangeAuditor Coordinator icon in the System Tray and selecting Coordinator Status. Check for the correct version and that the Coordinator Status is 'Running'.

Step 2: Install ChangeAuditor Client


1. On the desired workstation, laptop or member server, insert the ChangeAuditor DVD or run the autorun.exe file to launch the Quest ChangeAuditor autorun.

2. On the Install page, select the Install ChangeAuditor Client link that is compatible with your system architecture (x86 or x64). This will launch the ChangeAuditor Client Setup wizard.

3. Enter the information requested on the Client Setup wizard pages:
   - When prompted, read and accept the license agreement.
   - On the Select Installation Folder page, select Next to accept the default installation path (%SystemDrive%\Program Files\Quest Software\ChangeAuditor\).
   - On the Configure Shortcuts page, select the locations where you'd like to create shortcuts for the ChangeAuditor Client.
   - On the Ready to Install page, select the Install button to begin the client installation.
   - On the last page of the setup wizard, select the Finish button to exit the wizard.

4. Use Add/Remove Programs to verify that the Quest ChangeAuditor Client was successfully installed.

Step 3: Add User Accounts to ChangeAuditor Security Groups


During the coordinator installation process, you were presented with the option to add the current user to the ChangeAuditor Administrators security group in the specified ChangeAuditor installation. If you elected NOT to add the current user during the installation process or wish to add additional user accounts, please use the following procedure; otherwise skip to Step 4: Start the ChangeAuditor Client.

1. Once the ChangeAuditor Coordinator and ChangeAuditor Client are installed, you must add all of the user accounts that will be running the ChangeAuditor Client to one of the following security groups:
   - ChangeAuditor Administrators - <InstallationName> Group provides access to all aspects of ChangeAuditor and to roll out ChangeAuditor Agents
   - ChangeAuditor Operators - <InstallationName> Group provides access to ChangeAuditor with the exception of making configuration changes
2. In addition, all users responsible for deploying ChangeAuditor Agents must also be a member of the ChangeAuditor Administrators group in the specified ChangeAuditor installation.
3. Use one of the following applications to add the appropriate user accounts to the ChangeAuditor security groups:
   - Domain in Native Mode: Use the Active Directory Users and Computers MMC snap-in.
   - Domain in Mixed Mode: Use the Microsoft Computer Management native tool.
   For more detailed instructions on adding user accounts to security groups, please refer to the ChangeAuditor Installation Guide.
4. To apply the change, log out and back in.
5. All users running a ChangeAuditor Client must also have the proper SQL credentials for accessing the ChangeAuditor database.
6. One way of accomplishing this would be to add the ChangeAuditor Administrators and ChangeAuditor Operators groups to the appropriate SQL database roles, which were also created during the Coordinator installation:
   - ChangeAuditor_Administrators
   - ChangeAuditor_Operators
7. Launch the Microsoft SQL Management Studio and connect to the SQL database server.
8. Create a SQL login for the ChangeAuditor Administrators group and assign this login to the ChangeAuditor_Administrators role for the ChangeAuditor database.
9. Create a SQL login for the ChangeAuditor Operators group and assign this login to the ChangeAuditor_Operators role for the ChangeAuditor database.
   For more detailed instructions on adding groups to SQL database roles, please refer to the ChangeAuditor Installation Guide.
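The SQL login and role assignments described above can also be scripted and then verified, shown here as an added example that is not part of the Quest guide. The server instance, database name, domain and installation name are placeholder assumptions, as is the assumption that each Windows group's account name matches the group name given in the guide; only the two role names come from the guide.

```powershell
# Added example (not Quest code). Needs Invoke-Sqlcmd (SqlServer or SQLPS module)
# and a connection with rights to create logins on the instance.
# ASSUMPTIONS: every value in this block is a placeholder for your environment.
$SqlInstance  = 'SQL01'            # SQL Server instance hosting the ChangeAuditor database
$Database     = 'ChangeAuditor'    # database name chosen during Coordinator installation
$Domain       = 'CONTOSO'          # NetBIOS name of the domain holding the security groups
$Installation = 'DEFAULT'          # stands in for <InstallationName>

# Windows security group -> database role (role names as listed in the guide)
$Map = [ordered]@{
    "$Domain\ChangeAuditor Administrators - $Installation" = 'ChangeAuditor_Administrators'
    "$Domain\ChangeAuditor Operators - $Installation"      = 'ChangeAuditor_Operators'
}

function New-RoleMappingSql {
    param([string]$Login, [string]$Role)
    $id      = $Login.Replace(']', ']]')   # escape for [bracketed] identifiers
    $lit     = $Login.Replace("'", "''")   # escape for N'...' string literals
    $roleLit = $Role.Replace("'", "''")
    # The CREATE statements are guarded so the batch can be run again safely.
@"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$lit')
    CREATE LOGIN [$id] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$lit')
    CREATE USER [$id] FOR LOGIN [$id];
EXEC sp_addrolemember N'$roleLit', N'$lit';
"@
}

foreach ($login in $Map.Keys) {
    $sql = New-RoleMappingSql -Login $login -Role $Map[$login]
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $sql
}

# Verify: list every principal that now holds one of the two ChangeAuditor roles.
$verify = @"
SELECT r.name AS RoleName, m.name AS MemberName, m.type_desc AS MemberType
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'ChangeAuditor_Administrators', N'ChangeAuditor_Operators')
ORDER BY r.name, m.name;
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $verify |
    Format-Table -AutoSize
```

Granting the roles to the two Windows groups rather than to individual accounts keeps database access tied to group membership; the verification query shows any other principals that hold either role.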

Step 4: Start the ChangeAuditor Client


After completing the ChangeAuditor installation (which includes installing the coordinator and at least one client), the first step is to ensure that you can connect to the coordinator.

1. Select Start | All Programs | Quest Software | ChangeAuditor | ChangeAuditor Client to launch the ChangeAuditor Client.
2. When you launch the ChangeAuditor Client, the client will display the Connection Profile dialog allowing you to connect to the 'Default Connection' profile or define/specify a different connection profile. Select the Connect button to use the Default Connection profile.
   If you cannot connect, ensure that the Quest ChangeAuditor Coordinator service is running AND that you are a member of either the ChangeAuditor Administrators or ChangeAuditor Operators security group.
3. If you do not have the proper credentials required for access, the appropriate credentials dialogs will be displayed allowing you to enter the required credentials.
4. Once connected, you will be presented with the Deployment page of the ChangeAuditor Client, allowing you to select the servers to which ChangeAuditor Agents are to be deployed.

Step 5: Deploy ChangeAuditor Agents


PERMISSIONS REQUIRED FOR DEPLOYING AGENTS: The Agent Deployment wizard runs under the security context of the currently logged on user account. Therefore, you must have administrative authority to install software on every target machine. This means you must be a Domain Admin in every domain that contains servers that you are targeting for installation. If you are targeting domain controllers only, membership in the Enterprise Admins group will grant you authority to all domain controllers in the forest. In addition, all users responsible for deploying ChangeAuditor Agents must also be a member of the ChangeAuditor Administrators group in the specified ChangeAuditor installation. If you are not a member of this security group for this installation, you will get an access denied error.

To deploy ChangeAuditor Agents:

1. Verify that the user account you will be using to deploy agents is at least a Domain Admin in every domain that contains servers where agents are to be deployed.
2. Verify that the user account is also a member of the ChangeAuditor Administrators group in the specified ChangeAuditor installation.
3. Launch the ChangeAuditor Client. The Deployment page will automatically be displayed if agents have not yet been deployed. Otherwise, use View | Deployment to open the Deployment page. The Deployment page will be populated with the servers (domain controllers and member servers) discovered in your Active Directory environment.
   The Deployment page may initially be empty until the current forest's server topology has been harvested. This page will be automatically refreshed once this task has completed.
4. From this list, select an entry and use the Credentials | Set tool bar button or right-click command to enter the proper user credentials for installing agents on the selected domain. On the Domain Credentials dialog, select the domain from the list and click the Set button. On the Logon Credentials dialog, enter the credentials of a user with administrator rights on the selected domain.
5. After entering the proper credentials, select the entry back on the Deployment page and select Credentials | Set from the tool bar or right-click menu.
   - If you get a Valid Creds status in the Deployment Results column, you can start deploying agents to that domain.
   - If you get an Access Denied status in the Deployment Results column, use the Credentials | Set command to re-enter the proper credentials for installing agents.
6. Select one or more servers on the Deployment page and select the Install or Upgrade tool bar button or right-click command.
7. On the Install or Upgrade dialog, select one of the following options to schedule the deployment task:
   - Now (default)
   - When
   If you select the When option, enter the date and time when you want the deployment task to be initiated. Select OK to initiate or schedule the deployment task depending on the option selected.
8. As agents are successfully connected to the ChangeAuditor Coordinator, a desktop notification will be displayed in the lower right-hand corner of your screen.
   To deactivate these desktop notifications, select the Action | Agent Notifications menu command.


3
ChangeAuditor Walkthrough
- Check Agent Status
- ChangeAuditor Client Overview
- Client Walkthrough
- Make Changes to Active Directory and Run a Report
- Set up Email Alert Notifications
- Enable Email Alerts for 'All Events'

Check Agent Status


Once agents have been deployed, the next step is to ensure that all of the agents have checked in.

1. From within the ChangeAuditor Client, use the View | Statistics | Agent menu command (or Ctrl+F11) to open the Agent Statistics page. A list of all deployed agents will be displayed.
2. Check to ensure that the status of each agent is 'Active'.
   If an agent's status is not connected, ensure that the agent service is running on that domain controller/member server.

ChangeAuditor Client Overview


The ChangeAuditor Client connects directly to the ChangeAuditor database and is the user interface that provides immediate access to key configuration change information. The following table gives you an idea of the pages available in the ChangeAuditor Client and the tasks that can be performed.

TABBED PAGE / TASKS THAT CAN BE PERFORMED ON PAGE

OVERVIEW
- Access valuable information about the application (e.g., agent status, repository status, top agent activity, etc.)
- View real-time results for your 'favorite' search

SEARCHES
- View list of available searches
- Create new custom searches
- Run searches
- Set a search as your 'favorite'
- Enable/disable alerts
- View alert history
- Generate and publish reports

SEARCH RESULTS
- View search results
- View event details or search properties
- Preview results based on changes made to a search
- Compare results side-by-side
- Print search results

REPORT
- View a SQL Reporting Services (SRS) rendering of the audited events returned for a selected search or built-in report
- View results for built-in SRS reports including Event Summary, Event Analysis and File Monitoring reports
NOTE: Since these reports can be viewed directly from the ChangeAuditor Client, they do NOT require SRS.

AGENT STATISTICS
- Get a global view of all installed agents
- Review current status and statistics for each agent
- Stop, start and restart an agent
- Retrieve associated trace logs

COORDINATOR STATISTICS
- Get a global view of all installed coordinators
- Review current status and statistics for each coordinator
- Retrieve associated trace logs

LOG
- View selected trace log
- Search selected trace log

ADMINISTRATION TASKS
Configuration Task List:
- Define and assign agent configurations
- Configure coordinator email notifications
- Define group expansion
- Define database maintenance activities
- Define SQL Reporting Services templates to allow users to import SRS settings for publishing ChangeAuditor reports
- Define who is authorized to use the ChangeAuditor Client features
Auditing Task List:
- Enable/disable event auditing and modify an event's severity level or description
- Define custom Active Directory object class auditing
- Define custom AD attribute auditing
- Define a Member of Group auditing list to specify the users to be audited based on their group membership
- Define Active Directory containers that are to be excluded from LDAP query auditing
- Define custom ADAM (AD LDS) object class auditing
- Specify ADAM (AD LDS) attributes for auditing
- Define an Exchange Mailbox auditing list to specify what directory objects mailbox activities are to be audited
- Create File System Auditing templates to define the files/folders to be audited
- Create Registry Auditing templates to define the registry keys to be audited
- Create Service Auditing templates to specify the system services to be audited
- Create SQL Auditing templates to define the SQL instances and operations to be audited
- Create Excluded Accounts templates to define individual accounts that are to be excluded from ChangeAuditor auditing
- Create EMC Auditing templates for each EMC file server (CIFS) to be audited
- Create NetApp Auditing templates for each NetApp filer to be audited
Protection Task List:
- Define protection for critical Active Directory objects
- Define protection for critical ADAM (AD LDS) objects
- Define protection for critical Group Policy objects
- Define protection for critical Exchange Mailboxes
- Define protection for critical File System files, folders and shares

ALERT HISTORY
- View details regarding the events that triggered the selected alert

Client Walkthrough
The following scenarios will introduce you to some of the ChangeAuditor pages mentioned above. We will be performing the following tasks to set up your testing environment:
- use the Searches page to run a report and generate a Search Results page
- use the Coordinator Configuration page (on the Administration Tasks tab) to set up email notification
- use the Searches page to enable an SMTP alert

The scenarios in this chapter assume that ChangeAuditor for Active Directory is licensed. If it is not licensed, making changes to Active Directory will not generate any of the events mentioned.

Make Changes to Active Directory and Run a Report


1. Make changes to Active Directory, for example:
   - Open Active Directory Users and Computers and add a new OU called 'Quest Test'. This OU can be at any level within the AD topology.
   - Create and link a new GPO called 'Sample GPO' to the Quest Test OU.
     If you are using Windows Server 2008, use the Group Policy Management Console to create a new GPO.
   - Add a new user to the Domain Admins security group.
   - Finally, open Active Directory Sites and Services and expand the Inter-Site Transport folder, then the IP folder. Double-click on the DEFAULTSITELINK and change the replication interval.
2. Launch the ChangeAuditor Client (Start | All Programs | Quest Software | ChangeAuditor | ChangeAuditor Client).
3. From within the ChangeAuditor Client, click on the Searches tab (or Ctrl+F10) to open the Searches page.
4. In the left-hand pane, expand the Shared | Built-in Reports folder and then the All Events Reports folder.
5. In the right-hand pane, locate All Active Directory Events and double-click the entry. This will run the selected report.
6. A new Search Results page will be displayed populated with the Active Directory audited events generated.
7. Ensure that the following events were generated for each of the Active Directory changes made above:
   - A new OU was added.
   - A new GPO was created, renamed and linked to an OU (three events).
   - A new user was added to the Domain Admins security group (two events).
   - The DEFAULTSITELINK was changed.
8. To display additional details for an audited event, double-click the audited event entry in the results grid of the Search Results page. This will display the Event Details pane across the bottom of the page.
   If the Search Properties tabs are displayed across the bottom of the page, select the Event Details tool bar button. The Event Details pane will replace the Search Properties tabs.

Set up Email Alert Notifications


1. Select the View | Administration menu command (or Ctrl+F12) to open the Administration Tasks page.
2. Select the Configuration task button at the bottom of the navigation pane (left-hand pane).
3. Select Coordinator in the Configuration task list to open the Coordinator Configuration page.
4. On the SMTP Configuration pane, select the Enable SMTP for Alerts check box to enable e-mail alert notifications.
5. Checking this option will activate the remaining fields on this pane to configure alert emails. Enter the following information:
   - Mail Server
   - From Address
   - Reply To
   - Subject Line
6. If the specified mail server requires authentication, select the My Server Requires Authentication check box and enter the account information.
7. Select the Test SMTP tool bar button to test the mail server configuration.
8. Once the mail server configuration is verified, select the Apply Changes tool bar button to save the configuration.
9. Now that SMTP alerting is enabled and configured, you can enable email alerts for individual search definitions.

Enable Email Alerts for 'All Events'


1. Click on the Searches tab (or Ctrl+F10) to open the Searches page.
2. In the left-hand pane, expand the Shared | Built-in Reports folder and then the All Events Reports folder.
3. In the right-hand pane, locate the All Events search definition, right-click and select the Alert | Enable Transport | SMTP command.
4. Selecting this command will display the Alert Custom Email dialog allowing you to enter the email address of the person(s) who are to receive the alert.
   To send an alert to the user who initiated the change that triggered the alert, select the Add Who check box at the bottom of the Alert Custom Email dialog.
5. To test this new alert, undo the Active Directory changes previously made:
   - Open Active Directory Users and Computers and delete the 'Quest Test' OU.
   - Delete the 'Sample GPO' GPO.
   - Remove the user you added to the Domain Admins security group.
   - Open Active Directory Sites and Services and expand the Inter-Site Transport folder, then the IP folder. Double-click on the DEFAULTSITELINK and change the replication interval back to its original setting.
6. Wait approximately two minutes for the coordinator to pick up the events and trigger the alert to be sent. (This time may be quicker or slower depending on email latency.)
7. To later disable the alerts, return to the Searches tab, right-click the All Events search definition and select Alert | Disable Alert. Select Yes to confirm that you want to disable the alert.

4
ChangeAuditor for Active Directory
- Introduction
- Audit Custom User Attributes
- Audit Users Based on Their Group Membership

Introduction
The scenarios presented in this chapter show you how to use some additional Active Directory auditing features offered in ChangeAuditor for Active Directory.
Active Directory auditing is only available if you have licensed the ChangeAuditor for Active Directory product. The product will not prevent you from specifying Active Directory auditing; however, associated events will not be captured unless the proper license is applied.

Please refer to the ChangeAuditor Product Specific Features table in Appendix A for the list of features/functionality dependent on the different product licenses.

Audit Custom User Attributes


The Active Directory Attribute auditing feature allows you to specify individual schema attributes to be audited.

To define custom attribute auditing:

1. Open the Administration Tasks tab.
2. Select the Auditing task button at the bottom of the navigation pane (left-hand pane).
3. Select Attributes under Active Directory in the Auditing task list to open the Active Directory Attribute Auditing page.
4. Select an object class from the list located across the top of this page. Selecting an entry in this list will populate the list boxes across the bottom of the dialog with the applicable attributes. For example, select the group object.
5. In the Unmonitored Attribute list box, located in the lower left-hand pane of this page, select one or more attributes and use the Add button to select them for auditing. For example, select the description attribute.
6. To change the severity level assigned to an attribute, in the right-hand list box, place your cursor in the Severity cell and use the drop-down arrow to select the severity you want to assign to the selected attribute.
7. To remove an attribute from auditing, select the attribute from the right-hand pane and select the Remove button. Selecting this button will move the selected attribute back into the Unmonitored Attribute list box.
8. Once you have selected at least one attribute for auditing, the associated Monitored Attributes column in the list box across the top of this page will display the number of custom attributes selected for auditing. This value will also be displayed in the Monitor Attributes column back on the Active Directory Auditing page.
   The default attributes which are automatically being audited for each object are NOT included in the Monitored Attributes counts.
9. To test these events, make a change to the attribute selected for auditing. For example, launch ADUC and change the description of a user.
10. Go back to the ChangeAuditor Client and re-run the All Events report.
   - Open the Searches tab.
   - Expand the Shared | Built-In Reports | All Events Reports folder in the left-hand pane.
   - Locate and double-click All Events in the right-hand pane.
   This will display a new Search Results page displaying the audited events.

Audit Users Based on Their Group Membership


The Member of Group auditing feature allows you to audit specific users based on their group membership. That is, you will be auditing changes made only to the specified user objects.

To define a Member of Group Auditing list:

1. Open the Administration Tasks tab.
2. Select the Auditing task button at the bottom of the navigation pane (left-hand pane).
3. Select Active Directory under the Auditing task list to display the Active Directory Auditing page.
4. From this page, select the user object class and use the Delete tool bar button. (By default, ChangeAuditor monitors all users; therefore, in order to use this feature, you must first delete the user object class.)
5. From the left-hand pane of the Administration Tasks tab, select Member of Group under Active Directory in the Auditing task list to display the Member of Group Auditing page.
6. Use the Add tool bar button to display the Member of Group Auditing wizard.
7. Use the Browse and Search pages to locate and select a group and use the Add button to add the selected group to the Selected Objects list at the bottom of the wizard. Repeat this step until you have selected all of the groups you want to add to the Member of Groups Auditing list. Then use the Select button to save your selections, close the wizard and return to the Member of Group Auditing page, where your selections will now be listed.
8. To test the auditing of users based on their group membership, make one or more changes to a user object that is included in the previously defined Member of Groups Auditing list. You can also make changes to a user object that is not in the list to verify that no events will be generated for that user.
9. Go back to the ChangeAuditor Client and re-run the All Events report.
   - Open the Searches tab.
   - Expand the Shared | Built-In Reports | All Events Reports folder in the left-hand pane.
   - Locate and double-click All Events in the right-hand pane.
   This will display a new Search Results page displaying the audited events.
10. Ensure that the changes you made to the user object(s) in the list are displayed and that the changes you made to the user object(s) not in the list are not displayed.

5
ChangeAuditor for Windows File Servers
- Introduction
- Getting Started
- Create a File System Auditing Template
- Make File System Changes and Run a Report

Introduction
ChangeAuditor for Windows File Servers provides you with the ability to search, report and alert on changes to a specific file or folder or all volumes. Using ChangeAuditor for Windows File Servers you can receive real-time alerts whenever someone tries to access a secure file or folder.
File System auditing is only available if you have licensed the ChangeAuditor for Windows File Servers product. The product will not prevent you from specifying file system auditing, however, associated events will not be captured unless the proper license is applied.

Please refer to the ChangeAuditor Product Specific Features table in Appendix A for a list of ChangeAuditor features/functionality dependent on a specific product license.

Getting Started
1. Verify that ChangeAuditor for Windows File Servers is licensed.
   - From the member server where ChangeAuditor is installed, launch the License Manager (Start | All Programs | Quest Software | ChangeAuditor | License Manager).
   - On the About ChangeAuditor dialog, verify that the License Status field is set to 'Installed' for ChangeAuditor for Windows File Servers.
   - If the License Status field indicates that ChangeAuditor for Windows File Servers is 'Uninstalled', use the Update License button to locate and apply the appropriate license.
2. Create a new folder on the C: drive of an agented server and then add a new .txt file in this folder. This folder will be used in the following scenarios as an auditing target.
3. In order to capture File System audited events in ChangeAuditor, you must first complete the following steps to define the files/folders to be audited and the operations to be captured:
   - Create a File System Auditing template which specifies the files/folders and operations to be audited.
   - Add this template to an agent configuration.
   - Assign the agent configuration to ChangeAuditor Agents.

Please refer to the procedures on the following pages to perform these tasks.

Create a File System Auditing Template


For this scenario, we will create a template to audit all changes made to the folder you just created.

1. Open the Administration Tasks tab.
2. Select the Auditing task button at the bottom of the navigation pane (left-hand pane).
3. Select File System in the Auditing task list to open the File System Auditing page.
4. Use the Add tool bar button to launch the File System Auditing wizard which will step you through the process of creating a File System Auditing template.
   - Enter a name for the template.
   - Select the Folder option.
   - Enter or use the drop-down arrow or the button to select the folder you previously created on the C: drive.
   - By default, the scope of coverage for the selected folder will be This Object and All Child Objects. Leave this setting for this scenario; however, if you wanted to change this setting, use the drop-down arrow in the scope cell.
   - On the Events tab, select the File Events and Folder Events check boxes to track all changes made to the selected folder.
   - Open the Inclusions page, enter * and use the Add button to add it to the Included Names list. Entering * will audit all files and folders in the selected folder.
   - Skip the Exclusions tab. In this scenario, we will not be excluding any subfolders or files from auditing.
   - (Optional) If you want to define any processes that are to be allowed to change audited objects without generating an audited event, select Next. Select one or more processes from the list at the top of the page and use the Add button to add them to the list box at the bottom of the page.
5. To create the template and assign it to an agent configuration, expand the Finish button and select Finish and Assign to Agent Configuration.
6. On the Configuration Setup dialog select the agent configuration (right-hand pane) to which the template is to be assigned and drag and drop it onto the newly created template. The Assigned cell for the template will change to Yes.
7. Select OK to save your selection, close the dialog and display the Agent Configuration page.
8. If this configuration is not assigned to any agents, you will need to assign it to one or more installed agents at this time.
   - On the Agent Configuration page, select one or more agents from the agent list and select the Assign tool bar button.
   - On the Agent Assignment dialog, select the configuration definition to be assigned to the selected agent(s) and select the OK button.
9. On the Agent Configuration page, select the agent(s) assigned to use the modified agent configuration and select the Refresh Configuration tool bar button. Verify that is displayed in the File System column.
   If you do not refresh the agent's configuration, the client will automatically check for a new agent configuration based on the polling interval setting. The default is every 15 minutes.

Make File System Changes and Run a Report


1. To test file system auditing, make some changes to the folder specified above, for example:
   - add a .doc file
   - change the security permissions on a file (right-click file, open the Security tab and add another user with full control)
   - delete the sample .txt file
   - add a sub-folder
   - change the security permission of the new folder
2. Go back to the ChangeAuditor Client to review the audited events generated. You can display them by either:
   - Opening the Agent Statistics tab, locating the agent where these changes were made and clicking the number link in the Events Today column.
   - Opening the Searches tab and running the All File System Events report. Expand the Shared | Built-in Reports | All Events Reports folder in the left-hand pane. Locate and double-click All File System Events in the right-hand pane.
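The five test changes listed above can be made repeatable with a short script that also records when each change was made, so the audited events can be matched one by one. This is an added example, not part of the Quest guide; the folder path, file names and test account are placeholder assumptions.

```powershell
# Added example (not Quest code). Run in an elevated session on the agented server.
# ASSUMPTIONS: the path, file names and account below are placeholders.
$ErrorActionPreference = 'Stop'          # a failed change must not be logged as done
$AuditFolder = 'C:\CATest'               # folder covered by the File System Auditing template
$TestAccount = 'CONTOSO\catest.user'     # constructed account that receives the test permissions

$doc    = Join-Path $AuditFolder 'sample.doc'
$txt    = Join-Path $AuditFolder 'sample.txt'   # the .txt file created in Getting Started (name assumed)
$subDir = Join-Path $AuditFolder 'SubFolder'

# Adds one Allow entry to the ACL of a file or folder.
function Add-TestAce {
    param([string]$Path, [string]$Account, [string]$Rights)
    $acl = Get-Acl -Path $Path
    if (Test-Path -Path $Path -PathType Container) {
        # Folder: let the entry inherit to child files and sub-folders.
        $ruleArgs = $Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    } else {
        $ruleArgs = $Account, $Rights, 'Allow'
    }
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Runs one change and records its start time for later comparison with the audit trail.
$log = New-Object 'System.Collections.Generic.List[object]'
function Invoke-TestChange {
    param([string]$Description, [scriptblock]$Action)
    $started = Get-Date
    & $Action | Out-Null
    $log.Add([pscustomobject]@{ Time = $started; Change = $Description })
}

Invoke-TestChange 'add a .doc file'                         { New-Item -ItemType File -Path $doc }
Invoke-TestChange 'change security permissions on a file'   { Add-TestAce -Path $doc -Account $TestAccount -Rights 'FullControl' }
Invoke-TestChange 'delete the sample .txt file'             { Remove-Item -Path $txt }
Invoke-TestChange 'add a sub-folder'                        { New-Item -ItemType Directory -Path $subDir }
Invoke-TestChange 'change security permission of new folder' { Add-TestAce -Path $subDir -Account $TestAccount -Rights 'Modify' }

# Checklist to compare against the All File System Events report.
$log | Format-Table Time, Change -AutoSize
```

Run it only after the agent has picked up the new configuration; a change in the table with no matching audited event points to a gap in the template's scope, inclusions or agent assignment.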


6
ChangeAuditor for Exchange
- Introduction
- Getting Started
- Make Changes in Exchange and Run a Report
- Enable Exchange Mailbox Auditing

Introduction
ChangeAuditor for Exchange provides extensive, customizable auditing and reporting for all critical changes to Exchange, including administrative groups, mailbox policies, public and private information store auditing, organizational changes such as Active Sync mailbox policy changes, distribution list changes and more.
Exchange auditing is only available if you have licensed the ChangeAuditor for Exchange product. The product will not prevent you from specifying Exchange auditing, however, associated events will not be captured unless the proper license is applied.

Please refer to the ChangeAuditor Product Specific Features table in Appendix A for a list of ChangeAuditor features/functionality dependent on a specific product license.

Getting Started
1. Verify that ChangeAuditor for Exchange is licensed.
   - From the member server where ChangeAuditor is installed, launch the License Manager (Start | All Programs | Quest Software | ChangeAuditor | License Manager).
   - On the About ChangeAuditor dialog, verify that the License Status field is set to 'Installed' for ChangeAuditor for Exchange.
   - If the License Status field indicates that ChangeAuditor for Exchange is 'Uninstalled', use the Update License button to locate and apply the appropriate license.
2. Verify that ChangeAuditor is set up to monitor all users in the domain.
   - Launch the ChangeAuditor Client and open the Administration Tasks tab.
   - Open the Active Directory Auditing page.
   - Verify that the user object class is listed. (This object class is included by default; however, we removed the user object class as part of the 'Auditing Users Based on Their Group Membership' scenario from the ChangeAuditor for Active Directory Auditing chapter.)
   - If it is not listed, use the Add tool bar button to add it.
   - Restart the agent to use the latest configuration.

Make Changes in Exchange and Run a Report


1. Create a new test user with an Exchange mailbox.
2. Make some changes to the test user just created. For example, if you are using Exchange 2003, open ADUC and make the following changes:
   - On the Email Address tab, create a new alternate SMTP address (e.g., alternate@yourcompany.com).
   - Still on the Email Address tab, create a new primary SMTP address (e.g., primary@yourcompany.com).
   - Still on the Email Address tab, set the address created above as the primary SMTP address.
   - On the Exchange General tab, click on the Delivery Options button and specify a user to send email on behalf of.
   If you are using Exchange 2007, use the Exchange Management Console to make changes to the test user.
3. Open the Exchange System Manager, expand Global Settings, and right-click on Message Delivery and select Properties. Select the Sender Filtering tab and add a new filter to catch emails sent from spam@spam.com.
4. Still from the Exchange System Manager, expand Administrative Groups and select New. Create a new group called 'Test'.
5. Launch the ChangeAuditor Client and run the 'All Exchange Events in the last 24 hours' report to view the audited events generated from the changes made above.
   - Open the Searches tab.
   - Expand the Shared | Built-In Reports | Recommended Best Practice Reports | Exchange folder in the left-hand pane.
   - Locate and double-click All Exchange Events in the last 24 hours in the right-hand pane.
   This will display a new Search Results page displaying the audited events.

Enable Exchange Mailbox Auditing


To enable Exchange Mailbox auditing, you must first define whose mailbox activities (users or groups) are to be audited.

To define an Exchange Mailbox Auditing list:

1. From within the ChangeAuditor Client, open the Administration Tasks tab.
2. Select the Auditing task button at the bottom of the navigation pane (left-hand pane).
3. Select Exchange Mailbox in the Auditing task list to open the Exchange Mailbox Auditing page.
4. Select the Add tool bar button to display the Exchange Mailbox Auditing wizard.
5. Use the Browse and Search pages to locate and select a directory object (i.e., User, Group, Container, DomainDNS, OrganizationalUnit, BuiltinDomain) and use the Add button to add the selected object to the Selected Object list at the bottom of the wizard. Repeat this step until you have selected all the directory objects you want added to the Exchange Mailbox Auditing list and use the Select button to save your selections, close this wizard and return to the Exchange Mailbox Auditing page, where your selections will now be listed.
6. If you specified to audit an individual user's mailbox and you want to audit for by owner events, place your cursor in the Events cell and select the Owner, Non-Owner option from the drop-down list.
7. In addition, some of the Exchange Mailbox Monitoring events are disabled by default due to the potentially high volume of events that can occur. If you want to capture any of these events, you will need to enable them.
   - Open the Administration Tasks tab and open the Audit Events page (select Audit Events under the Auditing task list).
   - Locate the Exchange Mailbox Monitoring events to be enabled. You can sort the event list in one of the following ways:
     - Click on the Status column heading to sort the list by Disabled/Enabled -- bringing the disabled events to the top of the list.
     - Click in the data filtering cell under the Facility Name heading and start typing Exchange Mailbox Monitoring. As you type, this will filter the list to display only those events included in the Exchange Mailbox Monitoring facility.
     - If there is a specific event, click in the data filtering cell under the Event Class heading and start entering the name of the event. As you type, this will filter the list to include only those events that match the characters entered.
   - Select the entry to be enabled and select the Enable tool bar button.
8. To test the Exchange Mailbox Monitoring events, open Outlook and perform various mailbox activities for any of the users included in your Exchange Mailbox Auditing List.
9. Go back to the ChangeAuditor Client and run the All Exchange Events report.
   - Open the Searches tab.
   - Expand the Shared | Built-In Reports | All Events Reports folder in the left-hand pane.
   - Locate and double-click All Exchange Events in the right-hand pane.
   This will display a new Search Results page displaying the audited events.

7 Customizing ChangeAuditor

- Introduction
- Create a Custom Search
- Group and Filter Data
- Exclude Accounts from Auditing

Introduction
Now that you are familiar with running searches and viewing the results, let's discuss some additional ChangeAuditor features that allow you to customize what is being audited by ChangeAuditor and the results you receive.

Create a Custom Search


If you do not see a Built-in Report that suits your needs, it is very easy to create a custom report under the Private or Shared folder in the explorer view (left-hand pane of the Searches page). Private searches are those that only you can run and view, whereas Shared searches can be run and viewed by all ChangeAuditor users.

1. Open the Searches page.
2. In the explorer view (left-hand pane), expand and select the folder where you want to save your search.
3. Select the New tool bar button at the top of the Searches page to display and activate the Search Properties tabs, where you can define the search criteria.

   See the table below for a brief description of the tabs available and how to define search criteria. For more detailed information, please refer to the ChangeAuditor User Guide.

   TAB: INFO
   DESCRIPTION: Name your search.
   HOW TO ADD CRITERIA:
   - Enter name
   - Optionally enter description

   TAB: WHO
   DESCRIPTION: Search for events generated by a specific user, computer or group. By default, ChangeAuditor searches for change events generated by all users, computers and groups.
   HOW TO ADD CRITERIA:
   - Select Add tool bar button
   - Select the user/computer/group
   - Select Add button
   - Click Select to save selection
   Note: To use a wildcard expression to specify a user or group, expand the Add tool bar button and select Add Wildcard Expression.

   TAB: WHAT
   DESCRIPTION: Search for events based on subsystem, event class, object class, severity or results. By default, all entities will be included in a new search definition.
   HOW TO ADD CRITERIA:
   - Select Add tool bar button
   - Use drop-down menu to select an entity
   - Select scope, actions and/or entity (depending on dialog)
   - Select Add button
   - Click OK to save selection

   TAB: WHERE
   DESCRIPTION: Search for events captured by a specific agent or within a specific domain or site. By default, all agents will be included in a new search.
   HOW TO ADD CRITERIA:
   - Select Add tool bar button
   - Select the agent, domain, or site
   - Select Add
   - Click OK to save selection
   Note: To use a wildcard expression to specify a domain, site or agent, expand the Add tool bar button and select Add Wildcard Expression.

   TAB: WHEN
   DESCRIPTION: Search for events that occurred during a specific date/time range. By default, new searches will include the events captured in the last seven days.
   HOW TO ADD CRITERIA:
   - Check date interval option and enter dates
   - Optionally enter time interval

   TAB: ORIGIN
   DESCRIPTION: Search for events originating from a specific workstation or server. By default, ChangeAuditor searches for all events regardless of where they originated.
   HOW TO ADD CRITERIA:
   - Select Add tool bar button
   - Enter a wildcard expression to search for a workstation or server
   - Click OK to save selection

   TAB: COMMENT
   DESCRIPTION: Search for events that contain specific comments. By default, ChangeAuditor includes all events regardless of what's in the comment field.
   HOW TO ADD CRITERIA:
   - Enter comments (word or string of characters)
   - To search for comments that do not contain the word or string entered, select the Exclude option
   - To search for events that do not contain any comments, select the Blanks option

4. Once you have defined the search criteria, select the Run tool bar button from one of the Search Properties tabs to save and run the search.

Group and Filter Data


Using the column headings in the data grids throughout the client, you can customize the content displayed by defining the sort order or sort criteria, moving or hiding columns. In addition, you can group data to create a collapsed view or filter the data to limit the data displayed in the grids to locate specific information.

To group data:

1. Select a column heading (the column heading will pop off the table) and drag it to the space above the table. For example, use the left mouse button to click the Subsystem heading and drag that column heading to the space above the table.
2. Optionally, repeat this step to select additional headings to create a hierarchy of groupings. This will collapse the table and display the groupings that can be expanded to view the detailed information that applies to each group.
3. To expand a group and display the individual events listed, click on the + sign to the left of the label.
4. When a grouping is in place, you can use the Pie Chart or Bar Graph icons, located at the top of the grid, to redisplay the data.
5. In either of these views, use the Data Grid icon to redisplay the data in the grid format.
6. To remove a grouping, simply select the heading and drag it back down into the table area.

To filter data:

Throughout the client, you will see a row of cells under the headings row in each of the data grids. These cells provide data filtering options which allow you to filter and sort the data displayed.

1. Place your cursor in one of these cells, and click the Click here to filter data...
2. In the selected cell, enter the word or string of characters to be used to filter the data displayed. Filtering will take place as you type your entry.
3. By default, ChangeAuditor will use either the 'starts with' or 'contains' expression to filter the data. However, if you click on the search criteria button, you can select a different expression.
4. To remove the filtering and return to the original data grid, click on the Remove Filter button to the far left of the cells.
5. To remove the filtering of an individual cell, use the Remove Filter button to the right of that cell.

Quest ChangeAuditor

Exclude Accounts from Auditing


The Account Exclusion feature allows you to define a list of trusted accounts which are to be excluded from the ChangeAuditor auditing process. This enables you to exclude change events generated by accounts that make a large number of changes via scripting or by accounts which are trusted.

To use the account exclusion feature, you must first complete the following steps to define the user/computer accounts that can make changes without triggering an audited event in ChangeAuditor:

1. Open the Administration Tasks tab.
2. Select the Auditing task button at the bottom of the navigation pane (left-hand pane).
3. Select Excluded Accounts under the Auditing task list to open the Excluded Accounts Auditing page.
4. Select the Add tool bar button to launch the Excluded Accounts wizard which will step you through the process of creating an Excluded Accounts template.

   On the first page of the wizard, enter a name for the template and optionally select the facilities/event classes to be excluded.

   Note: To include ALL event classes/facilities in this Excluded Accounts definition, leave the list box across the bottom of this page empty.
5. On the second page of the wizard, use the Browse or Search pages to locate and select the user or computer accounts that are to be excluded from ChangeAuditor auditing. Use the Add button to add these accounts to the list box at the bottom of this page.
6. To create the template and assign it to an agent configuration, expand the Finish button and select Finish and Assign to Agent Configuration.
7. On the Configuration Setup dialog select the agent configuration (right-hand pane) to which the template is to be assigned and drag and drop it onto the newly created template. The Assigned cell for the template will change to Yes. Select OK to save your selection, close the dialog and display the Agents Configuration page.
8. If this configuration is not assigned to any agents, you will need to assign it to one or more installed agents at this time. On the Agent Configuration page, select one or more agents from the agent list and select the Assign tool bar button. On the Agent Assignment dialog, select the configuration definition to be assigned to the selected agent(s) and select the OK button.
9. On the Agent Configuration page, select the agent(s) assigned to use the modified agent configuration and select the Refresh Configuration tool bar button or right-click command. Verify that is displayed in the Exclude Account column.

   Note: If you do not restart the agent, the client will automatically check for a new agent configuration based on the polling interval setting. The default is every 15 minutes.
10. Use a user account that is included in the exclusion list to make changes to Active Directory, File Systems and/or Exchange.
11. Run the All Events report to ensure that the changes you made are NOT reported.
    - Open the Searches tab.
    - Expand the Shared | Built-In Reports | All Events Reports folder in the left-hand pane.
    - Locate and double-click All Events in the right-hand pane.

Appendix A ChangeAuditor Product Specific Features


This appendix provides a summary of the ChangeAuditor features and/or functionality that is dependent upon a specific ChangeAuditor product license. The following table displays the features that are only available when the corresponding ChangeAuditor product is licensed. If a feature/functionality is not listed here, it works in ChangeAuditor regardless of the license applied.
The product will not prevent you from performing any of the administration tasks on the Administration Tasks tab; however, associated events will not be captured and/or associated protection will not occur unless the proper license is applied. To hide unlicensed ChangeAuditor features from the Administration Tasks tab (including unavailable audit events throughout the client), use the Action | Hide Unlicensed Components menu command.

FACILITIES (SEARCHES/EVENTS): CHANGEAUDITOR PRODUCT LICENSE

Connection Object: ChangeAuditor for Active Directory
Custom AD Object Monitoring: ChangeAuditor for Active Directory
Custom Computer Monitoring: ChangeAuditor for Active Directory
Custom File System Monitoring: ChangeAuditor for Windows File Servers
Custom Group Monitoring: ChangeAuditor for Active Directory
Custom Object Monitoring: ChangeAuditor for Active Directory
Custom User Monitoring: ChangeAuditor for Active Directory
Defender: ChangeAuditor for Defender
DNS Service: ChangeAuditor for Active Directory
DNS Zone: ChangeAuditor for Active Directory
Domain Configuration: ChangeAuditor for Active Directory
Domain Controller Configuration: ChangeAuditor for Active Directory
EMC: ChangeAuditor for EMC
Exchange Administrative Group: ChangeAuditor for Exchange
Exchange Distribution List: ChangeAuditor for Exchange
Exchange Mailbox Monitoring: ChangeAuditor for Exchange
Exchange Organization: ChangeAuditor for Exchange
Exchange Permission Tracking: ChangeAuditor for Exchange
Exchange Security Group: ChangeAuditor for Exchange
Exchange User: ChangeAuditor for Exchange
Forest Configuration: ChangeAuditor for Active Directory
FRS Service: ChangeAuditor for Active Directory
Group Policy Item: ChangeAuditor for Active Directory
Group Policy Object: ChangeAuditor for Active Directory
IP Security: ChangeAuditor for Active Directory
LDAP Query: ChangeAuditor for LDAP
NetApp: ChangeAuditor for NetApp
NETLOGON Service: ChangeAuditor for Active Directory
NTDS Service: ChangeAuditor for Active Directory
Organizational Unit (OU): ChangeAuditor for Active Directory
QAS Monitoring: ChangeAuditor for QAS
Replication Transport: ChangeAuditor for Active Directory
Schema Configuration: ChangeAuditor for Active Directory
Site Configuration: ChangeAuditor for Active Directory
Site Link Bridge Configuration: ChangeAuditor for Active Directory
Site Link Configuration: ChangeAuditor for Active Directory
SQL Broker Event: ChangeAuditor for SQL
SQL CLR Event: ChangeAuditor for SQL
SQL Cursors Event: ChangeAuditor for SQL
SQL Database Event: ChangeAuditor for SQL
SQL Deprecation Event: ChangeAuditor for SQL
SQL Errors and Warnings Event: ChangeAuditor for SQL
SQL Full Text Event: ChangeAuditor for SQL
SQL Locks Event: ChangeAuditor for SQL
SQL Object Event: ChangeAuditor for SQL
SQL OLEDB Event: ChangeAuditor for SQL
SQL Performance Event: ChangeAuditor for SQL
SQL Progress Report Event: ChangeAuditor for SQL
SQL Query Notifications Event: ChangeAuditor for SQL
SQL Scan Event: ChangeAuditor for SQL
SQL Security Audit Event: ChangeAuditor for SQL
SQL Server Event: ChangeAuditor for SQL
SQL Session Event: ChangeAuditor for SQL
SQL Stored Procedures Event: ChangeAuditor for SQL
SQL Transactions Event: ChangeAuditor for SQL
SQL TSQL Event: ChangeAuditor for SQL
SQL User-Configurable Event: ChangeAuditor for SQL
Subnets: ChangeAuditor for Active Directory
SYSVOL: ChangeAuditor for Active Directory

SEARCH CRITERIA (WHAT TAB): CHANGEAUDITOR PRODUCT LICENSE

Subsystem | Active Directory: ChangeAuditor for Active Directory
Subsystem | ADAM (AD LDS): ChangeAuditor for Active Directory
Subsystem | Exchange: ChangeAuditor for Exchange
Subsystem | File System: ChangeAuditor for Windows File Servers
Subsystem | Group Policy: ChangeAuditor for Active Directory
Subsystem | LDAP Query: ChangeAuditor for LDAP
Subsystem | SQL: ChangeAuditor for SQL
Object Class: ChangeAuditor for Active Directory

ADMINISTRATION TASK TAB

AUDITING TASK LIST | GLOBAL: CHANGEAUDITOR PRODUCT LICENSE

Active Directory: ChangeAuditor for Active Directory
Active Directory | Attributes: ChangeAuditor for Active Directory
Active Directory | Member of Group: ChangeAuditor for Active Directory
Active Directory | Excluded LDAP: ChangeAuditor for LDAP
ADAM (AD LDS): ChangeAuditor for Active Directory
ADAM (AD LDS) | Attributes: ChangeAuditor for Active Directory
Exchange Mailbox: ChangeAuditor for Exchange

AUDITING TASK LIST | AGENT TEMPLATES: CHANGEAUDITOR PRODUCT LICENSE

File System: ChangeAuditor for Windows File Servers
SQL: ChangeAuditor for SQL

AUDITING TASK LIST | NAS TEMPLATES: CHANGEAUDITOR PRODUCT LICENSE

EMC: ChangeAuditor for EMC
NetApp: ChangeAuditor for NetApp

PROTECTION TASK LIST | GLOBAL: CHANGEAUDITOR PRODUCT LICENSE

Active Directory: ChangeAuditor for Active Directory
ADAM (AD LDS): ChangeAuditor for Active Directory
Group Policy: ChangeAuditor for Active Directory
Exchange Mailbox: ChangeAuditor for Exchange

PROTECTION TASK LIST | AGENT TEMPLATES: CHANGEAUDITOR PRODUCT LICENSE

File System: ChangeAuditor for Windows File Servers
