Product Reviews

Who’s Got a Hand in Your Policy?

Policy Auditing with FullArmor’s Fazam Auditing 1.0.

• By Kirk Vigil
• 08/01/2003

For this review, I concentrated on Fazam’s integration with MOM. Fazam completely relies on MOM’s backend event monitoring engine and agents, eliminating the need to push out any more agents. Upon installation, Fazam’s rule sets are sent to the existing MOM agents and ultimately to the MOM UI for action management. There’s no Fazam console; only your MOM console, in which you can manipulate your FAZAM auditing events and alerts. Although MOM captures and manages many alerts in the Win2K environment, all the FAZAM auditing alerts will show up with “Fazam Auditing” as the source, so you can easily sort and find Group Policy Object (GPO)-related events. You can also customize the source of each event.

Getting used to the MOM console to manage Fazam events takes a bit of time. If you’re new to MOM, configuration of event change will be a bit more time-consuming. After you’re comfortable with the UI, configuring event-specific triggers is a breeze. You can divide each GPO event trigger by user or computer type changes. For example, you can configure an alert to fire on “computer specific” setting changes only, for one GPO or all. I especially liked the granularity built into the product. You can set a generic alert (“Alert me if anyone changes the Default Domain Policy GPO”) or a very specific alert (“Only alert me if the default password length value changes in the Default Domain Policy GPO”).

Fazam’s best feature by far is its effortless reporting capabilities. Built into an easy-to-view Web interface is the ability to pull GPO change data and report on it. You can set report criteria including start and end times, domain, user, domain controller where the change was made, and the GPO you’re looking for. You can also specify the maximum number of events to report.

The Fazam Auditing Reporter Console provides a simple Web-based interface for tracking Group Policy changes. (Click image to view larger version.)

Regardless of whether or not MOM is configured to capture specific GPO alerts in its UI, the Fazam Database captures and stores all GPO changes. So, if you forget to set up an event trigger and your boss asks who turned off the mandatory company screen saver, simply click on the Fazam Auditing Report shortcut, fill in a few dates and the name of your Screen Saver GPO and find the culprit.

Change control management is also built in. Fazam Auditing truly conquers the hassle of GPO change conflict with its Check-In/Out process. It further has the ability to run through an approval process before changes are put into production and keeps track of all version history in its repository.

For enterprise networks configured with many Group Policies—and many Group Policy admins—I highly recommend this product. The real-time GPO change alerting Fazam Auditing offers saves hours of troubleshooting, which means bottom-line savings for your company. If you’re willing to invest in the somewhat costly price of MOM and have a SQL 2000 server already in place, the $9 per user figure is a small price to pay.