Who’s Got a Hand in Your Policy?
Policy Auditing with FullArmor’s Fazam Auditing 1.0.
FullArmor’s Fazam Auditing tracks Group Policy changes in Windows 2000. It runs on any Win2K server version and tightly integrates with an existing systems management framework, like Microsoft Operations Manager (MOM) or NetIQ’s App and Security Manager. FullArmor is also dedicated to scaling its product to fit most of the bigger framework management tools like HP OpenView and BMC Patrol, which are scheduled for support in the coming year.
For this review, I concentrated on Fazam’s integration with MOM. Fazam completely relies on MOM’s backend event monitoring engine and agents, eliminating the need to push out any more agents. Upon installation, Fazam’s rule sets are sent to the existing MOM agents and ultimately to the MOM UI for action management. There’s no Fazam console, only your MOM console, in which you can manipulate your Fazam Auditing events and alerts. Although MOM captures and manages many alerts in the Win2K environment, all the Fazam Auditing alerts will show up with “Fazam Auditing” as the source, so you can easily sort and find Group Policy Object (GPO)-related events. You can also customize the source of each event.
Getting used to the MOM console to manage Fazam events takes a bit of time. If you’re new to MOM, configuring event changes will be a bit more time-consuming. After you’re comfortable with the UI, configuring event-specific triggers is a breeze. You can divide each GPO event trigger by user or computer type changes. For example, you can configure an alert to fire on “computer specific” setting changes only, for one GPO or all. I especially liked the granularity built into the product. You can set a generic alert (“Alert me if anyone changes the Default Domain Policy GPO”) or a very specific alert (“Only alert me if the default password length value changes in the Default Domain Policy GPO”).
Fazam’s best feature by far is its effortless reporting capabilities.
Built into an easy-to-view Web interface is the ability to pull GPO change
data and report on it. You can set report criteria including start and
end times, domain, user, domain controller where the change was made,
and the GPO you’re looking for. You can also specify the maximum number
of events to report.
Figure: The Fazam Auditing Reporter Console provides a simple Web-based interface for tracking Group Policy changes.
Regardless of whether or not MOM is configured to capture specific GPO alerts in its UI, the Fazam Database captures and stores all GPO changes. So, if you forget to set up an event trigger and your boss asks who turned off the mandatory company screen saver, simply click on the Fazam Auditing Report shortcut, fill in a few dates and the name of your Screen Saver GPO and find the culprit.
Change control management is also built in. Fazam Auditing truly conquers the hassle of GPO change conflicts with its Check-In/Out process. It can also run changes through an approval process before they are put into production, and it keeps track of all version history in its repository.
For enterprise networks configured with many Group Policies—and many
Group Policy admins—I highly recommend this product. The real-time GPO
change alerting Fazam Auditing offers saves hours of troubleshooting,
which means bottom-line savings for your company. If you’re willing to
invest in the somewhat costly price of MOM and have a SQL 2000 server
already in place, the $9 per user figure is a small price to pay.
Kirk Vigil, MCSE, MCSA, is a systems engineer for Netbank Inc. He's worked with the Windows NT/2000 line of products for more than 10 years, focusing on enterprise messaging. He specializes in the design and implementation of Win2K.