Product Reviews

Change Is Good -- Mostly

NetPro's monitoring tool can help you keep a firm grip on changes in your network.

• By Rick A. Butler
• 01/01/2007

So what's the problem? Start with a good auditing tool and catch everything in the event logs, right? Well, that would work as long as you regularly review the event logs. You have to pay equal attention to all changes, regardless of importance.

NetPro's answer to this monitoring madness is ChangeAuditor 3. This is a real-time monitoring solution that essentially reviews events as they occur. A managed agent on the system collects events from Active Directory, Exchange or file servers and sends them to a central repository in real time. Once an event shows up, you can have it queried and reported for a customized picture of what's happening in your network. If something critical shows up in the logs, the system can send you an alert.

Up and Running
ChangeAuditor comes in three parts, and was still pretty easy to install and operate. It runs on top of any SQL database, like MSDE or SQL Server 2005. You'll start by installing a repository to collect all the events. Then roll out agents to the systems you need to monitor and deploy a client to your system and you're ready to watch the fun.

The Deployment Wizard has a simple interface for rolling out agents. Just click the machines you're targeting and let it fly. It's essential that you ensure your clients meet the minimum requirements specified in the documentation. While that sounds like a given, the software doesn't have an intuitive way of informing you during the install. The log doesn't disclose many clues either, so take the time to make sure the machines you'll be monitoring are prepared before loading the agents.

The Deployment Wizard also lets you easily remove agents in a clean fashion. My only criticism here is that I would have liked to see the Deployment Wizard at least linked in the ChangeAuditor console. It's actually a separate executable.

Within the ChangeAuditor client, the system starts reporting on data as it's added to the repository. Monitored events come in near real-time, and there are graphs, charts and status overviews. The Overview Audit is interesting, as this is where you can see things appear nearly as they happen.

While ChangeAuditor's primary focus is tracking changes made to AD, it also tracks actions like stopping and starting services or changes to application services like DNS or Exchange. The repository will store changes made to group or OU memberships, added or deleted accounts and any changes made to GPOs or domains. You can arrange how these events are listed according to your own requirements. You can also tie alerts to major events, so if someone creates a user account, for example, you'll get an e-mail right away.

[Click on image for larger view.]

Figure 1. NetPro ChangeAuditor's reports give you a detailed analysis of every change made to your network.

ChangeAuditor's centralized model is neat, simple and effective. If someone wanted to delete the managed node's event log, it wouldn't help them hide any transgression. The event could still be in the repository. So, too, will the attempt to delete the event log. If I ever needed to search managed nodes for an event, those searches are happening in the ChangeAuditor repository, so machines don't even need to be turned on to be searched.

Although it's extremely close, ChangeAuditor is not truly real time in its reporting. Depending on polling times, it may take a minute or so for an alert on a local subnet to be polled and written to the Repository. It could take another minute for an alert to be sent out. More than likely, this is reasonable for most network auditing situations, depending on how you define "real time." Just don't be surprised if, when you stop a service, you don't see that event immediately listed in the repository.

Regulations & Reporting
One really cool reporting feature is that ChangeAuditor answers compliance to regulatory efforts, such as SOX, HIPAA, GLBA and FISMA. All of those regulatory frameworks require specific auditing controls, as well as other access controls to critical data. What makes this cool is that reports are organized by regulatory compliance structure and then by the actual factors related to that regulation. For example, for SOX, you can report on Acquisition and Implementation, Delivery and Support, Monitoring, and Planning and Organization. These reports take the guesswork out of aligning to the regulatory process if you're doing a self-assessment.

ChangeAuditor won't go through and verify your network for you to ensure compliance with SOX or HIPAA. It will, however, let you know of any changes that are violations or are otherwise flagged by those regulations. So, you could pull a search for a specific SOX check, get zero results from the repository, and still be out of compliance. Remember, ChangeAuditor only speaks about changes -- changes made since you installed the agent to the PC. It's up to you to check for your network's state of compliance.

ChangeAuditor also comes with two additional tools. There's one for file servers, so you can watch for changes to important system-level files. There's another for Exchange, which gives you the same kind of real-time monitoring of your e-mail system.

Monitoring event logs and maintaining effective change control discipline is a difficult task, especially when you're keeping track of many different machines. Still, you have to keep an eye on the fence, no matter what kind of security plan you're trying to put together. Using a tool like NetPro Computing's ChangeAuditor can make your life easier by centralizing alerts so you can review and catch them as they happen.