Change Is Good -- Mostly
NetPro's monitoring tool can help you keep a firm grip on changes in your network.
When people make uncontrolled changes to files, servers, folder structure or
whatever else, it can create serious complications for managers trying to standardize
business systems and practices. Change management has to be part of a standard
maintenance routine as your systems evolve.
So what's the problem? Start with a good auditing tool and catch everything
in the event logs, right? Well, that would work as long as you regularly review
the event logs. You have to pay equal attention to all changes, regardless of
1: Virtually inoperable or nonexistent
5: Average, performs adequately
NetPro's answer to this monitoring madness is ChangeAuditor 3. This is a real-time
monitoring solution that essentially reviews events as they occur. A managed
agent on the system collects events from Active Directory, Exchange or file
servers and sends them to a central repository in real time. Once an event shows
up, you can have it queried and reported for a customized picture of what's
happening in your network. If something critical shows up in the logs, the system
can send you an alert.
Up and Running
ChangeAuditor comes in three parts, and was still pretty easy to install and
operate. It runs on top of any SQL database, like MSDE or SQL Server 2005. You'll
start by installing a repository to collect all the events. Then roll out agents
to the systems you need to monitor and deploy a client to your system and you're
ready to watch the fun.
The Deployment Wizard has a simple interface for rolling out agents. Just click
the machines you're targeting and let it fly. It's essential that you ensure
your clients meet the minimum requirements specified in the documentation. While
that sounds like a given, the software doesn't have an intuitive way of informing
you during the install. The log doesn't disclose many clues either, so take
the time to make sure the machines you'll be monitoring are prepared before
loading the agents.
The Deployment Wizard also lets you easily remove agents in a clean fashion.
My only criticism here is that I would have liked to see the Deployment Wizard
at least linked in the ChangeAuditor console. It's actually a separate executable.
Within the ChangeAuditor client, the system starts reporting on data as it's
added to the repository. Monitored events come in near real-time, and there
are graphs, charts and status overviews. The Overview Audit is interesting,
as this is where you can see things appear nearly as they happen.
While ChangeAuditor's primary focus is tracking changes made to AD, it also
tracks actions like stopping and starting services or changes to application
services like DNS or Exchange. The repository will store changes made to group
or OU memberships, added or deleted accounts and any changes made to GPOs or
domains. You can arrange how these events are listed according to your own requirements.
You can also tie alerts to major events, so if someone creates a user account,
for example, you'll get an e-mail right away.
[Click on image for larger view.]
|Figure 1. NetPro
ChangeAuditor's reports give you a detailed analysis of every change made
to your network.
ChangeAuditor's centralized model is neat, simple and effective. If someone
wanted to delete the managed node's event log, it wouldn't help them hide any
transgression. The event could still be in the repository. So, too, will the
attempt to delete the event log. If I ever needed to search managed nodes for
an event, those searches are happening in the ChangeAuditor repository, so machines
don't even need to be turned on to be searched.
Although it's extremely close, ChangeAuditor is not truly real time in its
reporting. Depending on polling times, it may take a minute or so for an alert
on a local subnet to be polled and written to the Repository. It could take
another minute for an alert to be sent out. More than likely, this is reasonable
for most network auditing situations, depending on how you define "real
time." Just don't be surprised if, when you stop a service, you don't see
that event immediately listed in the repository.
Regulations & Reporting
One really cool reporting feature is that ChangeAuditor answers compliance to
regulatory efforts, such as SOX, HIPAA, GLBA and FISMA. All of those regulatory
frameworks require specific auditing controls, as well as other access controls
to critical data. What makes this cool is that reports are organized by regulatory
compliance structure and then by the actual factors related to that regulation.
For example, for SOX, you can report on Acquisition and Implementation, Delivery
and Support, Monitoring, and Planning and Organization. These reports take the
guesswork out of aligning to the regulatory process if you're doing a self-assessment.
ChangeAuditor won't go through and verify your network for you to ensure compliance
with SOX or HIPAA. It will, however, let you know of any changes that are violations
or are otherwise flagged by those regulations. So, you could pull a search for
a specific SOX check, get zero results from the repository, and still be out
of compliance. Remember, ChangeAuditor only speaks about changes -- changes
made since you installed the agent to the PC. It's up to you to check for your
network's state of compliance.
ChangeAuditor also comes with two additional tools. There's one for file servers,
so you can watch for changes to important system-level files. There's another
for Exchange, which gives you the same kind of real-time monitoring of your
Monitoring event logs and maintaining effective change control discipline is
a difficult task, especially when you're keeping track of many different machines.
Still, you have to keep an eye on the fence, no matter what kind of security
plan you're trying to put together. Using a tool like NetPro Computing's ChangeAuditor
can make your life easier by centralizing alerts so you can review and catch
them as they happen.
Rick A. Butler, MCSE+I, is the Director of Information Services for the United States Hang Gliding Association.