ChangeAuditor for Active Directory Queries

Solve migration and performance issues by analyzing Active Directory queries

Simplify and refine LDAP query data.

ChangeAuditor for Active Directory Queries provides real-time tracking, analysis and reporting on all Microsoft® Active Directory®-based and LDAP queries. By detecting queries in real time, you can eliminate the time and complexity required for auditing and determine the source of queries prior to a directory migration or consolidation. You can also measure domain controller performance and easily translate query data into the simple terms of who, what, when, where and originating workstation.

Features

  • Detailed AD queries – Identify the who, what, where, when and originating workstation for each query in simple terms, saving the administrator time normally spent digging for more details.
  • Secure and signed – Identify queries against Active Directory (AD) that do not conform to your internal security policy because they are not secure or signed.
  • Domain controller performance forensics – Show which users and applications are performing LDAP queries that can affect domain controller performance.
  • Migration discovery process – Learn what machines need connectivity to LDAP during and after a migration.
  • Real-time alerts on the move – Receive email and mobile alerts regarding critical changes and patterns, enabling you to respond faster to threats even while you're not on site.
  • Event timeline – View, highlight and filter change events and the relation of other events over the course of time in chronological order across your Microsoft® Windows® environment for better understanding and forensic analysis of those events and trends.
  • Related searches – Instantly get all information on the change you're viewing and all related events—with a single click—such as what other changes came from specific users and workstations, eliminating additional guesswork and unknown security concerns.
  • High-performance auditing engine – Eliminate auditing limitations and capture change information without the need for native audit logs, resulting in faster results and significant savings of storage resources.
  • Auditor-ready reporting – Generate comprehensive reports for best practices and regulatory compliance mandates for SOX, PCI-DSS, HIPAA, FISMA, GLBA and more.
  • Web-based access and dashboard reporting – Search from anywhere using a web browser and create targeted dashboard reports to provide upper management and auditors with access to the information they need without having to understand architecture or administration.

Specifications

Before installing ChangeAuditor, ensure your system meets the following minimum hardware and software requirements:

ChangeAuditor Client (Client-side Component)

The ChangeAuditor Client connects to a ChangeAuditor Coordinator and queries the audited event database for the desired results.

Client Hardware
Minimum: Dual Core 2.0 GHz or better; 4 GB RAM or better
Recommended: Quad Core 3.0 GHz or better; 8 GB RAM or better


A machine running on the following minimum platforms:

  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012 (Standard, Essentials and Datacenter)
  • Windows Vista
  • Windows 7 (Pro, Enterprise and Ultimate)
  • Windows 8 (Pro and Enterprise)

Microsoft Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

Microsoft's Windows Small Business Server 2003, 2008 and 2011 are NOT supported.

Microsoft's Windows Server 2012 Foundation edition is NOT supported.

Screen resolution of at least 1024 x 768 with at least 256 colors

Client Software and Configuration
  • x86 or x64 versions of Microsoft's .NET Framework 4.0 or higher
    NOTE: To verify that you are running the appropriate version of Microsoft's .NET Framework use Add/Remove Programs (Start | Control Panel | Add or Remove Programs).
  • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • x86 or x64 versions of Microsoft SQLXML 4.0
Client Footprint
  • Estimated hard disk space usage of 120 MB
  • Estimated RAM physical memory of 150 MB

    NOTE: Queries that return a lot of data can cause the client to use as much memory as required to store the results in RAM.

ChangeAuditor Coordinator (Server-side component)

The ChangeAuditor Coordinator is responsible for fulfilling client and agent requests and generating alerts.

Coordinator Hardware
Minimum: Quad Core 2.0 GHz or better; 8 GB RAM or better
Recommended: Quad Core 3.0 GHz or better; 32 GB RAM or better


Member server running on the following minimum platforms:

  • Windows Server 2003 SP2
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012 (Standard, Essentials and Datacenter)

Microsoft Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

Microsoft's Windows Small Business Server 2003, 2008 and 2011 are NOT supported.

Microsoft's Windows Server 2012 Foundation edition is NOT supported.

Coordinator Software and Configuration
  • For the best performance Quest recommends:
    • The ChangeAuditor Coordinator must be installed on a dedicated member server.
    • The ChangeAuditor database must be configured on a separate, dedicated SQL server instance.
  • Supported SQL Server versions:
    • Microsoft SQL Server 2008
    • Microsoft SQL Server 2008 R2
    • Microsoft SQL Server 2012
  • The Coordinator must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
  • x86 or x64 versions of Microsoft's .NET Framework 4.0 or higher
  • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • x86 or x64 versions of Microsoft SQLXML 4.0
Coordinator Footprint
  • Estimated hard disk space used: 115 MB
  • Estimated RAM physical memory of 100 MB
  • Additional 80 MB disk space used by Agent MSIs
  • Estimated database size will vary depending on the number of agents deployed and audited events captured.
Minimum Permissions

User account performing the coordinator installation:

The user account that will be performing the coordinator installation needs to have the appropriate permissions to perform the following tasks on the target server:

  • Windows permissions to create and modify registry values.
  • Windows administrative permissions to install software and stop/start services.

It is recommended that the user account performing the installation be a member of the Domain Admins group in the domain where the coordinator is being installed.

Service account running the coordinator service (LocalSystem by default):

  • Active Directory permissions to create and modify SCP (Service Connection Point) objects under the computer object that will be running a ChangeAuditor Coordinator.
  • Local Administrator permissions on the coordinator server.

If you are running the coordinator under a service account (instead of LocalSystem), use a Manual connection profile that specifies the IP address of the server hosting the ChangeAuditor Coordinator whenever you launch the ChangeAuditor Client. See the ChangeAuditor User Guide or online help for more information on defining and selecting a connection profile.

SQL Server database access account specified during installation:
An account must be created to be used by the Coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:

  • Must be assigned the db_owner role on the ChangeAuditor database
  • Must be assigned the SQL Server role of dbcreator

ChangeAuditor Agent (Server-side component)

A ChangeAuditor Agent can be deployed to domain controllers (DCs) and member servers to monitor the configuration changes made on these servers. These agents will then report these audit events to the ChangeAuditor Coordinator which will insert the event details into the ChangeAuditor database.

Agent Hardware

Minimum: Dual Core 2.0 GHz or better; 4 GB RAM or better
Recommended: Quad Core 3.0 GHz or better; 8 GB RAM or better

  • Server running on the following minimum platforms:
    • Windows Server 2003 SP1
    • Windows Server 2003 R2
    • Windows Server 2008
    • Windows Server 2008 Core
    • Windows Server 2008 R2
    • Windows Server 2008 R2 Core
    • Windows Server 2012 (Standard, Essentials and Datacenter)
    • Windows Server 2012 Core (Standard, Essentials and Datacenter)

Microsoft Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

Microsoft's Windows Small Business Server 2003, 2008 and 2011 are NOT supported.

Microsoft's Windows Server 2012 Foundation edition is NOT supported.

  • ChangeAuditor Agent requires File and Printer Sharing on Windows Server 2008. By default, File and Printer sharing is not enabled on Windows Server 2008 installations. In order to remotely deploy agents to Windows Server 2008 (Full UI and Server Core), enable the File and Printer sharing (SMB-in) Inbound rule in the Windows Firewall (Port 445) on the target host machine.
  • The File and Printer Sharing for Microsoft Networks service on the network adapter must also be enabled for remote deployment.
  • Auditing of some Exchange events requires the latest Exchange service pack to be installed. Refer to the ChangeAuditor for Exchange Events Reference Guide for the minimum service packs required for Exchange events.
  • Exchange 2003: The ChangeAuditor Agent uses the COM+ and Distributed Transaction Coordinator (DTC) services locally on the host server for detecting Exchange Server message created, moved, copied and deleted events. If the COM+ or DTC services are disabled or inoperative, these events will not be detected, but the Agent will otherwise run normally. Network access to DTC is not required. When enabling the COM+ service, a ChangeAuditor Agent restart is required, because COM+ service registration occurs at agent startup time.
Agent Software and Configuration
  • Microsoft .NET Framework:
    • .NET 2.0 (or higher)
    • Additional .NET requirements are dictated by the audited software such as Exchange, SharePoint or VMware.
  • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • The agent must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
  • The ChangeAuditor Agent service depends on the following Windows services to be running:
    • DNS Client
    • Remote Procedure Call (RPC)
    • Windows Event Log
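The agent host prerequisites listed above can be verified before deployment. The following PowerShell check is an added example, not Quest's own tooling; it assumes it is run locally with administrative rights on a Windows Server 2012 host (Get-NetFirewallRule is not available on Windows Server 2008), and the function name is the author's choice.

```powershell
# Added example, not Quest's code: pre-flight check of the ChangeAuditor Agent
# host prerequisites listed on this page. Assumes it runs locally, elevated, on
# Windows Server 2012 (Get-NetFirewallRule is not available on Server 2008).

function Test-AgentPrerequisites {
    $checks = @()

    # The Agent service depends on DNS Client, RPC and Windows Event Log.
    foreach ($name in 'Dnscache', 'RpcSs', 'EventLog') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $checks += [pscustomobject]@{
            Check  = "Service '$name' running"
            Passed = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }

    # Remote deployment needs the 'File and Printer Sharing (SMB-In)' inbound
    # rule (TCP 445) enabled; several per-profile rules share this display name.
    $smbRules = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' `
                                    -Direction Inbound -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Check  = 'Firewall rule File and Printer Sharing (SMB-In) enabled'
        Passed = [bool]($smbRules | Where-Object { "$($_.Enabled)" -eq 'True' })
    }

    # .NET Framework 2.0 or higher: v2.0.50727 or v4 Full must be registered.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $dotNet = @("$ndp\v2.0.50727", "$ndp\v4\Full") | Where-Object {
        (Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue).Install -eq 1
    }
    $checks += [pscustomobject]@{
        Check  = '.NET Framework 2.0 or higher installed'
        Passed = [bool]$dotNet
    }

    # MSXML 6.0 ships as msxml6.dll in System32.
    $checks += [pscustomobject]@{
        Check  = 'MSXML 6.0 present'
        Passed = Test-Path (Join-Path $env:windir 'System32\msxml6.dll')
    }

    return $checks
}

# Print a table and exit non-zero if anything failed, so the check can gate
# a deployment script.
$results = Test-AgentPrerequisites
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```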
Minimum Permissions
  • ChangeAuditor Agent must run as LocalSystem.
Agent Footprint
Estimated hard disk space used: 120 MB + local database size

Estimated RAM used: 60 MB

Agent Installation Incompatibilities
  • Pre-5.6 versions of ChangeAuditor
  • SecurityManager
  • InTrust plug-ins:
    • ITAD
    • ITADAM
    • ITFA
    • ITEX
  • ScriptLogic Active Administrator
  • DirectoryLockdown
  • EMC’s EmailXtender
Exchange Monitoring Minimum Service Pack Requirements
  • Windows Server 2003 and 2003 R2:
    • Microsoft Exchange Server 2003 Service Pack 2
    • Microsoft Exchange Server 2007 x64 Service Pack 1
  • Windows Server 2008 and 2008 R2:
    • Microsoft Exchange Server 2007 x64 Service Pack 1
    • Microsoft Exchange Server 2010 RTM
  • Windows Server 2008 R2 SP1:
    • Microsoft Exchange Server 2007 x64 Service Pack 1
    • Microsoft Exchange Server 2010 RTM
    • Microsoft Exchange Server 2013 CU1
  • Windows Server 2012:
    • Microsoft Exchange Server 2010 Service Pack 3
    • Microsoft Exchange Server 2013 RTM

Remote Auditing Requirements (NAS Devices)

EMC Monitoring Requirements
  • ChangeAuditor 5.6 (or higher)
  • EMC Celerra Event Enabler (CEE) Framework 4.6.7
  • EMC VNX Event Enabler (VEE) Framework 4.8.5 (through 5.1)
    • NOTE: EMC Celerra Event Enabler (CEE) Framework 6.x (or higher) is not supported in ChangeAuditor 6.0

See the ChangeAuditor for EMC User Guide for more information on the requirements, as well as how to install, configure and use ChangeAuditor for EMC.

NOTE: VNXe is NOT supported. VNXe does not support CEPA at this time and therefore ChangeAuditor for EMC will NOT run successfully in VNXe environments.

NetApp Monitoring Requirements
  • ChangeAuditor 5.6 (or higher)
  • NetApp Filer with Data OnTap 7.2 (or higher)

See the ChangeAuditor for NetApp User Guide for more information on the requirements, as well as how to install, configure and use ChangeAuditor for NetApp.

Remote Auditing Requirements (Applications)

VMware Monitoring Requirements
  • ChangeAuditor 5.7 (or higher)
  • ESX/ESXi 4.0, 4.1 and 5.0
  • vCenter 4.0, 4.1 and 5.0

SharePoint Monitoring Requirements
  • ChangeAuditor 5.7 (or higher)
  • SharePoint Server 2010 or 2013
  • SharePoint Foundation 2010 or 2013

See the ChangeAuditor for SharePoint User Guide for detailed information on installing, configuring and using ChangeAuditor for SharePoint.

At the time of this ChangeAuditor release, Microsoft does not support SharePoint 2010 on machines running Windows Server 2012.

Logon Event Retrieval Requirements

User Logon Activity Auditing Requirements
  • ChangeAuditor 5.8 (or higher)
  • ChangeAuditor Data Gateway Service 5.8 (or higher)
  • InTrust 10.6 (or higher)
  • InTrust Repository Viewer 10.6 (or higher)

See the ChangeAuditor InTrust Integration Guide for more information on the requirements, as well as how to configure ChangeAuditor to retrieve user logon activity events from InTrust.

ChangeAuditor Web Client (Optional Component)

The ChangeAuditor web client is an optional component that is installed on the IIS web server to provide users access to ChangeAuditor data through a standard or mobile web browser.

Supported Browser Versions

Minimum Standard Browser Versions Supported:

  • Internet Explorer 9 (or higher) NOT running in Compatibility View mode
  • Firefox 10 (or higher)
  • Chrome 17 (or higher)
  • Safari 5.x
Supported IIS Versions

Application server running on the following minimum platforms:

  • Windows Server 2008 (with IIS 7 or above)
  • Windows Server 2012 (with IIS 8 or above)

ChangeAuditor Data Gateway Service (Optional Component)

The ChangeAuditor Data Gateway is an optional component that integrates with InTrust 10.5 (or higher) to gather logon events and display them in the ChangeAuditor client.

Data Gateway Hardware

Minimum: Dual Core 2.0 GHz or better; 4 GB RAM or better
Recommended: Quad Core 3.0 GHz or better; 8 GB RAM or better

More available processor cores allow more threads to be used for querying results from the InTrust Repository, thus reducing the overall processor usage.

  • Member server running on the following minimum platforms:
    • Windows Server 2012 (Standard, Essentials and Datacenter)
    • Windows Server 2008 R2
    • Windows Server 2008
    • Windows Server 2003 R2
    • Windows Server 2003 SP2
  • x86 or x64 versions of Microsoft's .NET Framework 4.0 (or higher)
  • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • Estimated physical memory (RAM) of 100 MB

Microsoft's Windows Small Business Server 2003, 2008 and 2011 are NOT supported.

Microsoft's Windows Server 2012 Foundation edition is NOT supported.

Data Gateway Software Configuration


In addition to having access to the InTrust repository, the service account that will be used to run the Data Gateway Service must also be granted the 'Log on as a service' user right.

  • ChangeAuditor Data Gateway requires InTrust 10.6 (or higher) Repository Viewer to be installed on the same member server.

    The Data Gateway Service relies on the InTrust Repository Viewer; therefore, Quest recommends that you create two Domain accounts with interactive logon rights on the Data Gateway Service server and that have InTrust repository access privileges (i.e., an account that can be used to run a search using the InTrust Repository Viewer) BEFORE you install the Data Gateway Service:

    • An account which has elevated privileges to install and configure the Data Gateway Service.
    • A service account to be used to run the Data Gateway Service.

    To ensure that the repository access privileges are sufficient, you can use the same account that was used to install the basic InTrust components. If you use this same account, you must ensure that the following requirements are also met:

  • Account used to install and configure Data Gateway Service:

    In addition to having access to the InTrust repository, the user account that will be performing the Data Gateway Service installation and configuration must have the appropriate permissions to perform the following tasks on the target server:

    • Windows permissions to create and modify registry values.
    • Windows administrative permissions to install software and stop/start services.

    It is recommended that the user account performing the installation be a member of the Domain Admins group in the domain where the Data Gateway Service is being installed.

  • Service Account running Data Gateway Service.