サポートと今すぐチャット
サポートとのチャット

Change Auditor - For Advanced Users 7.0.3 - Technical Insight Guide

Change Auditor Services Change Auditor licensing processes Change Auditor network communications Coordinator internal tasks Registry Settings Change Auditor built-in fault tolerance Change Auditor protection Database Considerations Account exclusions best practices

Ports and protocols

Change Auditor uses the following incoming communications ports (listening ports) to establish communication:

 
Table 6. Change Auditor incoming communication ports

Change Auditor client

None

Change Auditor agents

None

Change Auditor coordinators

The coordinator uses the following listening ports that can be dynamically or statically assigned.

Client Port
Public SDK Port
Agent WCF Port
NOTE: By default, the incoming ports are dynamically assigned by Windows. However, you can use the Coordinator Configuration Tool to specify static ports for each of these listening ports. To access the Coordinator Configuration Tool, right-click the coordinator system tray icon and select Coordinator Configuration.

The following table describes each segment of communication that occurs in the Change Auditor system along with technical details of each type of communication.

 
Table 7. Change Auditor communication segments
From/To
Description
Originating Port
Protocol
Destination Port

Client to Coordinator Service

WCF (Windows Communication Foundation)

Dynamic

TCP

Dynamic

Client to Agents
(server and workstation agents)

WCF (Windows Communication Foundation) for configuration refresh

If WCF configuration refresh call fails, falls back to WMI (DCOM) and port 135.

Dynamic

TCP

Dynamic

 

Client to Agents
(server and workstation agents)

SCM (ServiceControlManager) for Agent Service Start\Stop

Dynamic

TCP

135

Coordinator to Server Agents

WCF for Azure/Office 365 configuration information

 

 

8373

Client to SQL Server Database

Connection for archive databases only

Dynamic

TCP

1433

Agent to Coordinator Service

WCF (Windows Communication Foundation)

Dynamic

TCP

Dynamic

Agent to SharePoint SQL Server database

OLEDB SQL Client

Dynamic

TCP

1433

Agent to vCenter server or ESX/ESXi host

VMware Web Service

Dynamic

TCP

443

SDK User\Service to Coordinator Service

WCF (Windows Communication Foundation)

Dynamic

TCP

Dynamic

Coordinator to SQL Server Database

.NET SQL

Dynamic

TCP

1433

Coordinator to Agents
(server and workstation agents)

SMB File Share for Agent Deployment

Dynamic

TCP

445

Coordinator to Agents
(server and workstation agents)

Remote Registry for Agent Deployment (RPC)

Dynamic

TCP

135

*Coordinator to Active Directory LDAP

.NET Directory Services

Dynamic

TCP

389

*Coordinator to Active Directory

Kerberos authenticated connections

Dynamic

TCP

88

*Coordinator to Active Directory GC (Global Catalog)

.NET Directory Services

Dynamic

TCP

3268

Coordinator to DNS Server

DNS name resolution for .NET Directory Services

Dynamic

TCP

53

Web Client to Coordinator

WCF (Windows Communication Foundation)

Dynamic

TCP

Dynamic

Internet Browser (for example, Chrome™ and Internet Explorer) to web client

HTTP/HTTPS

Dynamic

TCP

80/443

*The coordinator requires connectivity to domain controllers in the domain that the server is a member of and also the forest root domain.

Network encryption

Change Auditor uses the following different types of network encryption to protect sensitive information.
Secure password storage
Client to coordinator connection
Agent to coordinator connection (version 6.x and 7.0.1)
Coordinator to SQL Server connection

Secure password storage

Certain aspects of Change Auditor auditing require storing passwords and other confidential data. Examples of such data include access credentials to NetApp, EMC, VMware, SharePoint, Office 365, Skype for Business, FluidFS and SQL DLA. To safeguard this data, Change Auditor uses RSA encryption.

* 
NOTE: The password storage is FIPS-compliant from version 7.0.2, using only Microsoft-certified APIs compliant with FIPS 140-2 and it’s annexes. Change Auditor is compatible with the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” group policy enabled.
NOTE: If FIPS compliance is required, Change Auditor coordinators, agents and clients must all be version 7.0.2 or greater.

On startup, the agent generates a private/public key pair and stores the public key in the database. When the agent is configured to audit another network device using the supplied credentials, these credentials are encrypted using the agent’s public key. This way, it is impossible for anyone but the agent itself to decrypt them.

The coordinators also store public keys in the database which are used to decrypt SMTP passwords to send alerts.

1
For user authentication and local password storage of user identities, Change Auditor uses CryptProtectData from http://msdn.microsoft.com/en-us/library/aa380261.aspx.
Change Auditor uses CryptProtectData with a key length that is variable-dependent upon input phrase. This encryption is symmetric. This encryption is automatically enabled. This encryption cannot be used outside of Change Auditor.
2
For user authentication and database password database storage, Change Auditor uses the “Microsoft Enhanced Cryptographic Provider v1.0” (CNG or Crypto Next Generation) provider with provider type of PROV_RSA_FULL. Secrets are symmetrically encrypted with AES using a 256-bit key, and the AES key is then encrypted with RSA using a 4096-bit key before being stored with the encrypted secret.
When upgrading the Change Auditor coordinator to version 7.0.2 or above from version 7.0.1 or less, passwords and other data protected by coordinator public keys are updated to the new, stronger encryption scheme during database upgrade at the first startup after upgrade. Passwords and other data protected by agent public keys are updated to the new encryption scheme for all connected agent versions when they connect to the upgraded coordinator. Any additional older coordinators will need to be updated to the version of the first coordinator before they will connect to the updated database.

Client to coordinator connection

Client to coordinator connection
1
When the client is started, it searches Active Directory for the Service Connection Point (SCP) objects to retrieve connection information for the coordinator such as host name, listening port, and other authentication information.
2
The client connects to the coordinator using Windows Communication Foundation (WCF) using Kerberos authenticated connections.Ports are dynamically assigned, but can be statically set.
3
The coordinator encrypts protected data using Microsoft RSACryptoServiceProvider (PROV_RSA_FULL) APIs.
4
The client decrypts the protected data using Microsoft RSACryptoServiceProvider (PROV_RSA_FULL) APIs.
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択