Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Change Auditor 7.4 - Release Notes

Quest® Change Auditor 7.4

Quest® Change Auditor 7.4
These release notes provide information about the Quest Change Auditor release.
About Quest Change Auditor 7.4
New features
Important information
Resolved issues
Known issues
System requirements
Product licensing
Getting started with Change Auditor 7.4
About us

About Quest Change Auditor 7.4

Change Auditor provides total auditing and security coverage for your enterprise network. Change Auditor audits the activities taking place in your infrastructure and, with real-time alerts, delivers detailed information about vital changes and activities as they occur. Instantly know who made the change including the IP address of the originating workstation, where and when it occurred along with before and after values. Then automatically turn that information into intelligent, in-depth forensics for auditors and management — and reduce the risks associated with day-to-day modifications.
Audit all critical changes across your enterprise including Active Directory, Azure Active Directory, Office 365 Exchange Online\SharePoint Online\OneDrive For Business, Exchange, Windows File Servers, NetApp, EMC, SQL Server, SharePoint, and Microsoft Skype for Business.
Collect user login and log out activity for regulatory compliance and user activity tracking.
Automate ongoing compliance with tracking and reporting for compliance initiatives including SOX, PCI-DSS, HIPAA, FISMA, GLBA, and more.
Speed troubleshooting through real-time insight into changes with a comprehensive audit library including built-in audit alerts, reports, and powerful searches.
Proactively protect (lock down) critical Active Directory objects, Exchange mailboxes, and Windows files and folders from harmful changes that could open security holes or cause resources to become unavailable.
Modular approach allows separate product deployment and management for key environments including Active Directory, Exchange, Windows File Servers, NetApp, EMC, SQL Server, Active Directory Queries, SharePoint, Logon Activity, and Skype for Business.
Integrate with other Quest products to track, audit, report, and alert on critical changes made using Safeguard Authentication Services and One Identity Defender.
Integrate with On Demand Audit to gain access to rich visualizations of on-premises and cloud events, responsive search across tenants, and long-term storage of audit data.

Change Auditor 7.4 is a major release, with enhanced features and functionality.

New features

The following enhancements and features are available in this release:
Support for modern authentication
Ability to configure email alerts to be sent using Microsoft 365.
Additional associated internal events.
PowerShell enhancements
Ability to manage GPO Protection using PowerShell commands. (New-CAGPOProtectionTemplate, Get-CAGPOProtectionTemplates, Set-CAGPOProtectionTemplates, and Remove-CAGPOProtectionTemplate.)
Internal events are generated when managing Active Directory protection templates using PowerShell commands.
Get-CASearchDefinition command will now export the email addresses configured on the alert and report tabs of a search.
Performance improvements
Event sending for SIEM subscriptions will now fail-over between available coordinators when an allowed coordinator can no longer communicate with the SIEM appliance.
Improved performance when reading agent configuration.
Improved performance when processing Azure events.
Added retry logic to agent installations when an issue, such as a locked file, is encountered.
Integration with Quest Security Guardian
Security Guardian is an integrated On Demand solution that enables you to manage Tier Zero assets and identify vulnerabilities in your organization's Active Directory to help you keep it secure. If Change Auditor version 7.4 is integrated with Security Guardian, you can protect Tier Zero objects from unauthorized or accidental modifications or deletions by creating Change Auditor protection templates from the Security Guardian interface.
Additional platform support
The following support has been added:
Windows 11 (Pro and Enterprise for workstation agents and client installations)
Integration with Active Roles 8.1
NetApp 9.13 auditing
Integration with GPOADmin 5.18
Microsoft Exchange Server 2019 CU13
Microsoft SQL Server 2022 for coordinator database and as an auditing target
EMC Common Event Enabler (CEE) Framework 8.9.8.2
The following support has been removed:
Windows 8.1
Windows Server 2012 and 2012 R2
Exchange 2013
SharePoint 2013
Removal of the Change Auditor SCOM management pack
FluidFS auditing
Autorun
Miscellaneous features and enhancements
Ability to allow a Group Managed Service Account (GMSA) as an override account for Group Policy, Exchange Mailbox, and File system protection templates.
Ability to manage and update foreign forest agent credentials from the Deployment tab.
Refresh GPOs list to include "Enterprise" scope GPO protection so that a newly added GPOs are protected.
Updated list of columns published to SQL Reporting Services.

Important information
With Change Auditor database structure, you have access to larger volumes of data online without the need to archive data regularly. Here are a few pointers on auditing and accessing “big data”:
When building custom searches, keep in mind that the new schema organizes its event indexes in “hourly blocks”. The smaller the window of time in the when criteria, the better performance in the client for returning a result set.
While Change Auditor provides efficient event auditing with our agents, it is highly recommended that you maintain “focused” auditing. This ensures high performance when accessing large amounts of data in the Change Auditor client.
If excessive audits are received within the same hour, performance may decrease dramatically depending on the criteria selected.
General Exchange concepts:
Outlook “Show New Mail Desktop Alert” triggers the “Message Read by Owner” event: When this option is enabled, new email that arrives flashes a semi-transparent “alert” near the desktop system tray. Change Auditor captures a Message Read by Owner event when this occurs. The new email alert window opens each new email message as it arrives to build the alert. Note: The “Message Read by Owner” event is disabled by default in Audit Event configuration.
Microsoft Outlook/Exchange add-Ins: Change Auditor may be incompatible with Microsoft Outlook or Exchange “add-ins” (commercial or custom) that interact with Exchange Servers. While Quest makes every effort to ensure proper functionality and performance, we are unable to validate against the many add-ins available for Microsoft Outlook or Exchange Server.
“By Owner” auditing feature: Selecting ‘By Owner’ auditing for many mailboxes can produce many events. This adversely affects Change Auditor auditing and in severe cases the performance of the Exchange Server itself. In extreme cases, Outlook connections may be slowed or dropped. Select owner auditing for at most only a few critical mailboxes.
Auditing mailboxes with many delegates: Auditing normal mailboxes where access permission is granted to many delegates (more than 10), can produce large numbers of non-owner events. This will adversely affect Change Auditor auditing and in severe cases, the performance of the Exchange Server itself. If these mailboxes need to be audited, add them to the Shared Mailbox list (User Defined tab) to reduce unwanted non-owner events and to improve performance.
SMTP alert notifications on owner mailbox “event storm”: It is highly recommended that mailboxes configured to receive SMTP alerts are excluded from auditing “by Owner” events. An “event storm” could occur when a new SMTP alert is received on an audited mailbox by owner, generating a never-ending cycle of “Inbox opened by owner” and “Message read by owner” events.
Upgrading agents on high volume Exchange Servers: It is critical that agent upgrades be scheduled for maintenance intervals or other periods of low user mailbox activity for any configuration of Exchange Server. Change Auditor for Exchange agent upgrades should not be attempted on an active Exchange Server cluster node in any case.
Attempting to upgrade the agent on a busy Exchange Server may result in:
Exchange 2016 or 2019 mailbox role: failed agent upgrade, unwanted RpcClientAccess or IIS application pool restarts, or unscheduled Exchange cluster node failover.
To eliminate the possibility of unscheduled Exchange Server downtime, perform agent upgrades to Exchange Servers during periods of low or no mailbox activity.
General EMC concepts:
Control Stations: The Control Station is a dedicated management computer that monitors and controls cabinet components and allows access to the full functionality of the Celerra or VNX Network Server software. It contains utilities for installing and configuring the Celerra or VNX Network Server, maintaining the system, and monitoring system performance. The Control Station runs a set of programs that are collectively referred to as the Control Station software. The Control Station itself uses an EMC-customized version of Linux as its operating system.
Data Movers: Data Movers are the Celerra or VNX components that transfer data between the storage system and the network client. Data Movers are managed by using a Control Station. By default, Data Movers are named server_n, where n is the slot number of the Data Mover. For example, server_2 is the Data Mover in slot 2.
Troubleshooting EMC events: If EMC events are not being audited by the Change Auditor agent, first check to see if the EMC CAVA agent service is running on your Windows Server where the EMC events are being collected. Second, check to see if the CEPP service on the EMC Data Mover is running or if the state is offline, by using the command:
server_cepp {mover_name} -p -i
Resulting output of this command should be similar to the following:
IP = {mover IP}, state = ONLINE... etc
If the CEPP service is OFFLINE, you can fix this by first restarting the EMC CAVA service on the Windows Server. If that does not work, restart the EMC CEPP services on the Data Mover by using the following command:
server_cepp {mover_name} -service -start
Change Auditor agent requires File and Printer Sharing on Windows Servers: By default, File and Printer sharing are not enabled on Windows Server installations. To remotely install agents to Windows Servers (Full UI and Server Core), enable the File and Printer Sharing (SMB-in) Inbound rule in the Windows Firewall (Port 445) on the target host machine.
The File and Printer Sharing for Microsoft Networks service on the network adapter is also required to be enabled for remote deployment.
File System auditing for NAS and mapped network drives: Change Auditor does not support File System auditing on NAS devices or mapped network drives other than EMC Celerra/VNX/Isilon or NetApp Data ONTAP filers.
Microsoft Office files: Since the Change Auditor for Windows File Servers, NetApp, and EMC drivers capture events related to file activity, it is possible that a folder containing files being opened and edited by Microsoft Office products (Word, Excel, PowerPoint, and so on) will generate unexpected results. Understanding how MS Office products interact with the file system might help explain some of the audit events captured. See http://support.microsoft.com/kb/211632 for more details.
File System Auditing for SAN: Support and engineering will attempt to troubleshoot and resolve issues to the best of their ability when the SAN is attached to a Windows-based file server such that it appears as a local drive on that host. In this configuration, the SAN generally behaves as an extra disk drive on the server which can be audited by a Change Auditor agent on that server. Success in this configuration depends on many factors and is not guaranteed.
File System auditing: Change Auditor does not audit files with a size of zero (0) bytes.
Recompiling the Change Auditor MOF file: Change Auditor no longer ships with a MOF file as part of the coordinator installer. Should the CA WMI namespace become corrupt, or should there be an installation failure, the file can be recompiled using the following command line:
ChangeAuditor.Service.exe --install
Changes to domain administration level security objects may generate subsequent DACL changes reported with Changed By information as “NT AUTHORITY\ANONYMOUS LOGON” up to an hour after the original change. According to Microsoft, an Active Directory domain controller that holds the primary domain controller (PDC) operations master role runs a thread every hour to check the access control lists of members of several built-in administrative groups. If a user account is a member of one of these administrative groups, even if only because of its membership with a distribution group, the user account's ACL is checked when the thread is run and may be reset to the ACL of the CN=AdminSDHolder,CN=System,DC=<domain> object.
Exclude Change Auditor components and monitored processes from antivirus software: Quest recommends excluding the following Change Auditor components and monitored processes from any antivirus software that uses technology similar to “Buffer Overrun Protection” or “On Access Scanner”:
DSAMain.exe
Lsass.EXE
NPSRVhost.exe
Services.exe
‘Server’ service
Microsoft.Exchange.RpcClientAccess.Service.exe (Exchange Server)
Change Auditor coordinator service running under a service account (instead of Local System):
If the coordinator service is running under a service account (instead of Local System):
The user must re-save existing Forest or GC profiles using the Change Auditor client's connection wizard. This updates the SPN with the correct information.
The user must enter the coordinator’s IP address instead of its DNS name in the connection settings in:
The web.config for the Change Auditor web client
The manual option in the Change Auditor client's connection wizard
Outils libre-service
Base de connaissances
Notifications et alertes
Support produits
Téléchargements de logiciels
Documentation technique
Forums utilisateurs
Didacticiels vidéo
Flux RSS
Nous contacter
Obtenir une assistance en matière de licence
Support Technique
Afficher tout
Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation