Chatta subito con l'assistenza
Chat con il supporto

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Active Directory Database protection page

Previous Next

Active Directory Database protection page

This page displays when you select Active Directory Database from the Protection task list in the navigation pane of the Administration Tasks tab. From here, you can start the Active Directory Database protection wizard to define your Active Directory Database protection template to protect your Active Directory database from unauthorized access. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.

The Active Directory Database protection page contains an expandable view of all previously defined Active Directory Database protection templates. To add new template, use the Add button.

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.

Once added, the following information is provided for each template:

Template

Displays the name assigned to the template when it was created.

Status

Indicates whether the template is enabled or disabled. To enable and disable the template, place your cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down menu.

Exempt Process Filter

Displays a list of processes which bypass Active Directory database protection.

Active Directory Database protection templates

Previous Next

Active Directory Database protection templates

To create an Active Directory Database protection template:
1
Open the Administration Tasks tab.
2
Click Protection.
3
Select Active Directory Database in the Protection task list.
4
Click Add to open the Active Directory Database Protection wizard.
5
Enter a name for the Active Directory database protection template.
6
(Optional) Select processes to exclude from protection (for example, changes made by the processes specified on this page will be excluded from protection).
7
Select one or more processes from the process list and click Add to move these processes to the exclusion list. By default, all processes (except lsass.exe) will be protected from accessing the Active Directory database.
* 
NOTE: You can also view processes on a different server or enter a process not listed in the process list.
8
Click Finish or Finish and Assign to Agent Configuration to assign the template to an Agent Configuration immediately.
9
On the Configuration Setup dialog, use one of the following methods to assign this template to an agent configuration:
Select the newly created template and drag and drop it onto a configuration in the Configuration list.
Select a configuration from the Configuration list and ‘drag and drop’ it onto the newly created template.
Select a configuration, then select the newly created template, right-click and select Assign.
Select a configuration, then select the newly created template, click in the corresponding Assigned cell and click Yes.
10
If this configuration is not assigned to any agents, you will need to assign it to agents installed on your Domain Controllers to apply the Active Directory database protection.
* 
NOTE:  
Agents should be installed on all Domain Controllers to ensure auditing has complete coverage.
The auditing should be applied on all Domain Controllers to ensure complete coverage.
On the Agent Configuration page, select one or more agents from the agent list and click Assign.
On the Agent Assignment dialog, select the configuration definition to be assigned to the selected agents and click OK.
On the Agent Configuration page, select the agents assigned to use the modified agent configuration and click Refresh Configuration to ensure the agents are using the latest configuration.
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
* 
NOTE: Active Directory database protection templates will not record audit events when access to the Active Directory database file is protected unless an Active Directory database auditing template is also assigned to the Change Auditor agent. See Active Directory Database Auditing for additional information.
To modify an Active Directory Database protection template:
1
On the Active Directory Database Protection page, select the required template and click Edit. This opens the Active Directory Database Protection wizard where you can modify the current settings.
2
Click Finish to save your changes and return to the Active Directory Database Protection page.
To disable an Active Directory Database protection template:

Disabling a template temporarily stops protection without having to remove the protection template.

1
On the Active Directory Database protection page, place your cursor in the Status cell for the auditing template to disable, click the arrow control, and select Disabled.

-OR-

Right-click the template to disable and select Disable.

The entry in the Status column for the template changes to ‘Disabled’.

2
To enable the protection template, select Enable in the Status cell.
To delete an Active Directory Database protection template:
1
On the Active Directory Database Protection page, select the required template and click Delete | Delete Template.
2
Click Yes to confirm.

Active Directory Database Protection wizard

Previous Next

Active Directory Database Protection wizard

The Active Directory Database Protection wizard opens when you click Add or Edit on the Active Directory Database Protection page. Using this wizard you can define the Active Directory Database processes to protect from unauthorized modifications.

* 
NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.
The following table provides a description of the available fields and controls:

Table 10. Active Directory Database Protection wizard

Select Active Directory Database processes to protect: On the first page of the wizard, enter a name for the template and select the Active Directory database processes that are exempt from protection.

Template Name

Enter a descriptive name for the protection template.

(Optional) Select processes exempt from protection: Select processes to exclude from protection (for example, changes made by the processes specified on this page will be excluded from protection).

Add

Select one or more processes from the process list and click Add to move these processes to the exclusion list. By default, all processes (except lsass.exe) will be audited.

You can also view processes on a different server or enter a process not listed in the process list.

Remove

The list box across the bottom of the page displays the objects that are exempt from auditing. Click Remove to remove a process from the exemption list.

Setting extra security on protected objects

Previous Next

Setting extra security on protected objects

* 
NOTE: The Security feature is only available if you have selected to save your Active Directory and Group Policy protection templates in Active Directory instead of SQL (using the Protection tab in the Coordinator Configuration tool). See the Change Auditor User Guide or online help for more information about the Coordinator Configuration tool.

By default, Change Auditor settings are accessible by all domain administrators. In some environments, there are many individuals assigned domain administrator privileges. You can use the Security feature to provide an extra layer of security for your protected objects. You can delegate the right to manage protected objects to trusted administrators, limiting the number of administrators that can change settings.

When you change the security settings on a protected object through the Active Directory Protection page (or Group Policy Protection page) in Change Auditor, you are not changing the permissions assigned to the object. You are changing the access rights on who can change the Change Auditor settings.

If you do not want to use the default global catalog to apply the ACLs to the protected object, click Connect To and enter the domain controller to use.

To set extra security on a protection template:
1
On the Active Directory Protection page (or Group Policy Protection page), right-click the protection template and click Security.

The Access Control editor is displayed for the selected object.

2
Select the permissions then click OK.
* 
NOTE: Selecting access rights is similar to selecting access rights in Active Directory Users and Computers.

Each entry for the objects listed in the Protection template has it's individual security settings.

To set individual settings:
1
On the Active Directory Protection page (or Group Policy Protection page), click the + icon next to the protection template.
2
Right-click the entry in the template that want to set the security on and select Security.
3
Select the permissions and click OK.
* 
NOTE: Selecting access rights is similar to selecting access rights in Active Directory Users and Computers.

 

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione