サポートと今すぐチャット
サポートとのチャット

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

ADAM (AD LDS) protection page

Previous Next

ADAM (AD LDS) protection page

The ADAM (AD LDS) protection page displays when you select ADAM (AD LDS) from the Protection task list in the navigation pane of the Administration Tasks tab. From here, you can start the ADAM (AD LDS) Protection wizard to define critical objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are not longer being used.

The ADAM (AD LDS) Protection page contains an expandable view of all previously defined ADAM (AD LDS) protection templates. To add new ADAM (AD LDS) protection template, use the Add button. Once added, the following information is provided for each template:

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.
Template

Displays the name assigned to the template when it was created.

Status

Indicates whether the template is enabled or disabled. To enable/disable the template, place your cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down menu.

Override Accounts

Indicates whether the override accounts listed are excluded from protection or included in protection. This setting corresponds to the option used at the top of the last page of the ADAM Protection wizard:
Excluded from Protection - indicates you selected the Allow option to allow only the selected accounts to change the protected objects.
Included in Protection - indicates you selected the Deny option to allow all accounts to change the protected objects except for those selected.
Objects

This field is used for filtering data.

Override Account Filter

This field is used for filtering data.

Attributes

This field is used for filtering data.

Click the expansion box to the left of the template to expand this view and display the following details for each template:

Object Canonical

Displays the canonical name of the object being protected.

Status

Indicates whether protection for the object is enabled or disabled.

Agents

Displays the name of the agent where the associated ADAM (AD LDS) instances reside. If there are many instances that have replicated partitions, the name of each agent hosting an instance is displayed.

Configuration Set ID

Displays the unique identifier of the configuration set shared between all ADAM (AD LDS) instances that are replicating their application partitions.

Object Class

Displays the type of object being protected (such as computer, group, or user).

Operations

Displays the type of operations to be denied for the selected object:
Create
Delete
Modify Attribute
Move
Scope

Displays the scope of coverage for the protected object:
This object only
This object and child objects only
This object and all child objects
Attribute Protection

Displays the attribute setting specified in the wizard:
Protect All
Protect Only
Protect Except

For Protect Only and Protect Except, click the expansion box to the left of the field to display the individual attributes included in the protection template.

Override Account

If applicable, this section displays the user and group accounts that are allowed (or not allowed) to change the protected objects.

* 
NOTE: This field is not displayed when there are no override accounts specified in the protection wizard.

ADAM (AD LDS) protection templates

Previous Next

ADAM (AD LDS) protection templates

* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.

The ADAM (AD LDS) protection templates defined are global settings and apply to all ADAM instances associated with a Change Auditor agent.

* 
NOTE: If you are planning to use multiple ADAM (AD LDS) Protection templates, see the Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.
* 
NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.
To create an ADAM Protection template:
1
Open the Administration Tasks tab.
2
Click Protection.
3
Select ADAM (AD LDS) in the Protection task list to open the ADAM (AD LDS) protection page.
4
Click Add to open the ADAM (AD LDS) Protection wizard to specify the objects to protect.
5
On the first page of the wizard, select the ADAM (AD LDS) instance from which to choose protected objects. The list displays the ADAM (AD LDS) instances in your environment. It only shows instances running on computers with a Change Auditor agent installed.
* 
NOTE: If credentials are needed to connect to the selected ADAM (AD LDS) instance, a credentials required dialog is displayed prompting you to enter the appropriate credentials.
6
On the next page of the wizard, enter a name for the template.

Use the Browse or Search pages to locate and select the object to protect. Click Add to add the selected object to the list. Repeat this step to add additional objects.

By default, the create, modify attributes, and delete operations are selected; however, you can change this by using the drop-down arrow in the Denied Operations cell in the list box and selecting or clearing the different operations.

By default, the scope of coverage is for This object only; however, you can change this by using the drop-down arrow in the Scope cell of the list box and selecting one of the other two options:
This object and child objects only
This object and all child objects
7
On the next page of the wizard, select the attributes to be protected. By default, all attributes for the object will be protected. However, if you want to protect individual attributes instead, select one of the following options to activate the attributes list:
Only Selected
All EXCEPT Selected

From the attributes list box on the left, select the individual attributes to be included in this protection template and click Add to move them to the Selected Attributes list.

8
If you want to specify individual users or groups that are to be allowed to make changes to the protected object, click Next to display the Select Accounts Allowed (Not Allowed) to Access Protected Objects page.

Use the Browse or Search pages to locate and select the user or group accounts to exclude from this protection template. Click Add to add the accounts.

9
Click Finish to save the protection template, close the wizard and return to the ADAM (AD LDS) Protection page.
* 
NOTE: The Allow option is selected by default indicating that the selected users or groups will be allowed to change the protected objects. However, you can select the Deny option at the top of this page and select individual users or groups that are NOT allowed to change the protected objects. When using the Deny option, you are allowing all users and groups to change the protected objects except for those selected on this page.
To modify a protection template:
1
On the ADAM (AD LDS) protection page, select the template and click Edit.

The ADAM (AD LDS) Protection wizard opens where you can modify the current list of objects, and the attribute selection and the override accounts selected.

2
Click Finish to save your changes and return to the ADAM (AD LDS) protection page.
To disable a protection template:

Disabling a template allows you to temporarily stop protection for the specified objects without having to remove the protection template.

1
On the ADAM (AD LDS) protection page, place your cursor in the Status cell for the protection template, click the arrow control, and select Disabled.

The entry in the Status column for the template changes to ‘Disabled’.

2
To re-enable the protection template, use the Enable option in the Status cell.
To disable an object’s protection within a protection template:
1
On the ADAM (AD LDS) protection page, place your cursor in the Status cell for the object to be disabled, click the arrow control and select Disabled

The entry in the Status column for the object changes to ‘Disabled’.

2
To re-enable an object’s protection, use the Enable option in the Status cell.
* 
NOTE: If you disable all the objects in a protection template, the template itself will become disabled. Similarly, when you re-enable an object in the protection template, the template will automatically be re-enabled.
To delete a protection template:
1
On the ADAM (AD LDS) protection page, select the template and click Delete | Delete Template.
Right-click the template and click Delete.
2
Click Yes to confirm.
To delete an object from a protection template:
1
On the ADAM (AD LDS) Protection page, select the object and click Delete | Delete Object.

ADAM Protection Wizard

Previous Next

ADAM Protection Wizard

* 
NOTE: When you delete the last object in a protect template, the entire protection template will be deleted.

The ADAM (AD LDS) Protection wizard displays when you click Add or Edit on the ADAM (AD LDS) protection page. From the wizard, you can define the ADAM objects and attributes to protect from unauthorized modifications.

* 
NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.

The following table provides a description of the available fields and controls:

 

Table 9. ADAM (AD LDS) Protection wizard

Select ADAM (AD LDS) instance page: The first page of the wizard displays a list of ADAM (AD LDS) instances running a Change Auditor agent in your environment.

ADAM (AD LDS) Instances

This list includes the following information about each ADAM (AD LDS) instance listed:
Agent - this column displays the name of the agent where each ADAM (AD LDS) instance resides.
Instance Name - this column displays the name of the ADAM (AD LDS) instances displayed.
Instance Port - this column displays the port number assigned to each of the ADAM (AD LDS) instances displayed.

Select an instance from this list. When prompted, enter the user credentials to be used to access the selected instance.

NOTE: If you have multiple ADAM (AD LDS) instances with replicating application partitions, there is no need to configure a protection template for each instance. Change Auditor will automatically send the protection configuration to each machine that is hosting an instance. You must have an agent installed on each instance host.

Select ADAM (AD LDS) Objects to Protect page: On this page, enter a name for the template and select the objects to be protected.

Template Name

Enter a descriptive name for the protection template.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the Active Directory object(s) to be protected.

After you have selected an object, click Add to add it to the list.

Search page

Use the controls at the top of the Search page to search your environment to locate an Active Directory object to be protected.

After you have selected an object, click Add to add it to the list.

Options page

Use the Options page to modify the search options or ADAM instance used to retrieve directory objects.

Object list

The list box across the bottom of the page displays the objects selected for protection. Use the buttons located above this list box to add and remove objects.
Add - Select an object in the Browse or Search page and add it to the Object list.
Remove - Select an entry in the Object list and remove it from the template.

Denied Operations

By default, the create, modify attributes and delete operations are selected. To change this setting, use the drop-down arrow in the Denied Operations cell and select or clear operations.

Scope

By default, the scope of coverage is set to This object only. To change this setting, use the drop-down menu in the Scope cell to select a different scope.
This object only
This object and child objects only
This object and all child objects
NOTE: Child objects do not refer to nested groups when protecting a group object.

(Optional) Select Attributes to Protect page: By default all attributes for the selected objects will be protected. However, you can use this page to protect individual attributes or to exclude individual attributes from protection.

All Attributes

This option is selected by default indicating that all attributes will be protected from unauthorized access.

Only Selected

Select this option to protect individual attributes. Selecting this option will activate the list boxes on this page allowing you to select the individual attributes to be protected.

All EXCEPT Selected

Select this option to protect all attributes EXCEPT those selected. Selecting this option will activate the list boxes on this page allowing you to select the individual attributes that are not to be protected.

Attributes list

The list box to the left displays all of the available attributes which may be selected for inclusion in the protection template.

NOTE: This list box is not enabled when the All Attributes option is selected.

Add

Use to move the attributes selected in the Attributes list over to the Selected Attributes list.

Remove

Use to move the attributes selected in the Selected Attributes list back over to the Attributes list.

Selected Attributes list

The list box to the right displays the attributes to be included in the protection template.

NOTE: This list box is not enabled when All Attributes are selected.

(Optional) Select Accounts Allowed (Not Allowed) to Access Protected Objects page

By default all users and groups are prevented from changing the ADAM (AD LDS) objects selected for protection. However, you can specify individual users or groups that are allowed (not allowed) to change the protected objects.

NOTE: Management actions performed by excluded accounts are audited but not prevented.

Allow (Default)

Indicates that the users and groups selected on this page ate the only accounts allowed to change the protected objects.

Use the Browse or Search page to select the user or group accounts.

Deny

Select this if you want to allow all users and groups to change the protected objects except for those selected on this page.

Use the Browse or Search page to select the user or group accounts.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the users or groups that will be allowed (not allowed) to change the protected objects.

After you have selected an account, click Add to add it to the list.

Search page

Use the controls at the top of the Search page to locate the users or groups that will be allowed (not allowed) to change the protected objects.

After you have selected an account, click Add to add it to the list.

Options page

Use to modify the search options used to retrieve directory objects.

Override Accounts list

The list box across the bottom of the page displays the user and group account(s) that will be allowed (not allowed) to make changes to the protected objects selected on the previous page of the wizard. Use the buttons located above this list box to add and remove accounts.
Add - Select an account in the Browse or Search page to add it to the Override Accounts list.
Remove - Select an entry in the Override Accounts list to remove it.

Active Directory Database protection

Previous Next

Active Directory Database protection

When configured, Change Auditor prevents copying and other tampering attempts on the Active Directory database (NTDS.dit) file. Extraction of this file could lead to parsing of usernames and passwords resulting in a security breach.

This section includes a description of the Active Directory Database protection pages in the Administration Tasks tab, the procedure for creating an Active Directory Database protection template and description of the protection wizard used to define Active Directory Database protection template.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択