サポートと今すぐチャット
サポートとのチャット

Change Auditor - For Advanced Users 7.1.1 - Technical Insight Guide

Change Auditor Services Change Auditor licensing processes Component Start-up Considerations Change Auditor network communications Coordinator internal tasks Registry Settings Change Auditor built-in fault tolerance Change Auditor protection Database Considerations Account exclusions best practices

Secure password storage

Certain aspects of Change Auditor auditing require storing passwords and other confidential data. Examples of such data include access credentials to NetApp, EMC, VMware, SharePoint, Office 365, Skype for Business, FluidFS and SQL DLA. To safeguard this data, Change Auditor uses RSA encryption.

* 
NOTE: The password storage is FIPS-compliant from version 7.0.2, using only Microsoft-certified APIs compliant with FIPS 140-2 and it’s annexes. Change Auditor is compatible with the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” group policy enabled.
NOTE: If FIPS compliance is required, Change Auditor coordinators, agents and clients must all be version 7.0.2 or greater.

On startup, the agent generates a private/public key pair and stores the public key in the database. When the agent is configured to audit another network device using the supplied credentials, these credentials are encrypted using the agent’s public key. This way, it is impossible for anyone but the agent itself to decrypt them.

The coordinators also store public keys in the database which are used to decrypt SMTP passwords to send alerts.

1
For user authentication and local password storage of user identities, Change Auditor uses CryptProtectData from http://msdn.microsoft.com/en-us/library/aa380261.aspx.
Change Auditor uses CryptProtectData with a key length that is variable-dependent upon input phrase. This encryption is symmetric. This encryption is automatically enabled. This encryption cannot be used outside of Change Auditor.
2
For user authentication and database password database storage, Change Auditor uses the “Microsoft Enhanced Cryptographic Provider v1.0” (CNG or Crypto Next Generation) provider with provider type of PROV_RSA_FULL. Secrets are symmetrically encrypted with AES using a 256-bit key, and the AES key is then encrypted with RSA using a 4096-bit key before being stored with the encrypted secret.
When upgrading the Change Auditor coordinator to version 7.0.2 or above from version 7.0.1 or less, passwords and other data protected by coordinator public keys are updated to the new, stronger encryption scheme during database upgrade at the first startup after upgrade. Passwords and other data protected by agent public keys are updated to the new encryption scheme for all connected agent versions when they connect to the upgraded coordinator. Any additional older coordinators will need to be updated to the version of the first coordinator before they will connect to the updated database.

Client to coordinator connection

Client to coordinator connection
1
When the client is started, it searches Active Directory for the Service Connection Point (SCP) objects to retrieve connection information for the coordinator such as host name, listening port, and other authentication information.
2
The client connects to the coordinator using Windows Communication Foundation (WCF) using Kerberos authenticated connections.Ports are dynamically assigned, but can be statically set.
3
The coordinator encrypts protected data using Microsoft RSACryptoServiceProvider (PROV_RSA_FULL) APIs.
4
The client decrypts the protected data using Microsoft RSACryptoServiceProvider (PROV_RSA_FULL) APIs.

Agent to coordinator connection (version 6.x and 7.0.1)

Change Auditor 6.x (and above) agents also search Active Directory for the SCP for connection information to the coordinator; however, they now connect to the coordinator using WCF as described here.

1
The Change Auditor 6.x (and above) agent connects to a coordinator using WCF using Kerberos authenticated connections. Ports are dynamically assigned, but can be statically set.
2
The coordinator encrypts protected data using Microsoft RSACryptoServiceProvider (PROV_RSA_FULL) APIs.
3
The agent decrypts the protected data using Microsoft RSACryptoServiceProvider (PROV_RSA_FULL) APIs.

Agent to coordinator connection (version 7.0.2)

Change Auditor 7.0.2 agents connect in the same way as 6.x agents, however encryption and decryption for database storage and communications are upgraded to meet the requirements of FIPS 140-2 and its annexes.

1
The Change Auditor 7.0.2 agent connects to a coordinator using WCF with Windows authentication and TCP transport security, which negotiates Kerberos for both authentication and encryption. Only Kerberos encryption algorithms allowed by the “Network security: Configure encryption types allowed for Kerberos” group policy.
2
The coordinator encrypts and decrypts protected data in database storage using the “Microsoft Enhanced Cryptographic Provider v1.0” (CNG or Crypto Next Generation) provider with a provider type of PROV_RSA_FULL and the new storage scheme described under Secure password storage.
3
The agent decrypts protected data in configuration data from the coordinator using the “Microsoft Enhanced Cryptographic Provider v1.0” (CNG or Crypto Next Generation) provider with a provider type of PROV_RSA_FULL.
4
Security for data sent from the coordinator to the agent and from agent to coordinator is provided by WCF TCP transport security using the “Microsoft Enhanced Cryptographic Provider v1.0”.
5
The Change Auditor 7.0.2 agent cannot connect to a coordinator version 7.0.1 or earlier.
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択