Quest® Change Auditor 7.2
Quest® Change Auditor 7.2
About Quest Change Auditor 7.2
Change Auditor provides total auditing and security coverage for your enterprise network. Change Auditor audits the activities taking place in your infrastructure and, with real-time alerts, delivers detailed information about vital changes and activities as they occur. Instantly know who made the change including the IP address of the originating workstation, where and when it occurred along with before and after values. Then automatically turn that information into intelligent, in-depth forensics for auditors and management — and reduce the risks associated with day-to-day modifications.
Change Auditor 7.2 is a major release, with enhanced features and functionality.
New features
The following enhancements and features are available in this release:
Certificate authentication for Office 365
Due to the fact that basic authentication has been deprecated by Microsoft for Office 365 Exchange Online, certificate authentication is now required for Office 365 auditing. Newly created auditing templates and the associated web application will have the required permissions and certificate. However, If you are using an existing web application, you will need to provide a certificate and ensure that it has the required permissions.
See the Office 365 and Azure Active Directory Auditing User Guide for details.
The following events have also been added:
Cyber security enhancements
Additional Active Directory events and built-in searches have been added that can be used as indicators of possible cyber security attacks.
Active Directory Federation Services auditing enhancements
Additional foreign forest support
The following is supported in environments where a coordinator does not exist in the foreign forest where agents are deployed:
Additional events
Events to audit when a change is made to the coordinators selected for purge, archive or report jobs:
Events to audit failed client logons:
Events to audit changes to the “Inheritance” option on the security tab for Active Directory objects:
Internal events are now generated when changes are made to file system templates through PowerShell commands. Previously these events were only generated when changes were made through the Windows client.
Additional platform support
The following support has been added:
The following support has been removed:
Miscellaneous features and enhancements
Important information
Outlook “Show New Mail Desktop Alert” triggers the “Message Read by Owner” event: When this option is enabled, new email that arrives flashes a semi-transparent “alert” near the desktop system tray. Change Auditor captures a Message Read by Owner event when this occurs. The new email alert window opens each new email message as it arrives to build the alert. Note: The “Message Read by Owner” event is disabled by default in Audit Event configuration.
Microsoft Outlook/Exchange add-Ins: Change Auditor may be incompatible with Microsoft Outlook or Exchange “add-ins” (commercial or custom) that interact with Exchange Servers. While Quest makes every effort to ensure proper functionality and performance, we are unable to validate against the many add-ins available for Microsoft Outlook or Exchange Server.
“By Owner” auditing feature: Selecting ‘By Owner’ auditing for many mailboxes can produce many events. This adversely affects Change Auditor auditing and in severe cases the performance of the Exchange Server itself. In extreme cases, Outlook connections may be slowed or dropped. Select owner auditing for at most only a few critical mailboxes.
Auditing mailboxes with many delegates: Auditing normal mailboxes where access permission is granted to many delegates (more than 10), can produce large numbers of non-owner events. This will adversely affect Change Auditor auditing and in severe cases, the performance of the Exchange Server itself. If these mailboxes need to be audited, add them to the Shared Mailbox list (User Defined tab) to reduce unwanted non-owner events and to improve performance.
SMTP alert notifications on owner mailbox “event storm”: It is highly recommended that mailboxes configured to receive SMTP alerts are excluded from auditing “by Owner” events. An “event storm” could occur when a new SMTP alert is received on an audited mailbox by owner, generating a never-ending cycle of “Inbox opened by owner” and “Message read by owner” events.
Upgrading agents on high volume Exchange Servers: It is critical that agent upgrades be scheduled for maintenance intervals or other periods of low user mailbox activity for any configuration of Exchange Server. Change Auditor for Exchange agent upgrades should not be attempted on an active Exchange Server cluster node in any case.
Control Stations: The Control Station is a dedicated management computer that monitors and controls cabinet components and allows access to the full functionality of the Celerra or VNX Network Server software. It contains utilities for installing and configuring the Celerra or VNX Network Server, maintaining the system, and monitoring system performance. The Control Station runs a set of programs that are collectively referred to as the Control Station software. The Control Station itself uses an EMC-customized version of Linux as its operating system.
Data Movers: Data Movers are the Celerra or VNX components that transfer data between the storage system and the network client. Data Movers are managed by using a Control Station. By default, Data Movers are named server_n, where n is the slot number of the Data Mover. For example, server_2 is the Data Mover in slot 2.
|
• |
Troubleshooting EMC events: If EMC events are not being audited by the Change Auditor agent, first check to see if the EMC CAVA agent service is running on your Windows Server where the EMC events are being collected. Second, check to see if the CEPP service on the EMC Data Mover is running or if the state is offline, by using the command: |
|
• |
Microsoft Office files: Since the Change Auditor for Windows File Servers, NetApp, and EMC drivers capture events related to file activity, it is possible that a folder containing files being opened and edited by Microsoft Office products (Word, Excel, PowerPoint, and so on) will generate unexpected results. Understanding how MS Office products interact with the file system might help explain some of the audit events captured. See http://support.microsoft.com/kb/211632 for more details. |
|
• |
File System Auditing for SAN: Support and engineering will attempt to troubleshoot and resolve issues to the best of their ability when the SAN is attached to a Windows-based file server such that it appears as a local drive on that host. In this configuration, the SAN generally behaves as an extra disk drive on the server which can be audited by a Change Auditor agent on that server. Success in this configuration depends on many factors and is not guaranteed. |
|
• |
Recompiling the Change Auditor MOF file: Change Auditor no longer ships with a MOF file as part of the coordinator installer. Should the CA WMI namespace become corrupt, or should there be an installation failure, the file can be recompiled using the following command line: |
|
• |
Blackberry Enterprise Server (or similar) services: To eliminate auditing of automated tasks, the Change Auditor agent attempts to automatically exclude auditing of mailbox accesses by Blackberry Enterprise Server (BES) or similar service accounts. These accounts have both ‘Receive All’ and ‘Administer Information Setup’ rights on the mailbox database. If these explicit rights are granted to user accounts, those accounts are also excluded from mailbox auditing, which may not be wanted. If necessary, this automated exclusion can be disabled on a server-by-server basis. |
