Converse agora com nosso suporte
Chat com o suporte

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

File System Protection page

Previous Next

File System Protection page

The File System Protection page displays when File System is selected from the Protection task list in the navigation pane of the Administration Tasks tab. From this page you can launch the File System Protection wizard to specify a file or folder to be protected from unauthorized access. You can also edit existing templates, disable a template, and remove templates that are no longer being used.

 
* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, refer to the Change Auditor User Guide for more information on how to gain access.

The File System Protection page contains an expandable view of all the File System Protection templates that have been previously defined. To add a new template to this list, click Add. Once added, the following information is provided for each template:

Template

Displays the name assigned to the template when it was created.

Status

Indicates whether the template is enabled or disabled. To enable/disable the template, place your cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down menu.

Override Accounts

Indicates whether the override accounts listed are excluded from protection or included in protection. This setting corresponds to the option used at the top of the last page of the File System Protection wizard:
Excluded from Protection - indicates you selected the Allow option to allow only the selected accounts to change the protected objects.
Included in Protection - indicates you selected the Deny option to allow all accounts to change the protected objects EXCEPT for those selected.
Paths

This field is used for filtering data.

Override Account Filter

This field is used for filtering data.

 

Click the expansion box to the left of the Template name to expand this view and display the following details for each template:

Path

Displays the name of the file system included in the File System Protection template.

Status

Indicates whether the protection for the file path is enabled or disabled.

Subfolders

Indicates whether subfolders under the file system path are also being protected.

Protect

Indicates whether a file system path is to be protected (Yes) or excluded from protection (No).

File Masks

Displays the file masks specified on the first page of the wizard.

Applies To

Indicates what is being protected: Files and Folders, Files, Folders, or Shares.

Protection Type

Indicates the type of operation(s) to be prevented as specified on the first page of the wizard.

Override Account

Displays any accounts that are allowed (or not allowed) to change the protected files/folders, as specified on the last page of the wizard.

* 
NOTE: This field is not displayed when there are no override accounts specified in the File System Protection wizard.

File System Protection templates

Previous Next

File System Protection templates

* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.

To enable protection, create a File System Protection template which specifies the files/folders to lock down. You can then add this template to an agent configuration, which then needs to be assigned to the appropriate agents.

* 
NOTE: If you are planning to use multiple File System Protection templates, refer to the Change Auditor Technical Insight Guide for more information on how multiple protection templates are evaluated.
* 
NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.
To create a protection template:
1
Open the Administration Tasks tab.
2
Click Protection.
3
Select File System under the Protection task list to open the File System Protection page.
4
Click Add to open the File System Protection wizard which steps you through the process of creating a File System Protection template.
5
In the Template Name field, enter a descriptive name for the template.
6
In the Path field, enter or click the Browse button to specify the file system path to protect. Click Add to move the specified file system path to the selection list.
* 
NOTE: This must be a local path. Auditing and/or protecting network shares is not supported. To audit or protect those files/folders, an agent must be deployed on the share's hosting server.
7
By default, protection includes the subfolders in the selected file system path. However, to exclude the subfolders, click the arrow control in the Subfolders cell and select No.
8
By default, the specified system file path will be protected. However, to exclude the selected file system path from protection, click the arrow control in the Protect cell and select No.
9
By default, protection will be applied to both files and folders in the selected file system path. To protect just files, folders or shares, click the arrow control in the Applies To cell and select one of the following options:
Files
Folders
Files and Folders (default)
Shares
10
By default, protection will prevent ‘all’ operations from occurring. However, to protect against specific operations, click the arrow control in the Protection Type cell and select one or more of the following operations:
[All] (default)
Read
Write
Create
Delete
Rename
Move
Dacl Change
Owner Change
Sacl Change
Attribute Change
CAP Change
Classification Change
11
Use the File Mask field to optionally specify a file mask to protect a group of files in the selected file system path. Once you have specified a file mask, click Add to add it to the list at the bottom of the page.
12
On the next page of the wizard, use the Browse or Search page to optionally select user or group accounts which will be allowed to make changes to the protected objects selected on the previous page. Click Add to add the selected user or group to the Override Account list.
* 
NOTE: The Allow option is selected by default indicating that the selected users or groups will be allowed to change the protected objects. However, you can select the Deny option at the top of this page and select individual users or groups that are NOT allowed to change the protected objects. When using the Deny option, you are allowing all users and groups to change the protected objects except for those selected on this page.
13
On the next page of the wizard, you have the option to schedule when the protection will be enforced. You can either select to have the protection always run or have it run only during specific times. To enable the protection only during specific times, select the Protection is scheduled option, and define when it should be enabled (hour blocks on a weekly basis). The times selected are the local agent time where the template is applied.
* 
NOTE: If you have denied specific users or groups the ability to change the protected objects and you have enabled a protection schedule, those users or groups will be denied access ONLY during this time. Anytime outside of when the schedule is set to enabled, these denied accounts WILL be able to access the protected object.

When the schedule is disabled, ALL options are disabled with it, including any denied access to the specified users. The scheduling options override all other protection settings.
14
On the next page of the wizard, you have the option to control when the protection is enabled based on the location. Location refers to the computer that is attempting to access the resource that is protected.
Protect access from all locations: Protection is always enabled regardless of the location.
Protect access only from select locations: Protection is only enabled for the specified locations.
Disable protection only for select locations: Protection is disabled for the selected locations. Enabled everywhere else.
Protect access from all unknown locations: All file system requests from locations that cannot be determined by the agent will be protected.
* 
NOTE: If you have denied specific users or groups access to protected objects, but you have specified locations that CAN access the protected object, the denied user or group WILL be able to access the protected objects from these locations.

The location options override all other protection settings.
15
To create the template without assigning it to an agent configuration, click Finish.

Clicking Finish creates the template, closes the wizard, and returns you to the File System Protection page where the newly created template is now listed.

16
To create the template and assign it to an agent configuration, expand Finish and select Finish and Assign to Agent Configuration.

On the Configuration Setup dialog, use one of the following methods to assign this template to an agent configuration:
Select the newly created template and ‘drag and drop’ it onto a configuration in the Configuration list.
Select a configuration from the Configuration list and ‘drag and drop’ it onto the newly created template.
Select a configuration, then select the newly created template, right-click and select Assign.
Select a configuration, then select the newly created template, click in the corresponding Assigned cell and click Yes.
17
If this configuration is not assigned to any agents, you will need to assign it to one or more installed agents to capture the specified file system events.
On the Agent Configuration page, select one or more agents from the agent list and click the Assign tool bar button.
On the Agent Assignment dialog, select the configuration definition to be assigned to the selected agents and click OK.
On the Agent Configuration page, select the agents assigned to use the modified agent configuration and click Refresh Configuration to ensure the agents are using the latest configuration.
 
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
To modify a template:
1
On the File System Protection page, select the template to be modified and click Edit.

This displays the File System Protection wizard, where you can modify the files or folders to be protected.

2
Click Finish or expand Finish and select Finish and Assign to Agent Configuration.
To disable a template:

The disable feature allows you to temporarily stop protecting the specified file path without having to remove the protection template or individual file path from an active template.

1
On the File System Protection page, use one of the following methods to disable a template:
Place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.
Right-click the template to be disabled and select Disable.

The entry in the Status column for the template will change to ‘Disabled’.

2
To re-enable the protection template, use the Enable option in either the Status cell or right-click menu.
To disable the protection of a file path in a template:
1
On the File System Protection page, use one of the following methods to disable a file path in a protection template:
Place your cursor in the Status cell for the file path to be disabled, click the arrow control and select Disabled.
Right-click the file path to be disabled and select Disable.

The entry in the Status column for the selected file path will change to ‘Disabled’.

2
To re-enable protection of a file path, use the Enable option in either the Status cell or right-click menu.
To delete a template:
1
On the File System Protection page, select the template to delete and click Delete | Delete Template.
2
A dialog displays confirming that you want to delete the selected template. Click Yes.
To delete a file path from a template:
1
On the File System Protection page, select the file path to be deleted and click Delete | Delete File Path.
2
A dialog displays confirming that you want to delete the selected file path from the template. Click Yes.
* 
NOTE: If the file path is the last one in the template, deleting this file path will also delete the template.

File System Protection wizard

Previous Next

File System Protection wizard

The File System Protection wizard displays when you click Add or Edit on the File System Protection page. This wizard steps you through the process of creating a new file system protection template, identifying the files and/or folders to be included in the template.

* 
NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.

The following table provides a description of the fields and controls in the File System Protection wizard:

 
* 
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered.
 

Table 3. File System Protection wizard

Create or modify a File System Protection Template page

Use the first page of the wizard to enter a name for the template and specify the file system path to be protected.

Template Name

Enter a descriptive name for the template being created.

Path

Enter or use the browse button to specify the file system path to be protected.

After entering or selecting the files system path to be protected, click the Add button to add it to the File System Path list.

NOTE: This must be a local path. Auditing and/or protecting network shares is not supported. To audit or protect those files/folders, an agent must be deployed on the share's hosting server.

Selecting the browse button displays the Browse For Folder dialog allowing you to browse for and select the file system path which is to be protected by Change Auditor.

File System Path list

The file system paths selected for protection are displayed in the list box located in the middle of the page. Use the buttons to the right of the Path field to add and remove file system paths.
Add - Click to move the entry in the Path text box to the File System Path list.
Remove - Select an entry in the File System Path list and click Remove to remove it.

Subfolders

By default, protection will include the subfolders in the selected file system path. However, if you want to exclude subfolders from protection, click the arrow control in the Subfolders cell and click No.

Protect

By default, the specified file system path will be protected. However, to exclude the selected file system path from protection, click the arrow control in the Protect cell and click No.

Applies To

By default, protection will be applied to both files and folders in the selected file system path. To protect just files, folders or shares, click the arrow control in the Applies To cell and select one of the following options:
Files
Folders
Files and Folders (default)
Shares

File Mask

If applicable, this cell displays the file mask, which is used to protect a group of files, as specified at the bottom of the page.

Protection Type

By default, protection will prevent ‘all’ operations from occurring. However, to protect against specific operations, click the arrow control in the Protection Type cell and select one or more of the following operations:
[All] (default)
Read
Write
Create
Delete
Rename
Move
Dacl Change
Owner Change
Sacl Change
Attribute Change
CAP Change
Classification Change
NOTE: File classifications are modified by a system process on behalf of a user; therefore, a system/machine account may not be captured for the ‘who’ for file classification changes. As a result, classification operations specified in a File System Protection template may not be affected by the ‘Allow/Deny’ accounts specified on the next page of the protection wizard.

File Mask

Use this field to optionally specify a file mask to protect a group of files. You can use any combination of ? or * wildcard characters.

Once you have specified a file mask, click Add to add it to the list at the bottom of the page and the File Masks cell in the File System Path list (middle of the page).

File Masks list

The list box at the bottom of the page lists the file masks specified for this protection template. Use the buttons to the right of the File Mask field to add and remove masks.
Add - Click to move the entry in the text box to the File Masks list.
Remove - Select an entry in the File Masks list and click Remove to remove it

(Optional) Select Accounts Allowed (Not allowed) to Access Protected Objects page

Use this page to optionally specify user and group accounts that are authorized to make changes to the specified protected objects.

Allow

The Allow option is selected by default indicating that the accounts selected on this page will be the only accounts allowed to make changes to the protected objects.

Use the Browse or Search page to select the user or group accounts.

Deny

Select the Deny option if you would like to allow all users and groups to change the protected objects EXCEPT for those selected on this page.

Use the Browse or Search page to select the user or group accounts.

 

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the users or groups that will be allowed (not allowed) to change the protected objects.

Once you have selected an account, use Add to add it to the list at the bottom of the page.

Search page

Use the controls at the top of the Search page to search your environment to locate the users or groups that will be allowed (not allowed) to change the protected objects.

Once you have selected an account, use Add to add it to the list at the bottom of the page.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Override Account list

The list box across the bottom of the page displays the user and group accounts that are allowed (not allowed) to change the protected objects selected on the previous page of the wizard. Use the buttons located above this list box to add and remove accounts.
Add - Select an account in the Browse or Search page and click Add to add it to the Override Account list.
Remove - Select an account in the Override Account list and click Remove to remove it.

(Optional) Schedule when protection is enabled

 

You can either select to have the protection always run or have it run only during specific times.

To enable the protection only during specific times, select the Protection is scheduled option, and define when it should be enabled (hour blocks on a weekly basis).The times selected are the local agent time where the template is applied.

NOTE: If you have denied specific users or groups the ability to change the protected objects and you have enabled a protection schedule, those users or groups will be denied access ONLY during this time. Anytime outside of when the schedule is set to enabled, these denied accounts WILL be able to access the protected object.

When the schedule is disabled, ALL options are disabled with it, including any denied access to the specified users.

The scheduling options override all other protection settings.

(Optional) Enable or disable protection for specific location

Control when the protection is enabled based on the location. Location refers to the computer that is attempting to access the resource that is protected. Select from the following options:
Protect access from all locations: Protection is always enabled regardless of the location.
Protect access only from select locations: Protection is only enabled for the locations specified in the list box.
Allow access only from select locations: Protection is disabled for the select locations. Enabled everywhere else.
Protect access from all unknown locations: All file system requests from locations that cannot be determined by the agent will be protected.
NOTE: If you have denied specific users or groups access to protected objects, but you have specified locations that CAN access the protected object, the denied user or group WILL be able to access the protected objects from these locations.

The location options override all other protection settings.

File System Events

Previous Next

File System Events

The following events can be selected for auditing from the Events tab on the File System Auditing wizard. The events listed on the Events tab is based on the file/folder specified in the Audit Path and the coverage specified in the Scope cell.

File Events
Failed file access (NTFS permissions)
Failed file access (Change Auditor Protection)
File access rights changed
File attribute changed
File auditing changed
File central access policy changed
File classification changed
File created
File deleted
File last write changed
File moved
File opened
* 
NOTE: This event is not available when This object and all child objects is selected in the Scope cell.
File ownership changed
File renamed
 
Folder Events
Failed folder access (NTFS permissions)
Failed folder access (Change Auditor Protection)
Failed share access (NTFS permissions)
* 
NOTE: The Failed share access (NTFS) event monitors changes made to a share’s properties (such as share permissions and comments). It does NOT monitor failed access to a share from a remote computer. So if a user tries to read or change a share’s property, the event will be triggered.

The Failed share access (Change Auditor Protection) event works similarly. Once you have the share protected, only attempts to change a share's property will generate the 'failed share access' event; not attempts to access the share itself.
Failed share access (Change Auditor Protection)
Folder access rights changed
Folder attribute changed
Folder auditing changed
Folder central access policy changed
Folder classification changed
Folder created
Folder deleted
Folder moved
Folder opened
* 
NOTE: This event is not available when This object and all child objects is selected in the Scope cell.
Folder ownership changed
Folder renamed
Junction point created
Junction point deleted
Local share added
Local share folder path changed
Local share permissions changed
Local share removed
* 
NOTE: The following File System events are not listed on the Events page of the File System Auditing wizard because they are always captured when you have applied a Change Auditor for Windows File Servers license:
Shadow Copy created
Shadow Copy deleted
Shadow Copy rolled back
Transaction Status changed
Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação