Change Auditor 7.0.2 - Web Client User Guide

Protection Tasks (Administration Tasks Page)

Introduction

Protection enables administrators to lock down critical objects and attributes to prevent accidental or unauthorized creations, modifications, deletions, and access. This allows you to protect the environment from harmful changes that could open security holes or cause resources to become unavailable.

The protection task list is divided into the following separate task lists:

Forest

With Change Auditor for Active Directory, you can protect any Active Directory, Group Policy, or ADAM (AD LDS) objects that you consider critical. Examples of such objects may include Organizational Units, Group Policy Objects, and service accounts.

See the following administration task descriptions for more information:

Active Directory object protection

When configured, Change Auditor prevents changes from occurring to a protected object regardless of who attempts to change the object and the tool or method used. Attempts to change or delete a protected object fail and an event is generated. These ‘failed’ events are identified by displaying ‘Protected’ in the Result column on the Search Results page and Result field in an event’s detail pane.

NOTE: See the Quest Change Auditor User Guide for information about defining the events to capture based on result.

The Active Directory Protection page is displayed when Active Directory is selected from the Protection task list in the navigation pane of the Administration Tasks page, and contains an expandable view of all the Active Directory Protection templates that have been previously defined. From this page, you can open the Active Directory Protection wizard to define critical Active Directory objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are no longer required.

The Active Directory protection templates defined on the Active Directory Protection page are global settings and apply to all agents.

NOTE: If you are planning to use multiple Active Directory Protection templates, see the Quest Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.
2. Click Protection.
3. Select Active Directory in the Protection task list to open the Active Directory Protection page.
4. Click Add to open the Active Directory Protection wizard which allows you to specify the Active Directory objects to be protected.

Welcome

Name your template.

2. Click Next.

Object Selection

Use the Browse or Search page to locate and select the directory objects to protect.

See Directory object picker for a detailed description of this wizard page.

1. From the Browse or Search page, select an object and click Add to add it to the selection list at the bottom of the page.
2. To change the default operations, click the entry in the Operations cell and select or clear operations.
3. To change the default scope, click the entry in the Scope cell and select a different scope.
4. Click Next.

NOTE: Clicking Finish saves the template and closes the wizard.

Attribute Protection

(Optional) Specify the attributes to include and exclude.

By default, all attributes for the selected objects are protected.

2. From the attribute list on the left, select the individual attributes to include and click Add to move them to the Selected Attributes list on the right.
3. Click Next.

NOTE: Clicking Finish saves the template and closes the wizard.

Schedule when protection is enabled

(Optional) Schedule when the protection is enforced. You can either select to have the protection always run or have it run only during specific times. The times selected are the local agent time where the template is applied.

When the schedule is disabled, all options are disabled with it, including any denied access to the specified users.

The scheduling options override all other protection settings.

2. Click Next.

Enable or disable protection for specific location

(Optional) Control when the protection is enabled based on the location.

Location refers to the computer that is attempting to access the resource that is protected.

The location options override all other protection settings.

Protect access from all locations: Protection is always enabled regardless of the location.
Protect access only from select locations: Protection is only enabled for the locations specified in the list box.
Allow access only from select locations: Protection is disabled for the select locations and enabled everywhere else.
Protect access from all unknown locations: All file system requests from locations that cannot be determined by the agent will be protected.

2. Click Next.

Account Access

(Optional) Specify the accounts that are allowed to change the protected objects.

By default all users and groups are prevented from changing the Active Directory objects selected for protection.

1. Select whether to Allow or Deny access for the selected users or groups. Keep in mind that by selecting Deny, you are allowing all users to change the protected object EXCEPT for those selected on this page.
2. From the Browse or Search page, select an object and click Add to add it to the selection list at the bottom of the page.
3. Click Next.

NOTE: Clicking Finish saves the template and closes the wizard.
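
The following Python model is an added illustration, not Quest code or a Change Auditor API. It shows how the schedule, location, and account settings from the preceding wizard pages combine into one block-or-permit decision, which makes the inverted meaning of Deny easy to check. The field names are hypothetical, and treating the unknown-locations option as a separate flag and checking schedule and location before the account list are assumptions drawn from the statements above.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Optional, Set, Tuple

@dataclass
class Template:
    # Hypothetical field names that mirror the wizard pages; not a product API.
    schedule: Optional[Tuple[time, time]] = None  # local agent time; None = always
    location_mode: str = "all"    # "all" | "protect_listed" | "allow_listed"
    locations: Set[str] = field(default_factory=set)
    protect_unknown: bool = False  # "Protect access from all unknown locations"
    account_mode: Optional[str] = None  # None | "allow" | "deny"
    accounts: Set[str] = field(default_factory=set)

def enforced(t, location, now):
    """True if protection is switched on for this request at all."""
    if t.schedule is not None and not (t.schedule[0] <= now < t.schedule[1]):
        return False  # outside the schedule every option is off, deny list included
    if location is None and t.protect_unknown:
        return True   # agent could not determine the requesting computer
    if t.location_mode == "protect_listed":
        return location in t.locations
    if t.location_mode == "allow_listed":
        return location not in t.locations
    return True       # "all": enabled regardless of location

def is_blocked(t, account, location, now):
    """True if the change attempt fails (the event would show Result = Protected)."""
    if not enforced(t, location, now):
        return False
    if t.account_mode == "allow":
        return account not in t.accounts  # only listed accounts may change
    if t.account_mode == "deny":
        return account in t.accounts      # everyone except listed accounts may change
    return True                           # default: all users and groups are blocked

# Constructed sample: business-hours template that denies one service account.
tpl = Template(schedule=(time(8), time(18)), account_mode="deny",
               accounts={"CORP\\svc-deploy"})
for who, when in [("CORP\\svc-deploy", time(9)), ("CORP\\alice", time(9)),
                  ("CORP\\svc-deploy", time(22))]:
    print(who, when, "blocked" if is_blocked(tpl, who, None, when) else "permitted")
```

Running the model against a planned template before saving it shows which accounts a Deny list leaves free to change the object, and at which hours or from which computers nothing is enforced.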

Template Management

(Optional) Specify individual users or groups who are authorized to manage this protection template.

1. From the Browse or Search page, select an account and click Add to add it to the selection list at the bottom of the page.
2. Click Finish to save the protection template and close the wizard.

If you are in the authorized accounts list at template creation time, you may be locked out later if someone else in the authorized accounts list edits the template and removes you.
