立即与支持人员聊天
与支持团队交流

Change Auditor - For Advanced Users 7.2 - Technical Insight Guide

Change Auditor Services Change Auditor licensing processes Component Start-up Considerations Change Auditor network communications Coordinator internal tasks Registry Settings Change Auditor built-in fault tolerance Change Auditor protection Database Considerations Account exclusions best practices

SMB protocol and share encryption

Change Auditor uses the SMB protocol for file transfer for agent deployment and when the 'Get All Logs' feature is used. In these cases, the SMB protocol version configured on the agent computer is used. To ensure the SMB traffic is encrypted:
For agent deployments, ensure that SMB3 is enabled on the agent computer or specify a custom file share which is configured to encrypt data access to use instead of the $ADMIN share. This can be configured in the Change Auditor client under the “Advanced Deployment” section.
For the 'Get All Logs' feature, there is no workaround available. To encrypt the connection, users must ensure that SMB3 is enabled on the agent computer.

Secure password storage

Certain aspects of Change Auditor auditing require storing passwords and other confidential data. Examples of such data include access credentials to NetApp, EMC, SharePoint, Office 365, Skype for Business, FluidFS and SQL DLA. To safeguard this data, Change Auditor uses RSA encryption.

* 
NOTE: The password storage is FIPS-compliant from version 7.0.2, using only Microsoft-certified APIs compliant with FIPS 140-2 and it’s annexes. Change Auditor is compatible with the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” group policy enabled.
NOTE: If FIPS compliance is required, Change Auditor coordinators, agents and clients must all be version 7.0.2 or greater.

On startup, the agent generates a private/public key pair and stores the public key in the database. When the agent is configured to audit another network device using the supplied credentials, these credentials are encrypted using the agent’s public key. This way, it is impossible for anyone but the agent itself to decrypt them.

The coordinators also store public keys in the database which are used to decrypt SMTP passwords to send alerts.

1
For user authentication and local password storage of user identities, Change Auditor uses CryptProtectData from http://msdn.microsoft.com/en-us/library/aa380261.aspx.
Change Auditor uses CryptProtectData with a key length that is variable-dependent upon input phrase. This encryption is symmetric. This encryption is automatically enabled. This encryption cannot be used outside of Change Auditor.
2
For user authentication and database password database storage, Change Auditor uses the “Microsoft Enhanced Cryptographic Provider v1.0” (CNG or Crypto Next Generation) provider with provider type of PROV_RSA_FULL. Secrets are symmetrically encrypted with AES using a 256-bit key, and the AES key is then encrypted with RSA using a 4096-bit key before being stored with the encrypted secret.
When upgrading the Change Auditor coordinator to version 7.0.2 or above from version 7.0.1 or less, passwords and other data protected by coordinator public keys are updated to the new, stronger encryption scheme during database upgrade at the first startup after upgrade. Passwords and other data protected by agent public keys are updated to the new encryption scheme for all connected agent versions when they connect to the upgraded coordinator. Any additional older coordinators will need to be updated to the version of the first coordinator before they will connect to the updated database.

Client to coordinator connection

Client to coordinator connection
1
When the client is started, it searches Active Directory for the Service Connection Point (SCP) objects to retrieve connection information for the coordinator such as host name, listening port, and other authentication information.
2
The client connects to the coordinator using Windows Communication Foundation (WCF) using Kerberos authenticated connections.Ports are dynamically assigned, but can be statically set.
3
The coordinator encrypts protected data using Microsoft RSACryptoServiceProvider (PROV_RSA_FULL) APIs.
4
The client decrypts the protected data using Microsoft RSACryptoServiceProvider (PROV_RSA_FULL) APIs.

Agent to coordinator connection (version 6.x and 7.0.1)

Change Auditor 6.x (and above) agents also search Active Directory for the SCP for connection information to the coordinator; however, they now connect to the coordinator using WCF as described here.

1
The Change Auditor 6.x (and above) agent connects to a coordinator using WCF using Kerberos authenticated connections. Ports are dynamically assigned, but can be statically set.
2
The coordinator encrypts protected data using Microsoft RSACryptoServiceProvider (PROV_RSA_FULL) APIs.
3
The agent decrypts the protected data using Microsoft RSACryptoServiceProvider (PROV_RSA_FULL) APIs.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级