
Copyright @ CionSystems Inc., All Rights Reserved Page 1

Active Directory Reporter & Notifier Best Practices

General Information: [email protected] Online Support: [email protected]

CionSystems Inc. 16625 Redmond Way, Ste M106 Redmond, WA. 98052 http://www.CionSystems.com Phone: +1.425.605.5235

Trademarks: CionSystems, CionSystems Inc., the CionSystems Inc. logo, and CionSystems Active Directory Manager Pro are trademarks of CionSystems. Other trademarks and registered trademarks used in this guide are property of their respective owners.


Table of Contents

1. General Information ............................................................................. 3

2. System Requirements ......................................................................... 4

2.1. CionSystems Active Directory Reporter Requirements ............................................. 4

2.2. CionSystems Active Directory Change Notifier Requirements .................................. 4

3. Deployment Architecture ..................................................................... 5

4. Report Categories ............................................................................... 7

5. Administrator ....................................................................................... 8

6. Notifier ............................................................................................ 9

7. Data Collection .................................................................................. 10

8. Configure an Audit Policy Setting for a Domain Controller ................. 11

9. Configure Auditing for Specific Active Directory Objects.................... 12

10. Filtering .......................................................................................... 13

11. Report Types and Descriptions ......................................................... 14


1. General Information

CionSystems Active Directory Reporter & Notifier provides the best solution to meet Active Directory reporting requirements. Active Directory Reporter retrieves and reports information efficiently from Active Directory while hiding the complexities of the native Active Directory reporting tools and eliminating the need to write scripts. Active Directory Reporter contains 155 out-of-the-box reports as well as customizable reports. Active Directory Reporter can generate reports to help organizations gather information for regulatory audits, including SOX/PCI audits.

• Simplicity - Complex tasks are simplified (no scripting needed).

• 100% web based - Manage Active Directory from anywhere and from any PC running a browser.

• Search - The search facility retrieves data for an Active Directory object. A search can be made on a specific Active Directory object for a specific user quickly and accurately.

• Dashboard - The dashboard view helps to quickly check the status of Active Directory objects. Each user can customize their own dashboard view.

• Email Reports - Reports can be configured and scheduled for automatic delivery to an email address at a prescheduled time.

• Web Access - After Active Directory Reporter is installed on a system, it can be accessed from anywhere using Internet Explorer.

• Print/Export Reports - Reports can be printed or exported to CSV, DOC and PDF.

• Delegation - Role-based delegation allows administrators to create roles with specific privileges. Managers can then assign these roles and delegate work to users.

• Audit Reports - Audit reports cover the changes that the Notifier application stores in the database. The Reporter can apply filters to this data and generate reports on the changes that were made to Active Directory.

Change notification is a critical procedure for managing and limiting authorized and unauthorized changes and errors to the Active Directory configuration. A single unauthorized change can put your organization at risk, introducing security breaches and compliance issues. The built-in Active Directory auditing (if you enable auditing) lacks real-time notification capabilities for authorized and unauthorized changes. Security logs can take up enormous space and resources, and taken alone will never paint the whole picture. CionSystems Active Directory Change Notifier is an easy to use, flexible application that notifies you of the changes made to Active Directory in REAL TIME. Notifications contain the 4 W's: Who, What, When, and Where for all changes made to Active Directory as well as Exchange configurations, for example mailboxes, Group Policy, Active Directory schema, and other Active Directory objects. You can additionally limit noise by choosing to monitor only the objects you care about, and limit the number of notifications. Additionally, these notifications are archived in a log file, allowing organizations to analyze any policy violations, adhere to security best practices and maintain established internal policies.


2. System Requirements

2.1. CionSystems Active Directory Reporter Requirements:

CionSystems Active Directory Reporter needs:

• 4 GB RAM (8 GB recommended)
• 50 MB of disk space
• Web browser: IE 7.0 or higher
• Windows Server 2003, 2008, 2012
• IIS server 6.0 or higher
• Microsoft Exchange management pack for Exchange 2007+
• Microsoft .NET 4.0 Framework
• Access to Exchange Server 2007, 2010 or higher
• Access to Windows Active Directory (2000, 2003, 2008, 2008R2, 2012)
• SQL Server 2008 or higher, Full or Express Edition
• GPMC

2.2. CionSystems Active Directory Change Notifier Requirements:

• 4 GB RAM
• 16 MB of disk space
• Windows Domain Server 2000, 2003, 2008, 2012
• Microsoft .NET 2.0 Framework

CionSystems Active Directory Change Notifier can be installed from a CD or a web link. This application does not have to be installed on a Domain Controller; it can be installed on a regular workstation by someone with privileges high enough to allow connection to Active Directory for the configuration process. We recommend installing it on a domain controller if you want access to the ‘who changed’ attribute; otherwise you can install it on any system but connect to the domain using an admin-level account. Depending on how often and how many users will concurrently connect to the system, ensure that the network pipe is big enough (at least 100 MB from the domain to Active Directory). It is recommended that ADR is installed on a standalone server or standalone virtual PC that meets the memory and free disk space requirements above.


3. Deployment Architecture

Active Directory Reporter (ADR) is a read-only, non-intrusive, web-based application that provides 200+ out-of-the-box reports on the state of Active Directory. It communicates with Active Directory in the backend via a high-privilege account. Administrators connect to the application through an exposed URL. The application can be configured for http or https depending on the security needs. Configuring ADR to use https requires a certificate and configuration changes in IIS. Since the application is hosted in IIS version 5.1+, IIS must be running at all times for ADR to function. ADR uses a SQL database as a configuration repository. Very little data is stored. The application super admin password and the Active Directory backend connections are encrypted before being stored in the database. ADR works with SQL Express 2005 or 2008. In addition, AD Notifier communicates with ADR through the database. AD Notifier can be configured to store all changes in the ADR database. From the ADR application you can generate on-demand or scheduled reports for change history. The change tracking data can be huge; it is recommended that you clean up the change tracking data every 6 months, or otherwise use a full SQL database as the repository. The following picture illustrates the system architecture of ADR and Notifier installed together.

[Figure 1 (diagram): Notifier instances on the domain controllers and servers of Domain_1 and Domain_2; Active Directory Reporter on an IIS server (5.1 or above) with a SQL DB, exposing a URL for administrators and other users and connecting to the domains and domain controllers. Active Directory Notifier captures managed and unmanaged (malicious) changes, stores them in the SQL DB and in log files, and notifies the administrator of changes via email.]

Figure 1 - Active Directory Reporter and Notifier deployment


[Figure 2 (diagram): Active Directory Change Notifier + Reporter serving helpdesk users, IT admins and users, with malicious user access shown as a threat. AD Notifier connects to the Active Directory DCs of Domain 1 and Domain 2 over Secure LDAP, alongside an HR system (DB) and an Admission system (DB). Real-time notification of Active Directory changes (managed changes and unmanaged/malicious changes), function-based filtering, proactive security and reduced troubleshooting time. Changes are stored in the SQL DB (change history) and in log files.]

Figure 2 - Overview of Notifier to Receive Email messages


[Figure 3 (diagram): Active Directory Reporter application server (XP/Server 2000/2003/2008, IIS 5.1+) with a Secure LDAP connection to Domain 1 and Domain 2. Users (for example User 1 - Role A, User 5 - Role D) reach the URL with IE 5+; the Super Admin uses the Repository Mgmt UI. Components: Authorize, LDAP Connect, Web Application A/B, AD Reporter Web Pages, AD Reporter Scheduler, Configuration, AD Reporter Business Logic, AD Reporter Data Access Layer, and the DB holding all reports and configuration; reports are served based on the role. Active Directory Notifier changes (managed and unmanaged/malicious) are stored in the SQL DB and in log files.]

Figure 3 - Active Directory Reporter - Report Categories

4. Report Categories

Active Directory Reporter’s out-of-the-box reports are divided into the following categories:

• Active Directory User Reports
• Active Directory Security Reports
• Active Directory Logon Reports
• Active Directory Exchange Reports
• Active Directory Password Reports
• Active Directory GPO Reports
• Active Directory Computer and Contact Reports
• Active Directory File and Printer Reports
• Active Directory Schema and Site Reports
• Active Directory Forest Info (Other) Reports
• Active Directory Replication Reports
• Active Directory Terminal Server Reports
• Active Directory OU Reports
• Active Directory Advanced LDAP Reports


• Active Directory Group Reports
• Active Directory Compliance Reports
• Audit Reports

5. Administrator

The default user name and password for the super administrator are “admin” and “admin” (without quotes). You can change this password to your desired password by logging into the application as administrator. Note: Make sure you keep the password in a safe place. Active Directory Reporter encrypts the password before storing it; should you forget the password, the application will not let you log in. After installation, ADR will ask you to configure the domain and domain controller along with a privileged account. Once this is configured, it will bring up the default dashboard, which you can customize to meet your needs. ADR supports multiple domains; after the first domain configuration, add more domains from the administrator page if you wish. In addition, you can configure the mail server to receive the following:

1. Email notifications for password, locked-out user and inbox size limit events
2. Reports by email at your desired time, with your desired reports

It is recommended that you change the report formats and the fields of each report to meet your needs. ADR selected defaults based on the majority of customer feedback; every IT department's requirements are different, so the default fields may not be the right ones for your reports. The application also supports delegation, through which you can give different users access to different reports while restricting other reports from their view.

Figure 4 - Active Directory Reporter - Sample Report


6. Notifier

CionSystems Active Directory Change Notifier is an easy to use, flexible application that notifies you of the changes made to Active Directory in REAL TIME. Notifications contain the 4 W's: Who, What, When, and Where for all changes made to Active Directory as well as Exchange configurations, for example mailboxes, Group Policy, Active Directory schema, and other Active Directory objects. You can additionally limit noise by choosing to monitor only the objects you care about, and limit the number of notifications.

If you wish to receive only email notifications, do not configure SQL Server. You will get change notifications by email, and additionally the changes are logged to the following location: %program files%\CionSystems Inc\AD Change Notifier\auditlog

You can install Notifier on all domain controllers or on only one domain controller. We recommend installing Notifier on the primary domain controller; login notifications are suppressed because they are normal events, and enabling login events will generate a lot of noisy data.

NOTE: Ensure the Security event log size is set to 10 MB and to roll over. Otherwise you might experience slowness on the domain controller where Notifier is installed.

For audit needs you may want to consider storing events in the SQL database for later historical reports. Follow the procedure below to configure the SQL database with Notifier: from the Notifier application, click Configuration and choose “Sql Server Configuration”.

Figure 5 - Active Directory Change Notifier - SQL Server Configuration


Enter the SQL Server, User Name and Password, and provide the interval in hours. To save change history in the database, select the ‘Yes’ save changes into Database radio button and then click “Save”. The database that you provide here is the same database that Active Directory Reporter creates at installation time. You can then use the Audit Reports tab of the Active Directory Reporter application to generate different auditing reports. NOTE: The configured database must be the same one that is used by Active Directory Reporter. Follow the section below to enable auditing on the domain; otherwise you might not get the “who” for change notifications. Another caveat is that not every change will have a “who” associated with it. For some changes you may see “system” as the name of the person who made the change. This is normal, as Active Directory records the “who” only for certain types of changes.

7. Data Collection

• Auditing of the Directory Service Access | Success category must be turned on for all domain controllers. To centrally enable this setting, go to the Domain Controller Security Policy (available from the Administrative Tools menu on any DC), navigate to the Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy node and make sure that the Audit directory service access setting is set to Success (or Success and Failure). The DC policy (not a domain policy) must be used to enable this setting, because domain controllers don’t inherit domain policy settings by default.

• Similar to Directory Service Access, auditing of the Account Management | Success category must be turned on if you want to report on password resets. The configuration instructions are the same (see above).

• If you get errors about the Group Policy Management Console (GPMC) not being installed when it is actually installed, try to repair the GPMC installation by running the following: regsvr32.exe C:\Program Files\GPMC\gpmgmt.dll

• If you get incorrect values in the “Who changed” fields: remember that the size of the Security event logs on your domain controllers must be large enough to hold the events. Also ensure that the “Overwrite events as needed” option is selected.


8. Configure an Audit Policy Setting for a Domain Controller

1. Click Start | Programs | Administrative Tools, and then click Active Directory Users and Computers.

2. On the View menu, click Advanced Features.

3. Right-click Domain Controllers | Properties.

4. Click the Group Policy tab | Default Domain Controller Policy | Edit.

5. Click Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy.

6. In the right pane, right-click Audit Directory Services Access, and then click Properties.

7. Click Define These Policy Settings, and then click to select one or both of the following check boxes:

   Success: Select this box to audit successful attempts for the event category.

   Failure: Select this box to audit failed attempts for the event category.

8. Right-click any other event category that you want to audit, and click Properties.

9. Click OK.

Figure 6 - Active Directory Change Notifier - Security Properties


Because the changes that you make to your computer's audit policy setting take effect only when the policy setting is propagated or applied to your computer, complete either of the following steps to initiate policy propagation. Wait for the automatic policy propagation that occurs at regular intervals that you can configure. By default, policy propagation occurs every five minutes.

10. Open the Security log to view the logged events. If you are either a domain or an enterprise administrator, you can enable security auditing for workstations, member servers, and domain controllers remotely.

9. Configure Auditing for Specific Active Directory Objects

After you configure the audit policy setting, you can configure auditing for specific objects such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access you want to audit. To configure auditing for specific Active Directory objects:

1. Click Start | Programs | Administrative Tools | Active Directory Users and Computers.

2. Make sure that Advanced Features is selected on the View menu by checking that the command has a check mark next to it.

3. Right-click the Active Directory object that you want to audit | Properties.

4. Click the Security tab | Advanced.

5. Click the Auditing tab | Add.

6. Complete one of the following:

   1. Type the name of either the user or the group whose access you

   2. In the list of names, double-click either the user or the group whose access you want to audit.

7. Click to select either the Successful or the Failed check box, then click OK.

8. Click OK twice.

If you want to monitor changes to domain configuration or Exchange configuration, please follow these steps to enable object-level auditing for Configuration and Schema containers:

1. Run the ADSI Edit utility (a part of the Windows Support Tools package).

2. Right-click the root node, select Connect to, and connect to the Configuration naming context of your domain.

3. Right-click the Configuration node, open its properties and go to the Security tab.

4. Click Advanced and select the Auditing tab.

5. Click Add, type Everyone, and click OK.

6. In the Apply onto list, select This object and all child objects.


7. Select all Successful audit items except for the following: Full Control, List Contents, Read Permissions, Read All Properties.

   DO NOT click the checkbox named “Apply these auditing entries to objects and/or containers within this container only”.

8. Click OK.

Repeat all of the steps above for the Schema container.
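The following PowerShell script is an added example, not part of the CionSystems guide, that verifies in read-only fashion the auditing prerequisites from sections 7, 8 and 9: the audit policy subcategories, the Security log size and roll-over setting, and the Everyone/Success audit entries on the Configuration and Schema containers. It assumes Windows Server 2008 or later (auditpol.exe), the RSAT ActiveDirectory module, and an elevated session on a domain controller.

```powershell
# Added example (not CionSystems code): read-only checks for the auditing
# prerequisites described in sections 7 to 9 of the guide.
Import-Module ActiveDirectory

$findings = @()

# 1. Audit policy. The guide needs Directory Service Access | Success for
#    object changes and Account Management | Success for password resets;
#    "User Account Management" is the auditpol subcategory that carries those.
foreach ($sub in 'Directory Service Access', 'User Account Management') {
    $line = auditpol /get /subcategory:"$sub" | Where-Object { $_ -match $sub }
    if ($line -notmatch 'Success') {
        $findings += "Audit policy '$sub' does not include Success: $line"
    }
}

# 2. Security event log: the guide asks for a 10 MB maximum that rolls over.
#    "Overwrite events as needed" corresponds to LogMode Circular.
$sec = Get-WinEvent -ListLog Security
if ($sec.MaximumSizeInBytes -lt 10MB) {
    $findings += ('Security log maximum size is {0:N0} bytes; guide recommends 10 MB' -f $sec.MaximumSizeInBytes)
}
if ($sec.LogMode -ne 'Circular') {
    $findings += "Security log LogMode is $($sec.LogMode); expected Circular (overwrite as needed)"
}

# 3. SACL on the Configuration and Schema containers: section 9 adds a
#    Success audit entry for Everyone applied to this object and all
#    child objects (InheritanceType All). The AD: drive comes with the module.
$rootDse = Get-ADRootDSE
foreach ($dn in $rootDse.configurationNamingContext, $rootDse.schemaNamingContext) {
    $acl = Get-Acl -Path "AD:\$dn" -Audit
    $hit = $acl.Audit | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -and
        $_.InheritanceType -eq 'All'
    }
    if (-not $hit) {
        $findings += "No inherited Success audit entry for Everyone on $dn"
    }
}

# 4. Sanity check: once the policy has applied and the SACL is in place,
#    directory object modifications show up as event ID 5136. No such event
#    on a busy DC usually means propagation has not happened yet (section 8).
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $recent) { $findings += 'No event ID 5136 found in the Security log yet' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'All auditing prerequisites from sections 7-9 are in place.' }
```

Each warning names the guide step to revisit; the script changes nothing, so it is safe to schedule after Group Policy propagation to confirm the "who" fields will be populated.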

10. Filtering

You can configure Notifier to trap only the desired changes from the following screen. Should you start to see too many notifications, or information that is uninteresting for your environment, set the appropriate filters on the screen below.

Figure 7 - Active Directory Change Notifier - Audit Settings


11. Report Types and Descriptions

The 3 different types of reports are ADD, MODIFY and DELETE:

Figure 8 - Add Notification

Figure 9 - Modify Notification


Figure 10 – Delete Notification

Figure 11 - Group of Change Notifications


Contact Notes:

For technical support or feature requests, please contact us at [email protected] or 425.605.5325. For sales or other business inquiries, we can be reached at [email protected] or 425.605.5325. If you’d like to view a complete list of our Active Directory Management solutions, please visit us online at www.CionSystems.com .

Disclaimer

The information in this document is provided in connection with CionSystems products. No license, express or implied, to any intellectual property right is granted by this document or in connection with the sale of CionSystems products. EXCEPT AS SET FORTH IN CIONSYSTEMS’ LICENSE AGREEMENT FOR THIS PRODUCT, CIONSYSTEMS INC. ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL CIONSYSTEMS INC. BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF CIONSYSTEMS INC. HAS BEEN ADVISED IN WRITING OF THE POSSIBILITY OF SUCH DAMAGES. CionSystems may update this document or the software application without notice.

CionSystems Inc 16625 Redmond Way, Ste M106 Redmond, WA 98052 425.605.5325

This guide is provided for informational purposes only, and the contents may not be reproduced or transmitted in any form or by any means without our written permission.