
NetWrix Server Configuration Monitor

Version 2.2


Contents

1. INTRODUCTION
1.1 KEY FEATURES
1.2 LICENSING
1.3 HOW IT WORKS
2. GETTING STARTED
2.1 SYSTEM REQUIREMENTS
2.2 CONFIGURING SYSTEM AUDITING (APPLICABLE ONLY FOR THE STANDARD EDITION)
2.2.1 Object Access Auditing
2.2.2 Object Modifications Auditing
2.3 PRODUCT INSTALLATION
3. QUICK SETUP
3.1 CONFIGURATION
3.2 DATA COLLECTION AND REPORTING
3.3 VIEWING ARCHIVED CHANGES
3.4 ADVANCED REPORTING
4. ABOUT NETWRIX PRODUCTS


1. Introduction

Even minor configuration changes made to servers can potentially impact your users and cause major disruptions to businesses. Every time a change is made, it makes a lot of sense to properly document and communicate it, especially when the servers are maintained by multiple team members. Another very common example: changes made yesterday broke your systems, and you don't remember the old settings. Logging all changes manually is a time-consuming and error-prone task, and requires significant effort in environments of all sizes, whether you have 1 server or a thousand. Also beware of unauthorized changes, because nobody will ever document them at all.

Server Configuration Monitor (SCM) is a tool for automated auditing and reporting of all changes made to server configurations: general computer settings, software installation, services, hardware and system drivers, local users and groups, Windows registry, etc. If your situation requires monitoring of some non-default events, custom monitoring templates are available and may be ordered from NetWrix (*). The tool centrally monitors multiple servers and sends daily summary reports about any changes detected during the last day. New hardware devices, driver upgrades, changes to services and applications: no change will pass behind the scenes, no matter who made it, and how. Changes are especially easy to track with the Who (*) and When (*) reporting capabilities. You set up this tool once and start getting daily summary reports about all changes, grouped by server name. Advanced SQL-based reporting is also a feature, with optional custom reports available for ordering from NetWrix (*). Server Configuration Monitor comes in two Editions: Freeware and Standard.

1.1 Key Features

Server Configuration Monitor helps you to carry out the following auditing and reporting tasks:

• Detect and report on changes made to your servers including changes to computer settings, services, device drivers, local users and groups (*), Windows registry (*), software installation, hardware installation**. Reports include information about what changes were made, who (*) made the changes and when (*) they were made. Changes to the following parameters are covered:

Hardware configuration: Monitors, Display Adapters, Sound Devices, Hard Drives, CD-ROM Drives, Floppy Drives, IDE, SCSI, Keyboards, Pointing Devices, Serial Ports, Parallel Ports, USB Controllers, USB Hubs, Network Adapters, Printers, Infrared Devices, Base Boards, BIOS settings, Buses, Cache Memory, Device Memory, DMA, IRQ, PCMCIA Controllers, Physical Memory, Processors, System Slots;

System configuration: General System Properties, System Restore, Environment Variables**, Startup and Recovery, Network, Port Resources, Local Groups, Local Users, Registry, System Drivers, System Services**, Remote Desktop;

File system configuration: Logical Disks, Disk Partitions.

• Report on previous and current values for every change.

• Generate on-demand Web-based reports. (*)

• Create custom reports (can also be ordered from NetWrix). (*)

• Store collected audit data and enable historical reporting for any period of time. (*)

* - Features are only available in the Standard Edition.


1.2 Licensing

Server Configuration Monitor is available in two editions: Freeware and Standard. The following table compares feature sets of the available product versions:

Feature | Freeware Edition | Standard Edition
Long-term archiving of audit data | No | Any period of time
Advanced reporting (SSRS) | No | Yes, with custom reports available for ordering from NetWrix
Monitoring of local users and groups changes | No | Yes
Windows registry changes monitoring | No | Yes
Reporting on when and by whom the changes were made | No | Yes
Technical Support

The Free Edition can be used by companies and individuals for an unlimited time, at no charge. The Standard Edition can be evaluated free of charge for 20 days.


1.3 How It Works


Typical Server Configuration Monitor data collection and reporting workflow is as follows:

1. An administrator launches the configuration utility and sets the parameters for the automated data collection and reporting, choosing whether to report on changes to:

• general computer settings

• software installation

• services

• hardware and system drivers

• local users and groups

• windows registry

2. A dedicated scheduled task which is launched periodically (every night, at 3 AM by default; it can also be launched manually when needed) collects server configuration snapshots and/or audit data, and e-mails the reports to the specified recipients. The task name is NetWrix Server Configuration Monitor.

3. If Advanced Reporting (based on SSRS) is enabled and configured, the task will also store information about the server configuration changes to the specified SQL server database (note that this feature is unavailable in the Freeware Edition). The changes are later available for review through the SQL SRS web interface.

4. A mail client is used to view the reports sent by e-mail (all Editions); the Report Viewer can be used to


2. Getting Started

This section describes the necessary prerequisites for Server Configuration Monitor installation.

2.1 System Requirements

Supported server configurations:

MONITORED SERVERS:

• Microsoft Windows 2000 or later

OS requirement:

COMPUTER WHERE SERVER CONFIGURATION MONITOR WILL BE INSTALLED:

• Windows XP SP2 or higher

Necessary additional software:

• Microsoft .NET Framework 2.0 or later

• Microsoft Windows Installer 3.1 or later

Additional requirements:

• Disk space – enough for temporary data storage (server configuration snapshots and/or audit data will be stored there). Disk space usage depends heavily on the number of servers and audit parameters. It is recommended to have no less than 20Gb of disk space available. The disk space cost is approximately 250 bytes per change found.

• SQL Server 2005 or 2008 with Reporting Services (SSRS) is required for advanced reporting (*). SQL Server Express Edition with Advanced Services is supported; it can be installed and configured automatically. The following article explains how to configure SQL Server 2005 Express Edition to allow remote connections:

Required rights and permissions

The account which the Server Configuration Monitor service will use for data processing and report generation requires the following:

• ‘Manage auditing and security log’ privilege. There are two ways to enable the necessary Group or Local Policy settings:

- Through Group Policy: Launch the Group Policy Object Editor and in the Group Policy object (e.g. Default Domain Controllers Policy), navigate to Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment and open the Manage Auditing And Security Log parameter, then click Add User or Group and specify the account under which Server Configuration Monitor is running. Do this for all managed servers. (To centrally enable this setting, it’s recommended to create a dedicated Group Policy Object and assign it to your servers OU.)

- Through the Local Security Policy: Launch the Local Security Settings, go to Security Settings | Local Policies | User Rights Assignment and open Manage Auditing And Security Log, then click Add User or Group and specify the account under which Server Configuration Monitor is running. Do this for all managed servers.

• Local administrator rights on the computer where Server Configuration Monitor is installed.

• Local administrator rights for the servers monitored by Server Configuration monitor (the account used to run Server Configuration Monitor must be a member of the local administrators group on the monitored servers)

If you plan to collect data using agents (*) (which is recommended; for details, see the Additional Configuration section), consider that:

• Agent service will be run under the Local System account.

For Advanced Reporting (*) to work properly:

The account used by the users to configure the Report Server, as well as Server Configuration Monitor service account must be assigned the Content Manager role for the SSRS Home folder. To assign that role:

1. Run SSRS Report Manager (it can be accessed from the Report Viewer by clicking the Web-based reports (SQL SRS) link, or directly by pasting the Report Manager URL from the Advanced Reporting configuration window, opened from the Server Configuration Monitor main window, into your web browser address bar), open the Properties tab of the Home folder, and click New Role Assignment.

2. Specify the necessary group or user account in this format: domain\user. (The account should be in the same domain or in a trusted domain.)

3. Select Content Manager.

4. Click OK to save the role assignments.

The account used by the users to view the reports must be assigned the Browser role for the SSRS Home folder. To assign that role:

1. Run SSRS Report Manager (it can be accessed from the Report Viewer by clicking the Web-based reports (SQL SRS) link, or directly by pasting the Report Manager URL from the Advanced Reporting configuration window, opened from the Server Configuration Monitor main window, into your web browser address bar), open the Properties tab of the Home folder, and click New Role Assignment.

2. Specify the necessary group or user account in this format: domain\user. (The account should be in the same domain or in a trusted domain.)

3. Select Browser.

4. Click OK to save the role assignments.

WARNING: a user account assigned the Browser role is unable to edit or configure the SSRS Home Folder. For this purpose use the Content Manager role.

2.2 Configuring System Auditing (applicable only for the Standard Edition)

Before you start using the product please perform the system auditing setup, by following the recommendations provided in this section.

NOTE: Server Configuration Monitor can configure Object Modifications Auditing settings for you automatically. If you do not wish to change all the settings manually as described below, click Apply in the configuration utility main window. A message will pop up telling you that the audit settings are not configured. Click Yes for Server Configuration Monitor to configure them automatically. If you click No, then you will have to configure the system auditing manually by following the instructions in section 2.2.2, Object Modifications Auditing.

2.2.1 Object Access Auditing

Depending on the types of the reports you need, you have to specify the appropriate audit settings (for example, to track all the object changes events, or registry changes, etc.). First, you must enable object access auditing by defining auditing policy settings for the Object Access event category.

Important: To audit the system auditing properties, you must be logged on to this system as a member of the Administrators local group or you must be granted the Manage auditing and security log right in Group Policy to perform this procedure.

To centrally enable these audit settings, it's recommended to create a Group Policy Object and assign it to your servers OU (as described in the

1. In the Group Policy object, navigate to the Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy node.

2. Make sure that the 'Audit object access' setting is set to ‘Success’ (only required for monitoring changes to the following configurations: General, System Startup, Remote Desktop, System Drivers, Windows Registry).

3. If you need to monitor changes in local users and groups, set ‘Audit account management’ to ‘Success’.

Alternatively, you can use the local policy, as described in

2.2.2 Object Modifications Auditing

To manually configure the audit settings, please carefully follow the instructions below. Skip this section if Server Configuration Monitor has already configured your audit settings automatically.

CAUTION: Using the Registry Editor incorrectly can cause data loss or even operating system failure.

First: configure the audit settings for the HKEY_LOCAL_MACHINE registry section. To do this:

1) Click Start|Run.

2) Type “regedit” (without quotation marks) and click OK.

3) In the Registry Editor right-click on the HKEY_LOCAL_MACHINE\SOFTWARE node and then click on Permissions.

4) In the Permissions window click Advanced, go to the Auditing tab, and then click Add.

5) Type “Everyone” as the object name, click Check Names to verify the name, and then click OK.

6) Make sure that the Successful check boxes are checked next to the following access types:

- Set Value

- Create Subkey

- Delete

- Write DAC

Figure 2: Audit Settings dialog window

7) Click OK twice.

8) Do the actions from 3 to 7 for the HKEY_LOCAL_MACHINE\SYSTEM registry node.

Second: open the “omitregkeys.txt” file (located in the program installation folder) and uncheck “inheritable auditing entries from the parent” for every key specified in the file. To do this:

1) In RegEdit, locate and right-click the first (or the first picked) key from the file.

2) On the Edit menu, click Permissions.

3) Click Advanced, go to the Auditing tab and uncheck Allow inheritable auditing entries from the parent…

4) Click OK twice.

WARNING: If the Object Modification Auditing settings are left unconfigured, the reports will be generated anyway but the Who Changed and When Changed fields will be unavailable in the reports.
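
The audit entry that section 2.2.2 sets by hand on HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM can be checked, and optionally applied, from an elevated PowerShell session. The script below is an added example, not NetWrix code. It assumes the entry applies to the key and its subkeys (the Registry Editor default), matches Everyone by its well-known SID S-1-1-0, and does not process omitregkeys.txt.

```powershell
# Added example (not part of the product). Run elevated on each monitored server.
# Default: report only. With -Apply: add the missing Success audit entry.
param([switch]$Apply)

$ErrorActionPreference = 'Stop'

# "Everyone" is matched by SID so the check also works on localized systems (assumption).
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# Access types from step 6. ChangePermissions is the .NET name for Write DAC.
$required = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions'

function Get-SuccessAuditMask {
    # Returns the combined access mask that is audited on Success for Everyone.
    param([string]$Path)

    # -Audit reads the SACL; this needs 'Manage auditing and security log'.
    $acl  = Get-Acl -Path $Path -Audit
    $mask = 0

    # Explicit and inherited entries, identities returned as SIDs.
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $onSuccess = [int]($rule.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -ne 0
        if ($rule.IdentityReference.Value -eq $everyone.Value -and $onSuccess) {
            $mask = $mask -bor [int]$rule.RegistryRights
        }
    }
    return $mask
}

foreach ($path in 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM') {
    # Bits that step 6 requires but no Success entry for Everyone covers.
    $missing = [int]$required -band (-bnot (Get-SuccessAuditMask -Path $path))

    if ($missing -eq 0) {
        "{0}: OK" -f $path
        continue
    }

    "{0}: no Success auditing for: {1}" -f $path, [System.Security.AccessControl.RegistryRights]$missing

    if ($Apply) {
        $acl  = Get-Acl -Path $path -Audit
        $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
            $everyone,
            $required,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]::Success)
        $acl.AddAuditRule($rule)
        Set-Acl -Path $path -AclObject $acl
        "{0}: audit entry added" -f $path
    }
}
```

Running it without -Apply changes nothing, so it can also be used to confirm what the automatic configuration described in the NOTE above has set.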

2.3 Product Installation

To install Server Configuration Monitor, run the setup program on any computer in the domain where the managed servers are located.

Follow the steps of the wizard. When prompted, accept the license agreement, then specify the installation folder, and click Next to proceed with the installation.


3. Quick Setup

The two sections below describe how to quickly configure Server Configuration Monitor and how to view its reports.

3.1 Configuration

Launch the configuration utility:

Freeware Edition: Start | All Programs | NetWrix Freeware | Server Configuration Monitor | Server Configuration Monitor.

Standard Edition: Start | All Programs | NetWrix | Server Configuration Monitor | Server Configuration Monitor.

The configuration utility main window is displayed as follows:

Perform the following quick configuration:

1. Make sure that Enable Server Configuration Change Reporting check box is checked.

2. Click the Add button and type in the names of the servers you want to monitor the changes on.

3. Leave the Store data to: text box at its default value.

4. Check Enable long-term archiving for: and enter the number of months you want the archived data to be stored for.

5. Make sure Enable network traffic compression (*) is checked. It helps to increase data collection speed and effectiveness. While this option is enabled, a tiny program is executed on the remote computers by the scheduled task. The program collects and compresses the data, thus lessening the overall network load. It also has minimal impact on computer productivity.

6. Click Select… and choose the types of changes you want to monitor. For the test run you may select “General computer settings”, “Software installation” and “Windows registry”.

7. Under Email report delivery settings, enter the following:

a) E-mail addresses to which the reports on server configuration changes will be delivered (multiple recipients should be separated by a semicolon).

b) Supply SMTP server settings (the name and the port).

c) Supply the From address.

8. Click Verify to test the e-mail settings you specified.

9. Click Apply to finish with configuration settings.

10. A message regarding some registry settings that may prevent the ‘Who Changed’ and ‘When Changed’ fields from being collected correctly may pop up. Please click Yes to configure the settings automatically.

11. You will be prompted for the credentials to run the data collection and the report generation.

Figure 4: Scheduled Task Credentials dialog window

Specify the account under which the scheduled task (named NetWrix Server Configuration Monitor) will collect your server changes data and e-mail the reports to the specified recipients.

Note: Make sure the account you supply has sufficient privileges, that is, the ‘Manage auditing and security log’ privilege and Local administrator rights on the computer where Server Configuration Monitor is installed.


3.2 Data Collection and Reporting

This section describes how you can perform the data collection and reporting using Server Configuration Monitor Standard Edition.

Wait for the data collection task to run twice, or launch it manually to see the results immediately. The task is named NetWrix Server Configuration Monitor and can be accessed using Task Scheduler.

At the first run of the scheduled task, a message notifies you that the initial analysis is completed. Next, you can make some changes to your servers to see an example of how they will be reported. You can change the following parameters:

• General computer settings (for example: make changes to a local disk (partition size, description), make changes to the computer description, change DNS)

• Software installation (for example: install or uninstall a program)

• Services (for example: install or uninstall a service, change its description)

• Hardware and system drivers (for example: mount or unmount a DVD-ROM or a memory strip, add or delete a device from Device Manager)

• Local users and groups (for example: add a user or a group, add or remove a user from a group)

• Windows registry (for example: add or remove a key or change a key value in the HKEY_LOCAL_MACHINE\SOFTWARE subtree)

After that, you can launch the scheduled task again, and then check the mailbox for the new report. The changes should be reported as shown in the figure below. A web browser is used to view the reports from Report Manager. See the page below for a report example.


3.3 Viewing Archived Changes

To get an on-demand report on changes made to your servers, you can use the Report Viewer. This tool allows you to generate a report on changes that occurred between 2 snapshots of your choice.

Note: The scheduled task should execute at least 2 times before the reports become available.

To view the changes that occurred between the particular snapshots:

1. Launch the Report Viewer from the Start menu by going to All Programs > NetWrix > Server Configuration Monitor.

Figure 10: Server Configuration Monitor Viewer main window

2. Select the server and snapshots (by date) and click Generate to generate and save a report on changes between them (in the HTML format).

3. In the Save as dialog, specify the location where the HTML report will be saved. By default, it is saved to ‘Server Configuration Monitor.html’ file in the user’s Documents folder.

4. The report will then be saved as HTML file and opened in your default web browser to show you the changes that occurred between the selected snapshots. The report will also include information on multiple different server configuration parameters if the corresponding settings were enabled in the configuration utility.


3.4 Advanced Reporting

With SQL Server Reporting Services deployed, you can also configure Advanced Reporting. Advanced Reporting has the following advantages:

● Ability to change report filters to fine-tune the data view according to your needs.

● Export to different formats: PDF, XLS, etc.

● Apply grouping and sorting to the report data.

An example of advanced reporting is shown below:


4. About NetWrix Products

Solutions developed by NetWrix Corporation help organizations to meet compliance standards, simplify identity management, and reduce IT infrastructure costs. The product line includes solutions for change management, identity management, virtualization, and Active Directory troubleshooting.

delivers detailed information on a daily basis. The report includes the 4 “W”s - Who, What, When, and Where - of all changes and includes “before” and “after” values for each and every setting. This report lists changes made to AD and Exchange configurations, Group Policy objects and setting modifications, and many more.

account lockout incidents in a self-service fashion without involvement of help desk personnel.

administrative costs associated with manual resolution of account lockouts.

provisioning of shared administrative accounts, to enable centralized control and auditing of all shared accounts in organizations, from Active Directory and servers to routers and database systems.

For more information, please visit

5. Disclaimer

The information in this publication is furnished for information use only, does not constitute a commitment from NetWrix Corporation of any features or functions discussed and is subject to change without notice. NetWrix Corporation assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication. NetWrix is a registered trademark of NetWrix Corporation. The NetWrix logo and all other NetWrix product or service names and slogans are registered trademarks or trademarks of NetWrix Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and registered trademarks are property of their respective owners.

© 2010 NetWrix Corporation. All rights reserved.

Figure

Figure 1: Product Architecture and data flow
Figure 2: Audit Settings dialog window
Figure 3: Server Configuration Monitor configuration utility window
Figure 4: Scheduled Task Credentials dialog window