LT Auditor+ for Windows: Overview
LT Auditor+ is a security software application that provides surveillance of user activity for Microsoft Windows & Novell NetWare servers and security activity for Microsoft Active Directory/NT Domains & Novell eDirectory/NDS to produce an enterprisewide audit trail.
Concept
· LT Auditor+ Management Console installed on a Windows server that will be the LT Auditor+ Manager
· Windows servers are remotely installed from this console
· Audit policies set on each server cause Windows to write events to the Event Logs
· Agent Services run on every Windows server (including the LT Auditor+ Manager server), collecting from the Event Logs in real time
· Data collected according to configured filters, via logical Groups defined on the Manager
· Optional alerts according to configured filters
· Regular transfer to the Manager server
· Daily rollup to database
· Reports run from the database using the LT Auditor+ SQL Report Generator
Cross-platform consolidation from NetWare:
1. Getting Started
For further information, or if you encounter any problems installing, please see the following files:
· README.TXT in the unzip folder or the Windows folder of the CD
· LT Auditor+ for Microsoft Windows User Guide.PDF (Adobe Acrobat) in the Manuals folder
· LTA.CHM (Compiled Help) in the "Program Files\BlueLance, Inc\LT Auditor+ for Windows" folder
For additional information, please try our web support page (www.altman.co.uk/support), which has a Frequently Asked Questions (FAQ) section; if this does not help, contact Altman Technologies (see frontsheet for contact details). The software is available as a download from the web or can be supplied on CD. The zip file you are provided with specifies the version number in its name & needs to be unzipped. Please read this entire document before starting the installation.
Setting up Windows 2000/NT security policies
Windows audit policies determine which security events are logged to the event logs. To set up audit policies:
· In your Microsoft Windows 2000 environment:
a. From the Administrative Tools folder, launch Local Security Policy (on a standalone or member computer, which includes Windows 2000 Professional) or, on a domain controller, Domain Controller Security Policy (applied to the domain controllers) or Domain Security Policy (applied to every computer in the domain).
Note: Which application you use depends on the role of the computer rather than on the edition of Windows 2000 installed. On a domain member, a domain-level audit policy overrides the local one, so a local setting that has been overridden will not take effect.
b. Select Local Policies > Audit Policy and double-click a policy name to modify that policy's settings.
· In your Microsoft Windows NT environment:
a. From the Administrative Tools folder, launch User Manager (workstation) or User Manager for Domains (server or domain controller).
b. Select Policies > Audit and modify the policy's settings.
You can set up file-auditing policies for each directory that you want to audit. File auditing produces events only when Audit object access is enabled in the audit policy above. For complete instructions on setting file-auditing policies, refer to Appendix A of the manual.
2. Server Installation
Event Log configurations
To set up the event log configuration in a Windows environment:
1. Launch the Event Viewer.
2. In Windows 2000, right-click an event log folder and select Properties. In Windows NT, select Log > Log Settings.
3. Modify the log properties settings:
a. Set the Maximum log size field according to your storage requirements, but not less than 10240 KB for the Security event log or 1024 KB for all other event logs.
b. In the When maximum log size is reached section, select Overwrite events as needed. This keeps Windows logging when the log fills; with Do not overwrite events, Windows stops writing new events once the log is full. Because the agent collects in real time, events are transferred before they can be overwritten, provided the log is large enough to hold the events generated between collections, so size the log generously on busy servers.
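The two procedures above (audit policy, then event log size and retention) can also be applied and verified from the command line. The following is an added example, not part of the LT Auditor+ documentation or product: it writes a Security Configuration Editor template, applies it with secedit.exe (Windows 2000 and later; on NT 4 use the GUI steps above), exports the resulting audit policy for review, and reads back the event log settings from the registry. The file paths and the choice of audit categories are assumptions for the example; the 10240 KB Security log minimum and the 1024 KB minimum for the other logs are the values the text requires.

```powershell
# Added example (not from the LT Auditor+ documentation): apply the audit policy
# and event-log settings described above with a security template and verify them.
# Assumptions: Windows 2000 or later with secedit.exe, run from an elevated prompt;
# the paths below are arbitrary; the audit categories chosen are a typical set for
# a server that feeds an event-log collector, not values prescribed by the product.
$template = 'C:\Temp\lta-audit.inf'
$database = 'C:\Temp\lta-audit.sdb'
$exported = 'C:\Temp\lta-current.inf'

# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
# [Event Log] sizes are in KB; a RetentionPeriod of 0 is "Overwrite events as needed".
# Single-quoted here-string, so the $ signs in the signature need no escaping.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditObjectAccess = 3
AuditDSAccess = 3
AuditProcessTracking = 0
[Event Log]
MaximumSecurityLogSize = 10240
SecurityLogRetentionPeriod = 0
MaximumLogSize = 1024
AuditLogRetentionPeriod = 0
MaximumSystemLogSize = 1024
SystemLogRetentionPeriod = 0
'@ | Set-Content -Path $template -Encoding Unicode

# Apply only the security-policy area (audit policy and event-log settings).
& secedit.exe /configure /db $database /cfg $template /areas SECURITYPOLICY /quiet

# Verify 1: export the local audit policy and print the [Event Audit] section.
& secedit.exe /export /cfg $exported /areas SECURITYPOLICY
$inAudit = $false
foreach ($line in Get-Content $exported) {
    if ($line -match '^\[(.+)\]$') { $inAudit = ($Matches[1] -eq 'Event Audit'); continue }
    if ($inAudit -and $line -match '^(Audit\w+)\s*=\s*(\d)') {
        '{0,-22} {1}' -f $Matches[1], @('None','Success','Failure','Success, Failure')[[int]$Matches[2]]
    }
}

# Verify 2: read the values the Event Log service actually uses. MaxSize is in
# bytes; Retention 0 = overwrite as needed, 0xFFFFFFFF (-1) = never overwrite,
# any other value = seconds to keep events before they may be overwritten.
$minimumKB = @{ Security = 10240; Application = 1024; System = 1024 }
foreach ($log in $minimumKB.Keys) {
    $k = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
    [pscustomobject]@{
        Log       = $log
        MaxSizeKB = [int]($k.MaxSize / 1KB)
        Retention = $k.Retention
        Compliant = ($k.Retention -eq 0) -and ($k.MaxSize -ge $minimumKB[$log] * 1KB)
    }
}
```

On a domain member or domain controller, Group Policy can override these local settings; if the exported policy does not match what you applied, compare against `secedit /export /mergedpolicy`, which includes the domain-level settings, and fix the setting in the Group Policy object that wins.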
Setting up the database
LT Auditor+ can be used with any of the following databases:
· Btrieve or XML
· Microsoft SQL Server 2000/7.0
· Oracle 8i or later
Btrieve and XML are built in to the product, so no set-up is required. To create a database using SQL Server 7.0 or SQL Server 2000, follow these guidelines:
· Create a basic or custom database.
· Create the structure within the database that LT Auditor+ needs to run properly. This structure comprises three database components: (i) tables, (ii) views and (iii) stored procedures.
· Assign permissions to the database.
Note: For SQL Server installation requirements, refer to the Microsoft website at: http://www.microsoft.com
Note: For Oracle installation requirements, refer to the Oracle website at: http://www.oracle.com
For further instructions on constructing a SQL or Oracle database, refer to Chapter 3, Constructing a Database, in the manual.
To install LT Auditor+ on a workstation or server from the Manager, select Start > Programs > LT Auditor+ > LT Auditor+ for Windows > Remote Install; the Install Wizard guides you through the installation process.
3. Configuring LT Auditor+
To configure LT Auditor+, launch the LT Auditor+ Management Console.
1. Configure the rollup destination database by performing the following steps:
a. Select the Manager Console window.
b. Right-click on the root and select Settings for [machinename].
c. On the General tab, select one of the following databases:
i. LT Auditor+ Custom Format (= XML)
ii. Pervasive Btrieve
iii. Microsoft SQL Server
iv. Oracle
d. Click the Advanced button to configure database connectivity information such as server name, database name, user and password. If you select LT Auditor+ Custom Format or Pervasive Btrieve, you can specify the destination file name.
2. On the Event Log List tab, add the event logs to be audited; for evaluation purposes the LT Auditor+ Processed Log is recommended.
Note: An event log will be audited only if there is at least one filter statement associated with it.
a. Amend the Archive, Transfer, SNMP and SMTP settings used within the application from their respective tabs if required.
3. a. Create a filter statement for each event log that needs to be audited. Ensure that RealTime is specified for the log collection type.
b. Configure jobs to:
i. Transfer audit data
ii. Rollup data into the required database
Note: For complete details on creating a job policy or filter statement, refer to the manual.
4. Create group(s) and their agent server(s) by performing these steps:
a. From the Manager Console window, create a new group.
b. Right-click the newly created group and create a new agent.
Note: An agent can be added to a group only if it is not assigned to another manager.
5. Modify the agent's policy information by performing the following steps:
a. From the Manager Console window, right-click the group just created and select Policy Information for xxx (where xxx represents the group name).
Assigning authorised users to manage LT Auditor+
By default, the user who installs LT Auditor+ is the only user authorised to manage it. To allow other users to manage LT Auditor+, add them to the authorised users list. All authorised users must have the following Windows trustee rights on every server they manage:
· Full Control to the folder where LT Auditor+ is installed
· Full Control to the Windows directory (usually C:\WinNT)
Full Control of the Windows directory is a broad privilege, so keep the authorised users list to the few accounts that genuinely need to manage the audit trail and review it periodically. For complete instructions on using LT Auditor+ for Windows, refer to the manual.
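Because the rights above include Full Control of the Windows directory, it is worth checking periodically that the principals holding that right on the managed servers are exactly the authorised users plus the built-in accounts Windows itself needs. The following is an added check, not part of LT Auditor+: it lists who holds Full Control on the two folders and compares that with the authorised users list. The user names and the install path are placeholders for your environment. It reads only the ACEs on each folder and does not resolve group membership, so a user who holds Full Control through a group such as Administrators is reported as missing rather than present.

```powershell
# Added check (not part of LT Auditor+): report who holds Full Control on the two
# folders the product requires for authorised users, and compare with your list.
# Assumptions: the user names and install path are placeholders; run as an
# administrator so that Get-Acl can read both ACLs.
$authorised = @('CORP\ltaadmin', 'CORP\secops')
$folders = @(
    (Join-Path $env:ProgramFiles 'BlueLance, Inc\LT Auditor+ for Windows'),
    $env:SystemRoot   # the Windows directory, usually C:\WinNT on NT/2000
)
# Built-in principals that hold Full Control on the Windows directory by default
# (TrustedInstaller only exists on Windows Vista and later).
$expectedSystem = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
                    'NT SERVICE\TrustedInstaller')

function Get-FullControlHolders {
    param([string]$Path)
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl  # 0x1F01FF
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object {
            # Inherited ACEs may carry the GENERIC_ALL bit (0x10000000) instead of
            # the specific FullControl mask, so accept either form.
            $r = [int]$_.FileSystemRights
            (($r -band $full) -eq $full) -or (($r -band 0x10000000) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

foreach ($folder in $folders) {
    $holders = @(Get-FullControlHolders -Path $folder)
    $missing = @($authorised | Where-Object { $holders -notcontains $_ })
    $extra   = @($holders | Where-Object { ($authorised + $expectedSystem) -notcontains $_ })
    [pscustomobject]@{
        Folder                = $folder
        FullControl           = ($holders -join ', ')
        MissingAuthorised     = ($missing -join ', ')   # users to add, or who rely on a group
        UnexpectedFullControl = ($extra -join ', ')     # principals to review or remove
    }
}
```

Anything listed under UnexpectedFullControl is a principal that can modify the audit agent's files and the Windows directory without being an authorised LT Auditor+ user; review each one, since the same right lets an account tamper with the agent that produces the audit trail.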
Uninstalling
Uninstalling the software from the Manager server desktop does not automatically uninstall the agent servers.
To do this, first free the agents by deleting them from within the group in the Manager Console, then uninstall the agent server(s) from their Control Panel, Add/Remove programs.
Finally, run uninstall for the LT Auditor+ Windows software from the Control Panel, Add/Remove programs on the Manager server.
Registering
LT Auditor+ comes with a fully functional, 30-day evaluation licence. Before the end of this evaluation, if you wish to buy, we will supply you with a serial number to turn the evaluation into a fully licensed version, enabling you to keep all the data & filters you have collected and customised.
Updating versions
There is no need to uninstall first. New versions can safely be installed over previous versions as long as you are within maintenance.