
ENABLE LOGON/LOGOFF AUDITING


Academic year: 2021


Lepide Software

LepideAuditor Suite


LepideAuditor Suite Enable Logon/Logoff Monitoring

Table of Contents

1. Introduction

2. Steps for Agent-based Auditing

3. Steps for Agentless Auditing

3.1 Installing Logon/Logoff Audit Module

3.2 Stopping Logon/Logoff Module

3.3 Uninstalling Logon/Logoff Audit Module

4. Common Steps for Server

4.1 Generating Logon.exe file

4.2 Creating Group Policy Object at Server

5. Support

5.1 Helpline


1. Introduction

To collect logon/logoff events, LepideAuditor Suite needs an agent to be added on the server and a group policy at the server linked with this agent.

This enables the software to monitor logon/logoff events, generate their reports, show their LiveFeed updates, send their reports on schedule, and dispatch alerts in real time.

The following items will not be generated if the required steps are not performed on the server.

• "Successful User Logon/Logoff" and "Domain Controller Logon/Logoff" Reports

• Custom Reports, LiveFeed, alerts, and scheduled reports for above reports

2. Steps for Agent-based Auditing

If agent-based auditing is selected, the agent that collects logon and logoff events is installed on the server by default. So, no additional steps are required except the default steps for the server illustrated below.

3. Steps for Agentless Auditing

In agentless auditing, no agent is installed on the server to collect the logon and logoff events. Therefore, a module agent must be installed on a Domain Controller of the domain; it collects these events and passes them to the software.

A separate installer file to install logon/logoff module will be supplied with the downloaded setup. It is required to run this installer file and install Logon/Logoff Audit module agent on any domain controller of the domain. Please refer to page Install Logon/Logoff Audit Module page to


3.1 Installing Logon/Logoff Audit Module

If you are adding the domain in agentless mode, that is, without installing an agent, then it is required to install LepideAuditor Logon/Logoff Audit Module on any of the domain controllers to collect logon/logoff events. If it is not installed, logon/logoff events will not be collected; therefore, the reports ("Successful User Logon/Logoff" and "Domain Controller Logon/Logoff") and their associated LiveFeed, alerts, and scheduled reports will not be generated.

The installer file for this module comes with the main setup file of the software, which you can download from http://www.lepide.com/lepideauditor/download.html. After downloading the installer file, execute the following steps to install the Logon/Logoff Audit Module.

1. Double click the downloaded installer file to start the installation.

Figure 1: Starting the Installation


2. Click "Next" to proceed. This will display the following wizard.

Figure 2: License Agreement

3. It's recommended to read the license agreement carefully before installing the software.

4. If you agree to the license agreement and want to continue the installation, then check "I accept the agreement" and click "Next".


5. Here, you can customize the location of the shortcuts folder in the Start Menu.

Figure 3: Option to modify the Shortcuts folder

6. Click "Browse" and select a different location to modify the location of the shortcuts folder in the Start Menu.


7. Click "Next" to use the default or customized shortcuts folder. This will display the following screen.

Figure 4: Perform Additional Tasks

8. Check the boxes titled "Create a desktop icon" and/or "Create a Quick Launch icon", if you want.

9. Click "Next" to proceed further.


Figure 5: Module is now ready to install

10. Click "Install" to begin the installation procedure.

Figure 6: Module is being installed


11. When the installation process is completed successfully, you'll receive the following message.

Figure 7: Module is installed

12. Click the Finish button to complete the process. It is recommended to keep the option "Launch LepideAuditor Logon/Logoff Audit Module" checked.

Figure 8: Module is running


13. You can click the cross icon on this dialog box to close it. However, LepideAuditor Logon/Logoff Audit Module will keep running and its icon will be visible in the system tray.

Figure 9: Showing icon and options for Logon/Logoff Audit Module

3.2 Stopping Logon/Logoff Module

You have to stop the app server either to stop receiving logon/logoff events or to uninstall the Module.

Follow the steps below:

1. Right click on the server icon in system tray, and click "Exit".

Figure 10: Option to stop and exit from Logon/Logoff Audit Module

2. Once you click "Exit", the following warning message will appear on screen.

Figure 11: Warning Message while stopping module

3. Click "Yes" to stop the module.


3.3 Uninstalling Logon/Logoff Audit Module

Execute the following steps to uninstall the Logon/Logoff Module.

1. There are two ways to start the uninstallation.

a. Go to Start → All Programs → "LepideAuditor Logon/Logoff Audit Module", click "Uninstall LepideAuditor Logon/Logoff Audit Module".

b. Click Start → Control Panel. Its window appears. Launch "Add/Remove Programs" or "Programs". Select "LepideAuditor Logon/Logoff Audit Module" and click "Remove".

2. Following any of the above methods will display a warning message.

Figure 12: Warning to uninstall the module.

3. Click “Yes” to uninstall the module.


Figure 13: Module is being uninstalled

4. After completing the un-installation, the following message box will appear.

Figure 14: Module has been uninstalled.

5. Click “OK” to finish this process.

This will uninstall the LepideAuditor Logon/Logoff Audit Module from your system.


4. Common Steps for Server

You have to perform the following steps to generate logon.exe for server and then to create a Group Policy to link it. This will enable the monitoring of logon/logoff events.

If you have not generated "logon.exe" and linked it with the server, then you will get the following error while generating the "Successful User Logon/Logoff" or "Domain Controller Logon/Logoff" reports.

Figure 15: Error while generating logon/logoff reports

Follow the steps herein below for both agentless and agent-based auditing to fix this issue and to enable the collection of logon/logoff events.

4.1 Generating Logon.exe file

Perform the steps below in the software to generate the Logon.exe file for enabling monitoring.

1. Use any of the following methods to start with.

A. While adding a domain with Advanced Configuration, you will arrive at the following step.


Figure 16: Advanced Domain Configuration

B. While modifying the domain, click "Object Class and Other Settings" to access the following settings.


Figure 17: Modifying Object Class and other Settings

2. Check "Audit Successful User Logon/Logoff" option.

3. Click icon. It will show the following dialog box.


4. Follow any of the steps below as per the auditing mode.

a. For Agent-based Auditing: Enter the "IP Address" of the server whose logon/logoff events have to be monitored.

b. For Agentless Auditing: Enter the IP Address of the domain controller, where Logon/Logoff Audit Module has been installed.

5. Click icon to select the location at the server where you want to save this executable file.

Figure 19: Browse for Server

It is recommended to save the executable file in the shared folder of the server whose logon/logoff events you want to monitor.

6. Select the folder and click "OK". This will take you back to previous dialog box, which will now show the selected folder.


Figure 20: Sample details to save executable file

7. Click "OK". It will generate the executable file and save it at the specified location. You will receive the following message confirming the same.

Figure 21: Successfully generated executable file

8. Click the link saying "Please follow link" to know the steps to be performed at the server.

It will open an HTML file in the default Web Browser.


Figure 22: Document showing further steps to be performed


4.2 Creating Group Policy Object at Server

Execute the steps below at the domain controller for which you want to enable logon/logoff monitoring.

1. Go to "Start Menu" → "All Programs" → "Administrative Tools" → "Group Policy Management". This will display the Group Policy Management window.

Figure 23: Group Policy Management

2. In the left panel, expand the nodes to reach the node of domain controller.


3. Right click on the node of domain. This will display the following context menu.

Figure 24: Context Menu for a DC in Group Policy Management

4. Select the option "Create a GPO in this domain, and Link here...". This will display the following dialog box to create a new Group Policy Object (GPO).

Figure 25: Box to create a new GPO

5. Provide a name for the new Group Policy say - "Logon Logoff by LepideAuditor".

Figure 26: Providing a name for the GPO


6. Click "OK". This will create the new GPO and will show it in the Group Policy Management.

Figure 27: Showing the newly created GPO


7. Right click on this newly created GPO.

Figure 28: Right Click Menu for the new GPO

8. Select the option "Edit" in this context menu. This will show the Group Policy Management Editor.

Figure 29: Group Policy Management Editor


9. In the left pane, expand the nodes in this order - "Logon Logoff by LepideAuditor" → "User Configuration" → "Policies" → "Windows Settings" → "Scripts (Logon/Logoff)". This will display two policies - Logon and Logoff in the Right Panel.

Figure 30: Showing Logon and Logoff Policies

10. Here, you have to modify any of these two policies. In this test case, we're modifying the logon policy.


11. Double click the "Logon" policy in the Right Panel. This will display the following dialog box.

Figure 31: Logon Properties

12. Click "Add" on this tab. This will display the following box to add a script.

Figure 32: Dialog box to add a logon script


13. Click "Browse" in this new box. Leave this box opened up as it is.

Figure 33: Dialog box to open a logon script file


14. Open the shared folder where you have copied the "Logon.exe" script file. Copy it.

Figure 34: Copying file "Logon.exe"

15. Paste this file "logon.exe" in the folder section of the "Browse" window.


Figure 35: Pasted the file named "Logon.exe"

16. Select the file and click "Open". This will take you back to the "Add a Script" box, which will display the selected file.


17. Click "OK". This will take you back to the "Logon Properties".

Figure 37: Required Logon Properties

18. Click "Apply" and then click "OK". This will close the "Logon Properties".

19. Close the window of "Group Policy Management Editor".

20. Come back to "Group Policy Management" window.

21. Select the newly created/modified policy in the Left Panel. This will display its details in the Right Panel.


Figure 38: Showing the properties of newly created policy

22. In its Right Panel, the "Security Filtering" section lets you select the objects like users, groups and computers on which this policy will be applied.

23. Click "Add" to display the box to add the objects upon which this policy will be applicable.


24. Type "Everyone" in the text box and click "Check Names". This will select all objects.

Figure 40: Selecting everyone

25. Click "OK" to confirm the change and take you back to the "Group Policy Management" window, which will now display the newly added object.

Figure 41: Showing 'Everyone' in Security Filtering


26. Close the "Group Policy Management" window.

27. Go to the Run Prompt or Command Prompt and type the command "gpupdate".

Figure 42: Command Prompt

28. Press Enter to run the "gpupdate" command. This will update the group policies.


29. Log off the current user and then log on again at the Windows Server so that Logon.exe runs on the server.

This will enable both the collection of logon/logoff events and the generation of relevant reports, alerts, and LiveFeed updates.
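
Because this GPO runs Logon.exe for every user covered by "Everyone", it is worth confirming after step 29 that only administrators can replace the file or edit the GPO. The PowerShell below is an added example, not part of the Lepide documentation or product; the GPO name is the sample from step 5, and the share path and the list of trusted SIDs are assumptions to adjust.

```powershell
# Added example (not Lepide code). Run on a domain controller with the
# GroupPolicy module. $GpoName is the sample name from step 5 of section 4.2;
# $ShareCopy is a placeholder for the shared-folder copy from section 4.1.
param(
    [string]$GpoName   = 'Logon Logoff by LepideAuditor',
    [string]$ShareCopy = '\\SERVER01\Share\Logon.exe'
)
Import-Module GroupPolicy

# Rights that let a principal replace or re-permission the file, plus the raw
# GENERIC_WRITE and GENERIC_ALL bits (0x50000000) that some ACEs carry.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = ([int]$fsr'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership') -bor 0x50000000
# SYSTEM, BUILTIN\Administrators, CREATOR OWNER, Domain Admins, Enterprise Admins
$trustedSid = '^(S-1-5-18|S-1-5-32-544|S-1-3-0|S-1-5-21-.+-(512|519))$'

function Get-ScriptFileAudit([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Not found: $Path"; return
    }
    $writers = foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (([int]$ace.FileSystemRights -band $writeMask) -and $sid -notmatch $trustedSid) {
            "$($ace.IdentityReference) ($($ace.FileSystemRights))"
        }
    }
    [pscustomobject]@{
        Path       = $Path
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        WritableBy = @($writers) -join '; '   # empty means admins only
    }
}

$gpo = Get-GPO -Name $GpoName -ErrorAction Stop
# User logon scripts added through the GPO editor are stored in this SYSVOL folder.
$logonDir = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\User\Scripts\Logon"
$deployed = @(Get-ChildItem -LiteralPath $logonDir -File -ErrorAction SilentlyContinue |
              ForEach-Object { $_.FullName })
$report = @($deployed + $ShareCopy | ForEach-Object { Get-ScriptFileAudit $_ })
$report | Format-List
if (@($report.SHA256 | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'Copies of the logon script differ; confirm which one the software generated.'
}

# Security Filtering should grant apply/read only; warn on non-admin GPO editors.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -match 'Edit' -and $_.Trustee.Sid.Value -notmatch $trustedSid } |
    ForEach-Object { Write-Warning "$($_.Trustee.Name) holds $($_.Permission) on '$GpoName'" }
```

Record the SHA256 value when Logon.exe is first generated so that later runs can detect a changed file.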

5. Support

If user logon and logoff events are still not being captured and/or displayed in LepideAuditor Suite, then please contact our Support Team.

5.1 Helpline

+91-9818725861

1-866-348-7872 (Toll Free for USA/CANADA)

You can also email us about your queries at:

[email protected] for Sales

[email protected] for Support

[email protected] for General Queries
