Legal Notice
The information in this publication is furnished for information use only, and does not constitute a
commitment from Netwrix Corporation of any features or functions, as this publication may describe
features or functionality not applicable to the product release or version you are using. Netwrix makes
no representations or warranties about the Software beyond what is provided in the License Agreement.
Netwrix Corporation assumes no responsibility or liability for the accuracy of the information presented,
which is subject to change without notice. If you believe there is an error in this publication, please report
it to us in writing.
Netwrix is a registered trademark of Netwrix Corporation. The Netwrix logo and all other Netwrix
product or service names and slogans are registered trademarks or trademarks of Netwrix Corporation.
Active Directory is a trademark of Microsoft Corporation. All other trademarks and registered trademarks
are property of their respective owners.
Disclaimers
This document may contain information regarding the use and installation of non-Netwrix products.
Please note that this information is provided as a courtesy to assist you. While Netwrix tries to ensure
that this information accurately reflects the information provided by the supplier, please refer to the
materials provided with any non-Netwrix product and contact the supplier for confirmation. Netwrix
Corporation assumes no responsibility or liability for incorrect or incomplete information provided about
non-Netwrix products.
2014 Netwrix Corporation.
All rights reserved.
Table of Contents
1. Introduction
1.1. Netwrix Auditor Overview
5. Create Managed Object to Audit Windows Server and Privileged User Session Activity
1. Introduction
This guide is intended for first-time users of Netwrix Auditor for Windows Server. It can be used for
evaluation purposes; therefore, it is recommended to read it sequentially and follow the instructions in
the order they are provided. After reading this guide you will be able to:
NOTE: This guide only covers the basic configuration and usage options for auditing Windows Server with
Netwrix Auditor. For advanced installation scenarios and configuration options, as well as for
information on various reporting possibilities and other product features, refer to Netwrix Auditor
Installation and Configuration Guide and Netwrix Auditor Administrator's Guide.
Configuration assessment: analyze current and past configurations with the state-in-time reports.
Predefined reports: pass audits with more than 200 out-of-the-box reports.
Netwrix Auditor employs AuditAssurance, a patent-pending technology that does not have the
disadvantages of native auditing or SIEM (Security Information and Event Management) solutions that rely
on a single source of audit data. The Netwrix Auditor platform utilizes an efficient, enterprise-grade
architecture that consolidates audit data from multiple independent sources with agentless or lightweight,
non-intrusive agent-based modes of operation and scalable two-tiered storage (file-based + SQL
database) holding consolidated audit data for 10 years or more.
Powered by the Netwrix AuditAssurance technology, Netwrix Auditor makes change auditing an easy and
straightforward process, resulting in a complete and concise picture of all changes taking place in your IT
infrastructure.
Netwrix Auditor for Windows Server detects and reports on all changes made to Windows-based servers'
configuration, including hardware devices, drivers, software, services, applications, networking settings,
registry settings, DNS, and more. It also provides automatic consolidation and archiving of event logs data.
Netwrix Auditor collects Windows event logs and syslog events from multiple computers across the
network, stores them centrally in a compressed format, and enables convenient analysis of event log data.
In addition, Netwrix Auditor for Windows Server can be configured to capture a video of users' sessions on
the audited computers which helps analyze how changes to your IT infrastructure were made. Video
records can be integrated into change reports on different audited systems.
Supported Versions
Windows Server
Server OS: Windows Server 2003 SP2 (32 and 64-bit) and above
NOTE: Netwrix Auditor provides limited support for auditing servers
running Windows Server 2012 R2.
Hardware Requirements
Software Requirements
Hardware Component: Minimum / Recommended
Processor
RAM: 2 GB / 8 GB
Disk Space: 500 MB for SQL Server databases where audit data is going to be stored
NOTE: These are rough estimations, calculated for evaluation of Netwrix Auditor
for Windows Server. Refer to Netwrix Auditor Installation and
Configuration Guide for complete information on the Netwrix Auditor disk
space requirements.
Screen resolution: 1024 x 768
Requirements
Framework
Additional Software
activity)
3. Click Install. Follow the instructions of the setup wizard. When prompted, accept the license
agreement and specify the installation folder.
Netwrix Auditor shortcuts will be added to the Start menu/screen and the Netwrix Auditor console will
open.
The Windows Management Instrumentation and the Remote Registry services are running and
their Startup Type is set to "Automatic". See To check the status and startup type of Windows
services for more information.
The File and Printer Sharing and the Windows Management Instrumentation features are
allowed to communicate through Windows Firewall. See To allow Windows features to communicate
through Firewall for more information.
Local TCP Port 9002 is opened for inbound connections on the computer where Netwrix Auditor is
installed. See To open Local TCP Port 9002 for inbound connections for more information.
Local TCP Port 9003 is opened for inbound connections on the audited computers. See To open
Local TCP Port 9003 for inbound connections for more information.
Remote TCP Port 9002 is opened for outbound connections on the audited computers. See To open
Remote TCP Port 9002 for outbound connections for more information.
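A read-only check of the prerequisites listed above, as an added PowerShell example that is not part of the Netwrix guide. The `-Role` parameter and the `Test-DomainAllowRule` helper are names assumed here, and the firewall cmdlets require Windows Server 2012 or later.

```powershell
# Added example, not Netwrix code. Run in an elevated PowerShell 3.0+ session on
# Windows Server 2012 or later (NetSecurity module). Inspects local firewall rules only.
param(
    # 'Server' = computer where Netwrix Auditor is installed; 'Agent' = audited computer.
    [ValidateSet('Server', 'Agent')] [string]$Role = 'Agent'
)
$findings = @()
# Services must be running with startup type Automatic (WMI reports it as 'Auto').
foreach ($name in 'Winmgmt', 'RemoteRegistry') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc -or $svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
        $findings += "Service ${name}: State=$($svc.State) StartMode=$($svc.StartMode)"
    }
}

# True when at least one enabled Allow rule in $Rules covers the Domain profile.
function Test-DomainAllowRule($Rules) {
    [bool]($Rules | Where-Object {
        $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' -and
        ("$($_.Profile)" -eq 'Any' -or "$($_.Profile)" -match 'Domain')
    })
}

# Firewall features. Display group names below are the en-US ones (they are localized).
foreach ($group in 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)') {
    $rules = Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
        Where-Object Direction -eq 'Inbound'
    if (-not (Test-DomainAllowRule $rules)) { $findings += "No enabled Domain rule: $group" }
}
# Port rules per role. Matches an exact port entry; port ranges are not expanded.
$checks = @(
    if ($Role -eq 'Server') {
        @{ Direction = 'Inbound'; Field = 'LocalPort'; Port = '9002' }
    } else {
        @{ Direction = 'Inbound'; Field = 'LocalPort'; Port = '9003' }
        @{ Direction = 'Outbound'; Field = 'RemotePort'; Port = '9002' }
    }
)
foreach ($c in $checks) {
    $rules = Get-NetFirewallRule -Direction $c.Direction -Enabled True -Action Allow |
        Where-Object {
            $f = $_ | Get-NetFirewallPortFilter
            $f.Protocol -eq 'TCP' -and $f.($c.Field) -contains $c.Port
        }
    if (-not (Test-DomainAllowRule $rules)) {
        $findings += "No Domain allow rule: TCP $($c.Field) $($c.Port) $($c.Direction)"
    }
}
if ($findings) { $findings } else { "All checked prerequisites are met for role '$Role'." }
```

An outbound finding matters only where the Domain profile blocks outbound traffic by default. Rules delivered by Group Policy are not in the local store this script reads.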
On the Program step, specify the path: %Netwrix Auditor installation folder%/Netwrix/User Activity Video Recorder/UAVRServer.exe.
On the Profile step, make sure that the rule applies to Domain.
On the Name step, specify the rule's name, for example UAVR Server inbound rule.
5. Double-click the newly created rule and open the Protocols and Ports tab.
6. In the Protocols and Ports tab, complete the steps as described below:
On the Program step, specify the path to the agent: %SystemDrive%\Program Files (x86)\Netwrix\User Activity Video Recorder Agent.
On the Profile step, make sure that the rule applies to Domain.
On the Name step, specify the rule's name, for example UAVR Agent inbound rule.
5. Double-click the newly created rule and open the Protocols and Ports tab.
6. In the Protocols and Ports tab, complete the steps as described below:
On the Program step, specify the path to the agent: %Netwrix%/User Activity Video Recorder Agent/UAVRAgent.exe.
On the Profile step, make sure that the rule applies to Domain.
On the Name step, specify the rule's name, for example UAVR Agent outbound rule.
5. Double-click the newly created rule and open the Protocols and Ports tab.
6. In the Protocols and Ports tab, complete the steps as described below:
Microsoft Internet Explorer 7.0 and above must be installed and ActiveX must be enabled.
Internet Explorer security settings must be configured properly. See To configure Internet Explorer
security settings for more information.
Internet Explorer Enhanced Security Configuration (IE ESC) must be disabled. See To disable Internet
Explorer Enhanced Security Configuration (IE ESC) for more information.
The user must belong to the Netwrix User Activity Video Reporter Auditors group that has access
to the Netwrix_UAVR$ shared folder where video files are stored. Both the group and the folder are
created automatically by Netwrix Auditor. See To add users to the Netwrix User Activity Video
Reporter Auditors group for more information.
A dedicated codec must be installed. This codec is installed automatically on the computer where
Netwrix Auditor is deployed, and on the monitored computers. To install it on a different computer,
download it from http://www.Netwrix.com/download/ScreenPressorNetwrix.zip.
To enable JavaScript
1. In Internet Explorer, navigate to Tools → Internet Options.
2. Switch to the Security tab and select Internet. Click Custom Level.
3. In the Security Settings - Internet Zone dialog, scroll down to Scripting and make sure Active
scripting is set to "Enable".
To add users to the Netwrix User Activity Video Reporter Auditors group
Depending on the computer type (workstation or domain controller) where Netwrix Auditor is installed, do
one of the following:
3. In the right pane, right-click Netwrix User Activity Video Reporter Auditors, and select
Properties. Click Add and specify the users that you want to add to this group.
To create a Managed Object to audit Windows Server and privileged user session activity
1. Select the Managed Objects node in the left pane and click Create New Managed Object in the
right pane.
2. On the Select Managed Object Type step, select Computer Collection as a Managed Object type in
the Create New Managed Object wizard.
3. On the Specify Default Data Processing Account step, click Specify Account.
Enter the default Data Processing Account (in the DOMAIN\user format) that will be used by Netwrix
Auditor for data collection. For a full list of the rights and permissions required for the Data
Processing Account, and instructions on how to configure them, refer to Netwrix Auditor Installation
and Configuration Guide.
4. On the Specify Email Settings step, specify the email settings that will be used for Reports delivery:
Setting
Description
SMTP server
Port
Sender address
SMTP Authentication
User name
Password
Confirm password
Select this checkbox if the implicit SSL mode is used, which means
mode
5. On the Specify Computer Collection Name step, enter the computer collection name.
6. On the Select Target Systems step, select Windows Server and User Activity as target systems.
7. On the Configure Reports Settings step, select Enable Reports. If the Reports functionality is
enabled, a SQL database will be created automatically on wizard completion.
Select one of the following:
Automatically install and configure a new instance of SQL Server Express Edition: to
automatically install and configure SQL Server 2008 R2/2012 Express with Advanced Services.
For detailed information on which SQL Server versions can be installed on your operating
system, refer to the Netwrix Knowledge base article: Which SQL Server versions can be installed
automatically with Netwrix Auditor.
Use an existing SQL Server instance with SQL Server Reporting Services: to use an already
installed SQL Server instance.
NOTE: Make sure the account used to create the Managed Object is granted the dbcreator
server role on this SQL Server instance. Otherwise, Netwrix Auditor will fail to create a
database to store your audit data.
Specify the following parameters:
Setting
Description
Windows Authentication
Select this option if you want to use the default Data Processing
Account to access the SQL database. This account must be
granted the database owner (db_owner) role. See Netwrix
Auditor Installation and Configuration Guide for more
information.
Clear this option if you want to use SQL Server Authentication.
User name
Specify the Report Server URL. Click Verify to ensure that the
resource is reachable.
Specify the Report Manager URL. Click Verify to ensure that the
resource is reachable.
NOTE: If the Data Processing Account specified earlier in this procedure is different from the account
used to create the Managed Object, you need to grant the Data Processing Account the
database owner (db_owner) role for the newly created database. See Netwrix Auditor
Installation and Configuration Guide for more information.
8. On the Add Items to Computer Collection step, select items that you want to audit. You can add
several items to the collection. Click Add, select an item type and add / browse for a computer name.
Review the following for additional information:
Option
Description
Computer name
container:
Domain
controllers,
Servers
do not want to audit. In the Exclude Computers dialog, click
Add and specify an object.
NOTE: The list of containers does not include child domains of
trusted domains. Use other options (Computer name, IP
address range, or Import computer names from a file)
to specify the target computers.
IP address range
from a file
a .txt file (one computer name/IP address per line is accepted). You
can choose whether to import the list once, or to update it
automatically.
If you select the Import on every data collection option, you can
later modify the list of your audited computers by editing the .txt
file. The audited computers list will be updated on the next data
collection.
9. On the Select Data Collection Method step, enable the Use Lightweight Agents option. If enabled,
an agent will be installed automatically on the audited computers that will collect and pre-filter data
and return it in a highly compressed format. This significantly improves data transfer and minimizes
the impact on the target computers' performance.
10. On the Configure Audit in Target Environment step, select Automatically for the selected
audited systems. Your current audit settings will be checked on each data collection and adjusted if
necessary.
NOTE: If any conflicts are detected with your current audit settings, automatic audit configuration
will not be performed. For a full list of audit settings required for Netwrix Auditor to collect
comprehensive audit data and instructions on how to configure them, refer to Netwrix
Auditor Installation and Configuration Guide.
11. On the Select Monitored Systems Components step, you can select the system components that
you want to audit for changes.
12. On the Configure Windows Server Change Summary Delivery Settings step, enter your email.
NOTE: It is recommended to click Verify. The system will send a test message to the specified email
address and inform you if any problems are detected.
13. On the Specify Users step, select the users whose activity should be recorded. You can select All
users or create a list of Specific users. Certain users can also be added to the Exceptions list.
14. On the User Activity Video Reporter Activity Summary Delivery step, set the delivery schedule
and enter your email.
NOTE: It is recommended to click Verify. The system will send a test message to the specified email
address and inform you if any problems are detected.
15. On the last step, review your Managed Object settings and click Finish to exit the wizard. The newly
created Managed Object will appear under the Managed Objects node.
NOTE: Before making any test changes to your environment, ensure that you have sufficient rights,
and that the changes conform to your security policy.
In order not to wait until a scheduled data collection and a Change Summary generation, launch data
collection manually. See Launch Initial Data Collection for more information.
Parameter
Description
Change Type
Object Type
When Changed
Who Changed
Shows the name of the account under which the change was made.
Server
Resource Path
Details
Shows the before and after values of the modified object, object
attributes, etc.
You will also receive an Activity Summary with information on the selected user's activity.
To see how your changes are reported with the Windows Server Overview dashboard
1. In the Netwrix Auditor console, navigate to the Enterprise Overview node.
2. In the right pane, select Windows Server Overview from the drop-down list next to Select
dashboard.
3. Review your changes.
4. Click on any chart to jump to a table report with the corresponding grouping and filtering of data.
To see how your changes are listed in the report with video
1. In the Netwrix Auditor console, navigate to Managed Objects <your_Managed_Object>
Windows Server Reports Changes with Video.
Description
Netwrix Auditor
Administrator's Guide
Contains a list of the known issues that customers may experience with
Notes