Active Directory (including Group Policy)

In the audited environment
See Configure Active Directory Domain for Monitoring for related settings and procedures.
TIP: Audit Configuration Assistant
On the computer where Netwrix Auditor Server is installed
- If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Netwrix Auditor to clear the old backups automatically. For that, use the CleanAutoBackupLogs registry key, as described in the Registry Keys for Monitoring Active Directory section.
NOTE: It is recommended that you adjust the retention period for the backup files accordingly (default is 50 hours). See Adjust Security Event Log Size and Retention Settings.
- To provide for event data collection, the Secondary Logon service must be up and running. Open Administrative Tools → Services, right-click the Secondary Logon service and on the General tab make sure that Startup type for this service is other than Disabled.

AD FS

In the audited environment
To configure an AD FS farm, you will need to enable AD FS audit settings and set up the Windows audit policy:
- AD FS audit settings must be configured on the primary AD FS server, i.e. on the first server you have set up in the farm:
  - To configure audit of AD FS 3.0 on Windows Server 2012 R2, use the following PowerShell cmdlet:
    Set-AdfsProperties -LogLevel Errors,FailureAudits,Verbose,SuccessAudits,Warnings
  - To configure audit of AD FS 4.0 on Windows Server 2016 or AD FS 5.0 on Windows Server 2019, use the following PowerShell cmdlets:
    Set-AdfsProperties -LogLevel Errors,FailureAudits,Verbose,SuccessAudits,Warnings
    Set-AdfsProperties -AuditLevel Verbose
- Windows audit policy must be configured on each server in the farm. For all Windows Server versions:
  - Adjust log size and retention settings for the Security log and for the AD FS Admin log (under Applications and Services Logs). See Adjusting Event Log Size and Retention Settings for details.
NOTE: If AD FS Admin logging is disabled, you should enable it.

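The following script is an added example (not part of the Netwrix documentation) that checks an AD FS server against the audit prerequisites above and applies the documented cmdlets where a setting is missing. It assumes an elevated PowerShell session on the primary AD FS server and that the AD FS Admin log referred to above is the channel named "AD FS/Admin" under Applications and Services Logs.

```powershell
# Added example, not part of the Netwrix documentation: verify the AD FS audit
# prerequisites and remediate with the documented Set-AdfsProperties calls.
# Assumption: the AD FS Admin log is the "AD FS/Admin" channel.
Import-Module ADFS -ErrorAction Stop

$expectedLogLevel = @('Errors', 'FailureAudits', 'Verbose', 'SuccessAudits', 'Warnings')
$props = Get-AdfsProperties

# LogLevel is a string array; every documented flag must be present.
$missingFlags = $expectedLogLevel | Where-Object { $props.LogLevel -notcontains $_ }
if ($missingFlags) {
    Write-Warning "LogLevel lacks: $($missingFlags -join ', ') - applying the documented value"
    Set-AdfsProperties -LogLevel $expectedLogLevel
}

# AuditLevel exists on AD FS 4.0 (Windows Server 2016) and later; AD FS 3.0 has no such property.
if ($props.PSObject.Properties.Name -contains 'AuditLevel' -and $props.AuditLevel -notcontains 'Verbose') {
    Write-Warning "AuditLevel is '$($props.AuditLevel)' - setting Verbose"
    Set-AdfsProperties -AuditLevel Verbose
}

# Report whether the AD FS Admin log is enabled and how both logs are sized and retained.
function Get-AdfsAuditLogState {
    foreach ($logName in 'Security', 'AD FS/Admin') {
        $log = Get-WinEvent -ListLog $logName -ErrorAction Stop
        [pscustomobject]@{
            Log       = $logName
            Enabled   = $log.IsEnabled            # must be $true for "AD FS/Admin"
            MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
            LogMode   = $log.LogMode              # Circular = "Overwrite events as needed"
        }
    }
}
Get-AdfsAuditLogState | Format-Table -AutoSize
```

Run it once after configuring the farm and again on each farm member: the LogLevel and AuditLevel checks matter only on the primary server, while the log-state report applies to every server in the farm.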
Azure AD

No special settings are required. Remember to do the following:
- Prepare a Data Collecting Account as described in the For Azure AD Auditing section.
- Configure required protocols and ports, as described in this table.

Exchange

In the audited environment
- Install the ADSI Edit utility on the server from which configuration is performed if it is not a Domain Controller. See Install ADSI Edit for more information.
- The following policies must be set to "Success" for the effective domain controllers policy:
  - Audit account management
  - Audit directory service access
- The Audit logon events policy must be set to "Success" (or "Success" and "Failure") for the effective domain controllers policy.
- The Advanced audit policy settings can be configured instead of basic.
- The Maximum Security event log size must be set to 4GB. The retention method of the Security event log must be set to “Overwrite events as needed”.
- Auto archiving must be enabled to prevent audit data loss if log overwrites occur.
- The Object-level audit settings must be configured for the Domain, Configuration and Schema partitions.
- The AD tombstoneLifetime attribute must be set to "730".
- If you have an on-premises Exchange server 2019, 2016, 2013 or 2010 in your Active Directory domain, consider that some changes can be made via that Exchange server. To be able to audit and report who made those changes, you should configure the Exchange Administrator Audit Logging (AAL) settings, as described in Configure Exchange Administrator Audit Logging Settings.
- The Administrator Audit Logging settings must be configured (only required for Exchange 2019, 2016, 2013 or 2010).
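As an added example (not the vendor's own code), the script below checks the tombstoneLifetime requirement above and turns on Exchange Administrator Audit Logging. It assumes the Exchange Management Shell on a host that also has the ActiveDirectory module; Set-AdminAuditLogConfig is the standard on-premises AAL cmdlet and is assumed here, since the page only names the procedure.

```powershell
# Added example, not part of the Netwrix documentation: check tombstoneLifetime and
# enable Administrator Audit Logging (Exchange 2010 through 2019).
Import-Module ActiveDirectory -ErrorAction Stop

# The attribute lives on the Directory Service object in the Configuration partition.
$dsDN = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

function Get-TombstoneLifetime {
    $ds = Get-ADObject -Identity $dsDN -Properties tombstoneLifetime
    return $ds.tombstoneLifetime   # $null means the forest default is in effect
}

$current = Get-TombstoneLifetime
if ($current -ne 730) {
    Write-Warning "tombstoneLifetime is '$current'; the documentation requires 730"
    # Raising the value only lengthens how long tombstones of deleted objects are kept,
    # but it is forest-wide: confirm replication health before uncommenting.
    # Set-ADObject -Identity $dsDN -Replace @{ tombstoneLifetime = 730 }
}

# Administrator Audit Logging: enable it if it is off, then show the effective state.
$aal = Get-AdminAuditLogConfig
if (-not $aal.AdminAuditLogEnabled) {
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
}
Get-AdminAuditLogConfig | Select-Object AdminAuditLogEnabled, AdminAuditLogAgeLimit
```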
- In order to audit mailbox access, native audit logging must be enabled for user, shared, equipment, linked, and room mailboxes.
  - Access types: administrator, delegate user
  - Actions: Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create
On the computer where Netwrix Auditor Server is installed
- If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Netwrix Auditor to clear the old backups automatically. For that, use the CleanAutoBackupLogs registry key, as described in the Registry Keys for Monitoring Active Directory section.
NOTE: It is recommended that you adjust the retention period for the backup files accordingly (default is 50 hours). See Adjust Security Event Log Size and Retention Settings.
- To provide for event data collection, the Secondary Logon service must be up and running. Open Administrative Tools → Services, right-click the Secondary Logon service and on the General tab make sure that Startup type for this service is other than Disabled.

Exchange Online

In the audited environment
- If you plan to audit non-owner mailbox access within your Exchange Online organization, native audit logging must be enabled for user, shared, equipment, linked, and room mailboxes.
  - Access types: administrator, delegate user
  - Actions: Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create
Depending on the authentication type (basic or modern) and deployment scenario, you will need to perform the related configuration procedures. See For Exchange Online Auditing.
Remember to do the following:
- Prepare a Data Collecting Account as described in the For Exchange Online Auditing section.
- Configure required protocols and ports, as described in Protocols and Ports Required for Monitoring Office 365.

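The mailbox audit requirement is the same for on-premises Exchange (the Exchange section above) and for Exchange Online, so one added example serves both; it is not the vendor's code. It enables native audit logging for the five mailbox types with the administrator and delegate access types and the listed actions, then reports mailboxes that still fall short. It assumes either the Exchange Management Shell (Exchange 2010 through 2019) or a session opened with Connect-ExchangeOnline from the ExchangeOnlineManagement module.

```powershell
# Added example, not part of the Netwrix documentation: enable and verify native
# mailbox audit logging for the mailbox types, access types and actions listed above.
$actions = 'Update', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete',
           'FolderBind', 'SendAs', 'SendOnBehalf', 'Create'
$mailboxTypes = 'UserMailbox', 'SharedMailbox', 'EquipmentMailbox', 'LinkedMailbox', 'RoomMailbox'

function Get-AuditedMailboxes {
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $mailboxTypes
}

# Administrator and delegate access types; owner actions are not required by the page.
foreach ($mbx in Get-AuditedMailboxes) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditAdmin $actions -AuditDelegate $actions
}

# Report mailboxes where auditing is off or a required action is missing.
function Get-MailboxAuditGaps {
    foreach ($mbx in Get-AuditedMailboxes) {
        $missingAdmin    = $actions | Where-Object { $mbx.AuditAdmin    -notcontains $_ }
        $missingDelegate = $actions | Where-Object { $mbx.AuditDelegate -notcontains $_ }
        if (-not $mbx.AuditEnabled -or $missingAdmin -or $missingDelegate) {
            [pscustomobject]@{
                Mailbox         = $mbx.PrimarySmtpAddress
                Type            = $mbx.RecipientTypeDetails
                AuditEnabled    = $mbx.AuditEnabled
                MissingAdmin    = ($missingAdmin -join ',')
                MissingDelegate = ($missingDelegate -join ',')
            }
        }
    }
}
Get-MailboxAuditGaps | Format-Table -AutoSize
```

An empty gap report is the expected result; any row it prints is a mailbox whose non-owner access would not be recorded, which is exactly the blind spot the requirement above is meant to close.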
Windows File Servers

In the audited environment
- For a security principal (e.g., Everyone), the following options must be configured in the Advanced Security → Auditing settings for the audited shared folders:
  Permission | Audit
  List Folder / Read Data (Files only) | "Success" and "Fail"
  List Folder / Read Data (This folder, subfolders and files) | "Fail"
  Create Files / Write Data* | "Success" and "Fail"
  Create Folders / Append Data* | "Success" and "Fail"
  Write Extended Attributes* | "Success" and "Fail"
  Delete Subfolders and Files* | "Success" and "Fail"
  Delete* | "Success" and "Fail"
  Change Permissions* | "Success" and "Fail"
  Take Ownership* | "Success" and "Fail"
  NOTE: Select "Fail" only if you want to track failure events; it is not required for success events monitoring.
  If you want to get only state-in-time snapshots of your system configuration, limit your settings to the permissions marked with * and set them to "Success" (Apply onto: This folder, subfolders and files).
- The following Advanced audit policy settings must be configured:
  - The Audit: Force audit policy subcategory settings (Windows 7 or later) security option must be enabled.
  - Depending on your OS version, configure the categories as follows:
    Windows Server 2008
    Category | Subcategory | Setting
    Object Access | Audit File Share | "Success"
    Object Access | Audit File System | "Success" and "Failure"
    Object Access | Audit Handle Manipulation | "Success" and "Failure"
    Logon/Logoff | Logon | "Success"
    Logon/Logoff | Logoff | "Success"
    Policy Change | Audit Audit Policy Change | "Success"
    System | Security State Change | "Success"
    Windows Server 2008 R2 / Windows 7 and above
    Category | Subcategory | Setting
    Object Access | Audit File Share | "Success"
    Object Access | Audit File System | "Success" and "Failure"
    Object Access | Audit Handle Manipulation | "Success" and "Failure"
    Object Access | Audit Detailed file share | "Failure"
    Logon/Logoff | Logon | "Success"
    Logon/Logoff | Logoff | "Success"
    Policy Change | Audit Audit Policy Change | "Success"
    System | Security State Change | "Success"
  If you want to get only state-in-time snapshots of your system configuration, limit your audit settings to the following policies:
    Category | Subcategory | Setting
    Object Access | Audit File System | "Success"
    Object Access | Audit Handle Manipulation | "Success"
    Object Access | Audit File Share | "Success"
    Policy Change | Audit Audit Policy Change | "Success"
- The following legacy policies can be configured instead of advanced:
- The Security event log maximum size must be set to 4GB. The retention method of the Security event log must be set to “Overwrite events as needed”.
- The Remote Registry service must be started.
- The following inbound Firewall rules must be enabled:
  - Remote Event Log Management (NP-In)*
  - Remote Event Log Management (RPC)*
  - Remote Event Log Management (RPC-EPMAP)*
  - Windows Management Instrumentation (ASync-In)
  - Windows Management Instrumentation (DCOM-In)
  - Windows Management Instrumentation (WMI-In)
  - Network Discovery (NB-Name-In)
  - File and Printer Sharing (NB-Name-In)
  - File and Printer Sharing (Echo Request - ICMPv4-In)
  - File and Printer Sharing (Echo Request - ICMPv6-In)
  NOTE: The rules marked with * are required only if you do not want to use network traffic compression for auditing.
  NOTE: If you plan to audit Windows Server 2019 or Windows 10 Update 1803 without the network compression service, make sure the following inbound connection rules are enabled:
  - Remote Scheduled Tasks Management (RPC)
  - Remote Scheduled Tasks Management (RPC-EPMAP)

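The per-folder auditing entries in the table at the top of this section are the part most often left incomplete, so here is an added example (not the vendor's code) that writes exactly those entries into a shared folder's SACL for the Everyone principal and then lists the result. It assumes an elevated session (reading and writing a SACL requires SeSecurityPrivilege), a placeholder path in $folder, and that the entries marked with * in the table are applied to "This folder, subfolders and files", the scope the table states explicitly only for the state-in-time case.

```powershell
# Added example, not part of the Netwrix documentation: apply the Advanced Security ->
# Auditing table for "Everyone" to a share and verify it. $folder is a placeholder.
$folder   = 'D:\Shares\Finance'   # placeholder, replace with an audited share path
$everyone = New-Object System.Security.Principal.NTAccount('Everyone')

$successAndFail = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$failOnly       = [System.Security.AccessControl.AuditFlags]::Failure
# "Files only": inherit to files, not to this folder or to subfolders.
$filesOnly      = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$inheritOnly    = [System.Security.AccessControl.PropagationFlags]::InheritOnly
# "This folder, subfolders and files" (assumed scope for the * entries).
$folderAndBelow = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noPropagation  = [System.Security.AccessControl.PropagationFlags]::None

# One entry per table row: FileSystemRights name, inheritance, propagation, audit flags.
$entries = @(
    @{ Right = 'ReadData';                     Inherit = $filesOnly;      Prop = $inheritOnly;   Audit = $successAndFail },
    @{ Right = 'ReadData';                     Inherit = $folderAndBelow; Prop = $noPropagation; Audit = $failOnly },
    @{ Right = 'WriteData';                    Inherit = $folderAndBelow; Prop = $noPropagation; Audit = $successAndFail },
    @{ Right = 'AppendData';                   Inherit = $folderAndBelow; Prop = $noPropagation; Audit = $successAndFail },
    @{ Right = 'WriteExtendedAttributes';      Inherit = $folderAndBelow; Prop = $noPropagation; Audit = $successAndFail },
    @{ Right = 'DeleteSubdirectoriesAndFiles'; Inherit = $folderAndBelow; Prop = $noPropagation; Audit = $successAndFail },
    @{ Right = 'Delete';                       Inherit = $folderAndBelow; Prop = $noPropagation; Audit = $successAndFail },
    @{ Right = 'ChangePermissions';            Inherit = $folderAndBelow; Prop = $noPropagation; Audit = $successAndFail },
    @{ Right = 'TakeOwnership';                Inherit = $folderAndBelow; Prop = $noPropagation; Audit = $successAndFail }
)

# Read the current SACL, add the audit rules, and write it back.
$acl = Get-Acl -Path $folder -Audit
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $everyone, [System.Security.AccessControl.FileSystemRights]$e.Right, $e.Inherit, $e.Prop, $e.Audit)
    $acl.AddAuditRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Verify: show what the SACL now holds for Everyone.
function Get-EveryoneAuditEntries {
    (Get-Acl -Path $folder -Audit).Audit |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
        Select-Object FileSystemRights, AuditFlags, InheritanceFlags, PropagationFlags
}
Get-EveryoneAuditEntries | Format-Table -AutoSize
```

SACL entries only produce events when the Audit File System subcategory in the table further down is also enabled; the two settings are independent, and a share with a correct SACL but no object-access policy logs nothing.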
EMC Isilon

In the audited environment
- CIFS Network Protocol support is required.
- Create a shared directory /ifs/.ifsvar/audit/ on your cluster.
  NOTE: Use SMB (CIFS) protocol for sharing.
- The following filters for auditing protocol operations that succeeded/failed must be enabled for audited access zones on your cluster:
  - Audit Success: read, write, delete, set_security, rename
  - Audit Failure: read, create, write, delete, set_security, rename

EMC VNX/VNXe/Unity

In the audited environment
- CIFS Network Protocol support is required.
- Security Event Log Maximum Size must be set to 4GB.
- The Audit object access policy must be set to "Success" and "Failure" in the Group Policy of the OU to which the audited EMC VNX/VNXe/Unity/Celerra appliance belongs.
- Audit settings must be configured for CIFS File Shares. For a security principal (e.g., Everyone), the following options must be set to "Success" and "Fail" in the Advanced Security → Auditing settings for the audited shared folders:
  - List Folder / Read Data (Files only)
  - Create Files / Write Data
  - Create Folders / Append Data
  - Write Attributes
  - Write Extended Attributes
  - Delete Subfolders and Files
  - Delete
  - Change Permissions
  - Take Ownership

NetApp

In the audited environment
- CIFS Network Protocol support is required.
- Qtree Security must be configured. The volume where the audited file shares are located must be set to the "ntfs" or "mixed" security style.
- On Data ONTAP 7 and Data ONTAP 8 in 7-mode:
  - The httpd.admin.enable or the httpd.admin.ssl.enable option must be set to "on". For security reasons, it is recommended to configure SSL access and enable the httpd.admin.ssl.enable option.
  - The cifs.audit.liveview.enable option must be set to "off".
  - The cifs.audit.enable and the cifs.audit.file_access_events.enable options must be set to "on".
  - Unless you are going to audit logon events, the cifs.audit.logon_events.enable and the cifs.audit.account_mgmt_events.enable options must be set to "off".
  - The Security log must be configured:
    cifs.audit.logsize 300 000 000 (300 MB)
    cifs.audit.autosave.onsize.enable on
    cifs.audit.autosave.file.extension timestamp
- On Clustered Data ONTAP 8 and ONTAP 9:
  - External Web Services: true. For security reasons, it is recommended to enable only SSL access.
  - Firewall policy for data interfaces must be configured to allow ONTAPI protocol connections.
  - Audit settings must be configured as follows:
    Auditing State: | true
    Log Destination Path: | /audit
    Categories of Events to Audit: | file-ops, cifs-logon-logoff
    Log Format: | evtx
    Log File Size Limit: | 300MB
- Audit settings must be configured for CIFS File Shares. For a security principal (e.g., Everyone), the following options must be set to "Success" and "Fail" in the Advanced Security → Auditing settings for the audited shared folders:
  - List Folder / Read Data (Files only)
  - Create Files / Write Data
  - Create Folders / Append Data
  - Write Extended Attributes
  - Delete Subfolders and Files
  - Delete
  - Change Permissions
  - Take Ownership

Nutanix File Server

- To allow inbound connections to Netwrix Auditor server from Nutanix File Server, a TCP port must be open:
- Target Nutanix File Server must be located in the same subnet as Netwrix Auditor Server and must be configured as described in the Configure Nutanix File Server for Monitoring section.

Network Devices

In the audited environment:
For Cisco ASA:
- The global configuration mode is selected.
- The logging enable option is selected on the Cisco ASA device.
- The logging host parameter is set to the host address of the audited Cisco ASA device, and a UDP port (for example, 514) is used for sending messages.
  NOTE: Do not select the EMBLEM format logging for the syslog server option.
- The logging timestamp option is enabled.
- The logging trap option is set to a severity level from 1 to 6 inclusive.
For Cisco IOS:
- The global configuration mode is selected.
- The logging timestamp option is enabled.
- The logging trap option is set to a severity level from 1 to 6 inclusive.
- The logging host parameter is set to the host address where the service is going to be installed, and a UDP port (for example, 514) is used for sending messages.
For Fortinet FortiGate:
The target Fortinet FortiGate device must be configured via the Command Line Interface (CLI) as described in the Configure Fortinet FortiGate Devices section.
For Palo Alto:
Create a Syslog Server profile and syslog forwarding for the target Palo Alto device via the Web Interface as described in the Configure PaloAlto Devices section.
For Juniper:
The target Juniper device must be configured via the JunOS Command Line Interface (CLI) as described in the Configure Juniper Devices section.
For SonicWall:
Configure log settings, depending on your device type. See Configure Network Devices for Monitoring for more information.

Oracle Database

In the audited environment
Required settings are described in the Configure Oracle Database for Monitoring section.
On the computer where Netwrix Auditor Server is installed:
Verify that Oracle Data Provider for .NET and Oracle Instant Client are installed and properly configured.
See the Oracle Database section of the system requirements.

SharePoint

SharePoint Online (including OneDrive for Business)

In the cloud:
No special configuration required.
Remember to do the following:
- Prepare a Data Collecting Account as described in the For SharePoint Online Auditing section.
- Configure required protocols and ports, as described in Protocols and Ports Required for Monitoring Office 365.

SQL Server

Required settings are described in the Configure SQL Server for Monitoring section.

VMware

No configuration required.

Windows Server (including DNS, DHCP and removable media)

In the audited environment
- The Remote Registry and the Windows Management Instrumentation (WMI) services must be started.
- The following advanced audit policy settings must be configured:
  - The Audit: Force audit policy subcategory settings (Windows 7 or later) security option must be enabled.
  - For Windows Server 2008: the Object Access, Account Management, and Policy Change categories must be disabled while the Security Group Management, User Account Management, Handle Manipulation, Other Object Access Events, Registry, File Share, and Audit Policy Change subcategories must be enabled for "Success".
  - For Windows Server 2008 R2 / Windows 7 and above: the Audit Security Group Management, Audit User Account Management, Audit Handle Manipulation, Audit Other Object Access Events, Audit Registry, Audit File Share, and Audit Audit Policy Change advanced audit policies must be set to "Success".
- The following legacy audit policies can be configured instead of advanced: Audit object access, Audit policy change, and Audit account management must be set to "Success".
- The Enable Persistent Time Stamp local group policy must be enabled.
- The Application, Security, and System event log maximum size must be set to 4 GB. The retention method must be set to “Overwrite events as needed”.
- For auditing scheduled tasks, the Microsoft-Windows-TaskScheduler/Operational event log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to “Overwrite events as needed”.
- For auditing DHCP, the Microsoft-Windows-Dhcp-Server/Operational event log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to “Overwrite events as needed”.
- For auditing DNS, the Microsoft-Windows-DNS-Server/Audit event log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to “Overwrite events as needed”.
- The following inbound Firewall rules must be enabled:
  - Remote Event Log Management (NP-In)
  - Remote Event Log Management (RPC)
  - Remote Event Log Management (RPC-EPMAP)
  - Windows Management Instrumentation (ASync-In)
  - Windows Management Instrumentation (DCOM-In)
  - Windows Management Instrumentation (WMI-In)
  - Network Discovery (NB-Name-In)
  - File and Printer Sharing (NB-Name-In)
  - Remote Service Management (NP-In)
  - Remote Service Management (RPC)
  - Remote Service Management (RPC-EPMAP)
  - Performance Logs and Alerts (DCOM-In)
  - Performance Logs and Alerts (TCP-In)
  NOTE: If the audited servers are behind the Firewall, review the list of protocols and ports required for Netwrix Auditor and make sure that these ports are opened. See Protocols and Ports Required for Netwrix Auditor Server for more information.
- For auditing removable storage media, two Event Trace Session objects must be created.
NOTE: If you want to use Network traffic compression, make sure that the Netwrix Auditor Server is accessible by its FQDN name.

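The services, audit subcategories, event log sizing and firewall rules above are all settable from one elevated session, so the following added example (not the vendor's code) configures them on a target server and then prints a verification report. Assumptions: Windows Server 2012 or later for the NetSecurity cmdlets; log sizes are set to 4 GB minus 64 KB (4194240 KB), which is the largest value Event Viewer and the EventLog API accept; the "Enable Persistent Time Stamp" policy and the Event Trace Sessions for removable media are left to Group Policy and the referenced procedure.

```powershell
# Added example, not part of the Netwrix documentation: configure and verify the
# Windows Server prerequisites listed above. Run elevated on the audited server.

# 1. Required services.
foreach ($svc in 'RemoteRegistry', 'Winmgmt') {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# 2. Advanced audit policy subcategories set to "Success" (Windows Server 2008 R2 / Windows 7 and above).
$subcategories = 'Security Group Management', 'User Account Management', 'Handle Manipulation',
                 'Other Object Access Events', 'Registry', 'File Share', 'Audit Policy Change'
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable | Out-Null
}

# 3. Event logs: enable where needed, set the maximum size, and use overwrite-as-needed (/rt:false).
$maxBytes = 4GB - 64KB   # assumption: 4194240 KB is the ceiling the log configuration accepts
$logs = 'Application', 'Security', 'System',
        'Microsoft-Windows-TaskScheduler/Operational',
        'Microsoft-Windows-Dhcp-Server/Operational',   # present on DHCP servers only
        'Microsoft-Windows-DNS-Server/Audit'           # present on DNS servers only
foreach ($log in $logs) {
    $cfg = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
    if (-not $cfg) { continue }                       # role not installed on this server
    if (-not $cfg.IsEnabled) { wevtutil sl "$log" /e:true | Out-Null }
    wevtutil sl "$log" "/ms:$maxBytes" /rt:false | Out-Null
}

# 4. Inbound firewall rules from the list above (names absent on this build are skipped).
$ruleNames = 'Remote Event Log Management (NP-In)', 'Remote Event Log Management (RPC)',
             'Remote Event Log Management (RPC-EPMAP)',
             'Windows Management Instrumentation (ASync-In)',
             'Windows Management Instrumentation (DCOM-In)',
             'Windows Management Instrumentation (WMI-In)',
             'Network Discovery (NB-Name-In)', 'File and Printer Sharing (NB-Name-In)',
             'Remote Service Management (NP-In)', 'Remote Service Management (RPC)',
             'Remote Service Management (RPC-EPMAP)',
             'Performance Logs and Alerts (DCOM-In)', 'Performance Logs and Alerts (TCP-In)'
Get-NetFirewallRule -DisplayName $ruleNames -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Enable-NetFirewallRule

# 5. Verification: effective subcategory settings and log configuration.
function Get-AuditPrerequisiteReport {
    foreach ($sub in $subcategories) {
        # "auditpol /get ... /r" emits CSV with an "Inclusion Setting" column, e.g. "Success".
        $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
        [pscustomobject]@{ Item = "auditpol: $sub"; Value = $row.'Inclusion Setting' }
    }
    foreach ($log in $logs) {
        $cfg = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
        if ($cfg) {
            $sizeMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            [pscustomobject]@{ Item = "log: $log"; Value = "Enabled=$($cfg.IsEnabled) MaxMB=$sizeMB Mode=$($cfg.LogMode)" }
        }
    }
}
Get-AuditPrerequisiteReport | Format-Table -AutoSize
```

The report is the part worth keeping: run it from a scheduled job or a configuration-baseline check, since a Group Policy refresh or a role reinstall can silently reset a log size or subcategory and leave the collector with a gap that only shows up as missing events.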
Event Log (including Cisco)

IIS

Logon Activity

In the audited environment
- The following policies must be set to "Success" and "Failure" for the effective domain controllers policy:
  - Audit Logon Events
  - Audit Account Logon Events
- The Audit system events policy must be set to "Success" for the effective domain controllers policy.
- The Advanced audit policy settings can be configured instead of basic.
- The Maximum Security event log size must be set to 4GB. The retention method of the Security event log must be set to “Overwrite events as needed” or "Archive the log when full".
- The following Windows Firewall inbound rules must be enabled:
  - Remote Event Log Management (NP-In)
  - Remote Event Log Management (RPC)
  - Remote Event Log Management (RPC-EPMAP)

User Activity

On the computer where Netwrix Auditor Server is installed
- The Windows Management Instrumentation and the Remote Registry services must be running and their Startup Type must be set to "Automatic".
- The File and Printer Sharing and the Windows Management Instrumentation features must be allowed to communicate through Windows Firewall.
- Local TCP Port 9004 must be opened for inbound connections.