Components and Settings Monitored on Windows Server
This section lists Windows Server components and settings whose changes Netwrix Auditor can monitor:
- General Computer Settings
- Add / Remove Programs
- Services
- Audit Policies
- Hardware
- DHCP configuration
- Removable media
- Scheduled Tasks
- Local Users and Groups
- DNS Configuration
- DNS Resource Records
- File Shares
When monitoring a Windows Server, Netwrix Auditor needs to audit some registry settings. See Windows Server Registry Keys for details.
If you want Netwrix Auditor to audit custom registry keys, see Monitoring Custom Registry Keys for more information.
NOTE: In the table below, double asterisks (**) indicate the components and settings for which the Who value is reported as “Not Applicable”.
Object type | Attributes |
---|---|
General Computer Settings | |
Computer |
|
Computer Name |
|
Environment Variables |
|
Event Log |
|
General |
|
Remote |
|
Startup and Recovery |
|
System Time |
|
Add / Remove Programs | |
Add or Remove Programs |
|
Services | |
System Service |
|
Audit Policies | |
Local Audit Policy |
|
Per-User Local Audit Policy |
|
Hardware | |
Base Board** |
|
BIOS** |
|
Bus** |
|
Cache Memory** |
|
CD-ROM Drive** |
|
Disk Partition** |
|
Display Adapter** |
|
DMA** |
|
Floppy Drive** |
|
Hard Drive** |
|
IDE** |
|
Infrared** |
|
Keyboard** |
|
Logical Disk** |
|
Monitor** |
|
Network Adapter |
NOTE: A single asterisk (*) indicates the properties whose changes may not be reported correctly, displaying "Who" (i.e. initiator's account) as System. |
Network Protocol** |
|
Parallel Ports** |
|
PCMCIA Controller** |
|
Physical Memory** |
|
Pointing Device** |
|
Printing |
|
Processor** |
|
SCSI** |
|
Serial Ports** |
|
Sound Device** |
|
System Slot** |
|
USB Controller** |
|
USB Hub** |
|
DHCP configuration | |
NOTE: If the DHCP server runs on Windows Server 2008 (or below), then the Who value for DHCP server configuration events is reported as “Not Applicable”. |
|
Server role |
|
Server settings |
|
DHCP scope |
|
DHCP Reservation |
|
DHCP Policy |
|
Removable media | |
Removable Storage Media** |
NOTE: Netwrix Auditor does not report on floppy/optical disk and memory card storage media. For removable storage, the When value reports the actual time when a change was made and/or a target server was started.
NOTE: When the Audit Object Access local audit policy and/or the Audit Central Access Policy Staging \ Audit Removable Storage advanced audit policies are enabled on the target server, the |
Scheduled Tasks | |
Scheduled Task |
|
Local Users and Groups | |
Local Group |
|
Local User |
|
DNS Configuration | |
NOTE: The Who value will be reported for DNS configuration settings only if the DNS server runs on Windows Server 2012 R2 with Microsoft update KB2956577 applied. |
|
DNS Server |
|
DNS Zone |
|
DNS Resource Records | |
NOTE: The Who value will be reported for DNS Resource Records only if the DNS server runs Windows Server 2012 R2 with Microsoft update KB2956577 applied. |
|
DNS AAAA |
|
DNS AFSDB |
|
DNS ATM A |
|
DNS A |
|
DNS CNAME |
|
DNS DHCID |
|
DNS DNAME |
|
DNS DNSKEY |
|
DNS DS |
|
DNS HINFO |
|
DNS ISDN |
|
DNS KEY |
|
DNS MB*** |
|
DNS MD |
|
DNS MF |
|
DNS MG |
|
DNS MINFO |
|
DNS MR |
|
DNS MX |
|
DNS NAPTR |
|
DNS NS |
|
DNS NXT |
|
DNS PTR |
|
DNS RP |
|
DNS RRSIG |
|
DNS RT |
|
DNS SIG |
|
DNS SRV |
|
DNS TEXT |
|
DNS WINS |
|
DNS WKS |
|
DNS X25 |
|
File Shares | |
Share |
|
Windows Server Registry Keys
If you want to monitor changes to system components on a Windows Server, make sure that Windows Registry audit settings are configured on that Windows server.
This refers to the following keys:
- HKEY_LOCAL_MACHINE\SOFTWARE
- HKEY_LOCAL_MACHINE\SYSTEM
- HKEY_USERS\.DEFAULT
For these keys and subkeys, the following advanced permissions must be audited ("Successful" audit type required):
- Set Value
- Create Subkey
- Delete
- Write DAC
- Write Owner
The full list of keys (and subkeys) involved in Windows Server auditing is provided here.
IMPORTANT! Consider that audit data for the registry keys themselves will not appear in Netwrix Auditor reports, alerts or search results, as it is only used as one of the sources for the Activity Records formation.
- You can configure these settings automatically using Netwrix Auditor, as described in the Settings for Data Collection section. Corresponding audit settings will also be applied automatically after you select a checkbox under Monitor changes to system components on the General tab in the Windows Server data source properties (see Windows Server for details).
NOTE: Audit settings will be automatically adjusted only for the keys/subkeys involved in the monitoring of selected components (granular adjustment). For example, if you selected Services, the program will adjust the audit settings for the following subkeys:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services(|\\.*)
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services(|\\.*)
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services(|\\.*)
- To configure the audit settings manually, refer to the Configure Windows Registry Audit Settings section.
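The audit entries listed above can also be applied and checked from an elevated PowerShell session. The script below is an added example, not Netwrix code; it assumes the audited principal is Everyone (SID S-1-1-0), which this page does not specify, and that the entries should be inherited by subkeys.

```powershell
# Added example. Assumption: the audited principal is Everyone (S-1-1-0).
# SACL entries generate events only when registry object-access auditing
# is enabled in the audit policy of the target server.

$keys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM',
    'Registry::HKEY_USERS\.DEFAULT'
)

# Set Value, Create Subkey, Delete, Write DAC, Write Owner
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# The SID is used instead of the account name so the script works on localized systems.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # this key and its subkeys
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success                   # "Successful" audit type
)

foreach ($key in $keys) {
    $acl = Get-Acl -Path $key -Audit      # -Audit loads the SACL along with the DACL
    $acl.AddAuditRule($rule)              # merges with existing audit entries
    Set-Acl -Path $key -AclObject $acl

    # Read the SACL back and confirm that every required right is audited for success.
    $found = (Get-Acl -Path $key -Audit).GetAuditRules(
            $true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq 'S-1-1-0' -and
            ($_.RegistryRights -band $rights) -eq $rights -and
            ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success)
        }
    $status = if ($found) { 'audit rule present' } else { 'audit rule MISSING' }
    '{0}: {1}' -f $key, $status
}
```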
Monitoring Custom Registry Keys
To monitor custom registry keys, do the following:
- On the computer where Netwrix Auditor Server resides, navigate to %Netwrix Auditor installation folder%\Windows Server Auditing.
- Edit the customregistrykeys.txt file. File syntax is as follows:
monitoring plan name, server name, registry key name
For example:
#*,productionserver1.corp.local,HKEY_LOCAL_MACHINE\\SYSTEM\\RNG
Consider the following:
- Each entry must be on a separate line.
- Wildcards (* and ?) are supported (except for the registry key name field). A backslash (\) must be put in front of (*), (?), (,), and (\) if they are a part of an entry value.
- Lines that start with the # sign are treated as comments and are ignored.
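A quick way to catch escaping mistakes in customregistrykeys.txt before the file is deployed is to lint each line against the rules above. This is an added example, not a Netwrix tool: the function name Test-CustomRegistryKeyLine is hypothetical, the sample lines are constructed, and it assumes whitespace around a field is insignificant.

```powershell
# Added example, not Netwrix code. Assumption: whitespace around a field is ignored.
function Test-CustomRegistryKeyLine {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Line)
    if ($Line.Trim() -eq '' -or $Line.StartsWith('#')) { return }   # blank line or comment

    $fields = @(''); $hasWildcard = @($false); $n = 0; $errors = @()
    for ($i = 0; $i -lt $Line.Length; $i++) {
        $c = $Line[$i]
        if ($c -eq '\') {
            # A backslash must escape one of * ? , \ ; anything else is usually an unescaped path.
            $next = if ($i + 1 -lt $Line.Length) { $Line[$i + 1] } else { $null }
            if ($null -eq $next -or '*?,\'.IndexOf($next) -lt 0) {
                $errors += "column $($i + 1): backslash must be followed by * ? , or another backslash"
            } else {
                $fields[$n] += $next; $i++                # keep the escaped character literally
            }
        } elseif ($c -eq ',') {
            $fields += ''; $hasWildcard += $false; $n++   # an unescaped comma ends the field
        } else {
            if ($c -eq '*' -or $c -eq '?') { $hasWildcard[$n] = $true }
            $fields[$n] += $c
        }
    }
    if ($fields.Count -ne 3) {
        $errors += "expected 3 fields (monitoring plan name, server name, registry key name), found $($fields.Count)"
    } elseif ($hasWildcard[2]) {
        $errors += 'wildcards are not supported in the registry key name field'
    }
    [pscustomobject]@{
        Plan   = "$($fields[0])".Trim()
        Server = "$($fields[1])".Trim()
        Key    = "$($fields[2])".Trim()
        Errors = $errors
    }
}

# Constructed sample lines: one valid entry and two common mistakes.
$sample = @(
    '# comment lines are skipped',
    '*,productionserver1.corp.local,HKEY_LOCAL_MACHINE\\SYSTEM\\RNG',
    '*,fs?.corp.local,HKEY_LOCAL_MACHINE\SOFTWARE\Contoso',            # path backslashes not escaped
    'Plan A,srv1.corp.local,HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso*'    # wildcard in the key field
)
$sample | ForEach-Object { Test-CustomRegistryKeyLine $_ } | Format-List
```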