
Astounding need for analyzing Windows logon events

This week, we reviewed download poll results on two popular systems administration tools: Netwrix Logon Reporter and Netwrix Event Log Manager. Both tools help administrators gain visibility into user activity and into events that may be adversely affecting security or system performance. Maintaining a detailed history of these events for auditors is nearly impossible with native Active Directory tools, which creates an intense need for control over these activities.

Event Log Manager and Auditing Logon Events

Astonishingly, well over half of respondents cited the need to get detailed information on the most common user activity: logon events. No user can access network resources or perform any action on their system without first logging in. When recorded and presented efficiently, these events reveal a variety of problems and security risks, and they are considered the front line of network administration. The Event Log Manager results showed that nearly one-third of those downloading were doing so for the real-time Event Log alerts, also in reaction to the frequent events that drive much of the help desk workload each day.

Combined, these two products represent core tools any network administrator needs to be successful at their daily management tasks. What is most important to note in these two results is that, by download volume, investigation of logon events made up more than half. This means that of all the types of activity that go on in a network, logon events still represent the most helpful and valuable information available. While various event log messages are important and should also be reviewed, they will commonly impact fewer users than simple logon problems, and that is clearly reflected in the download poll results for these two products. Logon problems are so prevalent because everything requires authentication for security, and authentication is the step most sensitive to end-user interaction. Because of their frequency, logon problems also pose the greatest risk to users being able to perform their duties each day. Logon problems also arise when automated services and applications are tied to logon credentials; these can be anything from batch programs that aggregate data to database maintenance tasks.

Logon events make up a large portion of the problems you may encounter, and these results clearly show this. Managing large volumes of logon events, both successful and unsuccessful, with native Active Directory tools is next to impossible. Furthermore, maintaining an archive for compliance and providing reports for auditing purposes are not capabilities of native Active Directory tools. Netwrix offers both Logon Reporter and Event Log Manager in freeware editions to help sustain an organization’s compliance and security efforts. As an administrator, taking a proactive role in resolving logon problems will reduce help desk calls and make the environment more secure and efficient for users. These tools also fill the gap left by Active Directory for storing and reporting on large volumes of information.

What logon/access issues do you deal with most? How does monitoring of logon activity improve your environment? Do you have a need to maintain this information for your auditors internally and/or externally? Please share your thoughts and comments below.

Chris is a former Senior Director of Product Management at Netwrix. He has been involved in various technology roles, from desktop support to network management and from technical training to sales and product management, for more than 20 years. Happily married, father of two, writer, singer/songwriter, runner and all-around curious explorer of life and all that it has to offer.