PRODUCT REVIEW: NETWRIX IDENTITY MANAGEMENT SUITE: “JUST RIGHT”

A few months ago we wrote about Change Reporter tool from NetWrix Corporation and impressions were really good. Let’s see if the the set of NetWrix tools for identity management would share the same attributes.

Identity and general management of service and user accounts, passwords and related stuff is a daily routine for almost any AD administrator. Automation of these processes often requires the purchase and deployment of expensive and complex solutions such as Microsoft Forefront Identity Manager or similar tools from other software vendors. Alternatively, you can write and use scripts for these tasks, but such a solution is usually difficult to support and definitely not easy to implement. And this is where an integrated identity management solution from NetWrix comes in.

NetWrix Identity Management Suite is composed of several largely independent products, which can be installed individually or together. Prerequisites are not particularly large. You will need a member server with Windows 2003 or newer (can be installed on a domain controller but that is neither necessary nor recommended) installed with the Web Server role included or IIS .NET Framework and Silverlight. For reporting features some tools require SQL Server Express /SQL Server full version (if available).

NetWrix Password Manager

Now let’s see what components make up NetWrix Identity Management Suite. To me the most interesting part is NetWrix Password Manager. The customer support due to problems with passwords and locked accounts makes a good deal of each administrator or support services –  Active Directory does not allow any kind of self-servicing for the users (in terms of self-reset forgotten passwords and unlocked accounts) and therefore all the work was transferred to the administrative side. Only products like ForeFront Identity Manager provide certain degree of functionality in this regard, but the implementation of FIM just to achieve this functionality is not an optimal solution.

NetWrix Password Manager is just about self-servicing in terms of account and password for the user. After the implementation of this component, and the appropriate configuration users will have the opportunity, , to reset their own forgotten password or to unlock a locked account through a very simple web-based interface. Before this functionality becomes available the administrator must make a couple of things related to the configuration. In the administrative portal you can configure the title and text of a self-service site, set up the company logo, contact information for support, and links to documents that specify requirements for the password.

Also, it is possible to manage the available functionality – the user can enable one or more of the following features: reset passwords, set options to change your password on the next logon, set “Password never expires” option on the account, account unlock and update the existing password (in the knowledge prior). These individual features can be switched on or off as needed.

Probably many will choose not to allow users to set attributes such as “Password never expires” on their account. Unfortunately in this version you cannot control on a per-user (or user group) basis as options to adjust the administrative section apply to all self-service users. Otherwise, almost all self-servicing options are based on challenge-response technique and pre-defined answers to the questions. This is a well-known technique to reset the password that is being used on Internet for years, but in AD this is, by design, not supported. You can define a total of 8 questions that are used for this purpose (such as mother’s maiden name, name of first pet, etc), but you can also add your own or modify existing ones. Each user during the enrollment process has to choose which questions to use as their own, and set answers only known to them.

The administrative side allows the configuration in the sense that you can define the minimum length of the answer to any question, the minimum required number of questions that must be set at enrollment, and the minimum number of responses that must be given exactly to unlock the account and perform password reset. Furthermore, it is possible to set a limitation that more questions have the same response or that response contains any string that is mentioned in the question. A very useful option, which definitely strengthens  the whole security system. What is particularly interesting is that the user may be obliged to define not only answers but also questions.. In this way we achieve a high degree of safety, but also relatively inconsistent configuration, so it is recommended to consider this before allowing users to define their own questions.

Events or actions that are performed by using self-service portal can be forwarded via e-mail to administrator, or anyone else who is doing the auditing. In addition to the administrative console, and console for the end user, NetWrix Password Manager provides the Help Desk Portal. This web portal, as its name suggests, is intended for those who work on the help desk. Somewhat as an alternative to the Self Service portal, the web portal through its interface allows a support technician to quickly and efficiently perform tasks that unlock locked accounts and reset passwords s. Also, this portal provides the ability to quickly and simply report on the actions that are carried through it and the customers who have done this in the enrollment system.

Alternatively, if you do not want to direct users to the web portal for performing these tasks, you can install the Password Manager client software on client computers to access self-service password / account for operations with the logon screen. In the event that the client is installed, users are offered enrollment in the system at the first logon after installing the client.

The whole system of account management and the password function is relatively simple. All operations are performed in the context of service that is installed on the computer / server on which NetWrix Password Manager  and portal run. Account under which the service runs can be specified during the installation of software and it must be delegated the right to manipulate user accounts in terms of resetting passwords and unlocking, and a few additional operations listed in software documentation. This approach is somewhat manual, but it allows an administrator to retain full control over the software.

NetWrix Account Lockout Examiner

NetWrix Account Lockout Examiner is quite simple but very useful piece of software that is designed for management of locked AD accounts and examining the causes for locking user accounts. Upon its launch, it will show the list of user accounts that were previously locked up for whatever reason along with information about the workstation on which the lock has happened, the domain controller that has locked the account and a few more details.

Except the possibility to unlock the account directly from the console, it can also be used to discover the reasons why account is locked. This is done by running a series of tests which include testing scheduled task that run under that account (and who may have the old password and causing lock), who use the service account, mapped drive or share-this application. The aim is that the administrator receives a more detailed insight into the potential reason why account is locked, if it is not some trivial reason, such as forgotten password. It is also possible to establish a certain degree of automation in the management of locked accounts, such as the ability to unlock it via e-mail from the administrator, or notified by mail when the lock occurs.

NetWrix Inactive Users Tracker and NetWrix Password Expiration Notifier

NetWrix Inactive Users Tracker is part of NetWrix Identity Management Suite that monitors user activity as well as accounts and sends notifications accordingly or takes a specific action. Extremely useful and easy to use, this tool helps administrators to handle a fairly common concern such as old and remaining accounts in the AD.

The first setting you should define is the number of days since last login, after which the account is considered inactive. After that, you can take more action. For example, you can send an e-mail to a manager of inactive user or you can automatically set random password to the account, disable the account or move it to another OU. The final option is to delete the account. Each of these actions is individually configurable and can be adjusted in relation to the number of days since last login. Technically, this tool actually reads the latest Logon attribute on user accounts and based on the result , uses the appropriate service account to run certain operations.

A related tool is located in the same console as well, and it is called NetWrix Password Expiration Notifier. This component tracks the last change of password on user accounts and in relation to the set value of the maximum duration of passwords notifies administrators or users that the time to change the password is near. This is a very simple tool, but that does its job and allows users to start thinking about new passwords beforehand.

NetWrix Privileged Account Manager

Another distinct piece of software featuring Silverlight-based console is NetWrix Privileged Account Manager which was the latest addition to the NetWrix Identity Management Suite. Actually it is a solution designed for managing accounts which in any way were delegated higher rights or privileges including both system administration and service accounts on one or more servers. The essential purpose of NetWrix Privileged Account Manager is to centralize password management for all privileged accounts shared between multiple users or multiple services and applications. Adding accounts within the PAM console automatically sets a random password that is synchronized with all systems where this account is used. Password change also takes place in the console, by default once a day and as such is synchronized with all the places where you used the account. If necessary, the password can be read from the console (through the so-called  check out process but when it is used again, and you make a check-in for an account, password changes again for security reasons. This solution is very interesting and definitely quite original. Passwords that are set to managed account through this console are random generated, 15 characters long, and one is able to maneuver in terms of defining the number of occurrences of uppercase and lowercase letters, numbers or special characters.

NetWrix Logon Reporter

Finally, within NetWrix Identity Management Suite we have NetWrix Logon Reporter. This tool collects event logs, which are primarily related to logging (or logoff) or attempts to login to servers and workstations in the domain and collects the same in the .evtx file stored in an SQL database for later analysis. It also monitors events and changes to the typed passwords, reset passwords and locked and unlocked accounts. Like other tools, everything can be sent via e-mail notification.

Conclusion

Finally, it is difficult to say anything except that this set of tools is definitely on the wish list of every Active Directory administrator. Just like the change auditing solution set that we reviewed earlier, NetWrix Identity Management Suite shares the same attributes, namely ease of use and configuration, minimal software-hardware requirements and all the components of the Suite did exactly what we expected. At first glance, anyone can see that it significantly improves the work with digital identities and accounts in general. However, it should be noted that the field in which these tools operate is very sensitive and is therefore very important to understand how each of the tools works, and to control their use. License fee, which ranges from 5.25 USD per user is also very reasonable and we can say that it really justifies the functionality. After 13 years of experience in working with Active Directory service I can really recommend this software to all system administrators.

We invite you to download free trial ASAP to evaluate the product which gained important new features listed below in detail:

• Support for Failover Clusters.
• Support for EMC VNX/VNXe file storage systems.
• New reports: “Folder Permission Changes” and “All File Server Activities”.

Other important downloads – please, read briefly before you install:

• NetWrix File Server Change Reporter 3.3 Quick Start Guide
• NetWrix File Server Change Reporter 3.3 Release Notes

We will appreciate any feedback on the newest version of NetWrix File Server Change Reporter and will work tirelessly to answer all of your questions about this brand new release.

Please, leave a comment below to share your impression from the new version. What do you like, what don’t you like about it?

This is great news for all who would like to audit and protect administrative accounts in Active Directory, servers, and other systems without having to store logins and passwords (such as Administrator, service accounts and root accounts) in unsecured spreadsheets and text files.

NetWrix Privileged Account Manager (or PAM) also enables you to track who used what admin accounts and when. PAM provides a secure web-based portal for accessing and automatic maintenance of administrative user accounts, to ensure centralized management and auditing of all privileged identities. Please note that the license code is provided on the download page after a brief registration.

Protection of Privileged Accounts

All devices, servers, and workstations have powerful built-in accounts with unlimited rights, such as enable on Cisco, Administrator on Windows, and root on UNIX. PAM provides a secure storage for all privileged accounts and their passwords within your organization.

Centralized Management

The product stores all privileged accounts in a central location, enabling designated members of your IT team to access them according to established role-based security policies. PAM provides one unified workflow for accessing and updating all privileged accounts in your organization.

Regulatory Compliance

The product controls and audits the use of privileged shared accounts to enable security and compliance with Sarbanes-Oxley, GLBA, HIPAA, PCI, and others. At every single point, you can determine who knows an account password today and who knew it, for example, a month ago. PAM includes audit reports on operations with shared accounts.

Automated Password Management

PAM automatically updates account passwords according to password expiration policies defined in your organization. It not only changes the account itself, it also updates all affected services and applications that use this account.

Enterprise Class Scalability

PAM can effectively manage tens of thousands of privileged accounts and systems without performance degradation. All automated operations can be scheduled during non-business hours to ensure minimum impact on your production environment.

What is needed is Change Auditing: A core competence of NetWrix. Change Auditing is a better approach to sustaining compliance, improving security and promoting oversight because it combines Who, What, When, and Where data with Before and After details regardless of the application or platform being audited. We offer AuditAssurance™ technology in our Change Reporter Suite covering most enterprise needs including Active Directory, Group Policy, Exchange, File Servers, SQL servers, SharePoint, VMware, EMC, SCVMM and more.

Are you using a SIEM or Log Management solution currently? Why or why not? What do you both love and loathe about it? Please share your comments below:

NetWrix Change Reporter Suite wins in "Best Security Software" category

Info Security Products Guide, the industry’s leading information security research and advisory guide, has named NetWrix Change Reporter Suite a winner of the 2012 Global Excellence Awards in Best Security Software (New or Updated version) category.

We had been awaiting fo this news since December 2011 when NetWrix Change Auditing Solution was announced finalist in 2 categories: Auditing and Best Security Software; NetWrix Identity Management Suite – in Identity Management category. And now Change Reporter Suite finally made it.

This award once again proves that NetWrix is #1 for change auditing considering this is the second year in the row that Change Reporter Suite wins in Global Excellence Awards – last year it was a winner of the 2011 Tomorrow’s Technology Today Award.

NetWrix flagship Change Auditing Solution was selected among tens of software solutions that are making the most positive impact on security in today’s highly sophisticated and blended attacks environment.

Info Security Product Guide Global Excellence Awards is the security industry’s leading global excellence program honoring achievements in every facet of the security industry.

The security industry celebrated its 8^th Annual 2012 Global Excellence Awards in San Francisco by honoring excellence in every facet of the industry including products, people behind the successes and best companies.

If you haven’t done so already, take a look at Active Directory Change Reporter and the Active Directory Object Restore Wizard. These two tools combined will greatly improve your control over AD auditing and provide much needed tools like reporting not available natively and object/attribute restoration. Active Directory Change Reporter and Object Restore Wizard are also part of the Change Reporter Suite which offers oversight and control over other applications and devices such as Group Policy, Exchange, SharePoint, SQL, File Servers, Windows Servers, Network appliances, EMC Celerra/VNX and more. Share your AD management troubles and challenges below or tell us what other applications lack good native auditing tools.

Are you auditing Active Directory? If not, why? Please share your thoughts below:

Change Reporter Suite is a multi-award winning integrated solution for IT infrustructire change auditing and regulatory compliance. Active Directory Change Reporter is a powerful AD auditing solution that tracks and reports all changes made to AD and Group Policy.

Act now and get NetWrix Event Log Manager at absolutely no cost.

Event Log Manager, which collects event logs from multiple computers across a given network, alerts on the most critical events and centrally stores them in a compressed format that enables convenient analysis of archived event log data. Coupled with Change Reporter Suite, Event Log Manager provides NetWrix customers with the complete change auditing and event logging capability necessary to ensure compliance with regulations and security policies, and maintain visibility into all IT infrastructure changes.

Considering that Event Log Manager is not a part of Change Reporter Suite, customers who act now will enjoy significant savings.

You can download your free trials of Change Reporter Suite, Active Directory Change Reporter and Event Log Manager to evaluate the product benefits yourself, or view Event Log Manager pricing tiers below to gain a better understanding of just how much money you can save by acting now.

Product Review: NetWrix Active Directory Change Reporter

Supervising of the events in the Active Directory (in the literature generally known by the term Auditing) is one of the concerns of any Windows environment administrator. Although this is certainly not the first or the most important thing that administrators do, it is something that without which is difficult to imagine in a serious IT environment. Usually, the need for auditing occurs reactively – after usually some unwanted event, admins understand that auditing should have been implemented long ago.

My personal experience as an IT consultant and long-time lecturer, I am speaking in favor of exactly what I have outlined. Auditing the people generally does not deal with almost all, or at least not seriously enough that it could be considered a reliable source of information. Part of the credit for this laziness is that admins sometime don’t want to do something that de-facto does not functionally improves the system (but protects it), and partly because the techniques for auditing Active Directory are a fairly slow to develop. Specifically, Audit policies that as a result provide audit logs, almost more than 10 years have not substantially changed. Windows Server 2008 R2 has brought some improvement in terms of adding new policy settings that are now giving more precise control of what is monitored (to avoid over-auditing which is basically almost the same as you do not monitor anything), but the mechanism of applying the further group policy, and logs are still collected in the Security log on computers that keep track of what happens. Because the Security log is almost always full of a variety of other records, without good filtering techniques, audit logs will be very difficult to see. Fortunately, the new Event Viewer that we have in Windows Server 2008 delivers significant improvements in this field, although still not quite as we expected.

What is actually the goal of auditing in an Active Directory-based environment? The primary goal is to provide quality, focused and timely information on changes that have occurred in the IT environment (specifically in the AD), and to provide information about who made the change, when, where or on which resource. This is a reactive approach to auditing. In addition, auditing can be used proactively – that is, to observe events on the system, which could initiate to something that might happen in the future, we would like to prevent. Proactive monitoring, in addition to the techniques, however, requires a lot of analytic knowledge, but is certainly more desirable than reactive.

The theme of this article is that Active Directory Change Reporter is an extremely useful tool that is used for auditing purposes and to specific Windows Server-based environment that is based on Active Directory. It is produced by NetWrix, the company with many years of experience in this field, resulting in a number of tools which are used mainly for the purpose of auditing and logging. More information about the tools can be found via their website www.netwrix.com.

As its name says, this is a tool for tracking changes in Active Directory. Besides being monitored, this tool provides the possibility of extremely powerful reporting on what changes were recorded in various categories. Through a specially-developed console, administrators now have the ability to replace filters and filtration of hundreds of log entries and focus on the essence – and that is change, and the attributes that accompany the change itself (who, when, where and why). It performs all this without using the Event Viewer.

NetWrix Active Directory Change Reporter is composed of 4 components:
• Active Directory Change Reporter
• Group Policy Change Reporter
• Exchange Change Reporter
• Active Directory Object Restore Wizard
The very names of the components are sufficiently descriptive to see what was going on. Although the inside of functional groups Exchange Server is also mentioned, it’s actually working on tracking changes in Active Directory, but what relates to the Exchange, since this product most of its configuration holds exactly in Active Directory. There is also an Object Restore Wizard, which helps to restore deleted objects, or objects that are in the state in which they run tombstone life time. However, we should say that it is not an alternative interface for Active Directory Recycle Bin, but more like restoring deleted objects in the “old way” or the way it was possible prior to Windows Server 2008 R2 (which brings AD Recycle Bin). This means that this can be applied to older versions of Windows Server Active Directory. The only downside is that restored deleted objects lose all the attributes, but it is relatively easy to re-create, and retain the SID and SAMaccountName what is most important. Also, use this wizard to restore previously deleted objects deprives administrators need to use tools such as Ldp.exe or command line tools, which to put it mildly, not very popular.

Through these functional components, AD change reporter can do the following:
- In each notice of change, in addition to data on the revised property name it provides old and new value of the changed attributes (or more). The software can track and multiple changes within a single cycle of observation, and if changes occur in many different attributes values, everything will be remembered.
- Generate different types of web-based reports on registered changes in demand. It is also possible to create your own reports with many already predefined filters, or order additional reports from the manufacturer
- Monitor Active Directory snapshots and compare the situation in AD over time, in terms of reporting facilities and the changes that have accompanied them.
- Generate real-time alerts distributed via e-mail for all critical events that cannot wait to generate Report on a schedule (such as adding or removing someone from the Enterprise Admins group).
- Maintain logs and reports indefinitely long time
- Create “subscription” e-mails to various types of reports. This deprives the needs of the administrator to the console searches for statements that he wants to continuously monitor.

The administrative console is a classic MMC 3.0 and how it can be seen in the following figure, is quite intuitive, and none experienced administrator should not have problems using the same.

Technology that works in Change Reporter is not unknown. It is a well-known technology DirSync change tracking based on a change in the value of USN. Otherwise, DirSync is used to synchronize the changes that occur in different directory services, and here it is used to actually detect the change and instead synchronizing the change in another directory, it is actually recorded in the database.

USN is the Updated Sequence Number or value that changes when any change occurs in the domain, configuration or schema partition of Active Directory. Active Directory Change Reporter drives the process of controlling this type of data every 10 minutes. In this way achieves a moderate system load because data is collected in relatively small quantities, while it often enough that it does not happen any loss of data due to overwriting the old data in the security log.
Installation and configuration

Installing the AD Change Reporter software is very easy process. The console itself can be installed on any computer in the domain, and does not have to be located at the domain controller. It supports all versions of Active Directory from Windows 2000 onwards, which gives a very wide range of applications in most of today’s environment. Requirements for installation are not too large – it will be sufficient to have NET Framework 2.0, MMC 3.0, and that’s all it takes. If you want to use the advanced reporting, it is necessary to also install SQL Server Express or the full version of SQL Server with Reporting Services functionality. Of course, it is necessary to provide the account with appropriate privileges to connect to Active Directory, or to run the task, which generates reports at regular intervals.

After installation, you need to do the initial configuration. The first step is to create a Managed-object, which is the Active Directory domain that you will audit. After that, make a brief analysis of existing auditing settings, and one set to the required value, if not already configured. Once the software is connected to the domain, it remains to adjust the settings related to the Exchange server (if any), the settings for the SQL Server database (if you will use advanced reporting), and settings for notification via e-mail or subscribe to certain reports. Since the software comes with large number of pre-created samples for the reports, the first time probably will not need to create some new ones, at least until you don’t find what you. Upon completion of the configuration to make an initial snapshot and from that moment the system is ready for operation. These screenshots show some of the predefined reporting, and configurable settings for the most important settings.

As in the case of conventional auditing through the security logs in Event Viewer, and here it is recommended to avoid over-auditing. True, with this software it is much harder to over-audit, but not impossible. I suggest you to review the details provided with existing reports and to enable those you really need and to possibly create new one where needed. Making a new report is actually creating an appropriate filter on the object you want to track. For example, you can create a filter that report that will track changes in a particular security group in AD or the like.

Reports themselves are substantial and can be distributed via e-mail in some summary form, or called directly from SQL Server Reporting Services. Below you can see a couple of types of reports:

Conclusion

NetWrix Active Directory Change Reporter is a very useful piece of software. It is especially effective in environments where multiple people have privileges to real changes in Active Directory, and where necessary centralized monitoring of the changes that are happening. Also, its feature that uses SQL Server Reporting Services is a hit – which create the reports in this way, look great and give the very essence of what we want to see in this type of report. Perhaps one of the best features of this software is that it gives the exact of what you would expect, without too much complicating and without superfluous questions.

We also have to say something about the price of this product. If it is used in environments with up to 150 users (like the most in our country), the price is 8.70 USD per user. If the number of users increasing, the cost per user is even lower. Also available are special discounts for government institutions, educational Institutions and non-profit organization. If you want to include this change and Exchange reporter, added another 1.35 USD per user, also for environments up to 150 users. For accurate pricing, it is necessary (and advisable) to contact the manufacturer. In any case, the price that is listed here in general is not expensive if we take into consideration what you get, and that the license be purchased once.

For those who need to track changes in AD but find traditional approached ineffective or too complicated – this is the right choice.

The problem here is that security needs time to work backwards towards the foundation to plug all the holes. Constant software patching and updates are a part of everyday life and is emblematic of the state of security. Every decision that brought a product to where it is today needs to be revisited to uncover original flaws as well as adapt to new threats such as social engineering and rogue insiders. Another major problem that exists is that so many networks and systems are poorly configured or not even managed at all leaving them open to exploitation while understaffed and sometimes undertrained IT staff struggles to keep up. What we have here is a gap between what is secure and what is not and I expect it will be years before most systems and technologies are very secure from the foundation and human threats can be mitigated effectively.

In this gap fits change auditing. Change auditing, unlike security measures and practices, is already all grown-up. It doesn’t have to mature because change auditing simple is tracking every change that takes place and condense that information so that someone in charge can see what’s going on. Where needed, actions can be taken to improve defenses and detect things like rogue users tampering with data they shouldn’t. Where security fails, change auditing succeeds.

NetWrix’s AuditAssurance™ technology is at the forefront of change auditing because it allows the administrator flexible implementation without taking a performance hit while collecting concise change detail in a human readable format. What makes our technology even more exciting is that it captures and stores audit information from separate and multiple sources so that detail is complete and near impossible to clear by a rogue admin while also stored in two repositories physically separate from the resources being audited. We’ve built integrated tools for Active Directory, Group Policy, Exchange, File Servers, Windows Servers, SQL, SharePoint, EMC Celerra, NetApp Filer, as well as include our storage, reporting, and AD restore functionality. If you are looking to bridge this gap while security continues to mature, take a look at the NetWrix Change Reporter Suite today.