Friday 23 June 2017

Auditing Microsoft Products (like Active Directory, Group Policy, SQL, SharePoint, Exchange Server) using LepideAuditor Software

Hello Everyone,

This post shares what I learned about a tool for auditing different components in an organisation: Active Directory, SQL Server, Exchange Server and SharePoint.

Before talking about the tool, it is worth being clear about what auditing is and why an organisation needs it.

An audit is a method of examining and evaluating a process, function or tool in an organisation to confirm that it meets its compliance requirements. It can be internal, or external and performed by a third party.

As defined in ISO 19011:2011—Guidelines for auditing management systems, an audit is a “systematic, independent and documented process for obtaining audit evidence [records, statements of fact or other information which are relevant and verifiable] and evaluating it objectively to determine the extent to which the audit criteria [set of policies, procedures or requirements] are fulfilled.”

Auditing is not limited to processes or functions; it is also used to examine and evaluate systems such as the domain, SQL Server and SharePoint.

You might ask why an organisation needs to audit these systems, what benefits auditing brings, and how to audit them.

Let's take the domain as an example. In a large environment, "n" objects change in Active Directory every day, and it is not easy to track who changed or updated what. When an employee leaves the organisation, how do you confirm that all of their objects and access have been deleted or disabled in AD?

To monitor and track AD, you need an auditing tool that can generate reports covering these security and compliance questions.

Group Policy is a similar example: every day new policies are created and deployed, or existing policies are changed. Who created a policy, why, when it was created and when it was deployed are details that are not easy to track manually in a large environment. Rolling back a change to a policy is also impossible unless you have a backup of that policy; without one, how would you roll it back? These are critical challenges that can turn into serious compliance issues for an organisation.
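The raw material behind "who changed what, and when" is the Security log on each domain controller: once account-management and directory-service-changes auditing is on, every account change and every GPO edit is written there as an event. The script below is an added example, not from the original post and not part of the Lepide product; it flattens those events into the fields an audit report shows. The sample 5136 event (a GPO edit by a user "jsmith" on a DC "DC01.lab.local") is constructed for illustration, and the event IDs are the standard Windows Security event IDs.

```powershell
# Added example (not from the original post or from Lepide): turn Security log events from a DC
# into "who changed which object, when" records. Needs PowerShell 3+; reading the Security log
# needs local admin or Event Log Readers membership on the DC.

# Security event IDs and what they mean (standard Windows Security auditing IDs).
$script:ChangeEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4740 = 'User account locked out'
    4739 = 'Domain policy changed (password/lockout policy)'
    5136 = 'Directory object modified'      # covers GPO edits: ObjectClass groupPolicyContainer
    5137 = 'Directory object created'
    5141 = 'Directory object deleted'
    4719 = 'System audit policy changed'    # someone changing auditing itself
}

# Placeholders Windows writes into the OperationType field of 5136.
$script:OperationType = @{ '%%14674' = 'value added'; '%%14675' = 'value deleted' }

function ConvertTo-ChangeRecord {
    # Flattens one Security event (as XML) into a record with the usual audit-report fields.
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $sys    = $EventXml.Event.System
        $idNode = $sys.EventID
        $id     = if ($idNode -is [string]) { [int]$idNode } else { [int]$idNode.'#text' }

        # EventData is a list of <Data Name="..."> elements; index them by name.
        $data = @{}
        foreach ($d in @($EventXml.Event.EventData.Data)) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }

        $who = if ($data.SubjectDomainName) { "$($data.SubjectDomainName)\$($data.SubjectUserName)" }
               else { $data.SubjectUserName }

        # Which object was touched depends on the event family.
        $target = switch ($id) {
            { $_ -in 5136, 5137, 5141 } { $data.ObjectDN }
            4739                        { "Domain policy of $($data.DomainName)" }
            4719                        { "Audit subcategory $($data.SubcategoryGuid)" }
            default                     { "$($data.TargetDomainName)\$($data.TargetUserName)" }
        }

        $detail = if ($id -eq 5136) {
            $op = $script:OperationType[$data.OperationType]
            if (-not $op) { $op = $data.OperationType }
            "$($data.AttributeLDAPDisplayName) = $($data.AttributeValue) ($op) on $($data.ObjectClass)"
        } elseif ($id -eq 4719) { $data.AuditPolicyChanges } else { '' }

        [pscustomobject]@{
            When    = [datetime]$sys.TimeCreated.SystemTime
            Server  = $sys.Computer
            EventId = $id
            What    = $script:ChangeEvents[$id]
            Who     = $who
            Object  = $target
            Detail  = $detail
        }
    }
}

# Constructed sample: a 5136 event for an edit of a GPO's versionNumber attribute. All values
# (user, SID, GPO GUID, host) are invented; real events from Get-WinEvent have the same shape.
$sampleXml = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>5136</EventID>
    <TimeCreated SystemTime="2017-06-23T10:15:30.1234567Z"/>
    <Channel>Security</Channel>
    <Computer>DC01.lab.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">LAB</Data>
    <Data Name="DSName">lab.local</Data>
    <Data Name="ObjectDN">CN={A1B2C3D4-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=lab,DC=local</Data>
    <Data Name="ObjectClass">groupPolicyContainer</Data>
    <Data Name="AttributeLDAPDisplayName">versionNumber</Data>
    <Data Name="AttributeValue">65539</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@
$sampleXml | ConvertTo-ChangeRecord | Format-List

function Get-AdChangeRecords {
    # Live collection: the same events pulled from a domain controller's Security log.
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = [int[]]$script:ChangeEvents.Keys; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        ForEach-Object { [xml]$_.ToXml() } | ConvertTo-ChangeRecord
}

# The leaver question ("was the account disabled or deleted, and by whom?") for the last week:
# Get-AdChangeRecords -ComputerName DC01 -Since (Get-Date).AddDays(-7) |
#     Where-Object EventId -in 4725, 4726 | Sort-Object When | Format-Table When, Who, Object, What
```

Two points this makes that the paragraph above does not: a GPO edit shows up only as a 5136 on an object of class groupPolicyContainer under CN=Policies,CN=System, so "who changed this GPO" is answered by the ObjectDN and the GPO's GUID rather than its display name; and a 4719 in the same stream is the event you most want an alert on, because it records someone changing the audit policy that everything else depends on. The events only exist if the audit subcategories are enabled on the DCs, which is why the prerequisite steps later in this post matter.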

To overcome these challenges, this post introduces a tool, LepideAuditor Suite, which audits multiple products, including:

·        Domain (AD, Group Policy, User Password Expiration Reminder, etc.)
·        Exchange Server
·        SQL Server
·        SharePoint Server
·        File Server


Let's start with the requirements and capabilities of the LepideAuditor tool.

SYSTEM REQUIREMENTS:


REQUIRED ACCESS RIGHTS:




REQUIRED PORTS:




OTHER REQUIREMENTS FOR GROUP POLICIES OBJECTS:



OPTIONAL CONFIGURATION:



  • You can install SQL Server either locally on the LepideAuditor machine or on a remote server.



These are the basic requirements for the software.

Now let's configure the prerequisites and walk through the deployment of the LepideAuditor software.

LAB ENVIRONMENT DETAILS:


  • 1 Active Directory VM – Windows Server 2012 R2
  • 1 LepideAuditor VM – Windows Server 2012 R2 with SQL Server 2012 SP1
  • The LepideAuditor VM is joined to the domain
  • GPMC is installed locally on the LepideAuditor machine
  • SQL Server listens on its default port, 1433

PREREQUISITES:


Prerequisites on the Domain Controller:



Log on to the primary domain controller, open Run (Windows key + R), type "gpmc.msc" and click OK:


Expand Group Policy Management -> Forest -> Domains -> DOMAIN_NAME -> Domain Controllers and click Default Domain Controllers Policy:


Right-click Default Domain Controllers Policy and click Edit:


The Group Policy Management Editor opens. Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies and click Security Options:


Right-click "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" and click Edit:


Make sure "Define this policy setting" is unchecked. This setting decides whether the per-subcategory (advanced) audit policy overrides the legacy category-level audit policy; the vendor's prerequisite is to leave it undefined in this GPO:


Close the dialog.


Now click Event Log:


Right-click "Maximum security log size" and click Properties:


Enable this policy and set the size to 1048576 kilobytes (1 GB):


Close the dialog once done.


Now right-click "Retention method for security log" and click Properties:


Enable this policy, select "Overwrite events as needed", then click Apply and OK. With this retention method the oldest events are discarded as soon as the log is full, so the 1 GB size set above has to be large enough to hold events until the auditor has collected them; on a busy domain controller a smaller log can lose audit records before they are ever read:


Open an elevated Command Prompt and refresh Group Policy with "gpupdate /force":


All prerequisites on the domain controller are complete.
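The click-through above does not tell you whether the settings actually took effect on the domain controller. The script below is an added example, not from the original post and not from Lepide, that reads the effective values after "gpupdate /force": the registry value behind the "Force audit policy subcategory settings" option, the Security log's size and retention mode as the Event Log service applies them, and, for reference, the audit subcategories the account and directory change events come from. The only assumption is the 1 GB log size used in this post.

```powershell
# Added example (not from the original post or from Lepide): verify on a domain controller that
# the three settings configured in the Default Domain Controllers Policy above are in effect.
# Run in an elevated PowerShell session on the DC after "gpupdate /force".

function Test-DcAuditPrerequisites {
    param([long]$ExpectedMaxSizeKB = 1048576)   # 1 GB, the value set in the GPO above
    $results = @()

    # 1. "Audit: Force audit policy subcategory settings ..." is stored as the registry value
    #    SCENoApplyLegacyAuditPolicy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
    #    1 = subcategory settings override the legacy categories. The GPO above leaves the
    #    setting undefined, so a value of 1 would mean something else is forcing it.
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $force = $lsa.PSObject.Properties['SCENoApplyLegacyAuditPolicy']
    $results += [pscustomobject]@{
        Check  = 'Force subcategory override (SCENoApplyLegacyAuditPolicy)'
        Actual = if ($force) { $force.Value } else { 'not set' }
        Pass   = (-not $force) -or ($force.Value -ne 1)
    }

    # 2. Security log size and retention as the Event Log service actually applies them.
    #    "Overwrite events as needed" corresponds to LogMode Circular.
    $log = Get-WinEvent -ListLog Security
    $results += [pscustomobject]@{
        Check  = 'Security log maximum size (KB)'
        Actual = [long]($log.MaximumSizeInBytes / 1KB)
        Pass   = ($log.MaximumSizeInBytes / 1KB) -ge $ExpectedMaxSizeKB
    }
    $results += [pscustomobject]@{
        Check  = 'Security log retention (Overwrite events as needed = Circular)'
        Actual = $log.LogMode
        Pass   = $log.LogMode -eq 'Circular'
    }

    # 3. For reference: the audit subcategories that produce the account (4720-4740) and
    #    directory change (5136-5141) events. This post expects the auditor's own GPO to
    #    enable auditing later, so re-run this check after that GPO has applied.
    #    "auditpol /r" prints CSV with a Subcategory and an Inclusion Setting column.
    $subcats = 'User Account Management', 'Directory Service Changes', 'Audit Policy Change'
    $policy  = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
               Where-Object { $_.Subcategory -in $subcats }
    foreach ($p in $policy) {
        $results += [pscustomobject]@{
            Check  = "Audit subcategory: $($p.Subcategory)"
            Actual = $p.'Inclusion Setting'
            Pass   = $p.'Inclusion Setting' -match 'Success'
        }
    }
    $results
}

Test-DcAuditPrerequisites | Format-Table -AutoSize
```

If the log size or retention row fails right after gpupdate, check "gpresult /r" for a GPO with higher precedence than Default Domain Controllers Policy that sets the same Event Log values; the Event Log service reports the winning value, not what any single GPO asks for.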

Prerequisites on the LepideAuditor Machine:


Install GPMC on the LepideAuditor machine:


Open Add Roles and Features in Server Manager, select the "Group Policy Management" feature and install it:


Click Install:



Once done, open Run, type "gpmc.msc" and click OK:



GPMC is now installed on the LepideAuditor machine:


Install SQL Server 2012 SP1 on the machine:

SQL Server installation is covered in my other posts. Follow the same steps, with two exceptions:
  • Choose a default instance instead of a named instance.
  • On the Database Engine Configuration page, add every account that the LepideAuditor software will use as a SQL Server administrator.

All other steps are the same.


Refer to the link below for reference:


Once all prerequisites are complete, you can install the LepideAuditor software.
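The three prerequisites on this machine (GPMC present, a default SQL Server instance reachable on 1433 with the LepideAuditor account as a SQL administrator, and the "Log on as a service" right that the installer grants to that account) can each be checked from PowerShell. The script below is an added example, not from the original post or from Lepide. The account name LAB\svc_lepide and the SQL host are placeholders; the sysadmin check asks SQL Server directly, so it must be run by someone who is already a SQL administrator.

```powershell
# Added example (not from the original post or from Lepide): prerequisite checks on the
# LepideAuditor machine. Run elevated. LAB\svc_lepide is an assumed placeholder account.

function Install-GpmcIfMissing {
    # Same result as Server Manager > Add Roles and Features > Group Policy Management.
    if (-not (Get-WindowsFeature -Name GPMC).Installed) { Install-WindowsFeature -Name GPMC | Out-Null }
    (Get-WindowsFeature -Name GPMC).Installed
}

function Test-ServiceLogonRight {
    # The installer offers to grant "Log on as a service" (SeServiceLogonRight) to the account
    # it runs as. secedit exports the local policy; principals appear as names or as *SID.
    param([Parameter(Mandatory)][string]$Account)
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    [bool]($line -and (($line -match [regex]::Escape($Account)) -or ($line -match [regex]::Escape("*$sid"))))
}

function Test-SqlPrerequisites {
    # Default instance reachable on 1433, and the account is in the sysadmin server role,
    # which is what "add the accounts on Database Engine Configuration" gives it.
    param([string]$Server = 'localhost', [int]$Port = 1433, [Parameter(Mandatory)][string]$Account)
    $portOpen = (Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded

    # Integrated security: the caller's own Windows identity is used to ask about $Account.
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server,$Port;Integrated Security=True;"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # IS_SRVROLEMEMBER returns NULL for an unknown login or insufficient rights; treat as not a member.
        $cmd.CommandText = "SELECT ISNULL(IS_SRVROLEMEMBER('sysadmin', @login), 0)"
        [void]$cmd.Parameters.AddWithValue('@login', $Account)
        $isSysadmin = ([int]$cmd.ExecuteScalar()) -eq 1
    } catch { $isSysadmin = $false } finally { $conn.Close() }

    [pscustomobject]@{ Server = "$Server,$Port"; PortOpen = $portOpen; Account = $Account; IsSysadmin = $isSysadmin }
}

# Assumed values for this lab; replace with your own.
Install-GpmcIfMissing
Test-ServiceLogonRight -Account 'LAB\svc_lepide'
Test-SqlPrerequisites -Server 'localhost' -Port 1433 -Account 'LAB\svc_lepide'
```

Note that sysadmin is full control of the SQL Server instance, so the account you add on the Database Engine Configuration page should be a dedicated service account with a strong, unique password, not a shared administrator login; if the instance is shared with other applications, consider a separate instance for the auditor's database.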


LEPIDEAUDITOR SOFTWARE INSTALLATION:

You can download LepideAuditor Suite from the link below:


Once you have downloaded the setup, extract it:


Click Extract All:


Click Extract:



Once the files are extracted, right-click the installer and run it as administrator:




Click Next:


Accept the licence terms and click Next:


Click Next:


Click Next:


Click Next:


Click Install:


Once done, click Finish:



Now provide the domain credential that LepideAuditor will run under:


If the account does not yet have the "Log on as a service" right, the installer offers to grant it, so click Yes:


Once the right has been granted, click OK:


Next it asks which component you want to audit. I will show Domain (complete), so I selected the first option:


There are two configuration types:

  • Express Configuration – uses all the default settings.
  • Advanced Configuration – lets you select each setting you want to audit individually.

I used the default settings:


Now provide the primary domain details (IP address, credentials and auditing method):


Accept the configuration changes required for auditing:

NOTE: The changes LepideAuditor makes are limited to what it needs in order to collect audit information from the domain (in this walkthrough, audit settings delivered through a new GPO of its own) and should not otherwise affect the domain. Still, read the list of changes before accepting it.


Create a new Group Policy Object with any name; LepideAuditor will not modify the Default Domain Controllers Policy:


So provide the domain IP and type the new GPO name:


Here it asks you to select the domain components that LepideAuditor should audit. You can click the tool icon in front of a component to configure its options:


Click the icon and configure each component one by one, as shown below:

Schedule Group Policy backups on a daily, weekly or monthly basis.

Schedule the backup as required and click OK:


Configure the Active Directory Cleanup settings, where you can set notification and cleanup options for inactive accounts and for users who have left the organisation:


Configure the User Password Expiration Reminder settings:




Once all required settings are configured, click Next and check that the IP settings for the domain are correct (change them if not, otherwise click Next):



Here you provide the details of the LepideAuditor database, where all collected audit data is stored:

NOTE: Verify the credentials by clicking Test Connection.





Once all settings are configured, it asks to restart the software, so click Yes:


Below is the default console of the LepideAuditor software:


NOTE: By default LepideAuditor provides a free 15-day trial; after that you have to buy a licence from Lepide.


EXPLORE CAPABILITIES:


RADAR:


The default dashboard offers a 360° view, or a per-domain view, of all changes over a custom time period or a particular day, week or month. It covers AD, Exchange, SharePoint and the database level.

Below are other dashboard views available:

  • Changes by Criticality
  • All Changes by Source
  • Top Admins
  • Failed Logon Trends
  • Top Modified Classes
  • Users with Soon-to-Expire Passwords
  • Actions Performed by Active Directory Cleaner
  • All Changes Trend
  • Resource Utilization on Server(s)
  • Live Feed





Clicking any Changes section of the dashboard opens the audit report view, where you can filter the changes by component name, server name, object name, who, when and so on.



You can also open Compliance Reports, where "n" reports are available to check compliance status, such as Password Policy Modified and User Expiry Modified:




Click the Permission Analysis tab to view the full history of permission changes on the File Server, Active Directory or Exchange Server:




If you want to restore a previous backup of Active Directory objects or of a Group Policy, LepideAuditor provides that too. Click the Restore tab and provide the details to roll back to the previous state:
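Both capabilities the Restore tab wraps (the scheduled GPO backup configured earlier, and the rollback of a GPO or a deleted AD object) exist natively in Windows, and it is worth knowing what they look like so you can recover even when the auditor is unavailable. The script below is an added example, not from the original post or from Lepide, and does not use the tool's own backup format; it uses the GroupPolicy module's Backup-GPO/Restore-GPO and, for objects, Restore-ADObject, which only works if the AD Recycle Bin was enabled before the deletion. The backup root D:\GPOBackups and the user jdoe are placeholders.

```powershell
# Added example (not from the original post or from Lepide): the Windows-native equivalents of
# a scheduled GPO backup and of rolling back a GPO or a deleted AD object.
# Assumed placeholders: backup root D:\GPOBackups, deleted user "jdoe".
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Backup-AllGpos {
    # Takes a dated backup of every GPO in the domain. Schedule this (e.g. with a scheduled
    # task running as an account that can read all GPOs) to get the daily/weekly/monthly
    # behaviour the auditor's backup settings describe.
    param([string]$Root = 'D:\GPOBackups')
    $dir = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Backup-GPO -All -Path $dir -Comment "Scheduled backup $(Get-Date -Format s)"
}

function Restore-GpoFromBackup {
    # Rolls one GPO back to its copy in the newest backup folder under $Root.
    # Restore-GPO keeps the GPO's GUID, so its links to OUs survive the rollback.
    param([Parameter(Mandatory)][string]$Name, [string]$Root = 'D:\GPOBackups')
    $latest = Get-ChildItem -Path $Root -Directory | Sort-Object Name -Descending | Select-Object -First 1
    if (-not $latest) { throw "No GPO backups found under $Root" }
    Restore-GPO -Name $Name -Path $latest.FullName
}

function Restore-DeletedAdUser {
    # Finds a deleted user in the Recycle Bin and restores it to its last known parent OU.
    # Requires the "Recycle Bin Feature" to have been enabled before the deletion; without it
    # the object is only a tombstone and its attributes and group memberships are gone.
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Single-quoted filter so $true reaches the AD filter parser literally.
    $filter = 'isDeleted -eq $true -and sAMAccountName -eq "{0}"' -f $SamAccountName
    $obj = Get-ADObject -Filter $filter -IncludeDeletedObjects
    if (-not $obj) { throw "No deleted object with sAMAccountName $SamAccountName" }
    Restore-ADObject -Identity $obj.ObjectGUID
    Get-ADUser -Identity $SamAccountName
}

# Usage with the assumed placeholders:
# Backup-AllGpos -Root 'D:\GPOBackups'
# Restore-GpoFromBackup -Name 'Workstation Security' -Root 'D:\GPOBackups'
# Restore-DeletedAdUser -SamAccountName 'jdoe'
```

Two caveats apply to any GPO rollback, native or through the auditor: a restored GPO reverts the settings but not the change history, so keep the audit record of who made the change before you undo it; and Restore-GPO puts back the GPO's settings and links, but the backup must come from the same domain, so keep the backup root on a server that will survive the failure you are planning for.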



HEALTH MONITORING:


Here you can see the complete health status of all servers, including:

  • Server Availability
  • CPU & Memory Usage
  • Active Directory Services
  • ESENT Database Performance
  • Active Directory Web Service
  • DFSR Replicated Folders
  • Replication Status
  • LDAP Status
  • Address Book Status
  • Directory Service Status
  • NTDS Performance Counters
  • DNS Performance Counters
  • And so on…








ALERTS:


Here you can view auditing alerts and health-monitoring alerts for AD, the database, Exchange Server, Group Policy and SharePoint:



SETTINGS:


Configure settings as per your requirements:




LICENSE INFORMATION:


Here you can see the licence information. If you don't have a licence key, click Request License; this downloads a licence request file which you email to the Lepide team (sales@lepide.com). Lepide's sales team generates a key and sends it to you by email. Once you have the key, click Activate License and enter it:



CONCLUSION:


LepideAuditor is an excellent tool that helps administrators track changes across AD, SQL databases, SharePoint, Exchange Server and Group Policy. It provides compliance reports as well as audit reports. Its key capabilities are auditing, compliance reporting, health monitoring, alerts and notifications, and backup and restore.


REFERENCE LINK:






Share your feedback or any queries!



Happy reading!
