
ChangeAuditor for Active Directory

Track critical changes with Active Directory auditing tools

ChangeAuditor™ for Active Directory is a powerful Windows auditing tool that proactively tracks, reports and alerts on vital configuration changes to Microsoft® Active Directory® — in real time and without the overhead of native auditing.

This Active Directory reporting tool enhances security by telling you instantly who made what change when, where and from which workstation — eliminating the risks associated with day-to-day modifications. Plus, you can compare the original and current values for fast troubleshooting and remediation.

For compliance, ChangeAuditor generates intelligent, in-depth forensics for auditors and management. You’ll have confidence knowing that your organization can pass its next internal security or regulatory compliance audit.

Features

  • At-a-glance display: Tracks user and administrator activity with detailed information including who, what, when, where, which workstation and why for change events, plus original and current values for all changes.
  • Real-time alerts on the move: Sends critical change and pattern alerts to email and mobile devices to prompt immediate action, enabling you to respond faster to threats even while you're not on site.
  • Account lockout: Captures the originating IP address/workstation name for account lockout events to simplify troubleshooting.
  • Object protection: Provides protection against changes to the most critical Active Directory objects, such as accidentally deleted OUs and modified GPO settings.
  • High-performance auditing engine: Removes auditing limitations and captures change information without the need for native audit logs, resulting in faster results and significant savings of storage resources.
  • Auditor-ready reporting: Generates comprehensive reports for best practices and regulatory compliance mandates for SOX, PCI-DSS, HIPAA, FISMA, GLBA and more.
  • Role-based access: Configures access so auditors can run searches and reports without making any configuration changes to the application, and without requiring the assistance and time of the administrator.
  • Event timeline: Enables the viewing, highlighting and filtering of change events and the relation of other events over the course of time in chronological order across your Windows environment for better understanding and forensic analysis of those events and trends.
  • Related searches: Provides instant, one-click access to all information on the change you're viewing and all related events, such as what other changes came from specific users and workstations, eliminating additional guesswork and unknown security concerns.
  • AD-change rollback: Restores previous values on unauthorized, mistaken or improper changes with the click of a button, directly in the ChangeAuditor console, honoring the rights and privileges of the user requesting the rollback.
  • Web-based access with dashboard reporting: Searches from anywhere using a web browser and creates targeted dashboard reports to provide upper management and auditors with access to the information they need without having to understand architecture or administration.

System Requirements

Before installing ChangeAuditor, ensure your system meets the following minimum hardware and software requirements:

ChangeAuditor Client (Client-side Component)

The ChangeAuditor Client connects to a ChangeAuditor Coordinator and queries the audited event database for the desired results.

Client Hardware

Minimum: Dual Core 2.0 GHz or better; 4 GB RAM or better
Recommended: Quad Core 3.0 GHz or better; 8 GB RAM or better

A machine running on the following minimum platforms:

      • Windows Server 2003
      • Windows Server 2003 R2
      • Windows Server 2008
      • Windows Server 2008 R2
      • Windows Server 2012 (Standard, Essentials and Datacenter)
      • Windows Vista
      • Windows 7 (Pro, Enterprise and Ultimate)
      • Windows 8 (Pro and Enterprise)

    Microsoft Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

    Microsoft’s Windows Small Business Server 2003, 2008 and 2011 are NOT supported.

    Microsoft's Windows Server 2012 Foundation edition is NOT supported.

    Screen resolution of at least 1024 x 768 with at least 256 colors

Client Software and Configuration
  • x86 or x64 versions of Microsoft's .NET Framework 4.0 or higher
    NOTE: To verify that you are running the appropriate version of Microsoft's .NET Framework use Add/Remove Programs (Start | Control Panel | Add or Remove Programs).
  • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • x86 or x64 versions of Microsoft SQLXML 4.0
Client Footprint
  • Estimated hard disk space usage of 120 MB
  • Estimated RAM physical memory of 150 MB

    NOTE: Queries that return a lot of data can cause the client to use as much memory as required to store the results in RAM.

ChangeAuditor Coordinator (Server-side component)

The ChangeAuditor Coordinator is responsible for fulfilling client and agent requests and generating alerts.

Coordinator Hardware

Minimum: Quad Core 2.0 GHz or better; 8 GB RAM or better
Recommended: Quad Core 3.0 GHz or better; 32 GB RAM or better

Member server running on the following minimum platforms:

      • Windows Server 2003 SP2
      • Windows Server 2003 R2
      • Windows Server 2008
      • Windows Server 2008 R2
      • Windows Server 2012 (Standard, Essentials and Datacenter)

Microsoft Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

Microsoft’s Windows Small Business Server 2003, 2008 and 2011 are NOT supported.

Microsoft's Windows Server 2012 Foundation edition is NOT supported.

Coordinator Software and Configuration
  • For the best performance Quest recommends:

    • The ChangeAuditor Coordinator must be installed on a dedicated member server.
    • The ChangeAuditor database must be configured on a separate, dedicated SQL server instance.
  • Supported SQL Server versions:
    • Microsoft SQL Server 2008
    • Microsoft SQL Server 2008 R2
    • Microsoft SQL Server 2012
  • The Coordinator must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
  • x86 or x64 versions of Microsoft's .NET Framework 4.0 or higher
  • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • x86 or x64 versions of Microsoft SQLXML 4.0
Coordinator Footprint
  • Estimated hard disk space used: 115 MB
  • Estimated RAM physical memory of 100 MB
  • Additional 80 MB disk space used by Agent MSIs
  • Estimated database size will vary depending on the number of agents deployed and audited events captured.
Minimum Permissions

User account performing the coordinator installation:


The user account that will be performing the coordinator installation needs to have the appropriate permissions to perform the following tasks on the target server:

    • Windows permissions to create and modify registry values.
    • Windows administrative permissions to install software and stop/start services.

* It is recommended that the user account performing the installation be a member of the Domain Admins group in the domain where the coordinator is being installed.


Service account running the coordinator service (LocalSystem by default):

    • Active Directory permissions to create and modify SCP (Service Connection Point) objects under the computer object that will be running a ChangeAuditor Coordinator.
    • Local Administrator permissions on the coordinator server.

If you are running the coordinator under a service account (instead of LocalSystem), use a Manual connection profile that specifies the IP address of the server hosting the ChangeAuditor Coordinator whenever you launch the ChangeAuditor Client. See the ChangeAuditor User Guide or online help for more information on defining and selecting a connection profile.

SQL Server database access account specified during installation:
An account must be created to be used by the Coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:

  • Must be assigned the db_owner role on the ChangeAuditor database
  • Must be assigned the SQL Server role of dbcreator

ChangeAuditor Agent (Server-side component)

A ChangeAuditor Agent can be deployed to domain controllers (DCs) and member servers to monitor the configuration changes made on these servers. These agents will then report these audit events to the ChangeAuditor Coordinator which will insert the event details into the ChangeAuditor database.

Agent Hardware

Minimum: Dual Core 2.0 GHz or better; 4 GB RAM or better
Recommended: Quad Core 3.0 GHz or better; 8 GB RAM or better

  • Server running on the following minimum platforms:
      • Windows Server 2003 SP1
      • Windows Server 2003 R2
      • Windows Server 2008
      • Windows Server 2008 Core
      • Windows Server 2008 R2
      • Windows Server 2008 R2 Core
      • Windows Server 2012 (Standard, Essentials and Datacenter)
      • Windows Server 2012 Core (Standard, Essentials and Datacenter)

Microsoft Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

Microsoft’s Windows Small Business Server 2003, 2008 and 2011 are NOT supported.

Microsoft's Windows Server 2012 Foundation edition is NOT supported.

  • ChangeAuditor Agent requires File and Printer Sharing on Windows Server 2008. By default, File and Printer Sharing is not enabled on Windows Server 2008 installations. To remotely deploy agents to Windows Server 2008 (Full UI and Server Core), enable the File and Printer Sharing (SMB-In) inbound rule in the Windows Firewall (port 445) on the target host machine.
  • The File and Printer Sharing for Microsoft Networks service on the network adapter must also be enabled for remote deployment.

  • Auditing of some Exchange events requires the latest Exchange service pack to be installed. Please refer to the ChangeAuditor for Exchange Events Reference Guide for the minimum service packs required for Exchange events.

  • Exchange 2003: The ChangeAuditor Agent uses the COM+ and Distributed Transaction Coordinator (DTC) services locally on the host server for detecting Exchange Server message created, moved, copied and deleted events. If the COM+ or DTC services are disabled or inoperative, these events will not be detected but the Agent will otherwise run normally. Network access to DTC is not required. When enabling the COM+ service, a ChangeAuditor Agent restart is required, because COM+ service registration occurs at agent startup time.
Agent Software and Configuration
  • Microsoft .NET Framework:
    • .NET 2.0 (or higher)
    • Additional .NET requirements are dictated by the audited software such as Exchange, SharePoint or VMware.
  • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • The agent must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
  • The ChangeAuditor Agent service depends on the following Windows services to be running:
    • DNS Client
    • Remote Procedure Call (RPC)
    • Windows Event Log
Minimum Permissions
  • ChangeAuditor Agent must run as LocalSystem.
Agent Footprint

Estimated hard disk space used: 120 MB + local database size

Estimated RAM used: 60 MB

Agent Installation Incompatibilities
  • Pre-5.6 versions of ChangeAuditor
  • SecurityManager
  • InTrust plug-ins:
    • ITAD
    • ITADAM
    • ITFA
    • ITEX
  • ScriptLogic Active Administrator
  • DirectoryLockdown
  • EMC’s EmailXtender
Exchange Monitoring Minimum Service Pack Requirements
  • Windows Server 2003 and 2003 R2:
    • Microsoft Exchange Server 2003 Service Pack 2
    • Microsoft Exchange Server 2007 x64 Service Pack 1
  • Windows Server 2008 and 2008 R2:
    • Microsoft Exchange Server 2007 x64 Service Pack 1
    • Microsoft Exchange Server 2010 RTM
  • Windows Server 2008 R2 SP1:
    • Microsoft Exchange Server 2007 x64 Service Pack 1
    • Microsoft Exchange Server 2010 RTM
    • Microsoft Exchange Server 2013 CU1
  • Windows Server 2012:
    • Microsoft Exchange Server 2010 Service Pack 3
    • Microsoft Exchange Server 2013 RTM

EMC Monitoring Requirements
  • ChangeAuditor 5.6 (or higher)
  • EMC Celerra Event Enabler (CEE) Framework 4.6.7
  • EMC VNX Event Enabler (VEE) Framework 4.8.5 (through 5.1)
    • NOTE: EMC Celerra Event Enabler (CEE) Framework 6.x (or higher) is not supported in ChangeAuditor 6.0

See the ChangeAuditor for EMC User Guide for more information on the requirements, as well as how to install, configure and use ChangeAuditor for EMC.

NOTE: VNXe is NOT supported. VNXe does not support CEPA at this time and therefore ChangeAuditor for EMC will NOT run successfully in VNXe environments.

NetApp Monitoring Requirements
  • ChangeAuditor 5.6 (or higher)
  • NetApp Filer with Data OnTap 7.2 (or higher)

See the ChangeAuditor for NetApp User Guide for more information on the requirements, as well as how to install, configure and use ChangeAuditor for NetApp.

VMware Monitoring Requirements
  • ChangeAuditor 5.7 (or higher)
  • ESX/ESXi 4.0, 4.1 and 5.0
  • vCenter 4.0, 4.1 and 5.0
SharePoint Monitoring Requirements
  • ChangeAuditor 5.7 (or higher)
  • SharePoint Server 2010 or 2013
  • SharePoint Foundation 2010 or 2013

See the ChangeAuditor for SharePoint User Guide for detailed information on installing, configuring and using ChangeAuditor for SharePoint.

At the time of this ChangeAuditor release, Microsoft does not support SharePoint 2010 on machines running Windows Server 2012.

User Logon Activity Auditing Requirements
  • ChangeAuditor 5.8 (or higher)
  • ChangeAuditor Data Gateway Service 5.8 (or higher)
  • InTrust 10.6 (or higher)
  • InTrust Repository Viewer 10.6 (or higher)

See the ChangeAuditor InTrust Integration Guide for more information on the requirements, as well as how to configure ChangeAuditor to retrieve user logon activity events from InTrust.

ChangeAuditor Web Client (Optional Component)

The ChangeAuditor web client is an optional component that is installed on the IIS web server to provide users access to ChangeAuditor data through a standard or mobile web browser.

Supported Browser Versions

Minimum Standard Browser Versions Supported:

  • Internet Explorer 9 (or higher) NOT running in Compatibility View mode
  • Firefox 10 (or higher)
  • Chrome 17 (or higher)
  • Safari 5.x
Supported IIS Versions

Application server running on the following minimum platforms:


• Windows Server 2008 (with IIS 7 or above)
• Windows Server 2012 (with IIS 8 or above)

ChangeAuditor Data Gateway Service (Optional Component)

The ChangeAuditor Data Gateway is an optional component that integrates with InTrust 10.5 (or higher) to gather logon events and display them in the ChangeAuditor client.

Data Gateway Hardware

Minimum: Dual Core 2.0 GHz or better; 4 GB RAM or better
Recommended: Quad Core 3.0 GHz or better; 8 GB RAM or better

The more processor cores are available, the more threads can be used for querying results from the InTrust Repository, thus reducing the overall processor usage.

    • Member server running on the following minimum platforms:
      • Windows Server 2003 SP2
      • Windows Server 2003 R2
      • Windows Server 2008
      • Windows Server 2008 R2
      • Windows Server 2012 (Standard, Essentials and Datacenter)
    • x86 or x64 versions of Microsoft’s .NET Framework 4.0 (or higher)
    • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
    • Estimated physical memory (RAM) of 100 MB

      Microsoft’s Windows Small Business Server 2003, 2008 and 2011 are NOT supported.

      Microsoft's Windows Server 2012 Foundation edition is NOT supported.


Data Gateway Software Configuration

  • ChangeAuditor Data Gateway requires InTrust 10.6 (or higher) Repository Viewer to be installed on the same member server.

    The Data Gateway Service relies on the InTrust Repository Viewer; therefore, Quest recommends that you create two Domain accounts with interactive logon rights on the Data Gateway Service server and that have InTrust repository access privileges (i.e., an account that can be used to run a search using the InTrust Repository Viewer) BEFORE you install the Data Gateway Service:

      • An account which has elevated privileges to install and configure the Data Gateway Service.
      • A service account to be used to run the Data Gateway Service.

    To ensure that the repository access privileges are sufficient, you can use the same account that was used to install the basic InTrust components. If you use this same account, you must ensure that the following requirements are also met:

  • Account used to install and configure Data Gateway Service:

    In addition to having access to the InTrust repository, the user account that will be performing the Data Gateway Service installation and configuration must have the appropriate permissions to perform the following tasks on the target server:

      • Windows permissions to create and modify registry values.
      • Windows administrative permissions to install software and stop/start services.

    It is recommended that the user account performing the installation be a member of the Domain Admins group in the domain where the Data Gateway Service is being installed.

  • Service Account running Data Gateway Service.

    In addition to having access to the InTrust repository, the service account that will be used to run the Data Gateway Service must also be assigned the ’Log on as a service’ user rights assignment setting.
