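Change Auditing and Regulatory Compliance
Zhang Junhua (张军华), 2011.10

ChangeAuditor coverage
• ChangeAuditor for Active Directory
• ChangeAuditor for LDAP
• ChangeAuditor for Exchange
• ChangeAuditor for Windows File Servers
• ChangeAuditor for NetApp
• ChangeAuditor for EMC
• ChangeAuditor for SQL Server
• ChangeAuditor for Defender
• ChangeAuditor for QAS

Challenges
• Microsoft AD, Exchange, Windows File Servers, NetApp, EMC, and SQL Server are all part of the business-critical infrastructure.
• Event logging and change reporting are both required to satisfy audit departments and regulatory compliance requirements.
• There is no consolidated view of changes and events across the enterprise.
• Drilling down to find one specific event is too time-consuming.
• Native event details are limited, scattered, and hard to interpret.
• Certain sensitive objects cannot be protected against accidental deletion, accidental restore, and the like.
• Administrators usually only get their "oh, so that's what happened" moment after a system has already gone out of service.
• Reporting is always time-consuming, labor-intensive work.

Solution: ChangeAuditor
• Real-time change auditing: AD, LDAP, Exchange, SQL, Windows file servers, NetApp, EMC, Registry, Services, Local Users & Groups.
• View all enterprise-wide changes from one intuitive client, with instant sorting, filtering, and charting.
• Ensure security and regulatory compliance by tracking changes in real time and recording the values before and after each change.
• Strengthen internal controls through object protection and insight into authorized and unauthorized changes.

What is ChangeAuditor?
Provides complete, real-time change management: proactive auditing, in-depth insight, and comprehensive reporting for all key configuration changes on the Windows platform, including Active Directory, ADLDS, LDAP, Exchange, Windows File Servers, NetApp, EMC and SQL Server.
• Who: who made the change?
• When: when was the change made?
• Why: why was the change made?
• Where: from which network location was the change made?
• What: which object was changed?
• Workstation: from which workstation was the change made?
• Smart Alerts

ChangeAuditor key features
• Broad platform support: Active Directory & ADLDS, Exchange, Windows File Servers, NetApp, EMC, SQL Server, Queries against Active Directory, Registry, Local Users & Groups, and Services.
• Detailed what, when, where, why and workstation, plus original and current values, presented simply and intuitively.
• Optionally log events to a Windows event log.
• Proactive object protection: prevents critical AD objects, mailboxes, and Windows files/folders from being accidentally deleted and the like.

ChangeAuditor key features (continued)
• A broad, comprehensive auditing library, including built-in alerts, reports, and powerful searches based on best practices and regulations.
• Integration with SQL Reporting Services (SRS) makes publishing reports and delivering them automatically easy.
• Sends "Smart Alerts" based on event patterns.
• Role-based authorized access.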

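• Automated agent deployment and management (from the client).
• Key performance indicators: event count, queue count, database size, uptime, 100s more.
• Supports Windows Server 2008 R2, Server Core & Windows 7.
• Integrates with Quest Authentication Services (QAS) & Defender.
• Sends events to Console using a Management Pack.
• Uses "account exclusion" to reduce the number of meaningless events (white noise).

ChangeAuditor architecture
[Diagram: change auditing environment configuration. ChangeAuditor, real time: Exchange, Active Directory/LDAP, Windows File Server, SQL Server, EMC, NetApp.]

ChangeAuditor for AD, ADLDS & LDAP

ChangeAuditor for AD
[Screenshots: overview, easy-to-read events, filtering; GPO settings; Locked Out; object protection; role-based access.]

ChangeAuditor for LDAP
Assists the discovery process for AD domain consolidation/migration:
• Who needs access to AD?
• Identify which systems need to connect to AD during and after the migration.
• What objects or containers in Active Directory are used for application data storage?
Identifies inefficient queries that degrade DC performance:
• Long-running queries, which suggest a poor write or read.
• Large result sets, which likewise suggest a write or read without a suitable filter condition.
• Which queries are executed over and over within a short period?

Why ChangeAuditor is better than native auditing (native event log vs. ChangeAuditor)
• Configuration. Native event log: the registry must be edited manually on every DC. ChangeAuditor: configured centrally in the ChangeAuditor client.
• When events become available. Native event log: by default every 12 hours; events are written to the event log only when garbage collection runs. ChangeAuditor: real-time event forwarding.
• Event collection. Native event log: not supported; a third-party collection tool is required. ChangeAuditor: all events are forwarded to and stored centrally in ChangeAuditor.
• Container filtering and exclusion. Native event log: not supported; native auditing audits either everything or nothing. ChangeAuditor: lets you collect what actually matters to you.
• Secure and signed. Native event log: not supported. ChangeAuditor: flags queries as Secure (SSL/TLS) and/or Signed.
• Name resolution. Native event log: not supported. ChangeAuditor: resolves the raw IP to a host name.
• Reports and reporting. Native event log: not supported. ChangeAuditor: reports also include filtering and grouping.

What information is collected?
• Who ran the query?
• On which DC did the query run?
• From which workstation/server did the query originate?
• In which container did the query start?
• How many results were returned?
• How long did the query run?
• How many times has the query run recently?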

• Was the query secure/signed?

Centralized management
• Discard results with fewer than a given number of objects, so users can focus on query performance.
• Discard queries that run for less than a given number of milliseconds, so users can focus on query performance.
• Discard duplicates that occurred within a given recent time window; this helps both migration discovery and performance tuning.
• Exclude containers from auditing: remove repeatedly queried AD objects and containers to prevent too many "noise" events.

ChangeAuditor for Exchange

Challenges
• Changes to Exchange Store settings cannot be tracked.
• Event logs and audit data are scattered across the enterprise.
• Large volumes of audit data are hard to archive.
• Large volumes of audit data take a great deal of time to analyze, trend, report on, and distribute.
• Native auditing does not provide details on:
  • Non-owner mailbox access and specific activity related to this access
  • Changes to permissions at the client level
  • Changes to permissions to the Configuration Store
• Native auditing does not provide detailed tracking of mailbox permission changes in AD.

What to consider when auditing Exchange
• Changes to security groups that have administrative privileges.
• Exchange Server configuration changes.
• Access to critical mailboxes: executives, board members, HR, ...
• Membership changes in critical distribution lists: Senior Leadership Team discuss company strategies.

Exchange 2010 SP1 compliance and discovery capabilities (feature and description)
• Administrator audit logging (Exchange 2007 & 2010): audits administrative actions and configuration changes (create, modify, delete). Commands are logged to a hidden arbitration mailbox. Entries can be viewed from the Exchange Control Panel or with PowerShell. Only changes made from the Ex. 2010 management tools are logged.
• Mailbox audit logging (Exchange 2010 SP1): audit records are stored in a hidden table of the audited user. They cannot be accessed from Outlook or OWA; the Exchange Management Shell or ECP must be used. Types of auditing: Administrator, Delegate, & Owner. Microsoft stresses that turning this on for one or more mailboxes requires serious consideration.

If you plan to implement native auditing, also consider
• Multiple environments, multiple tools: Exchange 2007, ADSIEdit, VBScript.
• Number of log entries: there could be thousands of events written to these auditing mailboxes. Searching could prove to be quite time-consuming. Ad hoc reporting might be tolerable but routine reviews impossible.
• Reporting requirements: if special reports and charts are required, the built-in tools will not be adequate.
• Proactive notification and protection: just not feasible natively.
• Data retention: native auditing retains 90 days by default. Many companies' policies, however, call for 37 years!

ChangeAuditor for Exchange (capability and ChangeAuditor benefit)
• Administrator audit logging: all administrative changes are audited, no matter which tool you use. From the client you can also sort, filter, group, and chart change information, receive real-time alerts, and run reports at any time.
• Mailbox audit logging: easy-to-use client for configuring, reporting, searching, protecting and alerting. View all configuration changes and mailbox accesses from one report. Support for purging noisy events and archiving the important ones automatically.

With ChangeAuditor for Exchange you can
Automate the process of collecting, storing, reporting and alerting on:
• Logons to mailboxes
• Permission & Delegate modifications
• Mailbox creation/deletion
• Subject line audit
• Non-owner mailbox access and activities such as Copy, Delete, Read, Forward
• Changes to Exchange-related attributes in Active Directory
• Exchange Server configuration changes
• Use of Send-as privileges

ChangeAuditor for Exchange
[Screenshots: Mailbox Protect; Role-Based Access; Config Tracker; Reporting Capabilities in ChangeAuditor.]

ChangeAuditor for Windows File Servers, ChangeAuditor for NetApp, ChangeAuditor for EMC

The Challenges
Providing timely information to help compliance/security teams meet requirements around file/object access is critical:
• What are users doing with their access?
• When potential violations occur to permission changes?
• When ownership changes take place?
• Critical documents may be at risk without reporting/alerting on permission and ownership changes.
• File/folder access auditing has always been a big hole in regards to compliance and security initiatives.
• Collecting and reporting on file access audit data is difficult and takes many man-hours.
• Archiving and consolidating event logs takes up a large amount of network bandwidth and disk space.
• Forensic analysis is virtually impossible with native tools.
• Native file access auditing degrades server performance.
• Permission changes made to files and folders are difficult to capture and interpret.

With ChangeAuditor for Windows File Servers, NetApp & EMC you can
• Reduce cost & complexity and meet security objectives:
  • Easily determine what permission changed
  • Easily determine what action was performed
• Improve IT operational management and efficiency:
  • Critical system resources are saved & security is improved

ChangeAuditor for Windows File Servers, NetApp & EMC
[Screenshots: Share Audit; Real-Time Alert; Rapid Report.]

ChangeAuditor for SQL Server
• Organizations face increased demands to improve security to meet regulatory requirements surrounding sensitive and financial data.
• Reduce the risks of operational outages from accidental or malicious actions by privileged users.
• Report on DBA and other privileged users' activity on your SQL Servers across the enterprise and answer questions such as:
  • How do you monitor access to confidential information?
  • How do you log SQL Server security events such as startups, shutdowns, and logins, and do you review exceptional events?
  • How do you report on direct access to production data that is outside of normal application controls?
  • How do you monitor database configuration and parameter setting changes?

ChangeAuditor for SQL Server: Improves Security and Reduces Incidents
• Automates the process of collecting data about both privileged and non-privileged access.
• Centralizes the collected events.
• Normalizes SQL and other Windows events into a single platform in simple-to-understand terms.
• Allows privileged users to perform their important and required job duties by unobtrusively monitoring and auditing behaviors.
• Allows you to answer your auditors' and regulators' questions about how you manage activity of users on SQL Servers across the enterprise.

How ChangeAuditor interfaces with SQL Trace
• Event Tracing for Windows (ETW).
• Events are gathered if they are listed in the ChangeAuditor SQL Auditing Template.
• Tracing is done locally on the SQL Server by the ChangeAuditor Agent, not remotely.
• Event sources can be any of the sources that produce a trace event (T-SQL queries, etc.).

ChangeAuditor for SQL Server Auditing Templates
• Enable SQL Server auditing by adding a SQL Auditing template to an agent configuration, which can then be assigned to a ChangeAuditor agent (SQL Server).
• ChangeAuditor ships with a pre-defined SQL Auditing template: the Best Practice SQL Auditing Template.

Common SQL Configuration Examples
• Only audit events for databases named “Accounting”
• Audit any activity that is not from this service account
• Audit any activity that is not from my application server

ChangeAuditor for SQL Server
• Supports: 2005, 2008, & 2008 R2.
• Captures the actual query used.
[Screenshot: Native SQL Auditing.]

SQL Server Audit Events in the Best Practices Template
• Add DB User
• Add Login
• Add Login to server role
• Add Member to DB role
• Add Role
• Change Database Owner
• Change Member in DB Role
• Create database
• Delete database
• Delete DB user
• Delete Login
• Delete Login from Server role
• Delete member from DB role
• Delete Role
• Grant database access to DB user
• Revoke database access from DB user
In total, 397 SQL events can be captured.

ChangeAuditor for Defender
• Quest Defender enhances security by enabling two-factor authentication to network, Web, and applications-based resources. Defender was designed to base all administration and identity management on an organization's existing investment in Active Directory.
• ChangeAuditor for Defender tracks changes to user accounts enabled with Defender tokens in Active Directory.
[Screenshots: ChangeAuditor for Defender Audited Events; Overview; Token added; Token removed.]

ChangeAuditor for Quest Authentication Services
ChangeAuditor f
