File System Auditing That Works

Apr 14, 2018

7/27/2019 File System Auditing That Works

WHITE PAPER

Real-Time, Secured Auditing Using Real-World Information

Written by Don Jones

Co-founder of Concentrated Technology (ConcentratedTech.com)

and Microsoft MVP

File System Auditing That Works

White Paper: File System Auditing That Works

© 2010 Quest Software, Inc. ALL RIGHTS RESERVED.


January 2010

Contents

Introduction
The Need for Auditing
    Internal Requirements
    External Requirements
    The Real World Needs More Than Auditing
Windows Native File Auditing
    Capabilities
    Limitations
ChangeAuditor for File Systems: Practical Auditing for the Real World
    How It Works
    Secure Repository
    Granular Configuration
    Central Management Console
    Real-Time Alerts
    Out-of-the-Box Reports that Are Easy to Understand
Conclusion
Next Steps
About the Author


Introduction

Since the introduction of Windows NT 3.1, Windows server operating systems have excelled at sharing files within organizations. However, file sharing created the need to audit access to shared files, including legitimate and unauthorized access attempts.

Today, the need for proper auditing is mission-critical. However, native auditing tools do not meet the auditing requirements of today's organizations. Fortunately, Quest ChangeAuditor for File Systems can meet these needs with comprehensive, centralized and flexible auditing.


The Need for Auditing

Internal Requirements

Today, organizations are increasingly more sensitive about security. Industrial espionage, politely referred to as data leakage, continues to hurt companies, forcing them to use auditing to:

• Provide forensic evidence in cases of wrongdoing.

• Serve as a deterrent. When corporate users know that their actions are being rigorously monitored by automated systems, they are much less likely to engage in wrongdoing.

External Requirements

Organizations' internal security concerns are intensified by legislative, industry and other external requirements, including:

• The Health Insurance Portability and Accountability Act (HIPAA): affects companies and organizations working in the U.S. health care industry

• The Sarbanes-Oxley (SOX) Act: affects U.S. publicly-traded companies

• The Gramm-Leach-Bliley (GLB) Act: affects financial services companies doing business in the U.S.

• The Payment Card Industry Data Security Standard (PCI DSS): affects nearly any company that accepts credit or debit cards as a form of payment

• Numerous federal rules and laws affecting government organizations and contractors, as well as other organizations

• European privacy and accountability laws affecting almost every corporate entity in the European Union

All of these regulations have different objectives and require tracking different types of covered data. HIPAA, for example, focuses on patient information, while PCI DSS focuses on cardholder information. However, their file access requirements are the same:

• All access to covered data must be logged, whether the access is legitimate or improper.

• All audit logs must be tamperproof or tamper-evident.

• Separation of duties requires that those who control access to files cannot also control the audit log.

• Audit logs must be permanent; no one should be able to clear the log or remove individual entries in an attempt to cover their tracks.

The Real World Needs More Than Auditing

In most cases, organizations will also need capabilities beyond those required by internal security practices or external requirements. For example, organizations should have:

• Searchable audit logs with data that can be compiled for reports used during periodic audits by live auditors.

• Real-time notification of inappropriate activity, enabling administrators to log, and correct, that activity as quickly as possible.

• Details of every activity, including who accessed a file, what they did, when they did it, how they accessed it, where they accessed it from, and more.

• Centralized audit logs, so that review, alerting, and reporting activities can include the entire enterprise, not just a single server.


Windows Native File Auditing

Capabilities

Windows has always offered native file auditing capabilities. In current versions of Windows Server, these capabilities are controlled through local or, ideally, central Group Policy settings. Both Success and Failure (access denied) activity can be audited, and the information is stored in the Windows Security event log.

Limitations

The security event log is managed on a per-server basis, and contains all audit events generated by every subsystem of the Windows operating system. That is one of the event log's major weaknesses: it is not centralized. If a file exists on ten file servers, and you want to know who has accessed that file, then you need to search the log on all ten servers, a time-consuming, manual task. Tools exist to consolidate the event logs, but they require their own infrastructure and management.

Another problem with the native event logs is that they are managed by server administrators, the same individuals who control access to files. In other words, an administrator can give someone permission to access a file, wait until it is accessed, and then change the permissions back. The administrator can then clear the event log to hide any evidence of wrongdoing. This violates two major security requirements: tamperproof or tamper-evident logs, and separation of duties. This issue alone often makes the native event logs unusable for serious auditing purposes.

Also, the event logs tend to contain highly technical data that is difficult to translate into real-world information like users and specific file resources. For example, consider this typical security event log entry from the file system:


You can't tell what has happened or which user was responsible. The entry shows 0x3e7 as the logon ID, but who is that, exactly? What file was accessed? Deciphering the log information can be very time-consuming.

Working with the event logs can be difficult, too. Although search functionality is included, it's a simple text search. This means you have to know exactly what you're looking for. For example, typing 0x3e7 won't typically return results.

Filtering capabilities exist, but they use the same deeply technical identifiers as the event log entries, so there's no real way to search for events that relate to a particular file or user, unless you know the under-the-hood hexadecimal data involved.
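The logon-ID problem described above can be worked around on a single server by correlating each object-access record with the logon record that created that session. The Python below is an added example, not code from the white paper or from any Quest product; its event records are constructed samples shaped after Windows event IDs 4624 (logon) and 4663 (object access), the field names are this example's own, 0x3e7 is resolved from the well-known fact that it is the local SYSTEM logon session, and the last record shows the centralization gap the paper describes, since a session created on another server cannot be resolved from this server's log alone.

```python
"""Added example: turn raw Windows Security object-access records into
'who did what to which file' rows by correlating each access event's logon ID
with the logon event that created that session. Event records are constructed."""
from typing import Dict, List

# Well-known logon session: 0x3e7 (999) is the local SYSTEM account.
WELL_KNOWN_LOGONS: Dict[str, str] = {"0x3e7": "NT AUTHORITY\\SYSTEM"}

# Subset of the access-mask bits Windows reports for file objects.
ACCESS_MASK_BITS = [
    (0x1, "ReadData"), (0x2, "WriteData"), (0x4, "AppendData"),
    (0x80, "ReadAttributes"), (0x100, "WriteAttributes"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
]

# Constructed sample records, shaped after event 4624 (logon) and 4663 (object
# access); the field names are this example's own, not the real event schema.
SAMPLE_EVENTS = [
    {"id": 4624, "logon_id": "0x5a2c1", "user": "CORP\\jsmith", "src": "WS-042"},
    {"id": 4663, "logon_id": "0x5a2c1",
     "object": "\\\\FS01\\Finance\\payroll.xlsx", "mask": "0x1"},
    {"id": 4663, "logon_id": "0x3e7",
     "object": "C:\\Windows\\Temp\\svc.log", "mask": "0x2"},
    # Session created before collection started, or on a different server:
    # this server's log alone cannot say who this is.
    {"id": 4663, "logon_id": "0x9f00",
     "object": "\\\\FS01\\HR\\reviews.docx", "mask": "0x50000"},
]


def decode_access_mask(mask: str) -> List[str]:
    """Expand a hex access mask such as '0x50000' into named rights."""
    value = int(mask, 16)
    return [name for bit, name in ACCESS_MASK_BITS if value & bit]


def build_logon_table(events: List[dict]) -> Dict[str, Dict[str, str]]:
    """Map logon IDs to the account and source that event 4624 reported."""
    table = {lid: {"user": u, "src": "localhost"} for lid, u in WELL_KNOWN_LOGONS.items()}
    for ev in events:
        if ev["id"] == 4624:
            table[ev["logon_id"]] = {"user": ev["user"], "src": ev["src"]}
    return table


def explain_access_events(events: List[dict]) -> List[dict]:
    """One plain-English row per 4663 event. 'user' is None when the logon ID
    cannot be resolved from the events available on this server, and
    'permission_change' flags WRITE_DAC, i.e. a change to the file's ACL."""
    logons = build_logon_table(events)
    rows = []
    for ev in events:
        if ev["id"] != 4663:
            continue
        who = logons.get(ev["logon_id"])
        actions = decode_access_mask(ev["mask"])
        rows.append({
            "user": who["user"] if who else None,
            "src": who["src"] if who else None,
            "file": ev["object"],
            "actions": actions,
            "permission_change": "WRITE_DAC" in actions,
        })
    return rows


if __name__ == "__main__":
    for row in explain_access_events(SAMPLE_EVENTS):
        print(row)
```

Even when the user is resolved, the WRITE_DAC row only says that the file's ACL was changed, not what it was before, which is the before-and-after gap discussed below.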


The event logs don't support native reporting and omit critical information. For example, when a file's permissions are changed, the event log records only that the permission change occurred. It doesn't log what the permissions were before the change, making it very difficult to find out exactly what changed, and to determine whether or not the change was inappropriate.

While the native event logs exist and can in theory track everything that happens within the file system, they are not, in practice, usable for most internal security requirements or for almost any external security requirement. To summarize, the native event logs:

• Lack centralization

• Are not tamperproof or tamper-evident

• Do not support separation of duties

• Do not support robust searching

• Do not provide plain-English information

• Do not provide before-and-after views of changes

• Do not provide real-time alerting on selected activities

• Do not provide reporting


ChangeAuditor for File Systems: Practical Auditing for the Real World

How It Works

Quest's ChangeAuditor for File Systems solves the problems with the native Windows Security event log and provides practical, real-world auditing capabilities that meet today's common requirements and security best practices.

ChangeAuditor works by installing a small agent on each file server. This agent is tamper-evident, meaning it is very difficult to shut the agent down without either crashing the server or leaving an audit trail. The agent is also low-overhead; it places a very small processing burden on the file server. In fact, in most cases, the agent imposes less overhead than enabling full-blown native auditing of every file system access attempt.

The ChangeAuditor agent does not utilize the native event logs, so you can shut them off completely. Instead, the agent taps deeply into the Windows file system, capturing activity at its source, where the most detailed information is located.

Secure Repository

Events are immediately forwarded to a centralized and secured SQL Server-based repository. Once events are in that repository, they are permanent: the repository carries its own set of permissions, independent of those held by the normal administrators in the organization.

Granular Configuration

ChangeAuditor provides highly granular auditing configurations, so managers can enable or disable events based on their own requirements. For example, you can exclude high-traffic or safe accounts from being audited, thereby keeping the audit trail more meaningful.

Figure 1. Configuring ChangeAuditor


Central Management Console

ChangeAuditor's management console provides access to the repository to both administrators and auditors. It provides robust searching and filtering, and allows administrators to define e-mail and other alerts for selected activities, such as permissions changes to sensitive files. ChangeAuditor can even integrate with Microsoft System Center Operations Manager (SCOM), raising critical alerts in real time to a single operations monitoring console.

Figure 2. ChangeAuditor's management console

Real-Time Alerts

ChangeAuditor's smart alerts can even alert administrators or managers to problematic patterns of behavior, where no individual event is worrisome, but where the overall pattern of activity can indicate a problem. These alerts further enable businesses to not only track file system activity, but to respond to potential problems as quickly as possible.


Figure 3. Configuring alerts in ChangeAuditor

Out-of-the-Box Reports that Are Easy to Understand

Because the ChangeAuditor repository is stored in SQL Server, ChangeAuditor can leverage the power and flexibility of SQL Reporting Services (SRS) to generate both on-demand and subscription reports. Numerous pre-designed reports are included for major auditing and compliance scenarios; these reports make ChangeAuditor a successful auditing tool right out of the box.


Figure 4. Sample ChangeAuditor report

Best of all, ChangeAuditor embodies Quest's years of expertise with security and the Windows operating system, enabling it to translate the deeply technical data it gathers into an easy-to-understand report, including before-and-after snapshots of changes.

Figure 5. Sample ChangeAuditor search


Conclusion

Comparing ChangeAuditor's capabilities with the native Windows event log feature reveals how well ChangeAuditor meets modern requirements for compliance and security.

Capability                                      Native Event Log    ChangeAuditor for File Systems
Audit all changes in the file system            X                   X
Built-in reports for security and compliance                        X
Subscription-based reports via SRS                                  X
Accesses file system controls directly                              X
Centralizes all audit activity                                      X
Tamper-evident audit collection                                     X
Tamperproof audit repository                                        X
Granular, custom auditing configuration                             X
Integrates with SCOM for monitoring                                 X

ChangeAuditor for File Systems complements your Windows operating system investment to meet your internal security needs and compliance requirements. It will help you generate intelligent, in-depth forensics for auditors and management, as well as reduce the risks associated with day-to-day file system modifications.


Next Steps

For more information about ChangeAuditor for File Systems, please visit: www.quest.com/changeauditor-for-file-systems


About the Author

Don Jones is a co-founder of Concentrated Technology (ConcentratedTech.com), a Microsoft Most Valuable Professional Award recipient, and the author of more than thirty books on information technology. His consulting practice specializes in making the connection between technology and business, helping businesses realize more value from their IT investment, and helping IT align more closely to business needs and values. Don has been an IT journalist for more than eight years, and is currently a Contributing Editor for Microsoft TechNet Magazine. He is also a sought-after speaker at industry conferences and symposia, including Connections conferences, Microsoft TechEd, TechMentor Events, and others.


About Quest Software, Inc.

Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products, helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.
