Securing the infrastructure and the company domain is one step; auditing is another that works alongside it to close any gaps. Unfortunately, some system or security admins invest time, effort and money in several solutions and devices to protect their network under the assumption that these devices or software work out of the box, with no need to continuously monitor and audit them.
Most of your domain infrastructure (Active Directory, Exchange, file servers, SQL, etc.) generates a lot of log files, and as administrators we tend to turn on logging for everything. The question is whether you periodically check these large, detailed logs. The answer is that only a few admins check them periodically; most only look at the logs when a problem occurs, such as a user lockout or a file deletion.
Auditing is crucial and needs to be done periodically, not after the fact. You need a system that fully audits your infrastructure, generates easy-to-use reports and lets you customize those reports for your domain. This helps you draw a baseline of your environment and alerts you to any abnormal behaviour. Being proactive and having full visibility of your environment will surely pay off more than being reactive.
During the last week I have been reviewing the LepideAuditor Suite, and I thought I would share my feedback on this audit tool, starting with the setup and configuration through to the reporting phase.
Setup and Installation:
- The full auditor suite can be downloaded from the Lepide website; the trial version runs for 15 days with all needed features.
- The suite was installed on a Windows 10 (1703) machine.
- SQL Server 2016 Express was installed and a database for Lepide was created (SQL Server Management Studio was installed as well).
- The Group Policy Management Console needs to be installed to collect Group Policy data.
- After downloading the LepideAuditor Suite, you get a ZIP folder with 4 files, as shown below.
- I picked the LepideAuditor Suite and installed it from the EXE in this folder.
- It took another 3 or 4 clicks (Next) and the suite was installed. The overall process takes around 7-8 minutes.
- After installation, when opening the Lepide icon, you are prompted to use either the logged-in account or another account.
- The next screen is where you start adding the components that you would like to audit.
- For the trial I picked the AD, Exchange, GP, etc. components, which give you great detail and deep auditing on your domain, Exchange, usernames, etc., since everything is tied to Active Directory. For the configuration type you get the Express option and the Advanced option; as the name implies, Express is the quicker way to set up your domain configuration with default values, and you have the flexibility to change it later from the Lepide settings. I picked the Express option to get my system up and running in a few clicks.
- Enter your domain credentials and pick the option of auditing with or without an agent. I tried both and I can't see a major difference in the audit data. For large organizations with a huge volume of activity, the agent option can provide better data compression and reporting.
- I picked all options on the next configuration screen; the wizard had already listed all domain controllers, Exchange servers and Group Policy servers in the environment, with health monitoring and change auditing enabled.
- The next step is to configure the SQL database. I had already installed SQL Express on my PC and created a database named Lepide using SQL Server Management Studio, so I entered my local machine details and picked the database I created earlier.
- Click Finish and that's it: you have a running auditing system for your AD, Exchange, Group Policy and user modifications in 5 clicks. LepideAuditor Suite will restart, you get the dashboard/360 view, and it starts pulling data within a few minutes.
Example of an Auditing Report:
I started to make several changes and check whether they were reflected in the LepideAuditor Suite. One of the changes was moving a mailbox from one Exchange database to another (a common task for Exchange admins, to give the user better mailbox storage or even move them to the cloud).
I moved the user mailbox, and after the batch move was done I checked Lepide Audit Reports - Domain - Exchange Modification Reports - MS Exchange Modification Reports - Mailbox Modifications - Mailbox Moved, and it was logged as shown below.
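As an added example (not from the post and not Lepide's code), the following PowerShell shows where a "Mailbox Moved" record comes from natively in Exchange: the move request statistics and the admin audit log entry for New-MoveRequest. It is meant to be run from the Exchange Management Shell; the mailbox alias and the time window are hypothetical.

```powershell
# Added example, not part of the post or of Lepide: confirm a mailbox move from the
# native Exchange records (move request statistics and the admin audit log), the
# underlying sources for a "Mailbox Moved" style report.
# Run from the Exchange Management Shell. The mailbox identity below is hypothetical.

function Get-MailboxMoveAudit {
    param(
        [Parameter(Mandatory)][string]$Identity,      # alias, UPN or SMTP address
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    $mbx = Get-Mailbox -Identity $Identity

    # Statistics of the move request (status, source and target database), if it still exists.
    $stats = Get-MoveRequest -Identity $mbx.Identity -ErrorAction SilentlyContinue |
             Get-MoveRequestStatistics

    # Admin audit log: every New-MoveRequest that was run, with the caller and its parameters.
    # ObjectModified holds the canonical name (domain/OU/Name), so match on the mailbox name.
    $entries = Search-AdminAuditLog -Cmdlets New-MoveRequest -StartDate $Since -EndDate (Get-Date) |
               Where-Object { $_.ObjectModified -like "*/$($mbx.Name)" }

    foreach ($e in $entries) {
        [pscustomobject]@{
            When            = $e.RunDate
            Caller          = $e.Caller       # admin account that requested the move
            Mailbox         = $e.ObjectModified
            RequestedTarget = ($e.CmdletParameters | Where-Object Name -eq 'TargetDatabase').Value
            Succeeded       = $e.Succeeded
            MoveStatus      = $stats.Status
            SourceDatabase  = $stats.SourceDatabase
            TargetDatabase  = $stats.TargetDatabase
        }
    }
}

# Hypothetical mailbox; look back one day.
Get-MailboxMoveAudit -Identity 'jsmith' -Since (Get-Date).AddDays(-1) | Format-List
```

The admin audit log is the record that survives after the move request itself has been cleared, so it is the one to compare against the tool's report when you validate that nothing is missed.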
The change is also already logged under Exchange changes on the main dashboard.
Active Directory has several detailed reports, including computer, user, printer, container, OU and many other reports.
File Server Audit Setup/Installation:
The next thing I planned to do during my Lepide test was auditing the file share server; the installation was straightforward, as shown below:
- Go to Settings - Component Management and add a component (File Server).
- In the File Server Console Settings, click the + icon to add the Windows file server.
- You need to enter the server IP, domain and user credentials.
- Enter the SQL settings. You can use an existing database or create a new one to host your file server audit changes.
- The wizard will install the agent; then click Finish.
- The File Server reports in the Audit Reports are very detailed, including file modifications, deletions, permissions, etc.
- The first thing I tested with the File Server audit was deleting a test file from one of the shares and checking the Audit Reports (File and Folder Deletion) for the file server; it was clearly shown with all details: which file, who deleted it, when, etc.
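As an added example (not from the post and not Lepide's code), this PowerShell enables the native Windows auditing that a file deletion report is built on and then reads the same events back from the Security log, so you can cross-check what the tool shows against the source. It assumes it runs elevated on the file server itself and uses a hypothetical share path.

```powershell
# Added example, not part of the post or of Lepide: native Windows auditing of file
# deletions on a share, and a query for the resulting Security log events.
# Assumptions: run as Administrator on the file server; the share path is hypothetical.

$SharePath = 'D:\Shares\Finance'   # hypothetical local path of the audited share

# 1. Turn on the "File System" audit subcategory (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry so Delete and DeleteSubdirectoriesAndFiles by anyone are audited,
#    inherited by all files and folders under the share.
$acl  = Get-Acl -Path $SharePath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
            'Everyone',
            [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Read deletions back. Event 4663 ("attempt to access an object") with access mask
#    0x10000 (DELETE) names the file, the user and the process that deleted it.
function Get-FileDeletionEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        if ($data.AccessMask -eq '0x10000' -and $data.ObjectName -like "$SharePath*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object  = $data.ObjectName
                Process = $data.ProcessName
            }
        }
      }
}

Get-FileDeletionEvents | Sort-Object Time | Format-Table -AutoSize
```

Without the SACL in step 2 the subcategory alone produces nothing, which is a common reason a deletion report stays empty; checking the raw 4663 events is the quickest way to tell whether the gap is in Windows or in the reporting tool.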
One very nice feature that several organizations might require is the compliance reports. The LepideAuditor Suite provides a detailed list of reports for several regulations.
Reports in Lepide can in general be easily grouped and filtered, much as if you were working with a native SQL reporting system but with enhanced GUI options, and you can save all of these reports to PDF or CSV.
Another nice feature of the Auditor Suite is health monitoring, which monitors the health of your servers (Active Directory, Exchange, etc.) and lists general health (processors and RAM), service status, AD database performance, replication status, LDAP status, NTDS counters and many other indicators. This option is not present in several other audit tools, and I find it very beneficial.
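As an added example (not from the post and not Lepide's code), this PowerShell collects the native data behind the health indicators just listed for a single domain controller: service status, replication partner results and failures, LDAP reachability and a few NTDS counters. It assumes Windows PowerShell 5.1 with the ActiveDirectory RSAT module, and the DC name is hypothetical.

```powershell
# Added example, not part of the post or of Lepide: native checks behind the DC health
# indicators (services, replication, LDAP, NTDS counters) for one domain controller.
# Assumptions: Windows PowerShell 5.1, ActiveDirectory RSAT module; the DC name is hypothetical.

function Get-DcHealth {
    param([Parameter(Mandatory)][string]$DC)

    # Core services a DC depends on (DNS is only present if the DC also hosts DNS).
    $services = Get-Service -ComputerName $DC -Name NTDS, Netlogon, Kdc, W32Time, DNS -ErrorAction SilentlyContinue |
                Select-Object Name, Status

    # Replication: last result per inbound partner, plus any recorded failures.
    $partners = Get-ADReplicationPartnerMetadata -Target $DC |
                Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
    $failures = @(Get-ADReplicationFailure -Target $DC)

    # LDAP: TCP reachability of port 389 and an actual bind that reads RootDSE.
    $ldapTcp = (Test-NetConnection -ComputerName $DC -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    $ldapBind = try { $null = ([ADSI]"LDAP://$DC/RootDSE").currentTime; $true } catch { $false }

    # A few NTDS performance counters, sampled once (counter names as exposed by Windows).
    $samples = Get-Counter -ComputerName $DC -Counter @(
        '\NTDS\LDAP Client Sessions',
        '\NTDS\LDAP Searches/sec',
        '\NTDS\DRA Pending Replication Synchronizations',
        '\NTDS\DS Threads in Use'
    ) -ErrorAction SilentlyContinue
    $ntds = @{}
    foreach ($s in $samples.CounterSamples) {
        $ntds[$s.Path.Split('\')[-1]] = [math]::Round($s.CookedValue, 2)
    }

    [pscustomobject]@{
        DomainController    = $DC
        StoppedServices     = (($services | Where-Object Status -ne 'Running').Name -join ', ')
        ReplicationFailures = $failures.Count
        OldestPartnerSync   = ($partners | Sort-Object LastReplicationSuccess | Select-Object -First 1).LastReplicationSuccess
        LdapPortOpen        = $ldapTcp
        LdapBindOk          = $ldapBind
        NtdsCounters        = $ntds
    }
}

Get-DcHealth -DC 'dc01.contoso.example' | Format-List   # hypothetical DC
```

Running this against each DC on a schedule and alerting when a service is stopped, a partner's last successful sync is older than your replication interval, or the LDAP bind fails gives you a baseline to compare the suite's health view against.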
Auditing is critical and should be thoroughly considered by all organisations, since we all depend on our systems and use them in our day-to-day operations. I have seen several issues remediated at an early stage thanks to a correct audit and alerting rule. LepideAuditor Suite provides an easy-to-use and very simple installation and setup tool to audit your environment. The reporting provides a huge amount of data, and the nice thing is that you can customize a lot of your audit and reporting settings.
For more Information on LepideAuditor Suite - https://www.lepide.com/lepideauditor/
To download LepideAuditor Suite - https://www.lepide.com/lepideauditor/download.html