7/27/2019 File System Auditing That Works
WHITE PAPER
Real-Time, Secured Auditing Using Real-World Information
Written by Don Jones
Co-founder of Concentrated Technology (ConcentratedTech.com)
and Microsoft MVP
File System Auditing That Works
White Paper: File System Auditing That Works 1
2010 Quest Software, Inc.
ALL RIGHTS RESERVED.
This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Quest Software, Inc. (Quest).
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
E-mail: [email protected]
Refer to our Web site for regional and international office information.
Trademarks
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.
January 2010
Contents
Introduction 3
The Need for Auditing 4
    Internal Requirements 4
    External Requirements 4
    The Real World Needs More Than Auditing 4
Windows Native File Auditing 6
    Capabilities 6
    Limitations 6
ChangeAuditor for File Systems: Practical Auditing for the Real-World 9
    How It Works 9
    Secure Repository 9
    Granular Configuration 9
    Central Management Console 10
    Real-Time Alerts 10
    Out-of-the Box Reports that Are Easy to Understand 11
Conclusion 14
Next Steps 15
About the Author 16
Introduction
Since the introduction of Windows NT 3.1, Windows server operating systems have excelled at sharing files within organizations. However, file sharing created the need to audit access to shared files, including legitimate and unauthorized access attempts.

Today, the need for proper auditing is mission-critical. However, native auditing tools do not meet the auditing requirements of today's organizations. Fortunately, Quest ChangeAuditor for File Systems can meet these needs with comprehensive, centralized and flexible auditing.
The Need for Auditing
Internal Requirements
Today, organizations are increasingly sensitive about security. Industrial espionage, politely referred to as data leakage, continues to hurt companies, forcing them to use auditing to:
• Provide forensic evidence in cases of wrongdoing.
• Serve as a deterrent. When corporate users know that their actions are being rigorously monitored by automated systems, they are much less likely to engage in wrongdoing.
External Requirements
Organizations' internal security concerns are intensified by legislative, industry and other external requirements, including:
• The Health Insurance Portability and Accountability Act (HIPAA), which affects companies and organizations working in the U.S. health care industry
• The Sarbanes-Oxley (SOX) Act, which affects U.S. publicly traded companies
• The Gramm-Leach-Bliley (GLB) Act, which affects financial services companies doing business in the U.S.
• The Payment Card Industry Data Security Standard (PCI DSS), which affects nearly any company that accepts credit or debit cards as a form of payment
• Numerous federal rules and laws affecting government organizations and contractors, as well as other organizations
• European privacy and accountability laws affecting almost every corporate entity in the European Union
All of these regulations have different objectives and require tracking different types of covered data. HIPAA, for example, focuses on patient information, while PCI DSS focuses on cardholder information. However, their file access requirements are the same:
• All access to covered data must be logged, whether the access is legitimate or improper.
• All audit logs must be tamperproof or tamper-evident.
• Separation of duties requires that those who control access to files cannot also control the audit log.
• Audit logs must be permanent; no one should be able to clear the log or remove individual entries in an attempt to cover their tracks.
The Real World Needs More Than Auditing
In most cases, organizations will also need capabilities beyond those required by internal security practices or external requirements. For example, organizations should have:
• Searchable audit logs with data that can be compiled for reports used during periodic audits by live auditors.
• Real-time notification of inappropriate activity, enabling administrators to log, and correct, that activity as quickly as possible.
• Details of every activity, including who accessed a file, what they did, when they did it, how they accessed it, where they accessed it from, and more.
• Centralized audit logs, so that review, alerting, and reporting activities can include the entire enterprise, not just a single server.
Windows Native File Auditing
Capabilities
Windows has always offered native file auditing capabilities. In current versions of Windows Server, these capabilities are controlled through local or, ideally, central Group Policy settings. Both Success and Failure (access denied) activity can be audited, and the information is stored in the Windows Security event log.
Limitations
The security event log is managed on a per-server basis, and contains all audit events generated by every subsystem of the Windows operating system. That is one of the event logs' major weaknesses: they are not centralized. If a file exists on ten file servers, and you want to know who has accessed that file, then you need to search the log on all ten servers, a time-consuming, manual task. Tools exist to consolidate the event logs, but they require their own infrastructure and management.

Another problem with the native event logs is that they are managed by server administrators, the same individuals who control access to files. In other words, an administrator can give someone permission to access a file, wait until it is accessed, and then change the permissions back. The administrator can then clear the event log to hide any evidence of wrongdoing. This violates two major security requirements: tamperproof or tamper-evident logging, and separation of duties. This issue alone often makes the native event logs unusable for serious auditing purposes.

Also, the event logs tend to contain highly technical data that is difficult to translate into real-world information like users and specific file resources. For example, consider this typical security event log entry from the file system:
You can't tell what has happened or which user was responsible. The entry shows 0x3e7 as the logon ID, but who is that, exactly? What file was accessed? Deciphering the log information can be very time-consuming.

Working with the event logs can be difficult, too. Although search functionality is included, it's a simple text search. This means you have to know exactly what you're looking for. For example, typing 0x3e7 won't typically return results.

Filtering capabilities exist, but they use the same deeply technical identifiers as the event log entries, so there's no real way to search for events that relate to a particular file or user, unless you know the under-the-hood hexadecimal data involved.
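As an added example (not from the white paper and not Quest's code), the following PowerShell does by hand the translation the paper says native logs lack: it reads the native file-access audit events (ID 4663) from one or more servers' Security logs, turns the hex logon ID and access mask into who, what file and which access, and also looks for event 1102, which Windows writes when the Security log is cleared. It assumes the Audit Object Access / Audit File System policy is enabled, the audited folders carry a SACL, and the caller can read the Security log; the server names in the last lines are placeholders.

```powershell
# Added example, not from the white paper or from Quest: render native 4663
# "object access" events as who/what/when/how records and look for event 1102
# (Security log cleared). Assumes Audit Object Access / Audit File System is
# enabled, the audited folders carry a SACL, and the caller can read the log.
# Standard Windows file access-right bits as they appear in AccessMask.
$FileRights = [ordered]@{
    0x00001 = 'ReadData/ListDirectory'
    0x00002 = 'WriteData/AddFile'
    0x00004 = 'AppendData/AddSubdirectory'
    0x00020 = 'Execute/Traverse'
    0x00040 = 'DeleteChild'
    0x00100 = 'WriteAttributes'
    0x10000 = 'DELETE'
    0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC (change permissions)'
    0x80000 = 'WRITE_OWNER (take ownership)'
}
function ConvertTo-AccessNames {
    param([long]$Mask)
    $names = foreach ($bit in $FileRights.Keys) { if ($Mask -band $bit) { $FileRights[$bit] } }
    if ($names) { $names -join ', ' } else { '0x{0:X}' -f $Mask }
}
function ConvertFrom-EventData {
    # Flatten an event's <EventData> (or <UserData>) name/value pairs into a hashtable.
    param($Event)
    $xml = [xml]$Event.ToXml()
    $nodes = if ($xml.Event.EventData) { $xml.Event.EventData.Data } else { $xml.Event.UserData.FirstChild.ChildNodes }
    $d = @{}
    foreach ($n in $nodes) { $d[$n.Name] = $n.'#text' }
    return $d
}
function Get-FileAccessAudit {
    # One readable record per 4663 event from one server; -MaxEvents bounds the read.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 200,
          [datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            # 0x3e7 (999) is the built-in SYSTEM logon session the paper singles out;
            # any other session maps to the subject account recorded in the event.
            $user = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            if ([Convert]::ToInt64($d.SubjectLogonId, 16) -eq 0x3e7) { $user = 'NT AUTHORITY\SYSTEM' }
            [pscustomobject]@{
                Time = $_.TimeCreated; Server = $ComputerName; User = $user; LogonId = $d.SubjectLogonId
                File = $d.ObjectName; Process = $d.ProcessName
                Access = ConvertTo-AccessNames ([Convert]::ToInt64($d.AccessMask, 16))
            }
        }
}
function Get-SecurityLogCleared {
    # Event 1102 is the one trace left when the Security log is cleared, the cover-up the paper describes.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
        ForEach-Object { $d = ConvertFrom-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; Server = $ComputerName; ClearedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)" } }
}
# One view across several servers (the centralization the paper says native logs lack).
$servers = @($env:COMPUTERNAME)   # add file servers here; 'FS01','FS02' would be placeholder names
$servers | ForEach-Object { Get-FileAccessAudit -ComputerName $_ } | Sort-Object Time | Format-Table -AutoSize
$servers | ForEach-Object { Get-SecurityLogCleared -ComputerName $_ } | Format-Table -AutoSize
```

Reading the Security log remotely needs the Remote Event Log Management firewall rule and rights on each server, so the script must be run as an account with that access; an absent 1102 record only shows that no clear was logged, not that none happened, which is the tamper-evidence gap the paper describes.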
The event logs don't support native reporting and omit critical information. For example, when a file's permissions are changed, the event log records only that the permission change occurred. It doesn't log what the permissions were before the change, making it very difficult to find out exactly what changed, and to determine whether or not the change was inappropriate.

While the native event logs exist and can in theory track everything that happens within the file system, they are not, in practice, usable for most internal security requirements or for almost any external security requirement. To summarize, the native event logs:
• Lack centralization
• Are not tamperproof or tamper-evident
• Do not support separation of duties
• Do not support robust searching
• Do not provide plain-English information
• Do not provide before-and-after views of changes
• Do not provide real-time alerting on selected activities
• Do not provide reporting
ChangeAuditor for File Systems: Practical Auditing for the Real-World

How It Works
Quest's ChangeAuditor for File Systems solves the problems with the native Windows Security event log and provides practical, real-world auditing capabilities that meet today's common requirements and security best practices.

ChangeAuditor works by installing a small agent on each file server. This agent is tamper-evident, meaning it is very difficult to shut the agent down without either crashing the server or leaving an audit trail. The agent is also low-overhead; it places a very small processing burden on the file server. In fact, in most cases, the agent imposes less overhead than enabling full-blown native auditing of every file system access attempt.

The ChangeAuditor agent does not utilize the native event logs, so you can shut them off completely. Instead, the agent taps deeply into the Windows file system, capturing activity at its source, where the most detailed information is located.

Secure Repository
Events are immediately forwarded to a centralized and secured SQL Server-based repository. Once events are in that repository, they are permanent: the repository carries its own set of permissions, independent of those held by the normal administrators in the organization.

Granular Configuration
ChangeAuditor provides highly granular auditing configurations, so managers can enable or disable events based on their own requirements. For example, you can exclude high-traffic or safe accounts from being audited, thereby keeping the audit trail more meaningful.
Figure 1. Configuring ChangeAuditor
Central Management Console
ChangeAuditor's management console provides access to the repository to both administrators and auditors. It provides robust searching and filtering, and allows administrators to define e-mail and other alerts for selected activities, such as permissions changes to sensitive files. ChangeAuditor can even integrate with Microsoft System Center Operations Manager (SCOM), raising critical alerts in real time to a single operations monitoring console.

Figure 2. ChangeAuditor's management console

Real-Time Alerts
ChangeAuditor's smart alerts can even alert administrators or managers to problematic patterns of behavior, where no individual event is worrisome, but where the overall pattern of activity can indicate a problem. These alerts further enable businesses not only to track file system activity, but to respond to potential problems as quickly as possible.
Figure 3. Configuring alerts in ChangeAuditor
Out-of-the-Box Reports that Are Easy to Understand
Because the ChangeAuditor repository is stored in SQL Server, ChangeAuditor can leverage the power and flexibility of SQL Reporting Services (SRS) to generate both on-demand and subscription reports. Numerous pre-designed reports are included for major auditing and compliance scenarios; these reports make ChangeAuditor a successful auditing tool right out of the box.
Figure 4. Sample ChangeAuditor report
Best of all, ChangeAuditor embodies Quest's years of expertise with security and the Windows operating system, enabling it to translate the deeply technical data it gathers into an easy-to-understand report, including before-and-after snapshots of changes.
Figure 5. Sample ChangeAuditor search
Conclusion
Comparing ChangeAuditor's capabilities with Windows' native event log feature reveals how well ChangeAuditor meets modern requirements for compliance and security.

Capability                                      Native Event Log    ChangeAuditor for File Systems
Audit all changes in the file system            X                   X
Built-in reports for security and compliance                        X
Subscription-based reports via SRS                                  X
Accesses file system controls directly                              X
Centralizes all audit activity                                      X
Tamper-evident audit collection                                     X
Tamperproof audit repository                                        X
Granular, custom auditing configuration                             X
Integrates with SCOM for monitoring                                 X

ChangeAuditor for File Systems complements your Windows operating system investment to meet your internal security needs and compliance requirements. It will help you generate intelligent, in-depth forensics for auditors and management, as well as reduce the risks associated with day-to-day file system modifications.
Next Steps
For more information about ChangeAuditor for File Systems, please visit: www.quest.com/changeauditor-for-file-systems
About the Author
Don Jones is a co-founder of Concentrated Technology (ConcentratedTech.com), a Microsoft Most Valuable Professional Award recipient, and the author of more than thirty books on information technology. His consulting practice specializes in making the connection between technology and business, helping businesses realize more value from their IT investment, and helping IT align more closely to business needs and values. Don has been an IT journalist for more than eight years, and is currently a Contributing Editor for Microsoft TechNet Magazine. He is also a sought-after speaker at industry conferences and symposia, including Connections conferences, Microsoft TechEd, TechMentor Events, and others.
5 Polaris Way, Aliso Viejo, CA 92656 | PHONE 800.306.9329 | WEB www.quest.com | E-MAIL [email protected]

About Quest Software, Inc.
Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products, helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software
PHONE 800.306.9329 (United States and Canada)
If you are located outside North America, you can find your local office information on our Web site.
E-MAIL [email protected]
MAIL Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA
WEB SITE www.quest.com

Contacting Quest Support
Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract.
Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at https://support.quest.com.
SupportLink gives users of Quest Software products the ability to:
• Search Quest's online Knowledgebase
• Download the latest releases, documentation, and patches for Quest products
• Log support cases
• Manage existing support cases
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policies and procedures.