Solution/Product/Report Mapping To Primary Compliance Requirements of
SOX, PCI, HIPAA, GLBA and FISMA
Contents
SOX Compliance
  AI3: Acquire and Maintain Technology Infrastructure
  AI6: Manage Changes
  AI7: Install and Accredit Solutions and Changes
  DS3: Manage Performance and Capacity
  DS4 Ensure Continuous Service
  DS5 Ensure Systems Security
  DS9: Manage the Configuration
  DS10: Manage Problems
  DS13: Manage Operations
PCI Compliance
  7. Restrict Access to Cardholder Data by Business Need-to-Know
  8. Assign a Unique ID to Each Person with Computer Access
  10. Track and Monitor All Access to Network Resources and Cardholder Data
HIPAA Compliance
  § 164.308: Administrative Safeguards
  § 164.312: Technical Safeguards
  § 164.528 Accounting of Disclosures of Protected Health Information
GLBA Compliance
  Access Control: Access Rights Administration (Tier I: Objectives 4 & 7, Tier II: Section A)
  Access Control: Authentication (Tier I: Objective 4, Tier II: Section A)
  Access Control: Network Access (Tier I: Objective 4, Tier II: Section B)
  Access Control: Operating System Access (Tier I: Objective 4, Tier II: Section C)
  Access Control: Application Access (Tier I: Objective 4, Tier II: Section G)
  Access Control: Remote Access (Tier I: Objective 4)
  Security Monitoring (Tier I, Objective 6, Tier II: Section M)
FISMA Compliance
  Family: Access Control Class: Technical
  Family: Audit and Accountability Class: Technical
  Family: Certification, Accreditation, and Security Assessments Class: Management
  Family: Configuration Management Class: Operational
  Family: Media Protection Class: Operational
  Family: Personnel Security Class: Operational
  Family: System and Information Integrity Class: Operational
Appendix A: NetWrix Event Log Manager Reports
  Account Management Reports
  Auditing Reports
  Logon Reports
  Event Reports
  Miscellaneous Reports
Appendix B: NetWrix Logon Reporter Reports
  Events, Logons, Logoffs, Lockouts and More
Appendix C: NetWrix Active Directory Change Reporter Reports
  All Changes Reports
  AD Structure Reports
  Object Security
  Group Membership
  User Account
  Best Practice Reports
Appendix D: NetWrix Group Policy Change Reporter
  All Changes Reports
  Account Lockout Policy
  Local Policies
  Security Settings
  Software Installation
  Password Policy
Appendix E: NetWrix Exchange Change Reporter
  All Changes Reports
  Mailbox
  Recipient
  Server
  Storage Group
  Store
Appendix F: NetWrix SharePoint Change Reporter Reports
  All Changes Reports
Appendix G: NetWrix File Server Change Reporter Reports
  Successful Modifications
  Successful Reads
  Failed Modification Attempts
  Failed Read Attempts
Appendix H: NetWrix Server Configuration Change Reporter Reports
Appendix I: NetWrix SQL Server Change Reporter Reports
  All Change Reports
  Object Changes
Appendix J: NetWrix VMware Change Reporter Reports
  All Change Reports
  Cluster
  Datacenter
  Datastore
  Folder
  Host
  Resource Pool
  Role
SOX Compliance
All public companies in the U.S. are subject to Sarbanes-Oxley (SOX) compliance without exceptions. SOX compliance requirements also apply to overseas operations of U.S. public companies and to international companies listed on U.S. exchanges. Failure to comply with SOX can result in fines of up to 5 million dollars and up to 20 years of imprisonment for C-level executives accountable for SOX implementation. Other countries have similar laws: for example, Canada enacted a regulation known as Bill 198 and Japan established the aptly named J-SOX, both of which are very similar to the "American" SOX in many parts.

SOX requires public companies to adopt Internal Controls over Financial Reporting (ICFR), and these controls of course include IT controls that affect financial reporting operations. The Act includes two sections that affect IT departments: Section 302 (15 U.S.C. § 7241: "Corporate Responsibility for Financial Reports") and Section 404 (15 U.S.C. § 7262: "Management Assessment of Internal Controls"). SOX defines three major requirements: establishment of controls, ongoing evaluation of controls (monitoring and testing), and disclosure ("auditability") of control effectiveness (including defects and weaknesses that can result in fraud). Manual implementation of these requirements can result in increased operational costs, while automation usually results in much lower compliance costs, increased efficiency, and other benefits.

The Sarbanes-Oxley Act does not provide any recommendations for implementation of SOX, and this is why several organizations created different standards for implementing IT controls. The most widely recognized IT-specific standards are COSO "Internal Control - Integrated Framework", endorsed by the SEC, and COBIT (Control Objectives for Information and Related Technology), created by ISACA (www.isaca.org).

The NetWrix SOX Compliance Suite covers many requirements of both frameworks to sustain compliance and pass compliance audits. In general, this automated compliance solution helps to maintain established controls by tracking and reporting all changes in IT infrastructure for auditing purposes and by implementing secure identity management practices to ensure system security.
SOX | NetWrix Implementation | Components | Reports
AI3: Acquire and Maintain Technology Infrastructure
AI3.2 Infrastructure Resource Protection and Availability
NetWrix Implementation: The NetWrix solution ensures auditability during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. The use of infrastructure components, such as Active Directory, Group Policy, file servers, and virtualization systems is monitored and can be easily evaluated. The NetWrix solution streamlines creation of reports for auditors, CCOs, security managers, and risk managers.
Components:
- AD Change Reporter
- Group Policy Change Reporter
- File Server Change Reporter
- Server Configuration Change Reporter
- SQL Server Change Reporter
- VMware Change Reporter
Reports:
- AD Change Reporter / All Active Directory Changes
- Group Policy Change Reporter / All Group Policy Changes
- File Server Change Reporter / All File Server Changes
- Server Configuration Change Reporter / All Server Changes
- SQL Server Change Reporter / All SQL Server Changes
- VMware Change Reporter / All VMware Changes
AI3.3 Infrastructure Maintenance
NetWrix Implementation: The NetWrix solution monitors and reports on changes in infrastructure systems (Active Directory, Group Policy, file servers, VMware servers, etc.) to make sure they are controlled in line with the organization's change management procedure. The solution also includes capabilities for periodic reviews against business needs (e.g. recent changes in group membership and access rights), patch management (automatically tests that all currently required patches are installed on all managed servers), upgrade strategies, risks, vulnerabilities assessment and security requirements. The NetWrix solution streamlines creation of reports for auditors, CCOs, security managers, and risk managers.
Components:
- AD Change Reporter
- Group Policy Change Reporter
- Server Configuration Change Reporter
- File Server Change Reporter
- SQL Server Change Reporter
- VMware Change Reporter
- NetWrix Patch Reporter
Reports:
- AD Change Reporter / All Active Directory Changes
- Group Policy Change Reporter / All Group Policy Changes
- File Server Change Reporter / All File Server Changes
- Server Configuration Change Reporter / All Server Changes
- SQL Server Change Reporter / All SQL Server Changes
- VMware Change Reporter / All VMware Changes
AI3.4 Feasibility Test Environment
NetWrix Implementation: Development and test environments aim to support efficient feasibility and integration of infrastructure components. The NetWrix solution provides an easy way to automatically document all changes made in test environments to replicate them in production environments.
Components:
- AD Change Reporter
- Group Policy Change Reporter
- Server Configuration Change Reporter
- File Server Change Reporter
- SQL Server Change Reporter
- VMware Change Reporter
Reports:
- AD Change Reporter / All Active Directory Changes
- Group Policy Change Reporter / All Group Policy Changes
- File Server Change Reporter / All File Server Changes
- Server Configuration Change Reporter / All Server Changes
- SQL Server Change Reporter / All SQL Server Changes
- VMware Change Reporter / All VMware Changes
AI6: Manage Changes
AI6.3: Emergency Changes
NetWrix Implementation: Emergency changes that do not follow the established change processes must be documented, and NetWrix helps to implement an automated change documentation process to make sure no change goes undocumented. Even if your organization already has specialized management tools for making changes (e.g. a Group Policy versioning system with check-in/checkout/approval capabilities), there is a chance that these tools can be bypassed in emergency situations and required changes made directly in the system. The NetWrix solution captures all changes at the system level, no matter what management tool is used.
Components:
- AD Change Reporter
- Group Policy Change Reporter
- Server Configuration Change Reporter
- File Server Change Reporter
- SQL Server Change Reporter
- VMware Change Reporter
Reports:
- AD Change Reporter / All Active Directory Changes
- AD Change Reporter / All Active Directory Configuration Changes
- AD Change Reporter / All Active Directory Schema Changes
- Group Policy Change Reporter / All Group Policy Changes
- Group Policy Change Reporter / Software Installation Policy Changes
- Server Configuration Change Reporter / All Server Changes
- File Server Change Reporter / All File Server Changes
- SQL Server Change Reporter / All SQL Server Changes
- SQL Server Change Reporter / Server Instance Changes
- VMware Change Reporter / All VMware Changes
- VMware Change Reporter / Clusters Removed
AI6.4: Change Status Tracking and Reporting
NetWrix Implementation: The NetWrix solution provides a reporting system to automatically document all changes in system components (e.g. servers, Active Directory, virtual machines), make sure that approved changes are implemented as planned, and, most importantly, no unauthorized changes take place.
Components:
- AD Change Reporter
- Group Policy Change Reporter
- Server Configuration Change Reporter
- File Server Change Reporter
- SQL Server Change Reporter
- VMware Change Reporter
Reports:
- AD Change Reporter / All Active Directory Changes
- Group Policy Change Reporter / All Group Policy Changes
- Group Policy Change Reporter / Security Policy Changes
- Server Configuration Change Reporter / All Server Changes
- File Server Change Reporter / All File Server Changes
- File Server Change Reporter / Permission Changes
- SQL Server Change Reporter / All SQL Server Changes
- VMware Change Reporter / All VMware Changes
AI6.5: Change Closure and Documentation
NetWrix Implementation: Whenever changes are implemented, the associated system and user documentation and procedures must be updated accordingly. The NetWrix solution makes it easy to review all changes and make sure that all related aspects are reflected in the documentation.
Components:
- AD Change Reporter
- Group Policy Change Reporter
- Server Configuration Change Reporter
- File Server Change Reporter
- SQL Server Change Reporter
- VMware Change Reporter
Reports:
- AD Change Reporter / All Active Directory Changes
- Group Policy Change Reporter / All Group Policy Changes
- Server Configuration Change Reporter / All Server Changes
- File Server Change Reporter / All File Server Changes
- SQL Server Change Reporter / All SQL Server Changes
- VMware Change Reporter / All VMware Changes
AI7: Install and Accredit Solutions and Changes
AI7.4: System and Data Conversion
NetWrix Implementation: As long as all changes are automatically documented (a full audit trail is created in Active Directory, servers, physical and virtual machines), an organization can easily replicate changes from the test environment to production and make sure that everything is done according to a previously tested implementation plan.
Components:
- AD Change Reporter
- Group Policy Change Reporter
- Server Configuration Change Reporter
- File Server Change Reporter
- SQL Server Change Reporter
- VMware Change Reporter
Reports:
- AD Change Reporter / All Active Directory Changes
- Group Policy Change Reporter / All Group Policy Changes
- Server Configuration Change Reporter / All Server Changes
- File Server Change Reporter / All File Server Changes
- SQL Server Change Reporter / All SQL Server Changes
- VMware Change Reporter / All VMware Changes
AI7.7: Final Acceptance Test
NetWrix Implementation: The outcome of the testing process can be easily evaluated through review of changes in infrastructure components by business process owners and IT stakeholders.
Components:
- AD Change Reporter
- Group Policy Change Reporter
- Server Configuration Change Reporter
- File Server Change Reporter
- SQL Server Change Reporter
- VMware Change Reporter
Reports:
- AD Change Reporter / All Active Directory Changes
- Group Policy Change Reporter / All Group Policy Changes
- Server Configuration Change Reporter / All Server Changes
- File Server Change Reporter / All File Server Changes
- SQL Server Change Reporter / All SQL Server Changes
- VMware Change Reporter / All VMware Changes
AI7.8: Promotion to Production
NetWrix Implementation: A full record of changes implemented on production environments can be reviewed to ensure it is in line with the implementation plan. Audit trails can be compared with those generated on the test environment to make sure everything went as planned.
Components:
- AD Change Reporter
- Group Policy Change Reporter
- Server Configuration Change Reporter
- File Server Change Reporter
- SQL Server Change Reporter
- VMware Change Reporter
Reports:
- AD Change Reporter / All Active Directory Changes
- Group Policy Change Reporter / All Group Policy Changes
- Server Configuration Change Reporter / All Server Changes
- File Server Change Reporter / All File Server Changes
- SQL Server Change Reporter / All SQL Server Changes
- VMware Change Reporter / All VMware Changes
AI7.9: Post-implementation Review
NetWrix Implementation: Post-implementation review is greatly simplified by viewing all changes made in affected systems in a set of easy-to-use reports targeting Active Directory, servers, virtual machines, and other systems.
Components:
- AD Change Reporter
- Group Policy Change Reporter
- Server Configuration Change Reporter
- File Server Change Reporter
- SQL Server Change Reporter
- VMware Change Reporter
Reports:
- AD Change Reporter / All Active Directory Changes
- Group Policy Change Reporter / All Group Policy Changes
- Server Configuration Change Reporter / All Server Changes
- File Server Change Reporter / All File Server Changes
- SQL Server Change Reporter / All SQL Server Changes
- VMware Change Reporter / All VMware Changes
DS3: Manage Performance and Capacity
DS3.5: Monitoring and Reporting
NetWrix Implementation: NetWrix provides monitoring tools for available disk space on servers and service downtime for selected system services to ensure resilience, contingency, current and projected workloads, storage plans and resource acquisition.
Components:
- Disk Space Monitor
- Service Monitor
Reports:
- Disk Space Monitor daily report
- Service Monitor daily report
DS4 Ensure Continuous Service
DS4.3: Critical IT Resources
NetWrix Implementation: The NetWrix solution provides quick object-level and attribute-level recovery capabilities for Active Directory and file servers to focus attention on items specified as most critical in IT infrastructure.
Components:
- Active Directory Object Restore Wizard
Reports:
- AD Change Reporter / All Active Directory Changes
DS5 Ensure Systems Security
DS5.3: Identity Management
- NetWrix solution complements
standard mechanisms provided
by Active Directory to ensure
that all users and their activity
on IT systems are uniquely
identifiable, including situations
when shared administrative
accounts (e.g. local server admin
accounts) are required.
- The self-service identity
password management
capabilities ensure secure
verification (based on challenge
response mechanism) of users
even if they forget their
passwords, in a cost-effective
manner.
- The self-service group
management capabilities provide
an easy way of implementing
access rights management and
user entitlement according to
current job functions. This
ensures that user access rights
are requested by user
management, approved by
system owners and implemented
by the security-responsible
person, in a cost-effective
manner.
Event Log Manager,
AD Change Reporter,
Server Configuration Change
Reporter,
File Server Change Reporter,
VMware Change Reporter,
Server Configuration Change
Reporter,
Password Manager,
Event Log Manager,
Privileged Account Manager
Event Log Manager/All Events
by Date
AD Change Reporter/ All Active
Directory Changes
AD Change Reporter / All
Active Directory Changes by
Object Type
Server Configuration Change
Reporter/ All Server Changes by
Date
File Server Change Reporter /
All File Server Changes by Date
File Server Change Reporter /
All File Server Changes by Type
VMware Change Reporter / All
VMware Changes
Password Manager /
Enrollment on-demand report
Event Log Manager/All Events
by Date
Privileged Account Manager/
User Activity Report
DS5.4: User Account
Management
The self-service group
management capabilities make
it easy to implement an approval
procedure outlining the data or
system owner granting the
access privileges and perform
regular management review of
all accounts and related
privileges.
Privileged Account Manager
AD Change Reporter
Privileged Account Manager/
User Activity Report
AD Change Reporter/ All Active
Directory Changes
DS5.5: Security Testing,
Surveillance and Monitoring
NetWrix provides the logging
and monitoring function to
enable the early prevention
and/or detection and subsequent
timely reporting of unusual
and/or abnormal activities that
may need to be addressed.
Password Expiration Notifier
Event Log Manager
Password Expiration Notifier
daily report
Event Log Manager alerts
DS5.9: Malicious Software
Prevention, Detection and
Correction
NetWrix provides a tool to
ensure that up-to-date security
patches are in place across the
organization to protect
information systems and
technology from malware (e.g.,
viruses, worms, spyware, spam).
N/A
DS9: Manage the Configuration
DS9.x: Manage the
Configuration
The NetWrix solution monitors
and records all changes to
relevant information and
configuration items and is capable
of maintaining a baseline of
configuration items for all
systems and services. It also
simplifies periodic reviews of the
configuration data to verify and
confirm the integrity of the
current and historical
configuration, including
detection of unauthorized and
unlicensed software.
Server Configuration Change
Reporter
Server Configuration Change
Reporter/ All Server Changes
DS10: Manage Problems
DS10.2: Problem Tracking and
Resolution
NetWrix provides audit trail
facilities that allow tracking,
analyzing and determining the
root cause of all reported
problems for all configuration
items.
N/A
DS13: Manage Operations
DS13.3: IT Infrastructure
Monitoring
The NetWrix solution collects
chronological information and
stores it in operation logs to
enable reconstruction, review,
and examination of the time
sequences of operations and the
other activities surrounding or
supporting operations.
Event Log Manager,
Server Configuration Change
Reporter,
Logon Reporter
Event Log Manager/All Events
by Date
Server Configuration Change
Reporter/ All Server Changes
Logon Reporter/Logon Reports
PCI Compliance
All vendors that accept credit cards are subject to PCI compliance. Failure to comply with PCI may result in fines, loss of reputation,
and inability to accept major credit cards.
The following table summarizes the requirements of PCI-DSS 1.2 compliance and shows how NetWrix provides a complete PCI
compliance suite. The following PCI DSS requirements are covered:
#7 (Restrict access to cardholder data by business need-to-know)
#8 (Assign a unique ID to each person with computer access)
#10 (Track and monitor all access to network resources and cardholder data)
The rest must be covered by internal procedures (e.g. physical security, network perimeter security, testing and verification).
PCI NetWrix Solution Components Report Mapping
7. Restrict access to cardholder data by business need-to-know
7.1 Limit access to system
components and cardholder
data to only those individuals
whose job requires such access.
Auditing functionality to monitor
all security-related changes in
Active Directory, Group Policy,
Exchange, file servers, SQL
Servers, virtualization
environments. Audited use of
high-privileged system accounts.
AD Change Reporter
File Server Change Reporter
VMware Change Reporter
SQL Server Change Reporter
Privileged Account Manager
AD Change Reporter /
Administrative Group
Membership Changes
AD Change Reporter/ Object
Security Changes
File Server Change Reporter /
Permission Changes
SQL Server Change
Reporter/Object Changes
Privileged Account
Manager/User Activity
7.2 Establish a mechanism for
systems with multiple users that
restricts access based on a
user's need to know and is set
to "deny all" unless specifically
allowed.
Monitoring of file and folders and
their permissions, Active Directory
and Group Policy objects, SQL
Server security for early detection
of unauthorized changes to
security access settings (e.g.
granting of new permissions).
AD Change Reporter
File Server Change Reporter
SQL Server Change Reporter
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter/All Group Policy
Changes
File Server Change
Reporter/Permission Changes
SQL Server Change Reporter /
Login Changes
SQL Server Change Reporter /
Credential Changes
8. Assign a unique ID to each person with computer access
8.1 Assign all users with a
unique user name before
allowing them to access system
components or cardholder data.
Complete auditing of user logons
to analyze violations and prevent
usage of the same ID by multiple
persons (e.g. from different
computers).
Event Log Manager,
Logon Reporter
Event Log Manager/Logon
Reporter
Logon Reporter/All logon
reports
8.5.1 Control addition, deletion,
and modification of user IDs,
credentials and other identifier
objects.
Full auditing of user account
creations, deletions, password
resets, and modifications to all
user account attributes: in Active
Directory and SQL Server.
AD Change Reporter
SQL Server Change Reporter
AD Change Reporter / User
Accounts Created
AD Change Reporter / All
Active Directory Changes
SQL Server Change Reporter/
Login Changes
SQL Server Change Reporter /
User Changes
8.5.2 Verify user identity before
performing password resets.
Web-based challenge-response
system based on verification
question/answer pairs selected by
users upon enrollment, with full
control over the number of
required verification answers. The
same data can be used by help
desk personnel to assist with
password resets on the phone.
Password Manager
Password Manager/User
Enrollment on-demand report
8.5.3 Set first-time passwords
to a unique value for each user
and change immediately after
the first use.
Auditing of all newly created user
accounts and their initial attributes
(including "must change at next
logon") to prevent violations.
AD Change Reporter
AD Change Reporter/ User
Account Modifications
8.5.4 Immediately revoke
access for any terminated users.
Auditing of disabled accounts,
automated de-provisioning of
inactive user accounts.
AD Change Reporter
Inactive Users Tracker
AD Change Reporter/ Users
Disabled
Inactive Users Tracker/Daily
report
8.5.5 Remove or disable
inactive user accounts at least
every 90 days.
Automated disabling and removal
with full reporting.
Inactive Users Tracker
Inactive Users Tracker/Daily
report
8.5.6 Enable accounts used by
vendors for remote
maintenance only during the
time period needed.
Auditing of account creation,
enabling, disabling, and deletion,
with time stamps to analyze their
lifetime.
AD Change Reporter
SQL Server Change Reporter
AD Change Reporter / User
Account Modifications
SQL Server Change Reporter /
Login Changes
SQL Server Change Reporter /
User Changes
8.5.7 Communicate password
procedures and policies to all
users who have access to
cardholder data.
Automatic customizable reminders
for expiring passwords, redirection
to password requirements
document if user enters "weak"
password during reset.
Password Expiration Notifier
Password Manager
Password Expiration
Notifier/Daily report, User
notification reports
Password Manager/User
Activity on-demand report
8.5.8 Do not use group, shared,
or generic accounts and
passwords.
Full auditing of account use (find
all actions done under a shared
account and help eliminate its
usage) and delegated access with
account checkout/check-in
concept.
AD Change Reporter
File Server Change Reporter
Privileged Account Manager
AD Change Reporter/ All
Active Directory Changes by
User
File Server Change Reporter/
All File Server Changes by
User
Privileged Account
Manager/User activity report
8.5.9 Change user passwords at
least every 90 days.
Audits changes to password policy
settings in Active Directory,
automatically reminds users about
impending password expirations,
provides easy way to change
passwords to minimize the number
of help desk calls.
Group Policy Change Reporter
Password Expiration Notifier
Password Manager
Group Policy Change
Reporter/ All Password Policy
Changes
Password Expiration
Notifier/Daily report
Password Manager/User
Activity on-demand report
8.5.10 - 8.5.12 Password
complexity requirements
(Require a minimum password
length of at least seven
characters, Use passwords
containing both numeric and
alphabetic characters, Do not
allow an individual to submit a
new password that is the same
as any of the last four
passwords he or she has used).
Audits changes to password
policies in Active Directory,
implements self-service password
reset functionality to help users
with forgotten passwords without
involvement of help desk
personnel.
Group Policy Change Reporter
Password Manager
Group Policy Change
Reporter/ All Password Policy
Changes
Password Manager/User
Activity on-demand report
8.5.13 Limit repeated access
attempts by locking out the user
ID after not more than six
attempts.
Complements the built-in AD
mechanism with extensive account
lockout troubleshooting
capabilities to resolve false
positives and prevent user
frustration and system downtime.
Auditing of account unlock and
password reset operations to
monitor unauthorized access.
Account Lockout Examiner
AD Change Reporter/ User
Account Modifications
8.5.14 Set the lockout duration
to thirty minutes or until
administrator enables the user
ID.
Auditing of account lockout policy
changes to prevent non-compliant
policy changes.
Group Policy Change Reporter
Group Policy Change
Reporter/ Account Lockout
Policy Changes
8.5.16 Authenticate all access
to any database containing
cardholder data. This includes
access by applications,
administrators, and all other
users.
Auditing of changes to database
logins and roles, SQL server
security settings.
SQL Server Change Reporter
SQL Server Change Reporter/
Login Changes, Roles
Changes, Credential Changes,
User Changes
10. Track and monitor all access to network resources and cardholder data
10.1 Establish a process for
linking all access to system
components (especially those
done with administrative
privileges such as root) to each
individual user.
Full-featured auditing and
reporting of all administrative
activity within Active Directory,
Group Policy, file servers,
virtualization environments, SQL
Server, etc. Detection of who
changed what, when, and where.
AD Change Reporter
File Server Change Reporter
VMware Change Reporter
SQL Server Change Reporter
AD Change Reporter/ All
Active Directory Changes
Group Policy Change Reporter
/ All Group Policy Changes
SQL Server Change Reporter/
All SQL Server Changes
File Server Change
Reporter/All File Server
Changes
VMware Change Reporter/All
VMware Changes
10.2 Implement automated
audit trails to reconstruct the
required events.
Complete audit trail processing
capabilities for servers and
workstations, both user-initiated
and administrative activity.
Event Log Manager
AD Change Reporter
File Server Change Reporter
VMware Change Reporter
SQL Server Change Reporter
AD Change Reporter/ All
Active Directory Changes
File Server Change
Reporter/All File Server
Changes
VMware Change Reporter/All
VMware Changes
SQL Server Change Reporter/
All SQL Server Changes
Event Log Manager / All
Events by Date
10.3 Record at least the
following audit trail entries for
all system components for each
event: User identification, Type
of event, Date and time,
Success or failure indication,
Origination of event, Identity or
name of affected data, system
component, or resource.
Full information of every change:
who changed what, when, where,
in Active Directory, File Server,
virtual machines, SQL Servers.
AD Change Reporter
File Server Change Reporter
VMware Change Reporter
SQL Server Change Reporter
AD Change Reporter / All
Active Directory Changes
File Server Change Reporter
/All File Server Changes
VMware Change Reporter / All
VMware Changes
SQL Server Change Reporter/
All SQL Server Changes
10.5 Secure audit trails so they
cannot be altered.
Securable file-based storage with
optional SQL Server storage.
Full-featured role-based access to all
reports. Centralized collection,
archiving, and consolidation of
event logs to secure file-based
storage.
All modules All reports
10.6 Review logs for all system
components at least daily.
Full-featured web-based
reporting functionality with
predefined reports and ability to
create custom reports on any type
of collected data. Out-of-the box
reports scheduled daily and sent
via e-mail for review.
All modules All reports
10.7 Retain audit trail history
for at least one year, with a
minimum of three months
immediately available for
analysis.
Unlimited storage capabilities
with efficient storage use to store
up to 8 years of past audit trails
and history of changes to system
components and security settings.
Full-featured web-based
reporting for immediate access to
all required data.
Event Log Manager
AD Change Reporter
File Server Change Reporter
VMware Change Reporter
SQL Server Change Reporter
All reports
HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) is a set of standards created by Congress that aim to safeguard
protected health information (PHI) by regulating healthcare providers. HIPAA has been around since 1996 but was never taken
seriously until the new act called HITECH (The Health Information Technology for Economic and Clinical Health Act) was enacted,
which becomes effective in February 2010. The original HIPAA includes two sections: Title I is mostly about protecting workers'
healthcare coverage in case they change or lose their jobs, and HIPAA Title II, also known as Administrative Simplification (AS),
which is all about protection of patient data (section 164). The HITECH Act further extends HIPAA with additional provisions.
From an IT department's standpoint, a typical HIPAA/HITECH implementation is based on the following core principles aimed to
provide transparency and accountability (auditability) of regulated data and systems:
Identity management and access control: to ensure that data is only accessible by personnel that have a business need.
System configuration control: tracking of administrative activities.
Monitoring of access to data: knowledge of who accessed what data and when and review on a regular basis.
Data handling and encryption control: protection of data in storage and during transfers.
Meeting the requirements of HIPAA/HITECH requires all healthcare organizations to set up processes and controls that ensure security
and integrity of PHI. The ability to show that PHI is secured through reliable access control and monitoring is key to ensure a
successful HIPAA audit.
The following table summarizes requirements set forth in part 164 of C.F.R. 45 of HIPAA and shows how NetWrix provides a
HIPAA/HITECH suite to sustain compliance. Items marked with 'R' are required. Items marked with 'A' are "addressable": that
means it must be either fully implemented or the reason why it was not implemented must be clearly documented.
HIPAA NetWrix Solution Components Reports
§ 164.308: Administrative Safeguards
R: 164.308(a)(1)(ii)(D) Information system activity
review: Implement procedures
to regularly review records of
information system activity,
such as audit logs, access
reports, and security incident
tracking reports.
Extensive auditing and reporting on
both administrative and user
activity in Active Directory, Group
Policy, Exchange, the file servers,
virtual environments (VMware,
Microsoft), SQL Servers. Detection
of who did what, when, and where
with advanced rollback capabilities
of unauthorized actions. Centralized
consolidation and archival of audit
trails with web-based reporting
using predefined and custom-built
reports covering all major types of
activities: logins, logoffs, user
account operations, file access on
servers, workstations, both
successful and failed.
Event Log Manager
AD Change Reporter
File Server Change Reporter
VMware Change Reporter
Non-owner Mailbox Access
Reporter
SQL Server Change Reporter
AD Change Reporter/ All
Active Directory Changes
File Server Change
Reporter/All File Server
Changes
VMware Change Reporter/All
VMware Changes
SQL Server Change Reporter/
All SQL Server Changes
Event Log Manager/All Events
by Date
Non-owner Mailbox Access
Reporter/Daily reports
A: 164.308(a)(3)(ii)(C) Termination procedures:
Implement procedures for
terminating access to
electronic protected health
information when the
employment of a workforce
member ends.
Auditing of disabled accounts,
automated de-provisioning of
inactive user accounts. Automated
disabling and removal with full
reporting.
AD Change Reporter
Inactive Users Tracker
AD Change Reporter / Users
Disabled
Inactive Users Tracker/Daily
report
R: 164.308(a)(4)(ii)(A) Isolating health care
clearinghouse functions: If a
healthcare clearinghouse is
part of a larger organization,
the clearinghouse must
implement policies and
procedures that protect the
electronic protected health
information of the
clearinghouse from
unauthorized access by the
larger organization.
Auditing of all types of changes and
access to critical data and security-
related settings in Active Directory,
file servers, virtual machines,
databases, to make sure that no
members of larger organization
change or access data of its child
organization. Prevention of external
media usage.
AD Change Reporter
File Server Change Reporter
VMware Change Reporter
SQL Server Change Reporter
USB Blocker
AD Change Reporter / All
Active Directory Changes
File Server Change Reporter /
All File Server Changes
VMware Change Reporter /
All VMware Changes
SQL Server Change Reporter /
All SQL Server Changes
USB Blocker/*
A: 164.308(a)(4)(ii)(C) Access establishment and
modification: Implement
policies and procedures that,
based upon the entity's access
authorization policies,
establish, document, review,
and modify a user's right of
access to a workstation,
transaction, program, or
process.
Complete auditing and automated
change documentation for all types
of access rights, privileges, and
policies that control access to
workstations, programs,
transactions, and other systems.
AD Change Reporter
File Server Change Reporter
VMware Change Reporter
SQL Server Change Reporter
AD Change Reporter/ All
Active Directory Changes
File Server Change
Reporter/All File Server
Changes
VMware Change Reporter/All
VMware Changes
SQL Server Change Reporter/
All SQL Server Changes
A: 164.308(a)(5)(ii)(C) Log-in Monitoring:
Procedures for monitoring
log-in attempts and reporting
discrepancies.
Centralized consolidation and easy
to use reporting of all successful
and failed logon/logoff activities
with extensive filtering capabilities.
Logon Reporter
Logon Reporter / Successful
User Logons
Logon Reporter / User Logoffs
A: 164.308(a)(5)(ii)(D) Password Management:
Procedures for creating,
changing, and safeguarding
passwords.
Auditing of all password changes.
Workflow-based control of
privileged account use. Self-service
password management for end
users with customizable password
security settings and secure access
based on user identity verification.
Prevention of excessive help desk
calls related to secure password
policies.
AD Change Reporter
Event Log Manager
Password Manager
Privileged Account Manager
Password Expiration Notifier
Event Log Manager /
Password Changes by User
Event Log Manager /
Administrative Password
Resets
Password Manager/User
Activity on-demand report
Password Expiration
Notifier/Daily report, User
notification reports
AD Change Reporter/
Password Changes by User
AD Change Reporter /
Administrative Password
Resets
Privileged Account
Manager/User Activity
R: 164.308(a)(6)(ii) Response and Reporting:
Identify and respond to
suspected or known security
incidents; mitigate, to the
extent practicable, harmful
effects of security incidents
that are known to the covered
entity; and document security
incidents and their outcomes.
Auditing of all administrative and
user activities with configurable
alerts and reporting that documents
all security incidents and helps with
early detection and prevention of
further security incidents.
AD Change Reporter
File Server Change Reporter
Event Log Manager
Event Log Manager/All Events
by Date
File Server Change Reporter /
Permission Changes
AD Change Reporter/ Security
Group Modifications
AD Change Reporter / Object
Security Changes
R: 164.308(a)(7)(ii)(B) Disaster recovery plan:
Establish (and implement as
needed) policies and
procedures for responding to
an emergency or other
occurrence.
Quick rollback of unauthorized and
accidental changes to Active
Directory objects, including restore
of deleted objects. File versioning
and restore capabilities based on
Volume Shadow Copy services.
AD Object Restore Wizard
File Server Change Reporter
AD Change Reporter/ All
Active Directory Changes
File Server Change Reporter /
All File Server Changes
§ 164.312: Technical Safeguards
R: 164.312(a)(2)(i) Unique user identification:
Assign a unique name and/or
number for identifying and
tracking user identity.
In addition to standard AD user
authentication, shared accounts
used for administration and
applications are audited and
associated with individual user
identities through password check
out concept.
Privileged Account Manager
Privileged Account
Manager/User Activity
R: 164.312(b) Audit Controls: Implement
hardware, software, and/or
procedural mechanisms that
record and examine activity in
information systems that
contain or use electronic
protected health information.
Auditing, archiving, and reporting
of access to the protected health
information, auditing of privileged
access, changes to security-related
settings, and all other significant
security events, intrusions, and
anomalies.
AD Change Reporter
File Server Change Reporter
Event Log Manager
Event Log Manager/All Events
by Date
AD Change Reporter/ Security
Group Modifications
AD Change Reporter / Object
Security Changes
File Server Change Reporter /
Permission Changes
R: 164.312(d) Person or entity
authentication: Implement
procedures to verify that a
person or entity seeking
access to electronic protected
health information is the one
claimed.
In addition to standard AD
authentication, all users can be
verified using question/answer
(challenge/response) system to
verify their identity when they
forget their passwords (e.g. verify
user's badge ID and/or mother's
maiden name). This ensures that all
password reset requests are
authorized and cannot be initiated
by a malicious person acting on
behalf of someone else.
Password Manager
Password Manager/User
Enrollment on-demand report
§ 164.528 Accounting of disclosures of protected health information.
R: 164.528(a) Right to an accounting of
disclosures of protected health
information: An individual
has a right to receive an
accounting of disclosures of
protected health information
made by a covered entity in
the six years prior to the date
on which the accounting is
requested.
Holding records of all activities for
6 years and more to be able to fully
reconstruct all activities and access
attempts to protected health
information upon request.
All products All reports
GLBA Compliance
The Gramm-Leach-Bliley Act (GLBA) of 1999 was enacted to improve the financial industry through removal of regulations that
prevented mergers of different types of financial institutions (e.g. banks and insurance companies), with the goal of opening up competition
between companies and modernizing the financial services industry.
Section 501(b) of GLBA contains important provisions aimed at protection of information. Information is one of a financial
institution's most important assets. Protection of information assets is necessary to establish and maintain trust between the financial
institution and its customers, maintain compliance with the law, and protect the reputation of the institution.
Section 501(b) compliance is sometimes referred to as FFIEC compliance after the name of the Federal Financial Institutions
Examination Council (FFIEC) that created a document called FFIEC Examination Handbook for Information Security to help GLBA
auditors perform adequate compliance audits. The table below summarizes requirements of section 501(b) as per the FFIEC Handbook
(Document body and appendix A) and shows how NetWrix provides a complete solution to these requirements.
GLBA NetWrix Solution Components Reports
ACCESS CONTROL: Access rights administration (Tier I: Objectives 4 & 7, Tier II: Section A)
Reviewing periodically
user's access rights at an
appropriate frequency based
on the risk to the application
or system: A monitoring
process to oversee and
manage the access rights
granted to each user on the
system (p. 23).
Extensive auditing and reporting of
changes to user accounts, security
and distribution groups, policies,
permissions, and other objects that
control access to information in
Active Directory, Group Policy,
Exchange, file servers, virtual
environments (VMware, Microsoft),
and SQL Servers. Detection of who
did what, when, and where with
advanced rollback capabilities of
unauthorized actions.
AD Change Reporter
Group Policy Change Reporter
File Server Change Reporter
VMware Change Reporter
SQL Server Change Reporter
AD Change Reporter/ All
Active Directory Changes
File Server Change
Reporter/All File Server
Changes
VMware Change
Reporter/All VMware
Changes
SQL Server Change
Reporter/ All SQL Server
Changes
Group Policy Change
Reporter/All Group Policy
Changes
Logging and auditing the
use of privileged access (p.
24).
Centralized consolidation and archival
of audit trails with web-based
reporting using predefined and
custom-built reports covering all
major types of privileged access, both
successful and failed: logins, logoffs,
access to mailboxes, user account
operations, file access.
Event Log Manager
AD Change Reporter
File Server Change Reporter
VMware Change Reporter
Non-owner Mailbox Access
Reporter
SQL Server Change Reporter
AD Change Reporter/ All
Active Directory Changes
File Server Change Reporter
/ All File Server Changes
File Server Change Reporter/
Successful File Reads
VMware Change
Reporter/All VMware
Changes
SQL Server Change
Reporter/ All SQL Server
Changes
Event Log Manager/All
Events by Date
Non-owner Mailbox Access
Reporter/Daily reports
Reviewing privileged access
rights at appropriate
intervals and regularly
reviewing privilege access
allocations (p. 24).
Complete auditing of all changes to
access rights and privileges with
archiving feature that allows review of
all changes at any time for the requested
time frame.
AD Change Reporter
File Server Change Reporter
VMware Change Reporter
SQL Server Change Reporter
File Server Change Reporter/
Successful File Reads
VMware Change Reporter /
All VMware Changes
SQL Server Change
Reporter/ All SQL Server
Changes
AD Change Reporter/ All
Active Directory Changes
File Server Change
Reporter/All File Server
Changes
Prohibiting shared
privileged access by
multiple users (p. 24).
Privileged account management
system to ensure that every access
attempt under a shared account is
assigned to an individual account and
properly audited.
Privileged Account Manager
Privileged Account Manager
/ User Activity
ACCESS CONTROL: Authentication (Tier I: Objective 4, Tier II: Section A)
The user should select them
without any assistance from
any other user, such as the
help desk.
Web-based self-service password
management system that operates
without intervention of human
personnel to prevent sharing of
passwords during password resets,
while enforcing full compliance with
required password policies (such as
password strength, prevention of
reuse, etc).
Password Manager
Password Manager / User
Activity on-demand report
Authentication systems
should force changes to
shared secrets on a schedule
commensurate with risk.
Complementary to the built-in
password expiration mechanism in
Active Directory, NetWrix solution
minimizes administrative burden
related to expired passwords for users
who are never prompted to change
their password by the system (e.g.
remote users, VPN clients, non-
Windows clients).
Password Expiration Notifier
Password Expiration Notifier
/ Daily report, User
notification reports
Prevention of attacks that
target a specific account and
submit passwords until the
correct password is
discovered.
Complementary to the built-in account
lockout mechanism in Active
Directory, NetWrix solution helps to
reduce the effects of false positives by
proactive monitoring and resolution
of account lockout incidents.
Account Lockout Examiner N/A
A policy that forbids the
same or similar password on
particular network devices.
Privileged account management
system that automatically generates
random passwords and assigns
different passwords to different
systems on a scheduled basis.
Privileged Account Manager
Privileged Account Manager
/ User Activity
ACCESS CONTROL: Network Access (Tier I: Objective 4, Tier II: Section B)
Cross-domain network
access monitoring to detect
security incidents and
unauthorized activity.
Not provided, a hardware or software-
based firewall must be used to
separate and audit clearly defined
network segments called domains
(e.g. DMZ and internal network).
Network domains are not Active
Directory domains per the Handbook
(some vendors mistakenly confuse
these concepts).
N/A N/A
ACCESS CONTROL: Operating system access (Tier I: Objective 4, Tier II: Section C)
Restricting and monitoring
privileged access.
Auditing of all types of access to
critical data and security-related
settings in Active Directory, file
servers, virtual machines, databases,
to make sure no change falls under the
radar.
AD Change Reporter
File Server Change Reporter
VMware Change Reporter
SQL Server Change Reporter
AD Change Reporter / All
Active Directory Changes
AD Change Reporter /
Object Security Changes
File Server Change Reporter
/ All File Server Changes
File Server Change Reporter
/ Successful File Reads
VMware Change Reporter /
All VMware Changes
SQL Server Change Reporter
/ All SQL Server Changes
Logging and monitoring
user or program access to
sensitive resources and
alerting on security events.
Centralized consolidation and easy to
use reporting of security events with
extensive filtering capabilities and
user-friendly reports. Ability to
subscribe to reports generated on
schedule.
Event Log Manager
File Server Change Reporter
File Server Change Reporter
/ All File Server Changes
File Server Change Reporter/
Successful File Reads
Event Log Manager/All
Events by Date
Update operating systems
with security patches and
using appropriate change
control mechanisms.
Complementary to a patch
management system such as WSUS,
NetWrix provides a tool to report on
patch compliance for a defined set of
patches and updates. This tool can be
used to verify patch deployment status
on multiple systems in bulk.
NetWrix Patch Reporter N/A
Log user or program access
to sensitive system
resources including files,
programs, processes, or
operating system
parameters.
Audit trail archiving and
consolidation to track access to files
and programs. Monitoring of user
activities related to changes to system
parameters.
File Server Change Reporter
Server Configuration Change
Reporter
Event Log Manager
File Server Change
Reporter/All File Server
Changes
File Server Change Reporter/
Successful File Reads
Event Log Manager/All
Events by Date
Server Configuration Change
Reporter/ All Server Changes
Filter logs for potential
security events and provide
adequate reporting and
alerting capabilities.
Extensive event log collection system
with filtering, reporting, and real-time
alerting capabilities to ensure
that critical security events never
happen unnoticed.
Event Log Manager
Event Log Manager / All
Events by Date
Event Log Manager / Real-
time Alerts
Lock or remove external
drives from system consoles
or terminals residing outside
physically secure locations.
Easy to configure policy-based
blocking of external peripheral
devices that requires no routine
management tasks.
USB Blocker N/A
Monitor operating system
access by user, terminal,
date, and time of access.
Auditing of access to all types of
systems with reporting of who did
what and when.
AD Change Reporter
Event Log Manager
File Server Change Reporter
SQL Server Change Reporter
AD Change Reporter/ All
Active Directory Changes
File Server Change
Reporter/All File Server
Changes
File Server Change Reporter/
Successful File Reads
SQL Server Change
Reporter/ All SQL Server
Changes
Event Log Manager/All
Events by Date
ACCESS CONTROL: Application access (Tier I: Objective 4, Tier II: Section G)
Monitoring access rights to
ensure they are the
minimum required for the
user's current business
needs.
Monitoring of security group
membership, privileges, and access
rights to ensure that no excessive
rights are given and no rights are
given without proper authorization.
AD Change Reporter
Group Policy Change Reporter
File Server Change Reporter
AD Change Reporter/
Administrative Group
Membership Changes
AD Change Reporter /
Security Group
Modifications
Group Policy Change
Reporter / Security Policy
Changes
File Server Change Reporter
/ Permission Changes
Logging access and security
events.
Auditing of all administrative and
user activities with configurable alerts
and reporting that documents all
security incidents and helps with early
detection and prevention of further
security incidents.
AD Change Reporter
File Server Change Reporter
Event Log Manager
AD Change Reporter /
Administrative Group
Membership Changes
File Server Change Reporter
/ All File Server Changes
File Server Change Reporter/
Successful File Reads
Event Log Manager / All
Events by Date
Using software that enables
rapid analysis of user
activities.
Real-time alerting and scheduled
reporting of different types of user
activities, such as logons, changes to
files and permissions, changes to
system configurations.
Event Log Manager
AD Change Reporter
File Server Change Reporter
AD Change Reporter /
Administrative Group
Membership Changes
File Server Change
Reporter/All File Server
Changes
File Server Change Reporter/
Successful File Reads
Event Log Manager/All
Events by Date
Maintaining consistent
processes for promptly
removing access to
departing employees.
Routine detection of inactive user
accounts and automatic deactivation
based on specified thresholds to ensure
that no accounts remain active for
terminated and reassigned employees.
Inactive Users Tracker
Inactive Users Tracker /
Daily report
ACCESS CONTROL: Remote access (Tier I: Objective 4)
Tightly controlling remote
access rights through
management approvals and
subsequent audits.
Regularly review remote
access approvals and
rescind those that no longer
have a compelling business
justification.
Auditing of dial-in and VPN access
on user accounts. Predefined reports
that show newly granted remote
access rights to users. Ability to
review all remote access permissions
granted within a specific timeframe.
AD Change Reporter
AD Change Reporter /Dial-in
Access Modifications
Logging and monitoring all
remote access
communications. Log and
monitor the date, time, user,
user location, duration, and
purpose for all remote
access.
Auditing of logins, remote desktop
connections, and other types of
remote access with full information
on who logged in and when, source IP
address, etc.
Event Log Manager
Logon Reporter
Logon Reporter/All logon
reports
Event Log Manager/All
Events by Date
SECURITY MONITORING (Tier I, Objective 6, Tier II: Section M)
Analyzing the results of
monitoring to accurately
and quickly identify,
classify, escalate, report,
and guide responses to
security events.
Web-based reporting system with
predefined reports and ability to
create custom reports for specific
analysis needs.
AD Change Reporter
File Server Change Reporter
SQL Server Change Reporter
VMware Change Reporter
Event Log Manager
AD Change Reporter/ All
Active Directory Changes
File Server Change
Reporter/All File Server
Changes
File Server Change Reporter/
Successful File Reads
VMware Change
Reporter/All VMware
Changes
SQL Server Change
Reporter/ All SQL Server
Changes
Monitoring network and
host activity to identify
policy violations and
anomalous behavior.
Complete auditing of user and
administrative activities, including
logons, access to data and
configuration.
AD Change Reporter
File Server Change Reporter
Event Log Manager
Logon Reporter
AD Change Reporter/ All
Active Directory Changes
File Server Change
Reporter/All File Server
Changes
File Server Change Reporter/
Successful File Reads
Logon Reporter/All logon
reports
Event Log Manager/All
Events by Date
Monitoring host and
network condition to
identify unauthorized
configuration and other
conditions which increase
the risk of intrusion or other
security events.
Complete auditing of changes in
server configurations, Active
Directory, Group Policy to detect
unauthorized or accidental changes
that might open security holes and
other possibilities for attacks.
AD Change Reporter
Group Policy Change Reporter
Server Configuration Change
Reporter
AD Change Reporter /
Administrative Group
Membership Changes
AD Change Reporter /
Security Group
Modifications
Group Policy Change
Reporter / Security Policy
Changes
Server Configuration Change
Reporter/ All Server Changes
FISMA Compliance
The Federal Information Security Management Act of 2002 (FISMA), enacted as Title III of the E-Government Act of 2002, was established to address the
importance of information security related to both the economic and national security interests of the United States. The Act, which
has forged a thorough structure by which information security controls can be judged on their effectiveness and
comprehensiveness, maintains minimum security requirements and controls that all federal agencies must abide by.
NetWrix Corporation provides a comprehensive line of auditing solutions that can be used to promote adherence to the following
FISMA requirements:
Control
Number Requirement NetWrix Provides NetWrix Solution Reports
FAMILY: Access Control CLASS: Technical
AC-2
The organization manages
information system accounts,
including establishing, activating,
modifying, reviewing, disabling,
and removing accounts. The
organization reviews information
system accounts at least annually.
Automated and consolidated
auditing and reporting of all
account management activities
in Active Directory, Group
Policy, Exchange, SQL server
database, file server,
SharePoint and virtual
environment changes, as well
as logon activities. Reports
include information about
who made changes to what
accounts, when and where
those changes were made.
Reports include all
established, activated,
modified, disabled, and
removed accounts, and
streamline the annual review
process.
Change Reporter family
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
AC-3
The information system enforces
assigned authorizations for
controlling access to the system in
accordance with applicable policy.
Complete Active Directory,
Group Policy, and file server
change auditing that notifies
administrators via report in
any instance of user rights
modifications. Reports can be
used as audit trail for auditors.
Active Directory Change
Reporter
Group Policy Change
Reporter
File Server Change
Reporter
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
AC-5
The information system enforces
separation of duties through
assigned access authorizations.
Tracking of all user logons
and separation of duties via
individual user IDs to ensure
clearly identifiable users at all
times, even if the accounts are
shared between multiple
employees.
Logon Reporter
Privileged Account
Manager
Logon Reporter/All logon
reports
Privileged Account
Manager / User Activity
AC-7
The information system enforces a
limit of X consecutive invalid
access attempts by a user during a
[organization-defined] time
period. The information system
automatically locks the
account/node for an [organization-
defined time period] or delays next
login prompt according to
[organization-defined delay
algorithm] when the maximum
number of unsuccessful attempts is
exceeded.
NetWrix solutions minimize
costs associated with
implementation of strong
password policies. Automated
alerts are sent to administrators on
all account lockouts;
scheduled reports are sent
with all logon activities,
including failed attempts;
self-service password management
tools allow end users to reset
their passwords securely and
without contacting IT help
desk. Automated monitoring
of policy changes captures all
unauthorized changes to
password policies.
Account Lockout Examiner
Identity Management Suite
Logon Reporter
Group Policy Change
Reporter
Inactive Users Tracker /
Daily report
Privileged Account
Manager / User Activity
Password Expiration
Notifier/Daily report,
User notification reports
AD Change Reporter/
User Account
Modifications
Logon Reporter/Failed
Logon Attempts
Group Policy Change
Reporter / Password
Policies
AC-13
The organization supervises and
reviews the activities of users with
respect to the enforcement and
usage of information system
access controls.
Automated reports notify
predetermined report
recipients of all user activities
and can be archived for
historical review or used as
comprehensive audit trail for
FISMA auditors.
Change Reporter family
Logon Reporter
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
Logon Reporter/All logon
reports
AC-19
The organization: (i) establishes
usage restrictions and
implementation guidance for
organization-controlled portable
and mobile devices; and (ii)
authorizes, monitors, and controls
device access to organizational
information systems.
Complete reporting and audit
trails that audit and optionally
all mobile devices that
connect to peripheral ports.
USB Blocker N/A
FAMILY: Audit and Accountability CLASS: Technical
AU-2
The information system generates
audit records for the following
events: [organization-defined
auditable events].
Auditing and reporting of all
types of events, including
login events, access control,
identity management
administration, file access
events, and other generic
events defined by
organization.
Change Reporter family
Identity Management Suite
Event Log Manager
Logon Reporter
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
Inactive Users Tracker /
Daily report
Privileged Account
Manager / User Activity
Password Expiration
Notifier/Daily report,
User notification reports
Event Log Manager/All
Events by Date
Logon Reporter/All logon
reports
AU-3
The information system produces
audit records that contain
sufficient information to establish
what events occurred, the sources
of the events, and the outcomes of
the events.
Complete reports include who,
what, when and where each
change occurred, as well as
the current and new values of
every system modification.
Change Reporter family
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
AU-4
The organization allocates
sufficient audit record storage
capacity and configures auditing to
reduce the likelihood of such
capacity being exceeded.
Automated auditing and
reporting at custom intervals.
All reports are consolidated,
compressed and stored in a
centralized location to
minimize CPU and memory
usage. An additional tool is
provided to monitor available
disk space and alert on low
disk space conditions.
Disk Space Monitor
Disk Space Monitor daily
report
AU-5
The information system alerts
appropriate organizational officials
in the event of an audit processing
failure and takes the following
additional actions: [organization-
defined actions to be taken (e.g.,
shut down information system,
overwrite oldest audit records,
stop generating audit records)].
Alerts are sent when audit log
overwrite occurs or any
changes in audit log overwrite
policies are detected. In
addition to that, all audit data
is archived for a specified
period of time for viewing at a
later date even if the original
event logs are lost.
Event Log Manager
Server Configuration
Change Reporter
Event Log Manager/All
Events by Date
Event Log Manager/
Audit Log Cleared
Server Configuration
Change Reporter / All
Server Changes by Date
AU-6
The organization regularly
reviews/analyzes information
system audit records for
indications of inappropriate or
unusual activity, investigates
suspicious activity or suspected
violations, reports findings to
appropriate officials, and takes
necessary actions.
All significant activities are
audited, reported and sent in
daily E-mails for review of
any unusual activity.
Extensive collection of
predefined reports is available
out of the box with ability to
create custom reports and
make them available for
regular reviews.
Active Directory Change
Reporter
Change Reporter Suite
Event Log Manager
Logon Reporter
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
Event Log Manager/All
Events by Date
Logon Reporter/All logon
reports
AU-7
The information system provides
an audit reduction and report
generation capability.
All change management
solutions produce automated
audit reports for E-mail or
in-console viewing. The
change auditing solutions
remove unnecessary "noise"
events that administrators
deem insignificant, allowing
for simplified manual review.
Change Reporter family
Event Log Manager
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
Event Log Manager/All
Events by Date
AU-8
The information system provides
time stamps for use in audit record
generation.
Timestamps are available for
every audited event and alert.
Change Reporter family
Event Log Manager
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
Event Log Manager/All
Events by Date
AU-9
The information system protects
audit information and audit tools
from unauthorized access,
modification, and deletion.
Protection via permissions and
access rights of audit
information maintained by all
NetWrix solutions.
All NetWrix Products N/A
AU-10
The information system provides
the capability to determine
whether a given individual took a
particular action.
Audit reports notify
administrators of exactly who
took what actions and made
what changes.
Change Reporter family
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
AU-11
The organization retains audit
records for [organization-defined
time period] to provide support for
after-the-fact investigations of
security incidents and to meet
regulatory and organizational
information retention
requirements.
Reports can be archived for a
specified amount of time for
viewing at a later date. 10
years and more can be kept in
long-term archive and quickly
made available for after-the-fact
investigations or security
incidents.
Change Reporter family
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
FAMILY: Certification, Accreditation, and Security Assessments CLASS: Management
CA-7
The organization monitors the
security controls in the
information system on an ongoing
basis.
Daily reports show all changes
to security controls and
policies. Many predefined
reports are available to
simplify the ongoing review
processes.
Change Reporter family
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
FAMILY: Configuration Management CLASS: Operational
CM-3
The organization authorizes,
documents, and controls changes
to the information system.
All changes to the information
system are documented and
archived in easy to read audit
reports that show who
changed what, when, and
where and show full details
about all changes. Some types
of unauthorized changes can
be automatically rolled back
to their original states.
Change Reporter family
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
CM-4
The organization monitors changes
to the information system
conducting security impact
analyses to determine the effects
of the changes.
Convenient change
monitoring capabilities,
ensuring that all modifications
are available for security
impact analysis in an easy to
understand format showing
what was changed and what
configuration settings existed
before changes.
Change Reporter family
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
CM-5
The organization: (i) approves
individual access privileges and
enforces physical and logical
access restrictions associated with
changes to the information system;
and (ii) generates, retains, and
reviews records reflecting all such
changes.
Workflow-based approvals
and access right granting to
monitor access privileges and
changes.
Self-Service Group
Manager N/A
CM-6
The organization: (i) establishes
mandatory configuration settings
for information technology
products employed within the
information system; (ii) configures
the security settings of information
technology products to the most
restrictive mode consistent with
operational requirements; (iii)
documents the configuration
settings; and (iv) enforces the
configuration settings in all
components of the information
system.
Adherence to all Group Policy
and event log management
configuration settings. All
changes to policy settings are
detected and highlighted in
detailed reports for granular
control and enforcement
policies.
Change Reporter family
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
FAMILY: Media Protection CLASS: Operational
MP-2
The organization restricts access to
information system media to
authorized individuals.
Audits and reports all file
server access and changes,
and blocks both import and
export of data through
peripheral device restriction.
USB Blocker
File Server Change
Reporter
File Server Change
Reporter / All File Server
Changes
FAMILY: Personnel Security CLASS: Operational
PS-4
The organization, upon
termination of individual
employment, terminates
information system access,
conducts exit interviews, retrieves
all organizational information
system-related property, and
provides appropriate personnel
with access to official records
created by the terminated
employee that are stored on
organizational information
systems.
Automated tracking of all
dormant user accounts,
deactivating those that are
inactive for a specified
amount of time. Archiving of
electronic records of
communication with full-text
search capabilities.
Inactive Users Tracker
Inactive Users Tracker /
Daily report
PS-5
The organization reviews
information systems/facilities
access authorizations when
personnel are reassigned or
transferred to other positions
within the organization and
initiates appropriate actions.
Provides tracking of access
authorizations, reporting on
changes to permissions and
user movements between
departments in organizational
units. Automated user
provisioning tools ensure that
right access is granted to the
right people at the right time
based on organizational
structure.
Self-Service Group
Manager N/A
PS-7
The organization establishes
personnel security requirements
including security roles and
responsibilities for third-party
providers and monitors provider
compliance.
Accurate auditing and
reporting of all user events,
including login activity,
Active Directory
modifications, and server,
object or USB device access.
Change Reporter family
Event Log Manager
Logon Reporter
USB Blocker
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
Event Log Manager/All
Events by Date
Logon Reporter/All logon
reports
FAMILY: System and Information Integrity CLASS: Operational
SI-4
The organization employs tools
and techniques to monitor events
on the information system, detect
attacks, and provide identification
of unauthorized use of the system.
Centralized collection and
consolidation of all types of
events, including login
activity, Active Directory
modifications, and server,
object or USB device access
to identify unauthorized use.
Change Reporter family
Event Log Manager
Logon Reporter
USB Blocker
AD Change Reporter/ All
Active Directory Changes
Group Policy Change
Reporter / All Group
Policy Changes
File Server Change
Reporter / All File Server
Changes
Server Configuration
Change Reporter/ All
Server Changes
SQL Server Change
Reporter/ All SQL Server
Changes
VMware Change
Reporter/All VMware
Changes
Exchange Change
Reporter/ All MS
Exchange Changes
SharePoint Change
Reporter/ All SharePoint
Changes
Event Log Manager/All
Events by Date
Logon Reporter/All logon
reports
Appendix A: NetWrix Event Log Manager Reports
Account Management Reports
Account Management
Shows account management operations: creation and deletion of accounts and groups and group membership.
Account Management Changes
Lists account management changes grouped by user according to the specified filter.
Administrative Password Resets
Shows all admin-initiated password resets.
Password Changes by User
Lists all password changes initiated by users. Password resets made by administrators are not included in this report.
Auditing Reports
Audit Log Access
Lists all audit log access grouped by user according to the specified filter.
Audit Log Cleared
Shows audit trail cleanup operations. Such operations should never be done without good justification and must be carefully reviewed for security and compliance purposes.
Audit Policy Changes
Shows changes to audit policy settings. Audit policy shall be clearly defined in every organization and changed only after explicit approval by management.
Logon Reports
Failed Logon Attempts
Shows failed authentication attempts in Active Directory. This report is crucial to security and compliance of every organization.
Failed User Account Validation
Lists all unsuccessful user account validations grouped by user according to the specified filter.
Successful User Account Validation
Lists all successful user account validations grouped by user according to the specified filter.
Successful User Logoffs
Lists all successful user logoffs grouped by user according to the specified filter.
Successful User Logons
Shows logons made by users. This report is one of the most important security reports and can be used to track user activity during security and compliance reviews.
User Logoffs
Shows user logoffs filtered by user name. User logoff information can be analyzed to detect the exact time users stopped using the system in order to exclude certain users from security investigations related to unauthorized access.
Event Reports
All Events by Computer
Shows all events grouped by computer, filtered by date range and other parameters.
All Events by Date
Shows all events grouped by date, filtered by date range and other parameters.
All Events by Source
Shows all events grouped by source (e.g. 'Security', 'Application Management'), filtered by date range and other parameters.
All Events by User
Shows all events grouped by user, filtered by date range and other parameters.
All Object Access Events by User
Shows all object access events, e.g. file and folder access, registry, and other system objects. Object access auditing must be enabled for this report to work.
All System Events by User
Shows all system events.
Miscellaneous Reports
Host Session Status
Lists all host session statuses grouped by user according to the specified filter.
Remote Desktop Sessions
Shows remote desktop sessions: initiated, terminated, and reconnected.
Security Group Membership Changes
Security groups control access to data and resources and all changes must be carefully reviewed on a regular basis in order to ensure overall security and sustain compliance with regulations.
Real-Time Alerts
Provides alerts for specific events in real time.
Appendix B: NetWrix Logon Reporter Reports
Events, Logons, Logoffs, Lockouts and more
All Events by Computer
Shows all events grouped by computer, filtered by date range and other parameters.
All Events by Date
Shows all events grouped by date, filtered by date range and other parameters.
All Events by User
Shows all events grouped by user, filtered by date range and other parameters.
Administrative Password Resets
Shows all admin-initiated password resets.
Failed Logon Attempts
Shows failed authentication attempts in Active Directory. This report is crucial to security and compliance of every organization.
Password Changes by User
Lists all password changes initiated by users. Password resets made by administrators are not included in this report.
Successful User Logons
Shows logons made by users. This report is one of the most important security reports and can be used to track user activity during security and
compliance reviews.
User Account Lockouts
This report shows all account lockout events. Account lockouts can have many possible reasons and surges in the numbers of account lockouts
must be carefully analyzed to detect and prevent security incidents.
User Accounts Unlocked
This report shows manually unlocked user accounts. Account unlocking should be performed only by designated help desk personnel or
automated software tools and this report can be used to detect violations of this recommended policy.
User Logoffs
Shows user logoffs filtered by user name. User logoff information can be analyzed to detect the exact time users stopped using the system in
order to exclude certain users from security investigations related to unauthorized access.
Appendix C: NetWrix Active Directory Change Reporter Reports
All Changes Reports
All Active Directory Changes
Shows all changes made to AD objects, permissions, and configuration, filtered by date range and user name who made changes.
All Active Directory Configuration Changes
Shows all changes made inside the AD configuration container, such as domains and trusts, domain controllers, sites, etc. Changes in the
configuration container can adversely affect AD functionality and must be regularly reviewed to detect mistakes and unauthorized changes.
All Active Directory Schema Changes
Shows all changes made to AD schema (classes and attributes). Schema change auditing is disabled by default and must be explicitly enabled.
All Active Directory Changes by Object Type
Shows all changes to AD objects, permissions, and configuration grouped by date. You can filter by date range and user name who made changes.
All Active Directory Changes by User
Shows all changes to AD objects, permissions, and configuration grouped by users who made changes. You can filter by date range and user
name who made changes.
All Active Directory Changes by Date
Shows all changes to AD objects, permissions, and configuration grouped by date. You can filter by date range and user name who made
changes.
All Active Directory Changes by Date (Chart)
Graphical representation of all changes to AD objects, permissions, and configuration grouped by date. You can filter by date range and user
name who made changes.
All Active Directory Changes by User (Chart)
Graphical representation of all changes to AD objects, permissions, and configuration grouped by users who made changes. You can filter by
preferred date range.
All Active Directory Site Changes
Shows all changes made to AD sites. AD sites rarely change and this report should be reviewed to detect accidental and unauthorized changes.
AD Structure Reports
Group Members
This report shows all users, groups, etc. located in the selected groups.
Organizational Unit Accounts
This report shows users from the selected OUs and 'Users' and 'Built-In' containers including their usernames and account statuses
(enabled/disabled)
Sensitive Group Members
This report displays users, groups, etc. located only in the Domain Admins group and Enterprise Admins group.
Object security
Administrative Group Membership Changes
Administrative groups like Domain Admins and Enterprise Admins should be very well-defined and rarely change. Changes to group memberships must be closely monitored.
Object Security Changes
Shows changes to object permissions and audit settings. Changes to object permissions usually reflect delegation of rights to organizational units and other objects.
Group membership
Security Group Modifications
Shows all types of changes made to security groups, including name, description, membership, and permissions.
User Account
Dial-in Access Modifications
Shows changes to dial-in and VPN access rights. Normally only remote employees should be granted dial-in and VPN access and all changes to dial-in access must be reviewed by management.
Users Disabled
Shows all disabled user accounts. User accounts are normally disabled when employees leave the organization and this report can be used to ensure that all recently terminated employees have their accounts properly deactivated and no longer have access to the network.
Users Enabled
Shows all enabled user accounts. User accounts are rarely enabled and usually enabling means that some previously terminated employee joined the organization once again (e.g. as a part of their new contract engagement). All recently enabled accounts must be carefully reviewed for security purposes.
User Account Modifications
Shows changes made to all user account attributes (e.g. name, contact info, dial-in permissions, manager, etc).
User Accounts Renamed
Shows all account name operations. Accounts are rarely renamed (usually only if user changes his or her name) and this report should be
reviewed from time to time to verify accurateness.
User Accounts Created
Shows all newly created user accounts. Creation of new accounts shall reflect hiring of new employees and addition of new services and
applications.
Password Changes by User
Shows all successful password updates made by users by entering their existing passwords, as opposed to password resets done by administrators without knowing a current password. Password change auditing is disabled by default; you must explicitly enable it in program settings.
Administrative Password Resets
Administrative password resets are usually done by IT help desk personnel who have access rights to make password resets without knowing
current passwords. Password resets may result in gaining of unauthorized access and therefore must be reviewed on a regular basis.
Best Practice Reports
AD Structure
Organizational Unit Setting Modifications
Shows changes made to organizational units (e.g. name, description, delegation), excluding changes made to child objects.
Organizational Units Created
Shows newly created organizational units. Creation of organizational units must be well-planned according to the organization structure and
business practices.
Organizational Units Removed
Shows deleted AD organizational units. Use this report for early detection of accidentally deleted OUs and use the Restore Wizard to quickly
recover OUs and their child objects.
Computer Account
Computer Account Modifications
Shows all changes to computer accounts (e.g. renames, delegation settings, etc). Computer accounts are normally controlled by domain members
(servers and workstations).
Computer Accounts Created
Shows computer accounts created when workstations and servers are joined into domains.
Computer Accounts Removed
Shows deleted computer accounts. Deletion of computer accounts is a typical cleanup operation, but it should be reviewed from time to time to
ensure that no computer accounts are being mistakenly deleted.
Service Packs Applied to Computers
Shows changes to service pack installations on DCs, member servers and workstations. This report can be used to analyze effects of system
failures related to service pack updates.
Domain Controller
Domain Controller Modifications
Shows changes to DC configurations. Accidental and unauthorized changes can break AD operation and must be carefully monitored.
Domain Controllers Demoted
DC demotion is a privileged operation and must be done wisely to avoid disruptions in operations.
Domain Controllers Promoted
Shows addition of new domain controllers to domains. All DC promotions must be planned and reviewed for accuracy and security.
Group Membership
Administrative Group Membership Changes
Administrative groups like Domain Admins and Enterprise Admins should be very well-defined and rarely change. Changes to group
memberships must be closely monitored.
All Changes by Group Members
This report displays all changes made by members of the selected groups.
Distribution Group Modifications
Shows modifications to distribution group properties, including group membership. Changes to distribution groups must be reviewed on a
regular basis because distribution groups control recipients of information and unauthorized changes can result in disclosure and leakage of
confidential information inside and outside an organization.
Distribution Groups Created
Shows newly created distribution groups. Structure of distribution groups should reflect your organization’s information flow.
Distribution Groups Removed
Shows deleted distribution groups. Use this report for early detection of accidentally deleted groups and use the Restore Wizard to quickly
recover them.
Security Group Membership Changes
Shows addition and removal of members from security groups, including local, global, and universal groups. Security groups control who has
access to what and therefore must be closely monitored for changes as required by major compliance regulations.
Security Group Modifications
Shows all types of changes made to security groups, including name, description, membership, and permissions.
Security Groups Created
Shows newly created security groups, including local, global, and universal groups. Creation of security groups should reflect major changes to
security access roles structure and therefore should be carefully reviewed for accurateness.
Object Security
Administrative Group Membership Changes
Administrative groups like Domain Admins and Enterprise Admins should be very well-defined and rarely change. Changes to group
memberships must be closely monitored.
All Changes by Group Members
This report displays all changes made by members of the selected groups.
Object Security Changes
Shows changes to object permissions and audit settings. Changes to object permissions usually reflect delegation of rights to organizational units
and other objects.
User Account
Account Expiration Modifications
Shows modifications to account expiration settings. For example, it shows when somebody turned off account expiration for a set of accounts, which
might indicate a security issue (e.g. account expiration should never be turned off for temporary contractor accounts).
Accounts Enabled or Disabled
Accounts are usually disabled for terminated employees and can be re-enabled when employees join the company again. All such
operations should be carefully monitored to make sure no unauthorized accounts remain active.
Administrative Password Resets
Administrative password resets are usually done by IT help desk personnel who have access rights to make password resets without knowing
current passwords. Password resets may result in gaining of unauthorized access and therefore must be reviewed on a regular basis.
Administrative Password Resets by User
Administrative password resets are usually done by IT help desk personnel who have access rights to make password resets without knowing
current passwords. Password resets may result in gaining of unauthorized access and therefore must be reviewed on a regular basis.
Dial-in Access Modifications
Shows changes to dial-in and VPN access rights. Normally only remote employees should be granted dial-in and VPN access and all changes to
dial-in access must be reviewed by management.
Logon Hours Modifications
The logon hours setting controls allowed logon times and usually prevents access during non-business hours. Changes to this setting may indicate
potential security issues.
Logon Workstations Modifications
This setting specifies a list of workstations the user is allowed to log in to. Shows modifications to allowed login workstations on the user account level. Workstation access restrictions are usually mandated by
compliance and security requirements and changes to these restrictions must be audited.
Password Changes by User
Shows all successful password updates made by users by entering their existing passwords, as opposed to password resets done by
administrators without knowing a current password. Password change auditing is disabled by default; you must explicitly enable it in program
settings.
User Account Modifications
Shows changes made to all user account attributes (e.g. name, contact info, dial-in permissions, manager, etc).
User Accounts Created
Shows all newly created user accounts. Creation of new accounts shall reflect hiring of new employees and addition of new services and
applications.
User Accounts Created With Details
Shows all newly created user accounts. Creation of new accounts shall reflect hiring of new employees and addition of new services and
applications.
User Accounts Deleted
Shows all deleted user accounts. According to best practices, accounts should be first disabled and then deleted after some time frame. This
report should be reviewed regularly to detect accidentally deleted accounts and restore them using the AD Object Restore Wizard.
User Accounts Deleted With Details
Shows all deleted user accounts. According to best practices, accounts should be first disabled and then deleted after some time frame. This
report should be reviewed regularly to detect accidentally deleted accounts and restore them using the AD Object Restore Wizard.
User Accounts Lockouts
This report shows all account lockout events. Account lockouts can have many possible reasons and surges in the numbers of account lockouts
must be carefully analyzed to detect and prevent security incidents.
User Accounts Renamed
Shows all account name operations. Accounts are rarely renamed (usually only if user changes his or her name) and this report should be
reviewed from time to time to verify accurateness.
User Accounts Unlocked
This report shows manually unlocked user accounts. Account unlocking should be performed only by designated help desk personnel or
automated software tools and this report can be used to detect violations of this recommended policy.
Users Disabled
Shows all disabled user accounts. User accounts are normally disabled when employees leave the organization and this report can be used to
ensure that all recently terminated employees have their accounts properly deactivated and no longer have access to the network.
Users Enabled
Shows all enabled user accounts. User accounts are rarely enabled and usually enabling means that some previously terminated employee
joined the organization once again (e.g. as a part of their new contract engagement). All recently enabled accounts must be carefully reviewed
for security purposes.
Appendix D: NetWrix Group Policy Change Reporter
All Changes Reports
All Group Policy Changes
Shows all changes made to Group Policy objects, setting values, GPO links, and permissions. Filtered by date range and user name who made changes.
All Group Policy Changes (Chart)
Shows all changes made to Group Policy objects, setting values, GPO links, and permissions. Filtered by date range and user name who made changes.
Account Lockout Policy
Account Lockout Policy Changes
Shows all changes made to account lockout policy settings, for example, changes to lockout threshold and duration. Unauthorized changes of account lockout settings may indicate attempts to compromise system security.
Lockout Duration Policy Changes
Shows modifications of account lockout duration setting. Changes to this setting should be done wisely and always reviewed for accurateness.
Local Policies
Audit Policy Changes
Audit policy defines what types of actions are logged to audit trails by the system. Every organization should have clearly defined audit policy that changes only after management approval.
Interactive Logon Policy Changes
Shows changes to interactive logon rights. Interactive logon is a privileged operation and granting of this right should be always justified and approved by security specialists.
Rename Administrator and Guest Policy Changes
Administrator and Guest accounts can be renamed for security purposes. Modification of this policy can indicate potential security incidents (e.g. someone renamed accounts back to simplify network intrusion attempts).
Security Settings
Security Policy Changes
Shows all changes made to security policies (e.g. Local Policy, Account Policy, Password Policy, etc). All such changes must be reviewed on a regular basis to mitigate security risks.
Software Installation
Software Installation Policy Changes
This report shows all changes made to GPO software deployment settings. Organization's deployment policies should be clearly defined and all changes carefully reviewed as they are made.
Password Policy
All Password Policy Changes
Password policy includes password history, expiration, complexity, and other settings that affect password security as mandated by organization's policy. No change to password policy must ever fall under the radar.
Password Age Policy Changes
Shows changes to minimum and maximum password age settings. Such changes shall never be done without careful planning and approval by security and compliance managers.
Password Complexity Policy Changes
Password complexity policy defines requirements for user passwords and changes to this policy shall never be implemented without management approval.
Password Encryption Policy Changes
This policy defines whether passwords are stored using reversible encryption or not. This setting should never be changed.
Password History Policy Changes
Password history defines how many previous passwords are remembered to disallow usage of 'favorite' passwords and ensure that users use a new password every time they change it.
Appendix E: NetWrix Exchange Change Reporter
All Changes Reports
All MS Exchange Changes
Shows all changes made to Exchange permissions and configuration, filtered by date range and username who made changes.
All MS Exchange Changes by Date
Shows all changes made to Exchange permissions and configuration grouped by date. Filtered by date range and user name who made changes.
All MS Exchange Changes by Date (Chart)
Graphical representation of all changes made to Exchange permissions and configuration grouped by date. Filtered by preferred date range.
All MS Exchange Changes by Object Type
Shows all changes made to Exchange objects grouped by object type (Store, Server, Address List, etc). Filtered by date range and user name who made changes.
All MS Exchange Changes by User
Shows all changes made to Exchange objects grouped by user who made changes. Filtered by date range and user name who made changes.
All MS Exchange Changes by User (Chart)
Graphical representation of all changes to Exchange objects grouped by user who made changes. You can filter by preferred date range.
Mailbox
Mailbox Quota Changes
Shows all changes in mailbox quota settings. Changes to mailbox quotas shall be regularly reviewed by Exchange administrators to control storage usage.
Mailbox Settings and Permission Changes
Shows changes to user mailboxes. All changes made to mailboxes must be regularly reviewed for accuracy.
Mailboxes Created
Shows creation of new mailboxes that usually reflects hiring of new employees. Newly created mailboxes must be reviewed to detect unauthorized activity.
Mailboxes Removed
Shows deleted mailboxes. This report should be reviewed to detect accidental destruction of mailboxes and ensure their fast recovery from backup storage.
Recipient
Recipient Policies Added
Shows newly created recipient policies. New policies should be reviewed for accuracy on a regular basis.
Recipient Policies Removed
Shows deleted recipient policies. This report can be used to detect accidental and unauthorized deletions before they affect organization's e-mail system.
Recipient Policy Changes
Shows all changes made to recipient policy settings and permissions. Changes to security policy must be monitored for security and compliance.
Recipient Update Service Changes
Lists all recipient update service changes grouped by user (Exchange 2003 only)
Recipient Update Services Added
Lists all added recipient update services grouped by user (Exchange 2003 only)
Recipient Update Services Removed
Lists all removed recipient update services grouped by user (Exchange 2003 only)
Server
MS Exchange Servers Added
Shows addition of new servers to Exchange organizations. Installation of new servers must be reviewed to make sure no rogue servers are installed.
Storage Group
MS Exchange Storage Group Changes
Storage groups contain all Exchange stores and modifications of storage group settings can affect the entire Exchange organization.
MS Exchange Storage Groups Added
Storage group creation is usually a carefully planned operation and this report can be used to review the process.
MS Exchange Storage Groups Removed
Storage groups are rarely removed and this report should be reviewed regularly to detect any unplanned actions.
Store
MS Exchange Store Changes
Exchange stores hold all exchange data, such as messages, contacts, tasks, etc. This report shows modification of store settings and permissions, without changes made to stored content.
MS Exchange Stores Added
Shows all newly created stores. Creation of new stores should be carefully planned and reviewed to avoid unnecessary creation of new stores.
MS Exchange Stores Removed
Shows all deleted stores. Stores are rarely deleted and this report can be used to detect all accidental and unauthorized deletions before they impact the operations.
Appendix F: NetWrix SharePoint Change Reporter Reports
All Changes Reports
All SharePoint Changes
Shows all created, deleted and modified items.
All SharePoint Changes by Server
Shows all created, deleted, and modified items, grouped by file server name.
Appendix G: NetWrix File Server Change Reporter Reports
Successful Modifications
All File Server Changes
Shows all created, deleted, and modified files, folders, shares, and permissions.
Permission Changes
Shows changes in file, folder, and share permissions in the specified time frame. This report must be reviewed on a regular basis to detect unauthorized access and verify that only allowed groups of people have access to sensitive data.
All File Server Changes by Date
Shows all created, deleted, and modified files, folders, shares, and permissions, grouped by modification date. This report is very useful for compliance audits to show that all data modifications are traceable and auditable.
All File Server Changes by Type
Lists all file server changes grouped by object type according to specified filter.
All File Server Changes by User
Shows all created, deleted, and modified files, folders, shares, and permissions, grouped by user name who made changes.
All File Server Changes by Server
Shows all created, deleted, and modified files, folders, shares, and permissions, grouped by file server name.
Files and Folders Created
Shows all newly created files and folders for a specified period of time. This report can be used to analyze growth of disk space usage.
Files and Folders Deleted
Lists all file server changes where the action is "Removed", grouped according to the specified filter.
Files Folders and Shares Modified
Shows who changed what files, folders and shares, and when, including permission changes. You can restore modified files to their previous versions if file versioning is enabled in program options.
Successful Reads
Successful File Reads
Shows all file read attempts that were successful. This report can be used for compliance audits to show that all access to sensitive information is traceable and auditable.
Successful File Reads by Date
Shows all file read attempts that were successful, grouped by date. This report can be used for compliance audits to show that all access to sensitive information is traceable and auditable.
Successful File Reads by Server
Shows all file read attempts that were successful, grouped by server name. This report can be used to analyze what servers are being accessed.
Successful File Reads by User
Reports what users read what files and when, grouped by user. This report can be used to analyze all access attempts by specific users.
Failed Modification Attempts
Failed Modification Attempts
Reports all attempts to change files, folders, and permissions that failed due to lack of access rights. This report must be regularly reviewed to track unauthorized access attempts.
Failed Modification Attempts by Date
Shows all failed attempts to write to files and change permissions, grouped by date.
Failed Modification Attempts by Server
Shows all failed attempts to write to files and change permissions, grouped by server name.
Failed Modification Attempts by User
Shows all failed attempts to write to files and change permissions, grouped by user name. This report can be used to show what users were trying to gain unauthorized access.
Failed Read Attempts
Failed Read Attempts
Reports all unauthorized file access attempts. This report can be used for compliance audits to show that all unauthorized data access activities are traceable and easily auditable.
Failed Read Attempts by Date
Reports all unauthorized file access attempts, grouped by date. This report can be used for compliance audits to show that all unauthorized data access activities are traceable and easily auditable.
Failed Read Attempts by Server
Reports all unauthorized file access attempts, grouped by server name. This report can be used to analyze what file servers are subject to unauthorized access attempts.
Failed Read Attempts by User
Reports all unauthorized file access attempts. This report can be used for compliance audits to show that all unauthorized data access activities are traceable and easily auditable.
Appendix H: NetWrix Server Configuration Change Reporter Reports
All Server Changes
Shows all configuration changes filtered by date, server name, and object name
All Server Changes by Date
Shows all configuration changes grouped by date. Changes can be filtered by date, server name, and object name
All Server Changes by Object Type
Shows all configuration changes filtered by date, server name and configuration grouped by Object Type. You can filter
All Server Changes by User
Shows all configuration changes filtered by date, server name and configuration grouped by users who made changes. You can filter by date range and user name who made changes.
Appendix I: NetWrix SQL Server Change Reporter Reports
All Change Reports
All SQL Server Changes
Shows all changes made to SQL server objects and permissions, including created, modified, and deleted server instances, roles, tables, columns, stored procedures, and all other types of objects. This report can be used for compliance audits to show that all changes are traceable and auditable.
All SQL Server Changes By Date
Shows all changes made to SQL server objects and permissions, including created, modified, and deleted server instances, roles, tables, columns, stored procedures, and all other types of objects. This report can be used for compliance audits to show that all changes are traceable and auditable.
All SQL Server Changes By Object Type
Shows all changes made to SQL server objects and permissions, including newly created objects, modified objects, and deleted objects. Changes are grouped by object type: server, database, role, table, column, etc.
All SQL Server Changes By User
Shows all changes to SQL server object grouped by user name who made changes. This report can be used to analyze user activities for specific users.
Object changes
Server Instance Changes
Lists changes to SQL Server instances.
Login Changes
Shows creation and deletion of database logins, and modification of login attributes. This report must be reviewed on a regular basis because database logins control access to sensitive data.
User Changes
Shows creations, deletions, and modifications of users in databases. This report must be reviewed on a regular basis because user accounts control access to sensitive data.
Credential Changes
Shows all credential changes made within specified timeframe. This report must be reviewed on a regular basis to detect unauthorized access attempts.
Role Changes
Shows all changes in roles, such as creation and deletion of roles, and changes in role properties and memberships. This report must be carefully reviewed on a regular basis, because roles control security access to databases.
Application Role Changes
Lists changes to database application roles.
Database Changes
Shows all changes in databases and their properties, such as newly created and deleted databases, data file locations, and other attributes, excluding changes in the inner objects (such as tables, columns, and stored procedures).
Database Column Changes
Lists changes to database columns.
Database Schema Changes
Shows all changes in database schema, such as creation and deletion of schemas, and changes in schema properties (e.g. modification of dbo schema).
Database View Column Changes
Lists changes to database view columns.
Database View Index Column Changes
Lists changes to database view index columns.
Server Role Changes
Shows creation and deletion of server roles and changes of role properties and memberships. This report must be reviewed on a regular basis because roles control server-wide access to sensitive data.
Stored Procedure Changes
Shows creations, deletions, and modifications of stored procedures. Such changes must be carefully reviewed, because applications rely on stored procedures.
Table Changes
Shows creations, deletions, and modifications of tables in databases, excluding changes in table columns. This report must be carefully reviewed to detect unauthorized changes that can severely impact database applications.
View Changes
Shows created, deleted, and modified database views. This report must be carefully reviewed to detect unauthorized changes that can severely impact database applications.
View Index Changes
Shows created, deleted, and modified database view indices. This report must be carefully reviewed to detect unauthorized changes that can severely impact database applications.
Appendix J: NetWrix VMware Change Reporter Reports
All Changes By User (Chart)
Graphical representation of user-made changes percentage. The data may be filtered by date range.
All Guest OS (Chart)
Graphical representation of guest operating systems and their number. The data may be filtered by virtual center and snapshot date.
All Processors Types (Chart)
Graphical representation of all processor types and their number. You can filter by virtual center and snapshot date.
VMware Inventory Report
This report displays properties and their values for all the objects. You can filter the contents by properties or object names.
All Change Reports
All VMware Changes
Shows who made what changes to VMware infrastructure objects and settings, including hosts, containers, resource pools, virtual machines. Filtered by date range and user name who made changes.
All VMware Changes by Date
Shows who made what changes to VMware infrastructure objects and settings, including hosts, containers, resource pools, virtual machines. Filtered by date range and user name who made changes.
All VMware Changes by Object Type
Shows who made what changes to VMware infrastructure objects and settings grouped by object type (e.g. host, container, resource pool, etc). Filtered by date range and user name who made changes.
All VMware Changes by User
Shows who made what changes to VMware infrastructure objects and settings grouped by user who made changes. Filtered by date range and user name who made changes.
Cluster
Clusters Removed
Shows deleted clusters. This report can be used to detect accidentally deleted objects before deletion affects the entire infrastructure.
Cluster Changes
Shows changes made to clusters. Such changes must be carefully reviewed as they usually affect the entire virtual infrastructure.
Clusters Added
Shows newly created clusters. Such additions must be well-planned and reviewed.
Datacenter
Datacenter Added
Shows newly created data centers. Such additions must be well-planned and reviewed.
Datacenter Changes
Shows changes made to data centers. Such changes must be carefully reviewed as they usually affect the entire virtual infrastructure.
Datacenter Removed
Shows deleted data centers. This report can be used to detect accidentally deleted objects to be restored from backup before deletion affects the entire infrastructure.
Datastore
Datastore Added
Shows newly created data stores. Creation of new data stores must be well-planned and reviewed.
Datastore Removed
Shows deleted data stores. This report can be used to detect accidentally deleted objects to be restored from backup before deletion affects the production infrastructure.
Folder
Folder Changes
Shows changes made to folder objects (e.g. folder renamed, permissions changes), without showing changes to child objects.
Folder Permission Changes
Shows changes to folder permission. This report must be reviewed on a regular basis to detect unauthorized assignment of permissions to virtual machines and other objects.
Folder Permissions Added
Lists all folder permissions added according to the specified filter.
Folder Permissions Removed
Lists all folder permissions removed according to the specified filter.
Folders Added
Shows newly created folders. Creation of new folders should reflect the environment-specific details and be reviewed on a regular basis.
Folders Removed
Shows deleted folders. Deletion of folders should be monitored to detect accidental deletions and initiate a timely restore from backup.
Host
Host System Changes
Shows changes made to host systems (ESX and ESXi servers). Reconfiguration of a host system can affect managed virtual machines, and such changes must be carefully reviewed.
Host Systems Added
Shows creation of new host systems (ESX and ESXi servers). Addition of new physical servers should be well-planned, and this report can be used to review such operations.
Host Systems Removed
Shows physical hosts removed from the virtual infrastructure. Removal of host systems should be planned in advance, and this report can be used for reviews.
Resource Pool
Resource Pool Changes
Shows changes to resource pools. Resource pools control how resources are allocated to virtual machines, and uncontrolled changes can lead to major disruptions in virtual machine operations.
Resource Pools Added
Shows newly added resource pools. Resource pools are usually created when new resources are added to the virtual environment, and this report can be used to review new resource pools.
Resource Pools Removed
Shows deleted resource pools. This report can be used to detect unplanned and accidental operations affecting the overall operations of virtual machines.
Role
Role Changes
Shows changes to security roles. Security roles control access and must be regularly reviewed according to major compliance regulations.
Roles Added
Shows newly created security roles. Creation of new roles should reflect organizational changes in the company, and this report can be used to review and control such changes.
Roles Removed
Shows removed roles. Removal of roles should reflect organizational changes in the company, and this report can be used to review and control such changes.
Snapshot
Snapshot Changes
Shows creation, modification, and deletion of virtual machine snapshots. This report can be used to control changes to snapshots and prevent loss of important data and settings.
Power State Changes
Shows virtual machine power on, pause, resume, and power off events on managed virtual machines. This report can be used to review planned maintenance operations of virtual machines.
Virtual Machine
Virtual Machine Changes
Shows changes made to individual virtual machine configurations, such as virtual hardware, settings, and permissions.
Virtual Machine Permission Changes
Shows changes made to virtual machine permissions. Permissions affect who can access virtual machines, and all changes must be reviewed on a regular basis.
Virtual Machine Permissions Added
Lists all virtual machine permissions added according to the specified filter.
Virtual Machine Permissions Removed
Lists all virtual machine permissions removed according to the specified filter.
Virtual Machines Removed
Shows removal of virtual machines. This report can be used to detect unplanned removals and initiate their restore from backup.
Virtual Machines Sprawl
Shows creation of new virtual machines over time. This report is very important for analyzing and controlling virtual machine sprawl and preventing excessive use of computing power by unused and inactive virtual machines.