I’m sure many of IT admins happened to have this poor feeling when they couldn’t get from the logs a piece of information they were looking for. Partly because they didn’t have an appropriate log management tool in place. Partly because the logs themselves didn’t provide the level of details admins expected them to provide. It becomes especially frustrating in the change management world. If logs you rely on can’t give a full picture of the change that was made in the past how can you conduct a thorough change review to make sure that every change is made for a reason and according to your security policies?
Quite a few of the early adopters of OnDemand Log Management echoed this concern. As you know we’ve been listening to your feedback very carefully so we addressed this concern with the recent introduction of the so called Extended Auditing for Active Directory and File Servers. It’s Extended Auditing because it provides additional level of details compared to what you can extract from the native operating system or application logs.
Extended Auditing is instantly available to all of existing and yet to come customers of OnDemand Log Management. It is activated in the agent installation wizard by selecting Extended Auditing option as shown below. Just keep in mind that these options will only show up when you’re installing the agent to the server OS holding the corresponding server role: Active Directory server or file server.
Once you’ve let the agent capture first changes to your Active Directory objects or files and directories you can instantly view them by using one of the predefined searches that end with (Extended Auditing)
In this post I’m going to go through top 5 reasons why Extended Auditing gives you additional piece of mind from the change management standpoint. So, here they go
1. Capturing originator’s IP address
Unlike with Object Access events from the native Security log with Extended Auditing you can trace all changes down to a workstation from which the change originated. So, if multiple people in your organization use the same administrative account to perform their duty you could possibly distinguish between them by looking up the IP address they used.
2. Full Active Directory change auditing down to the attribute level with before and after values
As the screenshot above shows for each change being made to Active Directory Extended Auditing scrupulously seizes all the details including the object attribute and more importantly the before and after values. Not only you can replay a sequence of changes made to Active Directory within a specified time period but also roll them back if they deem inappropriate. Unlike with the native Windows auditing subsystem there is no need to go through a time consuming process of setting up the auditing configuration. Once Extended Auditing for Active Directory is enabled it immediately starts intercepting changes and change attempts to all objects in Active Directory.
3. Group Policy settings change auditing
The only indication of changes ever made to Group Policy configuration that can be found in the native Security log is an event like this below. Unfortunately, no way it’d tell you whether this change concerned one of the security policies like Account Lockout Policy or it just targeted one of the application configuration settings.
Compare this to the event you’d get with a help of Extended Auditing in OnDemand Log Management. In addition to the name of the Group Policy object you would easily see both the name of the affected setting and its before and values!
4. Detailed permission change tracking
Those of you that can’t read with naked eye a lengthy sequence of hexadecimal numbers will have no clue who actually was granted or revoked what permissions to a file or Active Directory object. Simply because this is how Windows stores permissions in the object’s security descriptor and native event logs don’t bother decrypting this format.
Extended Auditing makes things a way easier by breaking each permission change down into a series of events in which you can clearly see what user or group was granted or revoked which permission to the file or Active Directory object in question.
5. Accurate file and share access auditing
As you know due to the implementation details of the Windows auditing subsystem the accuracy of file access audit events really depends on how well behaved the application that works with those files is. It can turn into a real mess when a lot of file activity happens behind the scenes which is the case with Microsoft Word.
Extended Auditing for File Servers brings that mess in order. However complex the underlying file manipulations are it will always capture the real operations performed on a file, directory or share. So instead of having to guess whether this file open event actually resulted in a subsequent file write or not you’ll know for sure when the file was changed, deleted or moved.
And for every file access event you’ll get the entire picture including the file operation, the name and IP of the user who made the change and the application executable that carried out the request on the user’s behalf.
As you might guess there are many other cases where Extended Auditing does a much better job capturing every single aspect of a change being made to files, folders, shares and Active Directory objects. And the best way to feel it is to give it a free try by yourself.
With the help of Extended Auditing you can bring change management processes to an absolutely new level where tight and all encompassing control of changes becomes a reality.
cloudcomputing.info
GoCloudy Blog 
