The auditor of auditors: 'LepideAuditor Suite'
Today, in modern days of technology, the concept of auditing has become one of the interesting facts in Information Technology (IT). Back in days, when I was probably playing with my SNES, the concept of auditing was so hard to follow with built-in applications and consoles, but today, you can find many applications which either covers a specific part of auditing or support a huge number of services and applications. Among them, it is rare to find a solution which covers a whole range of services and audits, but ‘LepideAuditor Suite’ is one of those rare. In this article we will talk about this application.
First step, I have to say that the number of services and applications and features which are covered by ‘LepideAuditor’ is numerous and writing about each all feature and elements of it, requires us to write a book, but from an Active Directory\Security perspective, we will cover the main audits and key features of ‘LepideAuditor’. Also, in this article, installation and configuration parts are skipped, because the guide which comes with the application is comprehensive and there is no need for me to repeat the process all over again.
When you open up ‘LepideAuditor Suite’ for the first time, you will notice that the main menu is designed in a way to give you a whole bunch of information in your environment and committed changes within your infrastructure. These changes vary from user delete, user changed, computer delete, policy change and etc. This is the main window that will pop up once you open the software:
As I said, each element in this window, represent a complete set of data. For example in the picture, as you can see, there are 32 changes in Active Directory ranging from creating, modifying, removing objects. ‘LepideAuditor Suite’ covers a whole range of objects like user accounts, computers, groups, organizational units and so on.
The good point in main GUI is being interactive, meaning once you click each element, the windows will be redirected to actual audits and you can see the whole changes in your environment along with necessary information like time, date, targeted DC and etc.
Since this software can collect information with help of agents (agentless is also supported), it can query the health of your domain controllers based on different criteria in a visible and user friendly format. The image below shows the health monitors of one of my domain controllers.
The health of a server can be gathered by several probes like CPU usage, memory usage, server availability, LDAP and so on. The image below shows the server availability:
Group policy coverage are also one of the key features of ‘LepideAuditor Suite’. I have been working with different change management solutions, but either they are hard to implement or they do not provide valuable data, but here you can have both them together.
As an Active Directory administrator, you would love to see who has changed your Group Policy settings and in most important way, which settings has been altered. Using ‘Group Policy Audits’ of LepideAuditor, you can find out what new policies have been created in your Active Directory, which one of them modified or which one is deleted.
Being able to audit what setting has changed in one of your GPO is highly valuable because in case of a wrong configuration, you can revert the settings back to the previous and functional state by comparing the ‘New’ and ‘Old’ value.
Image below shows a group policy which I created to see the results:
As you can see, from the image above, it is possible to find some valuable information like the person who created the GPO. This is very crucial because if you have multi-tier administration level or GPO management is done using another group of administrators, you need to have a good understanding of what is going on within your GPMC console so you can inform your GPO administrators in case the tasks were done inappropriately.
However, Creating and Deleting group policies are not the only thing that can be monitored using ‘LepideAuditor’. One of the good features of ‘LepideAuditor’ is the ability to see what has been changed within a single GPO. For example, your users change their password with a password policy of 8 characters, but the next day, they can set it with 7 characters. Because ‘Password Policy’ is done inside ‘Default Domain Policy’, you know that there might be some changes withing your ‘Password Policy’, so taking a look at this policy, you will be able to view what has been changed, and that is the time when auditing comes into play. Take a look at image below:
Looking at image above, you can clearly understand that ‘Default Domain Policy’ settings has been altered with a new value.
Also, if you have been working with Active Directory, you must know that some changes in Active Directory are more important than the others. While creating a user account may not be a critical change in your AD database, deleting a computer account can have catastrophe impacts, especially if it is a server which serves quite number of clients.
In this case it is really necessary to see who has committed the changes based on criticality. The chart below shows the changes based on criticality:
There are three types of severity in this diagram. The criticalty rates are either ‘High’, ‘Low’ or ‘Medium’. Again the interesting fact about these charts is that they are interactive user interfaces. If you are worried about ‘High’ critical changes in your Active Directory, click on ‘High’ and you will be redirected to another view which shows all sort of ‘High’ critical events. For a better understanding, take a look at below image:
Following the image from ‘High’ critical changes view, we can see that there are two critical changes (User Deletes), where we can view the name of user accounts and the time it was deleted.
The story is not finished yet, if you are willing to see the changes based on sensitive accounts like ‘Domain Administrators’ you should navigate to ‘Top Admins’. Taking a look at ‘Top Admins’ sections, you can see all changes based on criticalty and the user who did perform the action at the same time! Frankly saying, if you have a naughty administrator and would like to see what he has done and what sort of actions he had performed within your Active Directory, this is the place where you should look at:
Since the UI is again interactive, you can click on the naughty user to see what he/she has altered:
As we said the reports varies from different objects and time. If you are willing to find reports of a specific type of object, take a look at the reports section in which you can find numerous number of predefined reports. Using these predefined reports, the only thing which needs to be done is to choose the time frame in which you want to run the query. The image below shows different types of predefined reports:
Once you click your desired report and choosing your favorite time frame, the report will be generated. An example of that report can be seen here:
This was a report based on the users created, but if you are interested to generate reports based on other objects, I have to inform you that common objects in Active Directory are completely covered. By common objects I mean Organizational Unit, Groups, and Computers.
However the tasks which I mentioned are not the only tasks which can be monitored and audited by ‘LepideAuditor Suite’ and there are far more features to utilize and the only thing is possible to do is to install the trial version and test the features on your own. But just as a side note, the ‘Logon/Logoff’ feature of ‘Lepide Auditor Suite’ is one of those lovely audits which will attract the administrators. It is always good to know who has logged in to which workstations in an efficient way without the need to wait for long time to run your query or having cups of coffees while waiting for your Event Viewer to open.
However the tasks which I mentioned are not the only tasks which can be monitored and audited by ‘LepideAuditor Suite’ and there are far more features to utilize and the only thing is possible to do is to install the trial version and test the features on your own. But just as a side note, the ‘Logon/Logoff’ feature of ‘LepideAuditor Suite’ is one of those lovely audits which will attract the administrators. It is always good to know who has logged in to which workstations in an efficient way without the need to wait for long time to run your query or having cups of coffees while waiting for your Event Viewer to open.
- To know more for LepideAuditor Suite - https://www.lepide.com/lepideauditor/
- To download LepideAuditor Suite - https://www.lepide.com/lepideauditor/download.html