
Prerequisites

Ensure that the following settings and components are configured prior to deploying ADAudit Plus.

Configuring audit policies and object-level auditing

Audit policy settings specify categories of security-related events that you want to audit. Advanced audit policy settings help administrators exercise granular control over which activities get recorded in the logs, helping reduce event noise.

Object-level auditing settings (referred to as system access control lists [SACLs] in this document) log attempts to access a secured object.

Audit policies or advanced audit policies (recommended for computers running Windows 7, Windows Server 2008, and later) must be configured for computers, while object-level auditing must be configured for secured objects to ensure that security-related events get logged whenever any relevant activity occurs.

Note: The required audit policy and object-level auditing settings can be configured automatically via the ADAudit Plus console, by following the steps found under the Automatic configuration section in each of the links found below.

To audit Active Directory:

  1. Configure the Default Domain Controller policy.
  2. Configure object-level auditing.

To audit Windows file servers:

  1. Configure audit policies for the Windows file servers that need to be audited.
  2. Configure object-level auditing for the shares that need to be audited.

To audit Windows member servers:

  1. Configure audit policies for the Windows servers that need to be audited.

To audit Windows workstations:

  1. Configure audit policies for the Windows workstations that need to be audited.

To audit NetApp Filers:

  1. Configure audit policies and SACLs for the NetApp Filers that need to be audited.

To audit NetApp clusters:

  1. Configure audit policies and SACLs for the NetApp clusters that need to be audited.

To audit EMC servers:

  1. Configure audit policies and SACLs for the EMC servers that need to be audited.

To audit EMC Isilon:

  1. Configure audit policies and SACLs for the EMC Isilon nodes that need to be audited.

To enable File Integrity Monitoring (FIM):

  1. Configure audit policies for the domain controllers, Windows servers, and Windows workstations on which file integrity needs to be monitored.
  2. Configure object-level auditing for the shares that need to be audited.

To audit Group Policy Objects (GPOs):

  1. Configure the Default Domain Controller policy.
  2. Configure object-level auditing.

To audit removable storage devices:

  1. Configure audit policies for the domain controllers, Windows servers, and Windows workstations on which removable storage activity needs to be audited.

To audit Windows PowerShell:

  1. Configure audit policies for the domain controllers, Windows servers, and Windows workstations on which PowerShell activity needs to be audited.

To audit Active Directory Federation Services (AD FS):

  1. Configure audit policies for the domain controllers and Windows servers on which AD FS activity needs to be audited.

Configuring security log size and retention settings

Security log size and retention settings must be configured to prevent loss of audit data due to overwriting of events.

Follow these recommendations to configure appropriate security log settings.
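
A read-only check of the settings described in the two sections above (audit policy, object-level auditing, and Security log size and retention) on a single Windows file server. This is an added example, not part of ADAudit Plus or its documentation. The share path is an assumed sample value, and the subcategory name assumes an English-language OS.

```powershell
# Added example: read-only check of auditing prerequisites on one file server.
# Run from an elevated session. $SharePath is an assumed sample path.
$SharePath = 'D:\Shares\Finance'

# 1. Audit policy: effective setting of the "File System" subcategory.
#    auditpol /r emits CSV; subcategory names are localized (English assumed).
$fsPolicy = auditpol /get /category:* /r |
    Where-Object { $_ } |
    ConvertFrom-Csv |
    Where-Object { $_.Subcategory -eq 'File System' }

# 2. Object-level auditing: audit entries (SACL) on the shared folder.
#    Reading a SACL requires the "Manage auditing and security log" right.
$sacl = (Get-Acl -Path $SharePath -Audit -ErrorAction Stop).Audit

# 3. Security log: configured size, retention mode, and the oldest event
#    still held (shows how far back the log reaches before overwriting).
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1

[pscustomobject]@{
    FileSystemAuditPolicy = $fsPolicy.'Inclusion Setting'
    SaclEntryCount        = $sacl.Count
    LogMaxSizeMB          = [math]::Round($log.MaximumSizeInBytes / 1MB)
    LogMode               = $log.LogMode          # Circular, AutoBackup or Retain
    OldestEventHeld       = $oldest.TimeCreated
} | Format-List

# Who and what the SACL audits, and whether each entry is inherited.
$sacl | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# File access is logged only when both the policy and the SACL are in place.
if ($fsPolicy.'Inclusion Setting' -eq 'No Auditing' -or $sacl.Count -eq 0) {
    Write-Warning "Access to $SharePath will not be logged: audit policy or SACL is missing."
}
```

A `LogMode` of `Circular` combined with a recent `OldestEventHeld` means older events have already been overwritten on that host.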

Ports to be opened

Ports must be opened to allow exchange of data between computers.

Here is the list of default ports used by ADAudit Plus and the ports that should be opened on the destination computers.

Setting up a service account

After the Domain Admin credentials are entered, ADAudit Plus starts to audit activities.

If you do not want to provide Domain Admin credentials, follow these steps to set up the service account to have only the least privileges required for auditing your environment.