Review: Ensim Unify Audit Manager
Use Windows Server 2008 functionality to capture and track Active Directory and Group Policy changes.
January 16, 2011
Microsoft is great at providing new, basic functionality with every version of Windows Server—but it’s up to third-party software vendors to enhance that functionality. Ensim does just that with Unify Audit Manager.
The product’s robust ability to capture and track changes to Active Directory (AD) starts with brand-new functionality in Windows Server 2008 R2 and Windows Server 2008. According to Microsoft’s “AD DS Auditing Step-by-Step Guide.”
Server 2008 R2 and Server 2008’s Active Directory Domain Services (AD DS) now audits “old and new values when changes are made to objects and their attributes.” Windows Server 2003 and Windows 2000 Server didn’t have this ability—which is an important distinction, because if you have an earlier version of AD, you need to update your schema to support Server 2008 and add at least one Server 2008 domain controller (DC) in order to use Unify Audit Manager.
Although this limitation is a big drawback for companies still running earlier versions of AD, it allowed Ensim to create an extremely lightweight agent that doesn’t try to recreate the wheel. Instead, it simply utilizes and extends Server 2008’s built-in functionality.
Unify Audit Manager is installed on a dedicated audit server and requires a SQL Server database to store the logged activities. The SQL Server instance can run on the audit server itself or on a separate server. SQL Server 2008 Express and SQL Server 2005 Express are supported, but full SQL Server is recommended for most implementations.
Which SQL Server edition you choose depends on the size of your database. The Installation and Configuration Guide (provided as a PDF) provides a matrix that shows what you can expect in a typical environment (based on number of users, number of events generated, etc.). SQL Server 2005 Express supports up to 4GB, whereas SQL Server 2008 Express supports up to 10GB. Unless I had an extremely small environment, I would choose full SQL Server, with its unlimited database size, over Express—just to be safe.
How fast will the database grow? There isn’t an exact answer to this question, but the Installation and Configuration Guide attempts to answer to this question with some simple math. Each action in AD (e.g., add, delete, move, change) generates about 10 events in the event log and takes up approximately 2KB per action. If you had 10,000 events per week, the database might grow 1GB per year.
As soon as the audit server is prepped with an instance of SQL Server, a standalone application, UAMDBSetup.exe, creates the database tables, views, and stored procedures that are needed to store the event logs. This process was slick and easy compared with other applications I’ve used that needed to create a back-end database.
The next step is to install the agents onto each DC in the domain. I was pleased to find that the agent is included as an MSI file, so this step could easily be automated by configuring Group Policy on the DC’s organizational unit (OU). This approach would ensure that every DC in your domain had the agent.
After the agent is installed, you need to enable auditing on the domain. The installation guide walks you through this simple process, which you must complete only once (not for each DC).
You must also configure the event log to set the maximum log size so that the logs don’t grow out of control. The installation guide walks you through this process as well. You need to configure the event log on each DC, so you should consider using Group Policy on the DC’s OU to automate the settings domain-wide. (Using Group Policy would also prevent a rouge administrator from altering the event log settings.)
The most challenging step is getting the agent to connect to the SQL Server system. Be sure that the SQL Server Browser service is started and that the TCP/IP protocol is enabled on the SQL Server system, because this isn’t the default on current versions of SQL Server or SQL Server Express.
The web UI provides a web portal into the events that you want to query. To configure the web UI, install UAMWebUISetup.msi. Note that IIS is required. The Report Scheduler service is also installed, preferably on the SQL Server system (to avoid excessive network traffic). Microsoft Excel 2007 on the Report Scheduler server is a prerequisite.
I found the installation to be simple, yet involved. The Installation and Configuration Guide walks you through every step and even provides useful troubleshooting tips if you run into a snag.
The tool itself, which Figure 1 shows, is extremely simple to navigate. With just a couple of clicks you can quickly query by a specific date or by domain (if monitoring multiple domains), object type (e.g., User, Computer, Group), object name, or operation (e.g., created, deleted, modified). Three built-in queries are included: Show all Directory Service changes, Show all changes within last 24 hours, and Show all User object changes.
In addition to AD changes, Unify Audit Manager also tracks Group Policy changes. The top of the Unify Audit Manager console continually shows the latest statistics and other useful information, including number of Directory Service changes, number of Group Policy changes, current database size, and date of last change.
The console provides another very important piece of information: the database server time zone. Knowing this time zone is imperative because all events are logged within the database server’s time zone, not the DC’s time zone.
In reviewing Unify Audit Manager, the only negative I could find (other than the fact that it works only on Server 2008 or later domains) is the lack of a way to manage what will eventually become years and years worth of event logs. Although just deleting old data would probably be foolish, a mechanism to archive unneeded logs would be a great future addition.
Unify Audit Manager is extremely simple to set up, and the product uses functionality that’s already built into Server 2008. The queries are easy to master, and the information that systems administrators, security analysts, or pesky auditors need is right at your fingertips. And at only $5 a user, it’s affordable for even a small company.
Unify Audit Manager
PROS: Simple query tool; easy to use; rock-bottom price
CONS: Requires Windows Server 2008 R2 or Windows Server 2008; no built-in ability to archive old data
RATING: 4.5
PRICE: $5 per user; discounts available
RECOMMENDATION: If you’re running Active Directory 2008 or later and need auditing that doesn’t require SQL Server certification, download a trial copy of Unify Audit Manager and kick the tires.
CONTACT: Ensim • 877-693-6746 • www.ensim.com
Unify Audit Manager
PROS: Simple query tool; easy to use; rock-bottom price
CONS: Requires Windows Server 2008 R2 or Windows Server 2008; no built-in ability to archive old data
RATING: 4.5
PRICE: $5 per user; discounts available
RECOMMENDATION: If you’re running Active Directory 2008 or later and need auditing that doesn’t require SQL Server certification, download a trial copy of Unify Audit Manager and kick the tires.
CONTACT: Ensim • 877-693-6746 • www.ensim.com
About the Author
You May Also Like