Frequently Asked Questions
Invasive agent technologies: do NetWrix products require the use of such technologies to gather data?
NetWrix offers both agentless and agent-based audit data collection. It employs a non-intrusive, lightweight agent technology that does not "hook" into the domain controller core. Instead, it uses only well-documented mechanisms supported and recommended by Microsoft and other vendors (such as VMware). NetWrix agents are used mostly for network traffic compression to improve performance and require zero deployment effort, making them nearly equivalent to agentless data collection.
Competing solutions may claim that not making any use of native auditing is a benefit; this is not true. Not taking advantage of native auditing requires intrusive agents that in essence replace the native functionality with a proprietary one. This may risk system stability and cause support problems should a normal system update disrupt the custom agent. Furthermore, it can be falsely perceived that using native events requires additional resources and means maintaining unnecessary log events, making the final output inefficient.
NetWrix uses AuditAssurance™ technology to consolidate and normalize only the important data for each event into a single, human-readable data entry. This is done by combining multiple streams of data, such as snapshots, event logs, and trace logs, to compose each change record. It does not impose additional resource or storage requirements; instead, it adds value by combining stable native events and log activity with Microsoft-approved approaches that present no stability risks to the host system.
Agents in NetWrix products are 100% optional and no functionality is lost by not using them.
Change management solutions: does NetWrix offer change management in addition to change auditing tools?
Currently, our goal is to facilitate change auditing for an enterprise, not change management. If every product that is somehow related to change management provided its own change management system, users might find themselves employing numerous disintegrated change management tools. This can negate any efficiency gains realized through change management, as in this scenario one challenge (change management) would merely be exchanged for a new challenge (maintaining multiple disintegrated change management systems).
At NetWrix, our firm belief is that using a general change management system that covers all aspects of an IT infrastructure, in combination with flexible products like ours that deliver extensive platform-specific change monitoring and reporting capabilities, is the most cost-effective and efficient approach. Moreover, implementing a change management system will not add value to larger organizations, as many of these already employ similar systems from well-known vendors, such as BMC Remedy. Also, we have found that smaller organizations do not need change management systems because they lack the business requirements and do not have the resources (hardware and/or manpower) to use and maintain one effectively.
Our approach is to integrate with existing change management systems, which may add value, for example through the ability to correlate detected audit records with change requests.
Employed in all of our tools, NetWrix AuditAssurance™ technology is an innovative combination of multiple audit trails with snapshot-based audit data collection, making it nearly impossible to miss any audit events that take place, even when events are not recorded to audit logs. Snapshots also provide the additional benefit of acting as a backup with the ability to facilitate restore functionality.
Competing solutions may claim that not making any use of native auditing is a benefit; this is not true. Not taking advantage of native auditing requires intrusive agents that in essence replace the native functionality with a proprietary one. This may risk system stability should a normal system update disrupt the custom intrusive agent.
Furthermore, it can be falsely perceived that using native events requires additional resources and means maintaining unnecessary log events, making the final output inefficient. NetWrix uses AuditAssurance™ technology to consolidate and normalize only the important data for each event into a single, human-readable data entry.
This is done by combining multiple streams of data to compose these change records. It does not impose additional resource or storage requirements; instead, it adds value by combining stable native event log activity with Microsoft-approved approaches that present no stability risk to the host system. Only changes are written to the database, not the full events. This further improves performance and makes efficient use of storage.
No. Using native event logs is a tremendous benefit that does not carry any performance or stability risks whatsoever. Not using native logging requires intrusive agents that in essence replace the native functionality with a proprietary one. This may risk system stability should a normal system update disrupt a custom agent. Furthermore, it can be falsely perceived that using native events requires additional resources and means maintaining unnecessary log events, making the final output inefficient. Also, one common issue with proprietary agents is that when they fail to start or crash, the auditing stops completely. This is not the case with native auditing, which cannot be stopped (because it is built into the OS core) and never fails; it is too simple to fail.
NetWrix uses AuditAssurance™ technology to consolidate and normalize only the important data for each event into a single, human-readable data entry. This is done by combining multiple streams of data to compose these change records. It does not impose additional resource or storage requirements; instead, it adds value by combining stable native event log activity with Microsoft-approved approaches that present no stability risk to the host system.
This is done using not only event logs and Exchange events but also audit trails such as Active Directory replication, trace logs and snapshots. Only changes are recorded, not redundant full events, which further makes efficient use of storage and reduces resource utilization.
Not true. All NetWrix products use AuditAssurance™ technology and audit settings that use only what is needed, eliminating redundancy and pruning the raw data down to the information that is of value, which makes report output entirely human-readable. This method of capturing data is far superior to native capabilities, without any compromises in performance.
Furthermore, NetWrix provides the centralized storage and reporting capabilities that are missing from native auditing. Also, native auditing cannot capture before and after values, for example, if a Group Policy is changed, file permissions are modified, or a group membership changes. No noticeable audit data 'noise' is captured, because the technology removes it, along with any redundant information related to events and changes, long before it reaches storage.
No. 10 minutes is all that is needed to install NetWrix software, provided that the required auditing settings were implemented using the wizards included with each product and SQL Server is installed in advance.
Professional services: does NetWrix software installation require contracting professional services?
No. NetWrix software can be installed in 10 minutes or less by anyone with sufficient administrator access over the objects to audit and the system upon which the software will operate.
Anyone who has rights to modify or delete an object can do so, and to claim that objects or settings can be protected is inaccurate. Claims of protecting objects often rely on intrusive agent solutions that 'hook' into the Windows API to prevent an object from being deleted or modified. However, this is not a security feature, simply because anyone with the rights to disable or tamper with these same agents can negate any benefit they may claim to provide.
Native Windows mechanisms can deliver object protection simply via a standard 'deny' setting. However, with the proper rights, these protections can also be circumvented, which makes any claims of object protection misleading.
The only exception to this is the Windows 2008 Active Directory object protection feature; however, this is only available for newly created objects. NetWrix plans to add simplified object protection management based on natively available mechanisms into its product lines in the future.
Native event logs can be deleted, and so can proprietary ones. So long as the user has permissions over the file system, any log (or locally cached log data) can be deleted, and to claim otherwise is entirely misleading. To address event log overwrites, NetWrix Event Log Manager supports the native Windows auto-backup feature for logs, once enabled, so no events are lost. NetWrix also reports on event log clean-up activity.
Yes. NetWrix offers real-time reporting on object changes or deletions. Implementing real-time alerting traditionally relies on intrusive methods that require a continuous, steady burn of resources, including processor time and network bandwidth. For these reasons, this method of facilitating real-time alerts is inefficient.
NetWrix delivers real-time alerting capabilities using a far more sensible and efficient approach. Real-time alerting is resource intensive, which is why the NetWrix approach instead schedules real-time alerting of events in 10-minute intervals. This means resources are not constantly dedicated to alerting operations, saving the resource overhead needed to deliver them. By doing so, alerting operates within the existing managed flow of event analysis, consuming no additional resources.
Additionally, 10-minute intervals are far more practical for busy environments. Flooding e-mail and text messages with instant alerts is a gross misuse of time and resources when the same intelligence can be delivered with a timed delay that uses no additional overhead, with functionally identical results. This is especially true in large environments, where hundreds of alerts could trigger each day and there is only enough staff to respond to a portion of them.
Absolutely. NetWrix Windows Server Change Reporter can facilitate monitoring of these changes and much more. This product is also included in NetWrix Change Reporter Suite. Other platforms, including NetApp Filer, EMC Celerra, network devices from Cisco and CheckPoint, and most devices that employ the SNMP protocol, can be monitored and reported on for changes in the NetWrix Network Infrastructure Change Reporter. In addition, platforms such as Oracle and UNIX/Linux systems are on our product roadmap, to further extend change reporting throughout the enterprise.
No. Native auditing is not enough. AuditAssurance™ technology developed by NetWrix aims to ensure no event goes unmonitored. To achieve this goal, it is essential to acknowledge that no native auditing of any kind is 100% accurate and reflective of all changes. While some native auditing is robust and detailed, only combining all the available streams of auditable information can guarantee the integrity of changes.
Our technology combines these multiple streams of information into human-readable form, accurately and efficiently eliminating the typical 'noise' associated with log and audit events. Claims by SIEM solutions that native-only logging is superior, or even sufficient, are untrue.
No, they don't. You cannot stop a user who has administrator rights from making any changes to your environment. Even with the self-auditing feature, if someone with administrator rights wanted to make unauthorized changes to a NetWrix product's configuration (e.g. disable real-time alerts, modify Managed Objects, etc.), this could still be achieved by disabling auditing, removing from the system the information that auditing was turned off, making the changes and then turning auditing back on.
The only way to safeguard the configuration of your NetWrix products is not to grant administrator permissions on the system that you want to protect (i.e. where NetWrix change auditing products are running) to unauthorized persons. We do recognize, however, that auditing administrative activity on a system running NetWrix products may offer value under some circumstances, so we are working on including self-auditing capabilities in our future releases.
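
A defender-side check for the two tampering cases described above (event log clean-up, and an administrator removing the record that auditing was turned off), as an added example that is not NetWrix code. The record layout and sample data are constructed; event IDs 1102, 104 and 4719 are the standard Windows ones, and treating a gap in a log's record numbering as a sign of removed records is a heuristic assumed here.

```python
from collections import defaultdict

# Standard Windows event IDs: log cleared (Security 1102, System 104),
# system audit policy changed (Security 4719).
LOG_CLEARED = {("Security", 1102), ("System", 104)}
AUDIT_POLICY_CHANGED = ("Security", 4719)


def review_events(events):
    """Return findings as (kind, channel, detail) tuples.

    events: iterable of dicts with 'channel', 'record_id', 'event_id'
    (hypothetical layout for records exported from the event logs).
    """
    findings = []
    ids_by_channel = defaultdict(list)
    for ev in events:
        ids_by_channel[ev["channel"]].append(ev["record_id"])
        key = (ev["channel"], ev["event_id"])
        if key in LOG_CLEARED:
            findings.append(("log_cleared", ev["channel"], ev["record_id"]))
        elif key == AUDIT_POLICY_CHANGED:
            findings.append(("audit_policy_changed", ev["channel"], ev["record_id"]))
    # Record numbers in one log normally increase by one; a hole suggests
    # that records were removed after they were written.
    for channel, ids in ids_by_channel.items():
        ids.sort()
        for prev, cur in zip(ids, ids[1:]):
            if cur - prev > 1:
                findings.append(("record_gap", channel, (prev + 1, cur - 1)))
    return findings


# Constructed sample: Security record 5003 is missing, auditing is switched
# back on at 5004, and the System log was cleared at record 900.
SAMPLE = [
    {"channel": "Security", "record_id": 5001, "event_id": 4624},
    {"channel": "Security", "record_id": 5002, "event_id": 4624},
    {"channel": "Security", "record_id": 5004, "event_id": 4719},
    {"channel": "Security", "record_id": 5005, "event_id": 4624},
    {"channel": "System", "record_id": 900, "event_id": 104},
    {"channel": "System", "record_id": 901, "event_id": 7036},
]

if __name__ == "__main__":
    for finding in review_events(SAMPLE):
        print(finding)
```

Running the check against records forwarded to a separate collector, rather than on the audited host, keeps the result out of reach of the local administrator the text describes.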