Frequently Asked Questions

Does Netwrix Active Directory Object Restore Wizard support Forest-Level Recovery?

The Active Directory Object Restore Wizard does not support Active Directory forest-level recovery (for example, when a domain controller crashes). A correct forest recovery is a manually intensive operation, and per Microsoft's recommendation a professional services team should be engaged to carry it out; it should not be performed in-house, especially with third-party tools, because of the risk of discontinued support and the lack of any integrity or stability guarantees.

Invasive agent technologies: do Netwrix products require the use of such technologies to gather data?

Netwrix offers both agentless and agent-based audit data collection. The lightweight agent technology is non-intrusive: it does not "hook" into the domain controller core, but uses only well-documented mechanisms supported and recommended by Microsoft and other vendors (such as VMware). Netwrix agents are used mostly to compress network traffic to improve performance and require zero deployment effort, making them nearly equivalent to agentless data collection.

Competing solutions may claim that making no use of native auditing is a benefit; this is not true. Without native auditing, intrusive agents are required that in essence replace the native functionality with a proprietary one. This may risk system stability and create support problems should a normal system update disrupt the custom agent. Furthermore, it is a misconception that using native events requires additional resources or means maintaining unnecessary log events, rendering the final output inefficient.

Netwrix uses AuditAssurance™ technology to consolidate and normalize only the important data for each event into a single, human-readable entry. It does this by combining multiple streams of data, such as snapshots, event logs, and trace logs, to compose each change record. It imposes no additional resource or storage requirements; instead it adds value by combining stable native events and log activity with Microsoft-approved approaches that present no stability risk to the host system.

Agents in Netwrix products are 100% optional, and no functionality is lost by not using them.

What makes the Netwrix approach more accurate than its alternatives?

Netwrix AuditAssurance™ technology, employed in all of our tools, is an innovative combination of multiple audit trails with snapshot-based audit data collection, making it nearly impossible to omit any audit event that takes place, even when events are not recorded in audit logs. Snapshots also provide the additional benefit of acting as a backup, which makes restore functionality possible.

Competing solutions may claim that making no use of native auditing is a benefit; this is not true. Without native auditing, intrusive agents are required that in essence replace the native functionality with a proprietary one. This may risk system stability should a normal system update disrupt the custom intrusive agent.

Furthermore, it is a misconception that using native events requires additional resources or means maintaining unnecessary log events, rendering the final output inefficient. Netwrix uses AuditAssurance™ technology to consolidate and normalize only the important data for each event into a single, human-readable entry.

This is done by combining multiple streams of data to compose these change records. It imposes no additional resource or storage requirements; instead it adds value by combining stable native event log activity with Microsoft-approved approaches that present no stability risk to the host system. Only changes are written to the database, not the full events, which further improves performance and makes efficient use of storage.

Can Netwrix help me detect when a file is moved or copied?

File system auditing does not detect file copy and move operations as such; instead it reports the source file as read and the destination file as created (and, in the case of a move, the source file as deleted). We do not support copy/move detection because the auditing system is easy to trick: instead of copying the file in Windows Explorer, a user can simply open it and perform a "Save As" operation.

This is essentially equivalent to making a copy of the file elsewhere. File copy and move operations are therefore generally treated as read-here/create-there operations and have to be handled accordingly.

Does Netwrix's use of native event logs carry any performance or stability disadvantages?

No. Using native event logs is a tremendous benefit that carries no performance or stability risk whatsoever. Without native logging, intrusive agents are required that in essence replace the native functionality with a proprietary one. This may risk system stability should a normal system update disrupt a custom agent. Furthermore, it is a misconception that using native events requires additional resources or means maintaining unnecessary log events, rendering the final output inefficient. Also, a common issue with proprietary agents is that when they fail to start or crash, auditing stops completely. This is not the case with native auditing, which cannot be stopped (because it is built into the OS core) and never fails; it is too simple to fail.

Netwrix uses AuditAssurance™ technology to consolidate and normalize only the important data for each event into a single, human-readable entry. This is done by combining multiple streams of data to compose these change records. It imposes no additional resource or storage requirements; instead it adds value by combining stable native event log activity with Microsoft-approved approaches that present no stability risk to the host system.

This is done using not only event logs and Exchange events but also audit trails such as Active Directory replication, trace logs and snapshots. Only changes are recorded, not redundant full events, which further makes efficient use of storage and reduces resource utilization.

Native auditing: does it capture excessive amounts of 'noise' that will render reports unreadable?

Not true. All Netwrix products use AuditAssurance™ technology and audit settings that capture only what is needed, eliminating redundancy and pruning the raw data down to the information that is of value, which makes the report output entirely human-readable. This method of capturing data is far superior to native capabilities without any compromise in performance.

Furthermore, Netwrix provides the centralized storage and reporting capabilities that are missing from native auditing. Native auditing also cannot capture before and after values, for example when a Group Policy is changed, file permissions are modified, or a group membership changes. No noticeable audit data 'noise' is captured because the technology removes it, including any redundant information related to events and changes, long before it reaches storage.

Active Directory recovery functionality: does Netwrix charge extra for it?

Absolutely not. This is included at no cost as long as you purchase Netwrix Auditor licenses for Active Directory, or the All-in-One Suite that includes Netwrix Auditor. This tool may also be used to restore Group Policy changes.

Installation time: does Netwrix software require hours or days to implement?

No. Installing Netwrix software takes about 10 minutes, provided that the required auditing settings have been applied using the wizards included with each product and that SQL Server is installed in advance.

Professional services: does Netwrix software installation require contracting professional services?

No. Netwrix software can be installed in 10 minutes or less by anyone with sufficient administrator access over the objects to be audited and the system on which the software will run.

Protection of critical objects: does Netwrix offer it?

Anyone who has rights to modify or delete an object can do so, so claiming that objects or settings can be protected is inaccurate. Claims of protecting objects often rely on intrusive agent solutions that 'hook' into the Windows API to prevent an object from being deleted or modified; however, this is not a security feature, simply because anyone with the rights to disable or tamper with these same agents can negate any benefit they claim to provide.

Native Windows mechanisms can deliver object protection simply via a standard 'deny' setting; however, with the proper rights, these protections can also be circumvented, which makes any claim of object protection misleading.

The only exception is the Windows 2008 Active Directory object protection feature; however, this is only available for newly created objects. Netwrix plans to add simplified object protection management based on natively available mechanisms to its product lines in the future.
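The native 'deny' setting and the Windows 2008 protection feature mentioned above are the same mechanism seen from two sides: the "Protect object from accidental deletion" flag is stored as Deny ACEs for Everyone (Delete and DeleteTree) on the object's security descriptor. The following added example (not Netwrix code) reports which organizational units carry the flag and whether the matching deny entry is present; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read the directory. The function name Get-OuProtectionReport is made up for this example.

```powershell
# Added example (not Netwrix code): report the native accidental-deletion
# protection on Active Directory OUs and show that it is implemented as
# ordinary Deny ACEs for Everyone. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# ActiveDirectoryRights bit for Delete (0x10000) and DeleteTree (0x40).
$DeleteRight     = 0x10000
$DeleteTreeRight = 0x40

function Get-OuProtectionReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        ForEach-Object {
            $ou = $_
            # Read the OU's ACL through the AD: drive created by the module.
            $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
            $denyDelete = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -eq 'Everyone' -and
                (([int]$_.ActiveDirectoryRights -band ($DeleteRight -bor $DeleteTreeRight)) -ne 0)
            }
            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Protected  = [bool]$ou.ProtectedFromAccidentalDeletion
                DenyACE    = [bool]$denyDelete
            }
        }
}

# Unprotected OUs are listed first: these are the ones a principal holding
# delete rights (or a mis-click in the console) can remove outright.
Get-OuProtectionReport | Sort-Object Protected | Format-Table -AutoSize
```

Both columns normally agree; an OU that shows Protected but no DenyACE (or the reverse) is worth a look, since the flag is only a view over the ACL and the ACL is what the directory actually enforces. As the page notes, any principal who can rewrite that ACL can also remove the protection, so the report is a hygiene check, not a guarantee.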

Some vendors claim that native logs can be easily purged or overwritten and are therefore less secure. Is this true?

Native event logs can be deleted, and so can proprietary ones. As long as a user has permissions over the file system, any log (or locally cached log data) can be deleted, and to claim otherwise is entirely misleading. To address event log overwrites, Netwrix Event Log Manager supports the native Windows auto-backup feature for logs; once it is enabled, no events are lost. Netwrix also reports on event log clean-up activity.
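The two native facilities the answer relies on, auto-backup of a full log and the event Windows writes when a log is cleared, can be configured and checked without any third-party tool. The following is an added example, not Netwrix code: it turns on retention plus auto-backup for the Security log with wevtutil and then lists log-clear events (1102 in the Security log, 104 in the System log) from the last N days. It assumes an elevated PowerShell session on the audited host; the function name Get-LogClearEvents and the 1 GiB size are choices made for this example.

```powershell
# Added example (not Netwrix code): configure native auto-backup for the
# Security log and report log-clear events. Run elevated on the audited host.

# With retention and autobackup enabled, a full log is archived as
# Archive-Security-<timestamp>.evtx in the log folder instead of being
# overwritten, and a fresh log starts. /ms sets the maximum size in bytes
# (1 GiB here; the value must be a multiple of 64 KB).
wevtutil sl Security /rt:true /ab:true /ms:1073741824

# Confirm the settings took effect.
wevtutil gl Security | Select-String 'retention|autoBackup|maxSize'

function Get-LogClearEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # 1102: "The audit log was cleared" (Security log, Microsoft-Windows-Eventlog)
    # 104:  "The <name> log file was cleared" (System log, same provider)
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System';   Id = 104;  StartTime = $since }
    )
    foreach ($f in $filters) {
        # SilentlyContinue suppresses the "No events were found" error when
        # a log has no matching entries, which is the expected healthy case.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Log     = $f.LogName
                    Id      = $_.Id
                    Summary = ($_.Message -split "`n")[0].Trim()
                }
            }
    }
}

Get-LogClearEvents -Days 30 | Format-Table -AutoSize
```

A clear of the Security log is itself recorded as the first entry of the new log (1102 carries the account that performed it), so a scheduled run of Get-LogClearEvents that forwards its output to a collector gives the clean-up reporting the answer describes, without depending on the local log surviving.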

Real-time alerting: does Netwrix provide such capabilities?

Yes. Netwrix offers real-time reporting on object changes and deletions. Implementing real-time alerting traditionally requires intrusive methods that consume a continuous, steady burn of resources, including processor time and network bandwidth. For these reasons, that method of facilitating real-time alerts is inefficient.

Netwrix delivers real-time alerting using a far more sensible and efficient approach. Because real-time alerting is resource intensive, Netwrix instead schedules alerting of events in 10-minute intervals. This means resources are not constantly dedicated to alerting operations, saving the overhead needed to deliver them. Alerting thus operates within the existing managed flow of event analysis and consumes no additional resources.

Additionally, 10-minute intervals are far more practical for busy environments. Flooding e-mail and text messages with instant alerts is a gross misuse of time and resources when the same intelligence can be delivered with a short delay, with no additional overhead and functionally identical results. This is especially true in large environments where hundreds of alerts can trigger each day and there is only enough staff to respond to a portion of them.

Can Netwrix solutions monitor changes to registry settings, Local Users and Groups, and Services?

Absolutely. Netwrix Windows Server Change Reporter can monitor these changes and much more; this product is also included in Netwrix Auditor. Other platforms that can be monitored and reported on for changes with Netwrix Network Infrastructure Change Reporter include NetApp Filer, EMC Celerra, network devices from Cisco and Check Point, and most devices that support the SNMP protocol. In addition, platforms such as Oracle and UNIX/Linux systems are on our product roadmap for change reporting and monitoring, to further extend change reporting throughout the enterprise.

Some vendors claim they can report on file moves or when copies are made. Is this true?

This is completely false. In Windows (2000, 2003, 2008 or 2012) there is no way to determine whether a file has been moved or copied. Windows will only reveal that a file was created, deleted or modified. No cross-correlation is available, and thus there is no way to track these actions. In the event of a file move, a new file is created and the original is destroyed after the new file has been confirmed created.

When a file is copied, the only event recorded is that the file was accessed; no logging mechanism can record that an opened file was saved to an alternate location, such as when a Word document is opened on a file server and saved with Save As to a USB drive or other storage media. In these situations, not even a file-created event is recorded unless the destination of the saved file is also audited.
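The point made here and in the earlier answer on file moves and copies is easiest to see from the audit trail itself: the native file-system audit events carry the access type per path, never a relationship between two paths. The following added example (not Netwrix code) summarises constructed audit records per file and runs the three scenarios the text describes. Event IDs 4663 (object accessed) and 4660 (object deleted) and the FILE_READ_DATA / FILE_WRITE_DATA access-mask bits are the documented Windows values; the records, paths and the function name Get-FileAccessTrace are invented for the example.

```powershell
# Added example (not Netwrix code): summarise constructed Windows file-audit
# events per path to show that a copy, a move and an open + "Save As" leave
# the same kind of trace (read here, create there, plus a delete for a move).

$ReadData  = 0x1    # FILE_READ_DATA  bit in the 4663 access mask
$WriteData = 0x2    # FILE_WRITE_DATA bit; first write to a new file

function Get-FileAccessTrace {
    param([Parameter(Mandatory)][object[]]$Events)

    # Group the records by path and classify each by event id and access mask.
    $Events | Group-Object ObjectName | ForEach-Object {
        $ops = foreach ($e in $_.Group) {
            switch ($e.Id) {
                4660 { 'Delete' }
                4663 {
                    if     ($e.AccessMask -band $WriteData) { 'Write' }
                    elseif ($e.AccessMask -band $ReadData)  { 'Read'  }
                }
            }
        }
        [pscustomobject]@{
            Path       = $_.Name
            Operations = ($ops | Sort-Object -Unique) -join ','
        }
    }
}

# Constructed scenario 1: report.docx is copied into the archive folder.
$copyEvents = @(
    [pscustomobject]@{ Id = 4663; ObjectName = 'D:\Share\report.docx';         AccessMask = $ReadData  },
    [pscustomobject]@{ Id = 4663; ObjectName = 'D:\Share\archive\report.docx'; AccessMask = $WriteData }
)
# Constructed scenario 2: report.docx is opened and saved with "Save As".
$saveAsEvents = @(
    [pscustomobject]@{ Id = 4663; ObjectName = 'D:\Share\report.docx';         AccessMask = $ReadData  },
    [pscustomobject]@{ Id = 4663; ObjectName = 'D:\Share\archive\report.docx'; AccessMask = $WriteData }
)
# Constructed scenario 3: a move is a copy followed by a delete of the source.
$moveEvents = $copyEvents + @(
    [pscustomobject]@{ Id = 4660; ObjectName = 'D:\Share\report.docx'; AccessMask = 0 }
)

'Copy:';    Get-FileAccessTrace $copyEvents   | Format-Table -AutoSize
'Save As:'; Get-FileAccessTrace $saveAsEvents | Format-Table -AutoSize
'Move:';    Get-FileAccessTrace $moveEvents   | Format-Table -AutoSize
```

The first two tables are identical, which is the reason the FAQ gives for not labelling anything a "copy": there is no field in the events that distinguishes Explorer's copy from a Save As. The third table differs only by the Delete on the source, and if the destination path were outside the audited scope (a USB drive, as in the Word example) the Write row would not exist at all, leaving just a Read.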

Monitoring and reporting changes: does Netwrix rely solely on native events?

No. Native auditing is not enough. AuditAssurance™ technology, developed by Netwrix, aims to ensure that no event goes unmonitored. To achieve this goal, it is essential to acknowledge that no native auditing of any kind is 100% accurate and reflective of all changes. While some native auditing is robust and detailed, only combining all the available streams of auditable information can guarantee the integrity of change records.

Our technology combines these multiple streams of information into human-readable form, accurately and efficiently eliminating the typical 'noise' associated with log and audit events. Claims by SIEM solutions that native-only logging is superior, or even sufficient, are untrue.