Best Practices for Securing Netwrix Auditor

This article describes general steps that can be taken to secure Netwrix Auditor from unauthorized usage and protect sensitive data from leakage.
1. Limit access to the computer where Netwrix Auditor is installed

Consider using Restricted Groups when applying group membership and User Rights Assignment policy settings, so that only a limited group of users can access the Netwrix Auditor computer.

2. Maintain roles in Netwrix Auditor carefully

Netwrix Auditor provides a flexible Role-Based Access (RBAC) model. Use it to restrict what each user can do in Netwrix Auditor according to their actual responsibilities within the product.
For details about Netwrix Auditor RBAC, refer to the Section 3. Role-Based Access and Delegation of

3. Monitor Netwrix Auditor services

 
Ensure that critical Netwrix Auditor services are always up and running:
  • Netwrix Auditor Configuration Service
  • Netwrix Auditor Archive Service
You can use any tool you prefer for this. For instance, you can use Netwrix Service Monitor, a freeware tool for monitoring critical Windows services. The tool can monitor all automatic startup services on multiple servers and send e-mail alerts when one or more services stop unexpectedly.
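
If you prefer a scripted check, the following PowerShell sketch reports the state of both services and exits with a non-zero code when either is not running. It is an added example, not Netwrix code; the host list is hypothetical, and it assumes the service display names match the names listed above.

```powershell
# Added example, not Netwrix code. Assumes the service display names match
# the names listed in this article.
$ExpectedServices = @(
    'Netwrix Auditor Configuration Service',
    'Netwrix Auditor Archive Service'
)
# Hypothetical host list: replace with the computers that run Netwrix Auditor.
$Computers = @($env:COMPUTERNAME)

function Get-NetwrixServiceHealth {
    param(
        [string[]]$ComputerName,
        [string[]]$DisplayName
    )
    foreach ($computer in $ComputerName) {
        # Query the local machine without WinRM; use CIM remoting otherwise.
        $target = @{}
        if ($computer -ne $env:COMPUTERNAME) { $target.ComputerName = $computer }
        foreach ($name in $DisplayName) {
            $state = 'Missing'; $startMode = $null
            try {
                $svc = Get-CimInstance -ClassName Win32_Service `
                    -Filter "DisplayName = '$name'" -ErrorAction Stop @target
                if ($svc) { $state = $svc.State; $startMode = $svc.StartMode }
            } catch {
                $state = 'Unreachable'   # host down, WinRM blocked or access denied
            }
            [pscustomobject]@{
                Computer  = $computer
                Service   = $name
                State     = $state
                StartMode = $startMode
                Healthy   = ($state -eq 'Running')
            }
        }
    }
}

$report = Get-NetwrixServiceHealth -ComputerName $Computers -DisplayName $ExpectedServices
$report | Format-Table -AutoSize

# A non-zero exit code lets Task Scheduler or a monitoring agent raise the alert.
$failed = @($report | Where-Object { -not $_.Healthy })
if ($failed.Count -gt 0) {
    $failed | ForEach-Object {
        Write-Warning "$($_.Service) on $($_.Computer) is $($_.State)"
    }
    exit 1
}
```

A `StartMode` other than `Auto` or a state of `Missing` is worth investigating even when the service was stopped deliberately, since both can indicate that the auditing host was reconfigured.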

4. Enable native Microsoft security to prevent the data from being restored in case it is leaked
 
a) To secure your data in SQL databases, enable Microsoft Transparent SQL Encryption.
b) To secure the Long-Term Archive, use Microsoft BitLocker technology.

5. Use Netwrix Auditor to audit related systems
 
a) SQL Server databases
- Enable configuration and logon auditing on the SQL Server used by Netwrix. Enable alerts for logon activity, roles and db_owner changes.
b) Servers with SQL Server and Netwrix Auditor
- Enable auditing of Local Users and Groups changes, services and software installations.
- Configure alerts on log clearing and Local Administrator group changes.
- Enable video activity recording on the SQL Server and Netwrix Auditor host using UAVR.
- Configure alerts on SQL Management Studio or Netwrix Auditor launch.
- Configure alerts on logons to the SQL Server and Netwrix Auditor host.
c) Netwrix Long Term Archive
- Enable auditing of the Netwrix Long Term Archive. Exclude the Netwrix data processing account from the monitoring scope. Configure alerts for all read/modify/delete events as well as for failed activity.

6. Perform offline backups of the Long Term Archive regularly
 
This ensures that data will not be lost in case of sudden archive corruption, malicious actions, ransomware, or other circumstances.
Some of our customers also prefer off-site or cloud backups to ensure the integrity of their data.