Netwrix Auditor, your super hero to the rescue
Updated October 18, 2019
Netwrix Auditor, your super hero to the rescue
Score 9 out of 10
Vetted Review
Verified User
Overall Satisfaction with Netwrix Auditor
It is used by two departments, the User Department where I belong and the Security Team along with our Manager and CIO. It addresses auditing who did a change and what changes accounts are privileged do and can review a session of a user who logged into a server at maybe odd hours which could be suspicious.
- Who has done the changes on systems
- Password lockouts where it will tell you exactly where a person is locking which can be frustrating if it occurs too many times for one user.
- It can show you things we rarely look at in our environment e.g on Active Directory things like duplicate group policy settings, empty security groups, computers which have not logged in in a long time thus helping you with your computer inventory.
- Being able to get the actual device a user is locking in from Exchange Server because if a user is found to be locking out from an Exchange Server we have to look at Exchange Server IIS logs and parse through them using other tools like Log Parser looking for wrong password report. We need to use one product and that is Netwrix Auditor.
- The software could also show when a server was restarted or rebooted.
- Standby people no longer have to struggle to know where the user's account is locking.
- Group policies were able to be troubleshot better due to being able to see duplicate settings from other group policies which avoided the clashing of group policies.
- Removing clutter and risks on Active Directory e.g empty security groups, privileged accounts that shouldn't have privileges in the first place.
This was using its logs e.g IIS logs and loading them to Log Parser. Netwrix Auditor has all the audit tools you need, there are no fetching logs somewhere and loading to it manually. The reporting is robust and you can see an executive summary of risks in your environment in one screen. The software is modular which means you can add other systems e.g Sharepoint, SQL Server, etc as systems you want to monitor and have a one-stop-shop software for your organization without having disparate systems to audit other software packages.
Do you think Netwrix Auditor delivers good value for the price?
Yes
Are you happy with Netwrix Auditor's feature set?
Yes
Did Netwrix Auditor live up to sales and marketing promises?
Yes
Did implementation of Netwrix Auditor go as expected?
Yes
Would you buy Netwrix Auditor again?
Yes
Using Netwrix Auditor
10 - Security Team - To do the auditing e.g users who hasn't logged for past 30 days, privilege account group membership changes, track what privilege users change and do (auditing Infrastructure Analysts)
Infrastructure Analysts - to do auditing on AD and Exchange Changes. Keep on check who is created and when they are disabled when a user is terminated, checking things like empty security groups to reduce clutter in AD including duplicate Group policies which can help troubleshoot our group policy issues
Help Desk - Use the tool to be sure where a user account locks out, to be on alert of any user they create and disable for termination. They are the user account creators in the organisation
Infrastructure Analysts - to do auditing on AD and Exchange Changes. Keep on check who is created and when they are disabled when a user is terminated, checking things like empty security groups to reduce clutter in AD including duplicate Group policies which can help troubleshoot our group policy issues
Help Desk - Use the tool to be sure where a user account locks out, to be on alert of any user they create and disable for termination. They are the user account creators in the organisation
Skills on managing all the modules we have - all minus SQL Server and Oracle Database
People whose main job is IT auditing which we dont have
Security training in things like intrusion detection
People whose main job is IT auditing which we dont have
Security training in things like intrusion detection
- Easily see where an account is locking
- Refer back to changes made if YOU MADE A MISTAKE IN THAT CONFIGURATION TO EASILY ROLL BACK!
- Reconcile users who have left the organisation to check whether they are not on AD
- Troubleshoot duplicates on Group Policies which can lead to problems. It works nicely
- Clear old data and clutter, as far as 5 years ago (e.g old service accounts and old users who have left the organisation!)
- After account is disabled (when a person is terminated) we use the report to delete them after 60 days and this is helpful in reconciling our user account inventory to make sure that terminated users are removed
- Our privileged account users are kept on check, this makes sure that there are no unauthorized changes (we have a change management process)
- We are able to see "problem users" who require account unlocks frequently and most are locked on the Exchange server from their devices by not updating new password, but to tell what device we have to use a 3rd party tool (Log Parser) with Exchange IIS logs
- Better risk definitions on the product
Evaluating Netwrix Auditor and Competitors
- Product Features
- Product Usability
- Product Reputation
Product features - There was so much to offer in terms of predefined queries from AD or Exchange or User Activity. Most Exchange and AD queries were difficult to get because native Microsoft tools required you to have knowledge of Powershell and complex Powershell queries. Netwrix Auditor takes care of that from the logs it gets from the Domain Controllers.
You didnt have to have knowledge of powershell
Queries were off the shelf
Could record user activity during internal investigations
You didnt have to have knowledge of powershell
Queries were off the shelf
Could record user activity during internal investigations
Check first if sometimes you won't require another product to further dig deeper on an investigation. The one in question is as stated before when a user gets locked out (our threshold is 10 times of bad password) from a device e.g IPad the product won't tell you BUT will tell you it is from the Exchange Server and you don't have sufficient information, you only get the final piece of the puzzle by using a third party tool (Log Parser) and Exchange Server IIS log files to parse through for password errors and you get the answer including the device name and software version
Netwrix Auditor Implementation
- Implemented in-house
Yes - It was initially used to check where accounts lock
Then other modules were licensed such as Exchange Server and further usage of the AD module, User Activity and this was difficult because there was a lot of trial and error and with the help of Netwrix Support then the software became user friendly to our eyes as we saw it and realised that it was actually easy to use. Therefore there were two phases 1. Setting up AD Maintenance Plan ourselves 2. The rest of the modules with the assistance of Netwrix Support
Then other modules were licensed such as Exchange Server and further usage of the AD module, User Activity and this was difficult because there was a lot of trial and error and with the help of Netwrix Support then the software became user friendly to our eyes as we saw it and realised that it was actually easy to use. Therefore there were two phases 1. Setting up AD Maintenance Plan ourselves 2. The rest of the modules with the assistance of Netwrix Support
Change management was a small part of the implementation and was well-handled - Management was supportive looking at the fact that we chose the product from research on the Internet. Management also wanted to have a product that will help us with easy report generation for IT audits as mostly it was a manual process and the IT audit team felt we were taking long to provide information. Netwrix Auditor enabled us to get instant reporting for IT Audits and there is a very fast turn around time for IT Audit report requests
- Lack of Training or Trialing before buying
- Finding the product difficult at first as we didn't quite understand the way it really works e.g it has to get the event log from the Domain Controller
- Learning the product through the Netwrix Support
- Lack of interest from some team members in using it at the beginning
Netwrix Auditor Support
| Pros | Cons |
|---|---|
Quick Resolution Good followup Knowledgeable team Problems get solved Kept well informed No escalation required Immediate help available Support understands my problem Support cares about my success Quick Initial Response | None |
Yes - Because we don't have anyone clearly trained. The training is not done in the country BUT we do watch some training webinars on the Netwrix website. We do try first line of all else fails we escalate to Netwrix Support.
When the software was first installed and learned from the first support call and it was the initial response which didnt take long, it was how to trace where a user account is locking. We were not using the correct pre-defined report!
Using Netwrix Auditor
| Pros | Cons |
|---|---|
Like to use Relatively simple Easy to use Well integrated Feel confident using | Inconsistent Lots to learn |
- Pre-Defined Reports
- User Activity Monitoring
- Executive Dashboard
- Ascertaining a device (e.g IPad, Samsung, iPhone) which user account is locking on
- Executive Dashboard sometimes not accurate e.g last time user logged in
- Database management