
Change auditing has become an important activity in business networks using Microsoft Active Directory. In general, Active Directory’s native auditing features are insufficient to adequately support business needs such as troubleshooting, compliance enforcement, security auditing, and change management. These inadequacies in Windows’ native auditing are evidenced by the robust third-party market that has grown to fill this functional gap. The products and services of that third-party market offer customers a variety of choices and approaches.
For this analysis, Concentrated Technology surveyed 1,214 Active Directory administrators and front-line IT managers. We interviewed 18 survey respondents for follow-up questions. We also interviewed four Independent Software Vendors (ISVs) who currently offer products in this space, comparing their products’ feature sets to the capabilities required by our survey respondents and interviewees. Finally, a small focus group was introduced to each of the products and asked for their feedback.
We reviewed shipping versions of all products as of January 2011. All data and statements in this analysis are believed to be accurate as of January 2011.
Respondents to our survey identified an almost uniform set of features they felt were missing in the native Windows and Active Directory auditing architecture. Many of these features have been driven, in recent years, by the need for organizations to comply with external industry and legislative requirements. In the US, for example, legislation such as HIPAA, Sarbanes-Oxley, GLB, and so on were commonly cited, along with industry requirements such as PCI DSS. The commonly-requested features are as follows.
Windows’ native auditing is neither centralized nor particularly secure, since administrators can clear the log at any time. Recent versions of Windows Server now include the ability to forward events to a centralized event log; however, the event forwarding system works on a less-than-realtime basis and does not adequately fulfill the requirement for a tamperproof or tamper-evident event repository. Native forwarding delivers events to a standard event log rather than a true database, which means the consolidated log still has many of the other weaknesses of the native log system, which we discuss next.
Windows has no built-in reporting mechanism in its event logs, and provides fairly basic filtering and searching capabilities. Because the native event logs aren’t stored in a relational database, extensive searching can also be time-consuming. Reporting was particularly cited as a weakness, since constructing the reports needed by security auditors is a time-consuming, almost entirely manual task. Robust reporting is an absolute necessity, including the ability to automatically generate and deliver reports on a subscription basis.
Windows’ native events tend to include detailed technical data which is not always meaningful to an auditor or IT administrator. Many of our respondents indicated a need for more meaningful, “plain-English” events. Events that include “before and after” information about changes were also requested; while this has been partially provided in Windows Server 2008 and later for many Active Directory events, more complete coverage of this feature is desired.
Windows includes features for automatically generating alerts and notifications for specified events, such as changes to critical groups or sensitive directory objects. This kind of alerting was identified as a requirement by most respondents. A weakness in Windows’ native alerting capabilities, however, is the dependence on specific event characteristics. For example, defining an alert for changes to a specific Active Directory group is fairly complicated given the alert criteria that must be specified. Alerts are also not centralized (since the logs themselves aren’t), which is a significant weakness: in order to effectively monitor changes to a group, for example, that alert must be configured on every domain controller in the environment.
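As an added illustration of the decentralization weakness described above (example code, not from this analysis or any vendor reviewed here), the following PowerShell script pulls group-membership change events from every domain controller’s Security log and merges them into one list, which is the manual work a native-only environment requires. It assumes the RSAT ActiveDirectory module, remote event-log read rights on each domain controller, and the standard Windows Server 2008 and later Security event IDs for group membership changes.

```powershell
# Added example: aggregate group-membership changes across all DCs.
# Native Security logs are per-DC, so a membership change is recorded only
# on the DC that processed it; central visibility requires querying each one.
Import-Module ActiveDirectory

# Security event IDs for membership changes (Windows Server 2008+):
# 4728/4729 global group add/remove, 4732/4733 domain local, 4756/4757 universal
$memberChangeIds = 4728, 4729, 4732, 4733, 4756, 4757
$since = (Get-Date).AddHours(-24)

$events = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName   = 'Security'
            Id        = $memberChangeIds
            StartTime = $since
        } -ErrorAction Stop | ForEach-Object {
            # Flatten the EventData XML into a name/value table so the fields
            # are readable rather than positional.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc.HostName
                Id     = $_.Id
                Group  = $data['TargetUserName']   # group that changed
                Member = $data['MemberName']       # DN of the member added/removed
                Actor  = $data['SubjectUserName']  # account that made the change
            }
        }
    } catch {
        # Get-WinEvent raises an error when no events match; report and move on.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
}

# One merged, time-ordered trail; note there is still no "before/after"
# membership snapshot, only the individual add/remove events.
$events | Sort-Object Time | Export-Csv -NoTypeInformation -Path .\group-changes.csv
```

The output file is a convenience, not a tamper-evident store: anyone with rights to clear a DC’s Security log can still remove the source events before they are collected.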
While not specifically tied to change auditing, the ability to undo or roll back unwanted changes was cited as a highly desirable feature by respondents. Rollback features imply backup and recovery capabilities. Windows includes basic native backup and recovery features, and Windows Server 2008 R2 introduces an optional Active Directory Recycle Bin feature. However, these features are primarily designed for restoring single objects or groups of objects. They are not intended for undoing attribute-level object changes.
Windows provides poor native capabilities for long-term archival of event logs, although many organizations are now required (or wish) to maintain logs for up to 7 years. Windows simply permits you to manually save the log files; scripting is required to automate this process, but that still does not provide a true archiving solution.
Most security and compliance policies mandate that auditing systems offer separation of duties functionality. Auditors must be able to access the system in a read-only fashion, and administrators who manage the auditing system must be prevented from tampering with the audit trail. Windows does not provide this separation in its native event logging capabilities.
Active Directory is not the only system that needs to be audited within organizations. While not within the scope of this analysis, respondents also indicated a need to audit other Microsoft-based systems, including Exchange Server, SharePoint Server, and SQL Server. Non-Microsoft file storage systems from EMC and NetApp were commonly cited as needing auditing. Where appropriate, we have noted vendors and solutions who offer auditing solutions that include, or that can be extended to include, auditing for these other products and technologies.
Third-party change auditing solutions must typically make two key architectural decisions. Each of these decisions has both upsides and downsides.
First, solutions must gather data from Active Directory. This can be done through an agentless system, or by using locally-installed agents on domain controllers. Agents provide better information-gathering, performance, and often enable more robust features, but require deployment and ongoing maintenance. Agentless systems can create less overall impact on the environment (although they do not necessarily offer better performance), but typically offer less functionality. The solutions we evaluated for this analysis all offer an agent-based approach, although some also offer an agentless deployment option that includes reduced functionality.
Second, solutions must decide where they will gather data. The main choices are to either rely on the native event logs, to connect directly to Active Directory Application Programming Interfaces (APIs), or a combination of the two. The API approach often offers better performance and an increased amount of information. If well-implemented, it can also offer the option to disable native logging capabilities (which are not renowned for their high performance and low impact).
While many organizations are willing to consider third-party software tools to fill the gap left by Windows’ native features, organizations are increasingly concerned about the stability and robustness of the ISVs they choose to deal with. Our respondents indicated a desire to work with ISVs that have a robust and responsive support organization. Managerial-level respondents indicated an additional desire to work with vendors who show signs of financial and organizational stability, suggesting that they will be able to weather economic downturns and remain in business to continue supporting their products in the long term.
Product licensing is also a concern. In most cases, auditing solutions are licensed either per enabled directory account or per heartbeat; the latter model requires one license per human being in the environment, without regard to the number of user accounts in the directory, meaning service accounts and other accounts not tied to a human being are not required to be licensed.
Blackbird Group has been in business since 2002, and has offered an Active Directory auditing solution since 2009. Approximately 500 customers have deployed the solution to date, with an average customer size of 3,000-5,000 users, and the largest customer has more than 5 million users. Blackbird Group employs approximately 30 people worldwide, and claims to have a strong financial position with no significant debt. The company is privately held.
Blackbird Management Suite is an internally-developed suite of applications, including Blackbird Auditor for Active Directory, Blackbird Recovery for Active Directory, Blackbird Protector, and Blackbird Privilege Explorer. The products are licensed per heartbeat.
Blackbird Management Suite relies on locally-installed agents connecting to native Windows APIs instead of the event logs, which is a common approach in this product category. The product’s management console provides a means of centrally deploying or updating the agent, which helps to reduce the maintenance overhead often associated with the agent-based approach.
Events are forwarded to a secured SQL Server database in near-realtime (also common in this product category), providing a tamper-evident audit trail and the opportunity for separation of duties. Blackbird also supports database encryption.
Archiving is accomplished through SQL Server database archiving. Because the product is fairly new, no customers are currently retaining more than a couple of years’ worth of data, so the efficacy of Blackbird’s archival approach remains to be seen over the long term. While SQL Server can absolutely be relied upon to manage enormous databases in the multi-terabyte range, conducting backup and restore operations on very large databases is operationally challenging.
Real-time alerts are provided through e-mail.
The product provides full change rollback capability, and does so in a way that is better-integrated and more intuitive than most products in this category. When viewing the change log, a “rollback” button is available for each change listed. Overall, we feel that the product’s relative newness to the market gives it a “second comer advantage,” meaning the company has had the opportunity to look at existing products and design improvements to things like the user interface. The rollback functionality is an excellent example of this, as it feels more integrated and accessible than is often seen elsewhere.
Blackbird currently uses a proprietary reporting mechanism, but states that reporting will be moved to SQL Server Reporting Services (SSRS) in the future, an increasingly-common approach and one we recommend. SSRS provides automated report generation and subscription delivery, as well as Web-based report delivery. Blackbird currently bundles 74 predefined reports and supports ad-hoc report creation. Reporting is integrated into the main console, enabling report generation through right-click context menus on directory objects. Blackbird also currently supports scheduled report generation and delivery in PDF or XML formats. Note: The Privilege Explorer component already utilizes SSRS for reporting; this component is focused on permissions management and was not reviewed for this analysis.
Blackbird provides an MMC snap-in for management, but also integrates functionality into native Microsoft snap-ins, including Active Directory Users and Computers, GPMC, ADSIEdit, and so forth.
Blackbird Management Suite has had one major release and two minor releases in the past eighteen months, with five patch releases that also included new functionality. This frequency suggests a product that is fairly stable and mature.
Blackbird does not currently support direct integration with standard monitoring frameworks such as System Center Operations Manager, OpenView, Tivoli, etc. The company notes that its e-mail alerts can be used to funnel information into those systems, and it is planning both SNMP support and Operations Manager management packs for future releases.
The company offers similar auditing support for the Windows file system, and is in the process of developing components to cover SharePoint and Exchange.
We believe the Blackbird Management Suite reflects a strong, clear vision for the market segment. Because of its relative newness in the market, the company has been able to create a product that has a modern user interface, which integrates tightly with native Windows consoles, and which offers deeply-integrated functionality across the product’s feature set.
The Blackbird Management Suite product is competitive from an Active Directory perspective. It also has a good roadmap. The Management Suite’s various components look and feel like a single, integrated product, rather than separate products that have specific integration points. Cross-market analysis, however, suggests that its feature set lags behind the competition in other areas, such as support for SQL Server, Exchange, SharePoint, and so on.
NetWrix has been in business since 2006, offering their first Active Directory change auditing solution in 2007. The product is in use by approximately 600 customers. An average-sized deployment is 1,000 to 2,000 directory users across 5-10 domain controllers in 2-3 sites; the largest deployment is 60,000 users, 300 domain controllers, and 30 sites.