ChangeAuditor for Exchange

• 显示概览：追踪用户和管理员的活动，提供关于变更事件的具体信息，包括变更的执行人员、内容、时间、地点、工作站以及变更原因，另外还提供所有变更的原始数据和当前数据。
• 非本人邮箱访问审核：可详细了解非本人访问过的邮箱所发生的任何变动，因而大大提高了安全性与合规性。
• 实时和智能提示：当重要项目发生变更或产生特定模式的变更时，立即发出提示，从而使管理员能够立即应对。
• 服务器配置变更审核：追踪Exchange Server配置参数的变更，例如策略变更（消息大小、邮箱大小），以防出现系统性能问题及意外的安全漏洞。
• 公共文件夹支持：追踪Exchange公共文件夹的变更，加快故障排查速度，保证合规性。
• 配置审核：可启用或禁用事件的生成，使管理员可以避免对使用频繁的账户或安全账户进行审核，从而使审核数据库不会因不必要的事件信息而出现过载。
• 无需本机审核：无需本机审核日志即可捕捉变更信息，从而大大节省存储资源。
• 报告：利用内置报告和全面的合规性报告库，使管理员能够灵活、快速地生成预设定报告或自定义报告。
• 基于角色的访问：设置访问权限，使审核员可以运行搜索或报告，而无需改变应用程序的配置，也无需管理员协助。

Before installing ChangeAuditor, ensure your system meets the following minimum hardware and software requirements:

ChangeAuditor Client (Client-side Component)

The ChangeAuditor Client connects to a ChangeAuditor Coordinator and queries the audited event database for the desired results.

Client Hardware	Minimum: P4 2.0 GHz or better; 1 GB RAM or better Recommended: P4 3.0 GHz or better; 2 GB RAM or better A machine running on any x86 or x64 editions of the following minimum platforms: Windows Server 2003 Windows Server 2003 R2 Windows Server 2008 Windows Server 2008 R2 Windows XP SP2 Windows Vista Windows 7 Screen resolution of at least 1024 x 768 with at least 256 colors
Client Software and Configuration	x86 or x64 versions of Microsoft's .NET Framework v3.5 SP1 or higher NOTE: To verify that you are running the appropriate version of Microsoft's .NET Framework use Add/Remove Programs (Start | Control Panel | Add or Remove Programs). Microsoft Data Access Components (MDAC) 2.8 SP1 X86 or x64 versions of Microsoft XML Parser (MSXML) 6.0 X86 or x64 versions of Microsoft SQLXML 4.0 Internet Explorer 6.0 (or higher)
Client Footprint	Estimated hard disk space usage of 70 MB Estimated RAM physical memory of 100 - 200 MB NOTE: Queries that return a lot of data can cause the client to use as much memory as required to store the results in RAM.

 

ChangeAuditor Coordinator (Server-side component)

The ChangeAuditor Coordinator is responsible for fulfilling client and agent requests and generating alerts.

Coordinator Hardware	Minimum: P4 2.0 GHz or better; 1 GB RAM or better Recommended: P4 3.0 GHz or better; 2 GB RAM or better Member server running on any x86 or x64 editions of the following minimum platforms: Windows Server 2003 Windows Server 2003 R2 Windows Server 2008 Windows Server 2008 R2
Coordinator Software and Configuration	Coordinator Software and Configuration: For the best performance Quest recommends: The ChangeAuditor Coordinator be installed on a dedicated member server. The ChangeAuditor database be configured on a separate, dedicated SQL server instance. Supported SQL Server versions: Microsoft SQL Server 2005 SP2 or higher service pack Microsoft SQL Server 2008 Microsoft SQL Server 2008 R2 The Coordinator must have LDAP and GC connectivity to all domain controllers in the local domain and the  forest root domain. x86 or x64 versions of Microsoft's .NET Framework v3.5 SP1 (or higher) X86 or x64 versions of Microsoft XML Parser (MSXML) 6.0 X86 or x64 versions of Microsoft SQLXML 4.0 Microsoft Data Access Components (MDAC) 2.8. SP1
Coordinator Footprint	Estimated hard disk space used: 40 MB Estimated RAM physical memory of 100 MB Additional 80 MB disk space used by Agent MSI's Estimated database size will vary depending on the number of agents deployed and audited events captured.
Minimum Permissions	User account performing the coordinator installation: The user account that will be performing the coordinator installation needs to have the appropriate permissions to perform the following tasks on the target server: Windows permissions to create and modify registry values. Windows administrative permissions to install software and stop/start services. * It is recommended that the user account performing the installation, be a member of the Domain Admins group in the domain where the coordinator is being installed. Service account running the coordinator service (LocalSystem by default): Active Directory permissions to create and modify SCP (Service Connection Point) objects under the computer object that will be running a ChangeAuditor Coordinator. Local Administrator permissions on the coordinator server. SQL Server database access account specified during installation: An account must be created to be used by the Coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions: Must be assigned the db_owner role on the ChangeAuditor database Must be assigned the SQL Server role of dbcreator Must be assigned the following database roles in the msdb database: db_datareader db_datawriter SQLAgentUserRole

 

Quest ChangeAuditor Agent (Server-side component)

A ChangeAuditor Agent can be deployed to domain controllers (DCs) and member servers to monitor the configuration changes made on these servers. These agents will then report these audit events to the SQL database or ChangeAuditor Coordinator.

Agent Hardware	Minimum: PIII 1.0 GHz or better; 512 MB RAM or better Recommended: P4 2.0 GHz or better; 2 GB RAM or better Server running on any x86 or x64 editions of the following minimum platforms: Windows Server 2003 SP1 Windows Server 2003 R2 Windows Server 2008 Windows Server 2008 Core Windows Server 2008 R2 Windows Server 2008 R2 Core ChangeAuditor Agent requires File and Printer Sharing on Windows Server 2008. By default, File and Printer sharing is not enabled on Windows Server 2008 installations. In order to remotely deploy agents to Windows Server 2008 (Full UI and Server Core), enable the File and Printer sharing (SMB-in) Inbound rule in the Windows Firewall (Port 445) on the target host machine. The File and Printer Sharing for Microsoft Networks service on the network adapter must also be enabled for remote deployment. Auditing of some Exchange events require the latest Exchange service pack to be installed. Please refer to the ChangeAuditor for Exchange Events Reference Guide for the minimum service packs required for Exchange events. The ChangeAuditor Agent uses the COM+ and Distributed Transaction Coordinator (DTC) services locally on the host server for detecting Exchange Server message created, moved, copied and deleted events. If the COM+ or DTC services are disabled or inoperative, these events will not be detected but the Agent will otherwise run normally. Network access to DTC is not required. When enabling the COM+ service, a ChangeAuditor Agent restart is required, because COM+ service registration occurs at agent startup time.
Agent Software and Configuration	Microsoft .NET Framework 3.5 SP1 – ONLY where the agent is installed on Exchange servers with the CAS (OWA) role Microsoft Data Access Components (MDAC) 2.8. Requires an active Global Catalog ChangeAuditor Agents must be able to reach a global catalog (GC) server to resolve SIDs and mailbox names. If a GC is not available, the agent will temporarily use a DC to perform GC functions. The agent will attempt to connect to a GC every nine hours or on restart. The following events will not be captured while the GC is unavailable: Exchange Mailbox events Linked GPO changed events QAS configuration events
Minimum Permissions	ChangeAuditor Agent must run as localsystem.
Exchange Monitoring Minimum Service Pack Requirements	Microsoft Exchange Server 2003 Service Pack 2 Microsoft Exchange Server 2007 x64 Service Pack 1 Microsoft Exchange Server 2010 RTM and Service Pack 1
Agent Footprint	Estimated hard disk space used: 500 MB or greater Estimated RAM used: Core Agent: 25 MB CAAD: 25 MB CAADAM: 3 MB CAEX: 20 MB CAWFS: 20 MB CASQL: 15 MB CALDAP: 15 MB CAEMC: 10MB CANETAPP: 10MB

Language Supported:

• US English

• ChangeAuditor for Exchange Overview Video

  Watch the Video »

• Microsoft Audit Collection Services: How Does It Stack Up as a Security Log Solution?

  Watch the Webcast »

• Change Auditing Your Exchange Environment with ChangeAuditor

  Watch the Webcast »