Welcome. This is Quest Unscripted.
A vlog series on trending topics--
And Quest solutions related to Active Directory--
Office 365--
--oh, and don't forget Azure AD.
You're here because you have questions.
We're here because we have answers--
I think.
We will address questions we've received from customers--
Who experience the same challenges as you.
All with the goal of helping you confidently move--
--manage--
--and secure--
Your Microsoft environment.
We call the show Quest Unscripted because--
Except for this intro--
Nothing we say is scripted or rehearsed.
And we're pretty sure you'll notice that right away.
Hey, folks. This is Ghazwan Khairi, and I'm joined by Bryan Patton with Quest. And Bryan, I can't remember when we had the last discussion about what's new in Change Auditor 7.1, but one of the things that was mentioned was NTLM authentication, NTLM version one, version two capturing of events.
One thing that came to my mind, and I want to ask you about, is can you talk to us a little about how noisy is this going to be? And how do we prevent that noise from happening so that we still see value in auditing these type of events?
Well, hopefully it's not very noisy for NTLM version one, but that will vary environment by environment. So by recommendation by default the event is disabled. We can enable the event, check to see if there is any NTLM version one activity. And if there is, we can kind of get that source and hopefully remediate because you should not be using NTLM version one in your environment.
Now, if you go a period of time and there is no activity, I would recommend setting an alert so if you ever do see any activity, you can be aware of it. But if you start seeing some activity on NTLM version one, I would pause it after a little while because it may be generating an enormous amount of data, and then remediate. And then go back and turn it on, and see if all of the problems have been remediated.
OK. We all know about Change Auditor's purging capabilities and purge jobs. How does that fit into this picture?
Well, it all depends on the value of the different data you're looking at. So let's say you did the latest version of Change Auditor for logon, and you're auditing all NTLM version one and version two. You may expect a big database size growth if those events were enabled, which they are not by default. So if you had them enabled, and you forgot about it for a little while, your SQL size is going to start having high growth if you are in fact using those different protocols.
So if you decide that you want to clean that up and do a purge job, well let's say it's been about a month and your database size has grown by 20 gig, well, just because you purge it doesn't mean your database size is going to go down. Because there's going to be all different whitespace within the SQL server. So you may have to work with your DBA to actually reclaim that space if space becomes an issue.
OK. Well, let me ask you this then. So the job-- the events are by default disabled. We just talked about purge jobs. Can I set up a purge job before I enable these events? So that as soon as I enable these events, I get a day, two days, whatever the threshold I want to see to capture where these authentications are coming from. And then I don't have to worry about purging anything, but then I will get the information and I will go and remediate. So I guess the question is purge jobs, before or after enabling the events?
You could definitely set that before or immediately after you've enabled the event and see how big the volume starts occurring within that. But the one thing I would keep in mind, if you are generating a lot more activity because you are using NTLM authentication, you may need to consider your hardware requirements. For example, if you're deploying this out to all different servers and it's an enormous amount of data, you would definitely want to make sure your coordinators are adequately spec'd out.
OK. Here's the last question that I know nobody asked before. So how would IT Security Search data warehouse come into play in this? Can it be of help from a noise reduction in the amount of data that we may possibly get from enabling these events?
Well, it can help out in the searchability later if we have a chance to be able to index it with IT Security Search. Removing it from a more expensive data source, such as Microsoft SQL, into IT Security Search, it could be a better together story. But keep in mind, you still need to rate the value of the different data. If it's not very valuable to you, you may not want to keep it whatsoever. So just keep that in mind.
Yeah. Cool. Well, I appreciate your time today. Thank you.
Thanks.