Best Practices for Securing Netwrix Auditor

Setup and Configuration
1. Limit access to computer where Netwrix Auditor is installed

Consider using Restricted Groups when applying group membership and User Rights Assignment policy settings to allow access to the Netwrix Auditor computer just for a limited group of users.


2. Maintain roles in Netwrix Auditor carefully

Netwrix Auditor provides a flexible Role-Based Access (RBAC) model. Use it to restrict what each user can do in Netwrix Auditor according to her actual responsibilities within the product.
For details about Netwrix Auditor RBAC, refer to the Section 3. Role-Based Access and Delegation of


3. Monitor Netwrix Auditor services

Ensure that critical Netwrix Auditor services are always up and running:
– Netwrix Auditor Configuration Service
– Netwrix Auditor Archive Service
You can use any tool of your preference for that. For instance, you can use Netwrix Service Monitor – a freeware tool for monitoring critical Windows services. The tool is able to monitor all automatic startup services on multiple servers and send e-mail alerts when one or more services stop unexpectedly. Download here
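
One way to run the check from item 3 as a scheduled task, shown as an added example and not Netwrix's own code: the script reports either of the two services that is missing, stopped, or no longer set to start automatically. It assumes the Windows display names match the service names listed above.

```powershell
# Added example (not Netwrix code). Run from a scheduled task on the Netwrix Auditor host.
# Assumption: the Windows display names match the service names listed in the article.
$requiredServices = @(
    'Netwrix Auditor Configuration Service',
    'Netwrix Auditor Archive Service'
)

function Get-RequiredServiceState {
    param([Parameter(Mandatory)][string[]]$DisplayName)

    foreach ($name in $DisplayName) {
        # SilentlyContinue: a missing service is reported as a finding, not an error.
        $found = @(Get-Service -DisplayName $name -ErrorAction SilentlyContinue)
        if ($found.Count -eq 0) {
            [pscustomobject]@{
                Service = $name; Status = 'NotInstalled'; StartType = ''; Healthy = $false
            }
            continue
        }
        foreach ($svc in $found) {
            # StartType exists in Windows PowerShell 5.0+; on older hosts it is empty
            # and only the running state is evaluated.
            $startType = [string]$svc.StartType
            $startOk   = $startType -notin 'Disabled', 'Manual'
            [pscustomobject]@{
                Service   = $svc.DisplayName
                Status    = [string]$svc.Status
                StartType = $startType
                Healthy   = ($svc.Status -eq 'Running') -and $startOk
            }
        }
    }
}

$state = Get-RequiredServiceState -DisplayName $requiredServices
$state | Format-Table -AutoSize

$unhealthy = @($state | Where-Object { -not $_.Healthy })
if ($unhealthy.Count -gt 0) {
    foreach ($item in $unhealthy) {
        Write-Warning ("{0}: status={1}, start type={2}" -f $item.Service, $item.Status, $item.StartType)
    }
    exit 1   # non-zero exit lets the scheduler or monitoring agent raise the alert
}
```

A service switched to Manual or Disabled is flagged even while it is still running, because it will not come back after the next reboot.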


4. Enable Native Microsoft Security to prevent the data from being restored in case it is leaked

a) To secure your data in SQL databases, enable Microsoft Transparent SQL Encryption.
b) To secure the Long-Term Archive, use Microsoft BitLocker technology.


5. Use Netwrix Auditor to audit related systems

a) SQL Server databases
– Enable configuration and logon auditing on the SQL Server used by Netwrix. Enable alerts for logon activity, roles and db_owner changes.
b) Servers with SQL Server and Netwrix Auditor
– Enable auditing of Local Users and Groups changes, services and software installations.
– Configure alerts on log clearance and Local Administrator group changes.
– Enable video activity recording on the SQL Server and Netwrix Auditor host using UAVR.
– Configure alerts on SQL Management Studio or Netwrix Auditor launch.
– Configure alerts on logons to the SQL Server and Netwrix Auditor host.
c) Netwrix Long Term Archive
– Enable auditing of the Netwrix Long Term Archive. Exclude the Netwrix data processing account from the monitoring scope. Configure alerts for all read/modify/delete events as well as for failed activity.


6. Do offline backups of Long Term Archive regularly

This ensures that data will not be lost in case of sudden archive corruption, malicious actions, ransomware, or under other circumstances.
Some of our customers also prefer off-site or cloud backups to ensure integrity of their data.

