6.4 Configuring Windows Monitoring

Change Guardian monitors the following in Windows:

  • File integrity

  • File shares

  • File systems

  • Local users and groups

  • Processes

  • Registry

  • Removable media

This section provides the following information:

6.4.1 Implementation Checklist

Complete the following tasks to start monitoring Windows events:

NOTE: Change Guardian monitors removable media events only on USB flash drives. To monitor an external hard disk drive (HDD), create a file system monitoring policy on the mounted drive.

6.4.2 Prerequisites

Ensure that you have completed the following:

6.4.3 Categories of Change Guardian Policies for Windows

File integrity: Policies about changes to critical startup files

File shares: Policies about creating file shares and monitoring permission changes

File systems: Policies about monitoring binary files and permission changes to system directories, privileged profiles, and security analysis database

Local users and groups: Policies about the following:

  • Changes to administrator group membership and administrator group privileges

  • Creating and deleting user accounts, and changing passwords

  • Enabling, disabling, or modifying administrator accounts, and changing administrator privileges

Processes: Policies about executing undesirable processes

Registry: Policies about changes to application installation, changes to service registration, and so on.

Removable media: Policies about attaching removable media and file writing to the removable media

For Change Guardian to monitor the registry, enable the Registry Browser: set the HKLM\Software\Wow6432Node\NetIQ\ChangeGuardianAgent\repositoryEnabled flag to 1 and restart the agent. If you do not manually set the flag to 1, the Registry Browser displays the error message: Could not connect to Windows Data Source.
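The following PowerShell script is an added example, not part of the Change Guardian documentation or product: run on the monitored Windows host, it checks whether repositoryEnabled is already 1, sets it only if needed (honouring -WhatIf), and restarts the agent. It assumes the value is a REG_DWORD and uses a placeholder for the agent's Windows service name, which the page does not state; replace it with the name shown in services.msc.

```powershell
# Added example (not Change Guardian's own code): verify and, if needed, set the
# repositoryEnabled flag the Registry Browser needs, then restart the agent service.
# Assumptions not stated on the page: the value is a REG_DWORD, and the agent's
# service name is a placeholder that must be replaced before use.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$AgentServiceName = '<ChangeGuardianAgentServiceName>'   # placeholder
)

$keyPath   = 'HKLM:\SOFTWARE\Wow6432Node\NetIQ\ChangeGuardianAgent'
$valueName = 'repositoryEnabled'

if (-not (Test-Path -Path $keyPath)) {
    throw "Agent key '$keyPath' not found. Is the Change Guardian agent installed on this host?"
}

# Read the current flag; $null means the value does not exist yet.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($current -eq 1) {
    Write-Host "$valueName is already 1; no change required."
    return
}

Write-Host "$valueName is '$current' (expected 1): the Registry Browser would report 'Could not connect to Windows Data Source'."

if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set to 1')) {
    # -Force creates the value if it is missing; DWord is assumed for this flag.
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord -Force
}

if ($PSCmdlet.ShouldProcess($AgentServiceName, 'Restart service')) {
    # The flag takes effect only after the agent restarts, as the documentation states.
    Restart-Service -Name $AgentServiceName -Force
    Get-Service -Name $AgentServiceName | Select-Object Name, Status
}
```

Run it first with -WhatIf to see what would change without touching the registry or the service.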

To create a policy to monitor Local Users and Groups, in Policy Definition, select event list, Privilegelist, or both.

For information about creating policies, see Creating Policies.

After creating policies, you can assign them to assets. For information about assigning policies, see Assigning Policies and Policy Sets.