FISMA Compliance with Netwrix

FISMA Compliance with Netwrix
Guidelines for applying Netwrix solutions and products to implement security controls of NIST SP 800-53
FISMA Compliance
Any Federal agency, its subcontractors, service providers and any organizations that operate IT systems on behalf of Federal agencies must be compliant with FISMA
regulation. FISMA was signed into law as a part of the Electronic Government Act of 2002.
FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to
FISMA. To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS Publication 199,
Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance
with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal
Information Systems and Organizations.
Organizations have flexibility in applying the baseline security controls in accordance with the guidance provided in Special Publication 800-53. This allows organizations to
tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements and environments of operation.
FISMA requirements Overview
The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal
information systems and the information processed, stored, and transmitted by those systems.
Netwrix assists with implementation and validation of the selected controls from the following security domains:
Access Control, Audit and Accountability, Security Assessment and Authorization, Configuration Management, Contingency Planning,
Identification and Authentication, Incident Response, Maintenance, Media Protection, Personal Security, Risk Assessment, System and
Communications Protection, System and Information Integrity
Netwrix provides minimal or zero assistance with the following domains:
Awareness and Training, Physical and Environmental Protection , Planning, System and Services Acquisition
Please note that the suggested mechanisms to support compliance efforts for each particular control may vary in different organizations depending on their systems
configuration, internal procedures, nature of business, and other factors. Reports mentioned in one section may be useful for implementation of another control but
may be omitted. The table below is not a complete reference guide for NIST SP800-53 implementation, but a sample mapping that outlines features and capabilities
of Netwrix product and indicates areas of applicability. In order to achieve compliance various additional measures must be applied. For your convenience see
complete Netwrix Auditor Report List
2|P a g e
NIST 800-53 rev4
How Netwrix Helps
Netwrix Solution/Product/Report
FAMILY: ACCESS CONTROL
AC-2 ACCOUNT MANAGEMENT
AC-3 ACCESS ENFORCEMENT
AC-5 SEPARATION OF DUTIES
Audit all information system
accounts creation, removal,
enablement, disablement and
modifications, for compliance
with organization-defined
procedures and conditions.
Configurable email alerts and
daily reports on relevant activities
to ensure FISMA compliance.
Netwrix Auditor for Active Directory
Auditing of user access rights,
files folders and their
permissions across the entire IT
infrastructure. Validate that all
changes are done in accordance
with internal policies.
Netwrix Auditor for Active Directory
Audit state and changes to
password and other account
policies.
Netwrix Auditor for Exchange











Active Directory Change Tracking/User Accounts/Changes to User Accounts
Active Directory Change Tracking/User Accounts/New User Accounts
Active Directory Change Tracking/User Accounts/Deleted User Accounts
AD State-in-Time Assessment/User Accounts/User Accounts with Group Membership
Inactive User Tracking/Actions & Notifications
Active Directory Change Tracking/Groups/Changes to Security Groups
Active Directory Change Tracking/Security/Changes to Objects Security
GP State-in-Time Assessment/Policy Settings/Account Policies
GP State-in-Time Assessment/Group Policy Objects/All Linked and Unlinked GPOs
GP Change Tracking/Account Policies/Changes to Account Policies
Mailboxes/Changes to Mailbox Permissions
Netwrix Auditor for File Servers


Snapshot Reports/Users Object Access Permissions by Object Path
Successful Modifications/Permission Changes
Netwrix Auditor for SharePoint

All Changes/All SharePoint Permission Changes by User
Netwrix Auditor for SQL Server

All Changes/All SQL Server Changes by User
Netwrix Auditor for Windows Server

Windows Server System and Security/Local Users and Groups Changes
3|P a g e
AC-6 LEAST PRIVILEGE
AC-7 UNSUCCESSFUL LOGON
ATTEMPTS
Audit all privileged accounts
activities and cross-check with
internal policies to determine the
validity of given privileges and
prevent and mitigate malicious
and risky activities. (Filter by
groups with privileged members)
Netwrix Auditor Enterprise Overview
Audit logon activities. Alerts and
reports on account lockouts.
Netwrix Auditor for Active Directory
AC-9 PREVIOUS LOGON
(ACCESS) NOTIFICATION

Netwrix Auditor for Active Directory





AC-11 SESSION LOCK
AD State-in-Time Assessment/Groups/Administrative Groups with Their Members
AD Change Tracking/All Changes/All AD Changes by Groups with Originating Workstation
AD Change Tracking/Groups/Changes to Administrative Groups Membership
AD State-in-Time Assessment/User Accounts/User Accounts with Last Logon Time
Active Directory Change Tracking/User Accounts/User Accounts Lockouts
Netwrix Auditor for Windows Server



AC-8 SYSTEM USE NOTIFICATION
Enterprise-Wide Reports/All Changes/All Changes by User
For sensitive systems and/or
selected user accounts screen
activity video recording feature of
Netwrix Auditor can be used with
customized dialog notification on
logon.
Event Log Management/Best Practice Reports/Logon Reporter/Failed Logon Attempts
Event Log Management/Best Practice Reports/Logon Reporter/Successful User Logons
Event Log Management/Best Practice Reports/Logon Reporter/User Logoffs
Netwrix Auditor for Windows Server


User Session Activity/All Users Activity/All Users Activity by Server
User Activity Video Recording
Audit state and changes to AD
“Screen saver timeout” policy,
Remote Desktop session timeout,
and other relevant policies.
Netwrix Auditor for Active Directory
AC-14 PERMITTED ACTIONS
WITHOUT IDENTIFICATION OR
AUTHENTICATION
Audit all activities of users across
entire IT infrastructure to
determine/prove validity of
changes.
Netwrix Auditor Enterprise Overview
AC-17 REMOTE ACCESS
In addition to the monitoring of
the states and changes to related
policies (see AC-11, AC-12 above),
audit all remote desktop
sessions.
Netwrix Auditor for Windows Server
AC-12 SESSION TERMINATION




GP State-in-Time Assessment/Group Policy Objects/All GPOs with Their Settings
Group Policy Change Tracking/All Changes/All Group Policy Changes
Enterprise-Wide Reports/All Changes/All Changes by User
Event Log Management/Best Practice Reports/Logon Reporter/Remote Desktop Sessions
4|P a g e
AC-21 INFORMATION SHARING
AC-22 PUBLICLY ACCESSIBLE
CONTENT
To ensure FISMA compliance
audit access and modifications to
the data stored in MS SQL,
Fileservers and SharePoint.
AC-23 DATA MINING
PROTECTION
Netwrix Auditor for File Servers

Successful Modifications/All File Server Changes
Netwrix Auditor for SharePoint

All Changes/All SharePoint Changes
Netwrix Auditor for SQL Server

All Changes/All SQL Server Changes
FAMILY: AUDIT AND ACCOUNTABILITY
AU-2 AUDIT EVENTS
AU-3 CONTENT OF AUDIT
RECORDS
AU-4 AUDIT STORAGE
CAPACITY
AU-7 AUDIT REDUCTION AND
REPORT GENERATION
AU-8 TIME STAMPS
AU-9 PROTECTION OF AUDIT
INFORMATION
AU-11 AUDIT RECORD
RETENTION
AU-12 AUDIT GENERATION
Variety of reports and features
can be used for successful FISMA
compliance audit. Netwrix
Auditor collects configurations
states, captures changes and
access events, provides complete
audit trail for report and analysis,
including who, when, where, what
data with before and after values,
consolidated within two-tiered
(file-based and SQL database)
solution, storing of up to and
beyond 10 years of audit data.
Built-in archiving capabilities with
configurable retention policies.
AU-5 RESPONSE TO AUDIT
PROCESSING FAILURES
Netwrix Auditor will deliver daily
summary report with indication if
there were any failures of audit
collecting, processing, etc.
AU-6 AUDIT REVIEW,
ANALYSIS, AND REPORTING
In addition to over 200 built-in
reports with filtering capabilities
that can be reviewed for specific
purposes, simplify burden of
systematic reviews of audit trails
ALL REPORTS FOR THE FOLLOWING SOLUTIONS:
Netwrix Auditor for Active Directory
Netwrix Auditor for Exchange
Netwrix Auditor for File Servers
Netwrix Auditor for SharePoint
Netwrix Auditor for SQL Server
Netwrix Auditor for VMware
Netwrix Auditor for Windows Server
Netwrix Auditor for Active Directory
 Active Directory Change Tracking/Change Management/Change Review History (AD)
 Group Policy Change Tracking/Change Management/Change Review History(GP)
5|P a g e
AU-10 NON-REPUDIATION
by using Change Review History
mechanism of Netwrix Auditor.
Real-Time alerts for AD and
Windows Server can be
configured to provide timely
notifications.
Netwrix Auditor for Exchange
 Change Management/Change Review History(EX)
Netwrix Auditor for SharePoint
 Change Management/Change Review History(SP)
Netwrix Auditor for Windows Server
 Windows Server Change Management/Change Review History (WS)
Utilize variety of ready to use
reports of user activities across
all audited systems. Built-in
reports for every particular
system, for all changes or specific
activity. Apply report filtering to
increase relevancy of events.
Netwrix Auditor Enterprise Overview

Enterprise-Wide Reports/All Changes/All Changes by User
Netwrix Auditor for Exchange

All Changes/All MS Exchange Changes by User with Originating Workstation
Netwrix Auditor for File Servers


Successful Modifications/All File Server Changes by User
Successful Reads/Successful File Reads by User
Netwrix Auditor for SharePoint


All Changes/All SharePoint Content Changes by User
All Changes/All SharePoint Permission Changes by User
Netwrix Auditor for SQL Server

All Changes/All SQL Server Changes by User
Netwrix Auditor for VMware

All VMware Changes/All VMware Changes by User
Netwrix Auditor for Windows Server

AU-14 SESSION AUDIT
Use screen activity video
recording for critical systems and
high privileged users.
Windows Server Overall Changes/All Server Changes by User
Netwrix Auditor for Windows Server

User Session Activity/All Users Activity/All Users Activity by User
6|P a g e
FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION
CA-2 SECURITY
ASSESSMENTS
CA-7 CONTINUOUS
MONITORING
CA-8 PENETRATION TESTING
Variety of reports can be used in
order to determine effectiveness
of security controls and in
support of security assessment.
VARIOUS REPORTS FOR THE FOLLOWING SOLUTIONS:
Netwrix Auditor for Active Directory
Netwrix Auditor for Exchange
Netwrix Auditor for File Servers
Configure Netwrix Auditor
auditing policies according to
organization-defined metrics and
strategies. Validate audit trails by
cross-checking against security
baselines to assess conformance
with FISMA compliance
requirements. Verify that only
authorized use of systems by
authorized personnel is taking
place.
Netwrix Auditor for SharePoint
Netwrix Auditor for SQL Server
Netwrix Auditor for VMware
Netwrix Auditor for Windows Server
FAMILY: CONFIGURATION MANAGEMENT
CM-2 BASELINE
CONFIGURATION
CM-6 CONFIGURATION
SETTINGS
Compare organization-defined
baseline configuration to
configuration snapshots and
track configuration changes for
deviations/violations in Active
Directory and Fileservers
Netwrix Auditor for Active Directory





AD State-in-Time Assessment/Groups/Groups with Members
AD State-in-Time Assessment/Organizational Units/Organizational Units with Accounts
GP State-in-Time Assessment/Group Policy Objects/All GPOs with Their Status
GP Change Tracking/All Changes/All GP Changes by Groups with Originating Workstation
AD Change Tracking/All Changes/All AD Changes by User with Originating Workstation
Netwrix Auditor for File Servers



Snapshot Reports/Accounts Access Permissions by Folders
Successful Modifications/Permission Changes
Successful Modifications/Shares Changes
7|P a g e
CM-3 CONFIGURATION
CHANGE CONTROL
Review audit trail of configuration
changes to IT infrastructure
components. Use reports with all
changes or choose only relevant
ones. Setup retention policies for
audit storage. Configure alerts
and subscribe for reports on
critical (organization-defined)
changes.
Netwrix Auditor for Active Directory


Active Directory Change Tracking/All Changes/All Active Directory Changes
Group Policy Change Tracking/All Changes/All Group Policy Changes
Netwrix Auditor for Exchange

All Changes/All MS Exchange Changes
Netwrix Auditor for File Servers

Successful Modifications/All File Server Changes
Netwrix Auditor for SharePoint

All Changes/All SharePoint Configuration Changes
Netwrix Auditor for SQL Server

All Changes/All SQL Server Changes
Netwrix Auditor for VMware

All Changes/All VMware Changes
Netwrix Auditor for Windows Server

CM-4 SECURITY IMPACT
ANALYSIS
CM-5 ACCESS RESTRICTIONS
FOR CHANGE
CM-7 LEAST FUNCTIONALITY
CM-9 CONFIGURATION
MANAGEMENT PLAN
CM-10 SOFTWARE USAGE
RESTRICTIONS
CM-11 USER-INSTALLED
SOFTWARE
Windows Server Overall Changes/All Server Changes
Audit all changes across the
entire IT infrastructure to validate
that only authorized users
allowed to make sensitive
changes.
Netwrix Auditor Enterprise Overview
Some aspects of these controls
can be assisted with variety of
reports by auditing for violations
of properly configured systems.
Including Group and Local
policies changes, access and
permissions modifications,
workstations audit, registry
monitoring, and other
configuration assets that can be
critical for maintaining FISMA
compliance.
VARIOUS REPORTS FOR THE FOLLOWING SOLUTIONS:

Enterprise-Wide Reports/All Changes/All Changes by User
Netwrix Auditor for Active Directory
Netwrix Auditor for Exchange
Netwrix Auditor for File Servers
Netwrix Auditor for SharePoint
Netwrix Auditor for SQL Server
Netwrix Auditor for VMware
Netwrix Auditor for Windows Server
8|P a g e
FAMILY: CONTINGENCY PLANNING
CP-4 CONTINGENCY PLAN
TESTING
CP-6 ALTERNATE STORAGE
SITE
CP-12 SAFE MODE
Test IT systems in various modes
of operations and analyze audit
trails for incidents and other
problems to validate
effectiveness of the system
functions.
VARIOUS REPORTS FOR THE FOLLOWING SOLUTIONS:
Netwrix Auditor for Active Directory
Netwrix Auditor for Exchange
Netwrix Auditor for File Servers
Netwrix Auditor for SharePoint
Netwrix Auditor for SQL Server
CP-13 ALTERNATIVE
SECURITY MECHANISMS
CP-10 INFORMATION SYSTEM
RECOVERY AND
RECONSTITUTION
Netwrix Auditor for VMware
Netwrix Auditor for Windows Server
In addition to the analysis of
historic data on configuration
states and changes to Active
Directory, use built-in restore
feature with object-level and
attribute-level recovery wizard.
Netwrix Auditor for Active Directory






AD State-in-Time Assessment/Computer Accounts/Computer Accounts with Status
AD State-in-Time Assessment/Organizational Units/Organizational Units with Accounts
AD State-in-Time Assessment/User Accounts/User Accounts with Group Membership
GP State-in-Time Assessment/Group Policy Objects/All GPOs with Their Delegation Settings
Active Directory Change Tracking/All Changes/All Active Directory Changes
Active Directory Object Restore
FAMILY: IDENTIFICATION AND AUTHENTICATION
IA-2 IDENTIFICATION AND
AUTHENTICATION
(ORGANIZATIONAL USERS)
IA-4 IDENTIFIER
MANAGEMENT
IA-5 AUTHENTICATOR
MANAGEMENT
Full auditing of user accounts
state, creations, deletions and
modifications in Active Directory,
SQL Server, Windows server to
validate conformance with NIST
SP 800-53 guidelines and
organization-defined
requirements to support FISMA
compliance. Auditing of password
policies and changes. Automatic
password expiration notifications.
Netwrix Auditor for Active Directory









AD State-in-Time Assessment/User Accounts/User Accounts with Status
AD State-in-Time Assessment/User Accounts/Expired User Accounts
Active Directory Change Tracking/User Accounts/Changes to User Accounts
Active Directory Change Tracking/User Accounts/Deleted User Accounts
Active Directory Change Tracking/User Accounts/New User Accounts
GP State-in-Time Assessment/Policy Settings/Account Policies
GP Change Tracking/Account Policies/Changes to Password Policy Settings
Inactive User Tracking
Password Expiration Alerting
9|P a g e
IA-6 AUTHENTICATOR
FEEDBACK
Password management with
challenge-response system.
IA-8 IDENTIFICATION AND
AUTHENTICATION (NONORGANIZATIONAL USERS)
Netwrix Auditor for SQL Server


Object Changes/Login Changes
Object Changes/User Changes
Netwrix Auditor for Windows Server

Windows Server System and Security/Local Users and Groups Changes
Netwrix Password Manager

Policies & Features
Additionally Netwrix assists with various aspects of the following controls:
FAMILY: INCIDENT RESPONSE
IR-4 INCIDENT HANDLING (monitor systems operations, and use on-demand reporting to perform root cause analysis of incidents)
IR-5 INCIDENT MONITORING (audit and analyze data collection)
IR-6 INCIDENT REPORTING (utilize scheduled reporting and real-time alerts)
IR-9 INFORMATION SPILLAGE RESPONSE (audit of all data creations to identify violations)
FAMILY: MAINTENANCE
MA-2 CONTROLLED MAINTENANCE (capture audit trail of activities during maintenance and validate proper systems functionality afterward)
MA-4 NONLOCAL MAINTENANCE (audit remote access sessions and activities)
FAMILY: MEDIA PROTECTION
MP-2 MEDIA ACCESS and
MP-7 MEDIA USE (audit access and changes to content on Fileservers and modifications in SQL and SharePoint for violations)
10 | P a g e
FAMILY: PERSONNEL SECURITY
PS-4 PERSONNEL TERMINATION (revocation of authenticators/credentials associated with the individual)
PS-5 PERSONNEL TRANSFER (access authorization modifications audit)
FAMILY: RISK ASSESSMENT
RA-3 RISK ASSESSMENT and
RA-5 VULNERABILITY SCANNING (monitor for unauthorized access, changes and related consequences, use audit trail for reporting)
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
SC-2 APPLICATION PARTITIONING and
SC-3 SECURITY FUNCTION ISOLATION (audit of privileged users, access control and systems management activities)
SC-5 DENIAL OF SERVICE PROTECTION (monitor for user restrictions violations and irregularities in systems function)
SC-6 RESOURCE AVAILABILITY (monitor for interruptions of user access, activities, and systems availability)
FAMILY: SYSTEM AND INFORMATION INTEGRITY
SI-4 INFORMATION SYSTEM MONITORING (monitor systems for illegal access and suspicious activities, audit privileged users)
SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES (use alerts for violations and compromise indicators, notifications and reports)
SI-6 SECURITY FUNCTION VERIFICATION (verify correctness of systems functioning by looking for deviations from baseline)
SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY (monitor critical changes to the systems, workstations registry audit)
SI-12 INFORMATION HANDLING AND RETENTION (audit all operations with data for compliance with policies and regulations)
11 | P a g e