SysAdmin Magazine
№ 54 December ‘19

Contents SysAdmin Magazine December 2019

03 Network devices explained
07 Christmas Quiz: Which Christmas character are you?
08 Set up a hybrid Office 365 and migrate to Exchange Online
10 Top 10 Group Policy PowerShell commands
14 How to enable SQL server audit and review the audit log
18 Managing SharePoint item-level permissions
21 Top 3 audit challenges and how to overcome them
23 Free tool of the month: Netwrix Account Lockout Examiner
24 How-to: How to get user login history

SysAdmin Magazine is a free source of knowledge for IT Pros who are eager to keep a tight grip on network security and do the job faster.

The Sysadmin Magazine team
sysadmin.magazine@netwrix.com

Network Devices Explained

Jeff Melnick
IT Security Expert, Blogger

To build a strong network and defend it, you need to understand the devices that comprise it.

What are network devices?

Network devices, or networking hardware, are physical devices that are required for communication and interaction between hardware on a computer network.

Types of network devices

Here is the common network device list:

▪ Hub
▪ Switch
▪ Router
▪ Bridge
▪ Gateway
▪ Modem
▪ Repeater
▪ Access Point

Hub

Hubs connect multiple computer networking devices together. A hub also acts as a repeater in that it amplifies signals that deteriorate after traveling long distances over connecting cables. A hub is the simplest in the family of network connecting devices because it connects LAN components with identical protocols.

A hub can be used with both digital and analog data, provided its settings have been configured to prepare for the formatting of the incoming data. For example, if the incoming data is in digital format, the hub must pass it on as packets; however, if the incoming data is analog, then the hub passes it on in signal form.

Hubs do not perform packet filtering or addressing functions; they just send data packets to all connected devices. Hubs operate at the Physical layer of the Open Systems Interconnection (OSI) model. There are two types of hubs: simple and multiple port.

Switch

Switches generally have a more intelligent role than hubs. A switch is a multiport device that improves network efficiency. The switch maintains limited routing information about nodes in the internal network, and it allows connections to systems like hubs or routers. Strands of LANs are usually connected using switches. Generally, switches can read the hardware addresses of incoming packets to transmit them to the appropriate destination.

Using switches improves network efficiency over hubs or routers because of the virtual circuit capability. Switches also improve network security because the virtual circuits are more difficult to examine with network monitors. You can think of a switch as a device that has some of the best capabilities of routers and hubs combined. A switch can work at either the Data Link layer or the Network layer of the OSI model. A multilayer switch is one that can operate at both layers, which means that it can operate as both a switch and a router. A multilayer switch is a high-performance device that supports the same routing protocols as routers.

Switches can be subject to distributed denial of service (DDoS) attacks; flood guards are used to prevent malicious traffic from bringing the switch to a halt. Switch port security is important, so be sure to secure switches: disable all unused ports and use DHCP snooping, ARP inspection and MAC address filtering.

Router

Routers help transmit packets to their destinations by charting a path through the sea of interconnected networking devices using different network topologies. Routers are intelligent devices, and they store information about the networks they’re connected to. Most routers can be configured to operate as packet-filtering firewalls and use access control lists (ACLs). Routers, in conjunction with a channel service unit/data service unit (CSU/DSU), are also used to translate from LAN framing to WAN framing. This is needed because LANs and WANs use different network protocols. Such routers are known as border routers. They serve as the outside connection of a LAN to a WAN, and they operate at the border of your network.

Routers are also used to divide internal networks into two or more subnetworks. Routers can also be connected internally to other routers, creating zones that operate independently. Routers establish communication by maintaining tables about destinations and local connections. A router contains information about the systems connected to it and where to send requests if the destination isn’t known. Routers usually communicate routing and other information using one of three standard protocols: Routing Information Protocol (RIP), Border Gateway Protocol (BGP) or Open Shortest Path First (OSPF).

Routers are your first line of defense, and they must be configured to pass only traffic that is authorized by network administrators. The routes themselves can be configured as static or dynamic. If they are static, they can only be configured manually and stay that way until changed. If they are dynamic, they learn of other routers around them and use information about those routers to build their routing tables.

Routers are general-purpose devices that interconnect two or more heterogeneous networks. They are usually dedicated to special-purpose computers, with separate input and output network interfaces for each connected network. Because routers and gateways are the backbone of large computer networks like the internet, they have special features that give them the flexibility and the ability to cope with varying network addressing schemes and frame sizes through segmentation of big packets into smaller sizes that fit the new network components. Each router interface has its own Address Resolution Protocol (ARP) module, its own LAN address (network card address) and its own Internet Protocol (IP) address. The router, with the help of a routing table, has knowledge of routes a packet could take from its source to its destination. The routing table, like in the bridge and switch, grows dynamically. Upon receipt of a packet, the router removes the packet headers and trailers and analyzes the IP header by determining the source and destination addresses and data type, and noting the arrival time. It also updates the routing table with new addresses not already in the table. The IP header and arrival time information is entered in the routing table. Routers normally work at the Network layer of the OSI model.

Bridge

Bridges are used to connect two or more hosts or network segments together. The basic role of bridges in network architecture is storing and forwarding frames between the different segments that the bridge connects. They use hardware Media Access Control (MAC) addresses for transferring frames. By looking at the MAC address of the devices connected to each segment, bridges can forward the data or block it from crossing. Bridges can also be used to connect two physical LANs into a larger logical LAN.


Bridges work only at the Physical and Data Link layers of the OSI model. Bridges are used to divide larger networks into smaller sections by sitting between two physical network segments and managing the flow of data between the two.

Bridges are like hubs in many respects, including the fact that they connect LAN components with identical protocols. However, bridges filter incoming data packets, known as frames, for addresses before they are forwarded. As it filters the data packets, the bridge makes no modifications to the format or content of the incoming data. The bridge filters and forwards frames on the network with the help of a dynamic bridge table. The bridge table, which is initially empty, maintains the LAN addresses for each computer in the LAN and the addresses of each bridge interface that connects the LAN to other LANs. Bridges, like hubs, can be either simple or multiple port.

Bridges have mostly fallen out of favor in recent years and have been replaced by switches, which offer more functionality. In fact, switches are sometimes referred to as “multiport bridges” because of how they operate.

Gateway

Gateways normally work at the Transport and Session layers of the OSI model. At the Transport layer and above, there are numerous protocols and standards from different vendors; gateways are used to deal with them. Gateways provide translation between networking technologies such as Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP). Because of this, gateways connect two or more autonomous networks, each with its own routing algorithms, protocols, topology, domain name service, and network administration procedures and policies.

Gateways perform all of the functions of routers and more. In fact, a router with added translation functionality is a gateway. The function that does the translation between different network technologies is called a protocol converter.

Modem

Modems (modulators-demodulators) are used to transmit digital signals over analog telephone lines. Thus, digital signals are converted by the modem into analog signals of different frequencies and transmitted to a modem at the receiving location. The receiving modem performs the reverse transformation and provides a digital output to a device connected to a modem, usually a computer. The digital data is usually transferred to or from the modem over a serial line through an industry standard interface, RS-232. Many telephone companies offer DSL services, and many cable operators use modems as end terminals for identification and recognition of home and personal users. Modems work on both the Physical and Data Link layers.

Repeater

A repeater is an electronic device that amplifies the signal it receives. You can think of a repeater as a device which receives a signal and retransmits it at a higher level or higher power so that the signal can cover longer distances, more than 100 meters for standard LAN cables. Repeaters work on the Physical layer.

Access Point

While an access point (AP) can technically involve either a wired or wireless connection, it commonly means a wireless device. An AP works at the second OSI layer, the Data Link layer, and it can operate either as a bridge connecting a standard wired network to wireless devices or as a router passing data transmissions from one access point to another.

Wireless access points (WAPs) consist of a transmitter and receiver (transceiver) device used to create a wireless LAN (WLAN). Access points typically are separate network devices with a built-in antenna, transmitter and adapter. APs use the wireless infrastructure network mode to provide a connection point between WLANs and a wired Ethernet LAN. They also have several ports, giving you a way to expand the network to support additional clients. Depending on the size of the network, one or more APs might be required to provide full coverage. Additional APs are used to allow access to more wireless clients and to expand the range of the wireless network. Each AP is limited by its transmission range — the distance a client can be from an AP and still obtain a usable signal and data process speed. The actual distance depends on the wireless standard, the obstructions and environmental conditions between the client and the AP. Higher end APs have high-powered antennas, enabling them to extend how far the wireless signal can travel.

Having a solid understanding of the types of network devices available can help you design and build a network that is secure and serves your organization well. However, to ensure the ongoing security and availability of your network, you should carefully monitor your network devices and activity around them, so you can quickly spot hardware issues, configuration issues and attacks.
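The following is an added example, not part of the article: a PowerShell simulation of the dynamic bridge table described in the Bridge section and of the per-port MAC limit that switch port security enforces, run over constructed frames. It shows the three outcomes a bridge or switch produces (forward to one port, filter, flood) and what a port-security violation looks like; the class, port numbers and MAC addresses are all invented for the illustration.

```powershell
# Added example (not from the article): a learning bridge with a switch-style
# port-security limit. Frames and addresses below are constructed.
class LearningBridge {
    [hashtable]$Table = @{}          # MAC address -> port it was learned on (the bridge table)
    [hashtable]$MacsPerPort = @{}    # port -> set of MACs seen on that port (for port security)
    [int[]]$Ports
    [int]$MaxMacsPerPort
    [System.Collections.Generic.List[string]]$Log = [System.Collections.Generic.List[string]]::new()

    LearningBridge([int[]]$ports, [int]$maxMacsPerPort) {
        $this.Ports = $ports
        $this.MaxMacsPerPort = $maxMacsPerPort
    }

    # Returns the ports the frame is sent out of; an empty array means it was dropped.
    [int[]] Forward([int]$inPort, [string]$srcMac, [string]$dstMac) {
        # Port security: refuse to learn more than MaxMacsPerPort addresses on one port.
        if (-not $this.MacsPerPort.ContainsKey($inPort)) { $this.MacsPerPort[$inPort] = @{} }
        $seen = $this.MacsPerPort[$inPort]
        if (-not $seen.ContainsKey($srcMac) -and $seen.Count -ge $this.MaxMacsPerPort) {
            $this.Log.Add("VIOLATION port $inPort : $srcMac exceeds the MAC limit, frame dropped")
            return @()
        }
        $seen[$srcMac] = $true

        # Learning: the bridge table starts empty and fills from source addresses.
        $this.Table[$srcMac] = $inPort

        # Filtering/forwarding: a known destination goes out one port only; a frame whose
        # destination is on the ingress port is filtered (never crosses the bridge).
        if ($this.Table.ContainsKey($dstMac)) {
            $outPort = $this.Table[$dstMac]
            if ($outPort -eq $inPort) {
                $this.Log.Add("FILTER  $srcMac -> $dstMac stays on port $inPort")
                return @()
            }
            $this.Log.Add("FORWARD $srcMac -> $dstMac via port $outPort")
            return @($outPort)
        }
        # Unknown or broadcast destination: flood to every port except the ingress port
        # (this is the hub-like behaviour a bridge falls back to).
        $flood = @($this.Ports | Where-Object { $_ -ne $inPort })
        $this.Log.Add("FLOOD   $srcMac -> $dstMac to ports $($flood -join ',')")
        return $flood
    }
}

# Three-port bridge, at most two MAC addresses per port.
$bridge = [LearningBridge]::new(@(1, 2, 3), 2)
$broadcast = 'FF:FF:FF:FF:FF:FF'
# Constructed traffic: host A on port 1, host B on port 2.
$bridge.Forward(1, 'AA:AA:AA:AA:AA:01', $broadcast)          | Out-Null  # flooded; A learned on port 1
$bridge.Forward(2, 'BB:BB:BB:BB:BB:02', 'AA:AA:AA:AA:AA:01') | Out-Null  # forwarded to port 1 only
$bridge.Forward(1, 'AA:AA:AA:AA:AA:01', 'BB:BB:BB:BB:BB:02') | Out-Null  # forwarded to port 2 only
# Two additional, unexpected addresses appear on port 1 (for example a hub plugged into a desk port).
$bridge.Forward(1, 'AA:AA:AA:AA:AA:03', $broadcast)          | Out-Null  # allowed: second MAC on port 1
$bridge.Forward(1, 'AA:AA:AA:AA:AA:04', $broadcast)          | Out-Null  # port-security violation, dropped
$bridge.Log
```

The last log line is the event a real switch would raise as a port-security violation; on production gear the same condition is what the article's "disable unused ports" and "MAC address filtering" advice is meant to catch.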


New Quiz!

If you’re a sysadmin, you know how to make magic. But as Christmas approaches, maybe it’s time to learn more about your magical skills: Exactly which iconic Christmas character are you?

Answer these 7 simple questions to find out.

5 players, picked at random on December 30, 2019, will each get a $25 Amazon gift card.

Set Up a Hybrid Office 365 and Migrate to Exchange Online

Jonathan Hassell
Exchange Expert, IT Consultant

So, you’ve set up a hybrid Microsoft environment, with Azure Active Directory Connect performing synchronization from your on-prem AD to Office 365 as explained in my post, “Quick Guide: How to Sync Your Active Directory to Office 365.” What about Exchange? You can choose to move completely to Exchange Online, or you can choose a hybrid deployment. Here I’ll explain how to set up a hybrid Exchange environment and migrate mailboxes from your on-prem Exchange to Exchange Online.

Keep in mind that when you create a hybrid Exchange environment, you have to leave a single on-premises Exchange Server machine on your local network for the foreseeable future. This is because of the way the Office 365 system defers some things to on-premises Exchange Server machines; some roles that the on-prem machine holds cannot be moved up to Office 365 in a supported way. Microsoft is working on changing this so that when all of your mailboxes are migrated to Office 365, you can decommission that last Exchange Server on your network, but for the time being, it remains a requirement.

How to Set up a Hybrid Exchange/Office 365 Environment

To complete your hybrid deployment, you need to configure coexistence between your on-prem Exchange and Exchange Online. To synchronize the two environments, take the following steps:

1. From the Exchange Admin Center, launch the Hybrid Configuration Wizard. In the left pane, navigate to Hybrid and click Enable.

2. Sign in with your Office 365 account.

3. Click Accept. The Hybrid Configuration Wizard tool will be downloaded and install itself automatically.

4. When the wizard has finished installing, it will open. Click Next to begin.

Figure 1. The Hybrid Configuration Wizard

1. Specify the Exchange Server machine you want to use or accept the one that the wizard has identified automatically.

2. Enter credentials for your on-prem Active Directory deployment and for your Office 365 tenant.


3. The wizard will check the credentials. Once they’ve been verified, click Next to continue.

4. For our purposes, choose the Configure my Client Access and Mailbox servers for secure mail transport (typical) option and click Next.

5. Choose the right SSL certificates and click Next.

6. Review all of the information you’ve entered and click Update.

The wizard will run a number of PowerShell commands behind the scenes to configure your local Exchange Server machine and Office 365 tenant, make connectors, and configure remote domains, encryption and so on.

How to Migrate Mailboxes from On-Premises Exchange to Exchange Online

One of the benefits of a hybrid configuration is that you get a great way to migrate your mailboxes to the cloud without having to pay for a third-party solution or do it yourself manually over many long weekends. This method is especially useful if there is a lot of data to migrate and the process is bound to take a lot of time.

To migrate your mailboxes, take the following steps:

1. Open the Exchange Admin Center at https://outlook.office365.com/ecp and choose Migration in the Recipients settings.

2. Click the + icon, and then click Migrate to Exchange Online from the pop-up menu.

Figure 2. Migrating mailboxes from on-prem Exchange to Exchange Online

1. Select the remote move migration, and then click through the wizard. You’ll add a mailbox to a migration batch, create an endpoint if you need to and name the batch. Tell the wizard where to contact you when the migration is complete, and then wait for that email. Note that the migration could take hours, depending on the size of the mailbox, the bandwidth and latency on your Internet connection, and how busy Microsoft’s Exchange Online servers are.

2. Launch Outlook on the migrated user’s computer. Autodiscover should realize the mailbox has been moved and do some reconfiguration. The user’s phone or tablet should also work with no user action required.
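As an added example that goes beyond the wizard steps above (it is not from the article), the same onboarding remote move can be started and watched from Exchange Online PowerShell, which is handy when a move runs for hours. The mailbox, the on-prem hybrid endpoint host name, the target delivery domain and the batch name are assumed placeholders.

```powershell
# Added example (not from the article): a hybrid remote move request driven from
# Exchange Online PowerShell instead of the EAC wizard. All names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

$mailbox    = 'jdoe@contoso.com'                 # assumed user being migrated
$onPremCred = Get-Credential -Message 'On-premises Exchange admin (DOMAIN\user)'

# -Remote with -RemoteHostName marks this as an onboarding move from on-prem to
# Exchange Online; the target delivery domain is the tenant's *.mail.onmicrosoft.com domain.
New-MoveRequest -Identity $mailbox `
    -Remote `
    -RemoteHostName 'mail.contoso.com' `
    -RemoteCredential $onPremCred `
    -TargetDeliveryDomain 'contoso.mail.onmicrosoft.com' `
    -BatchName 'Pilot-Dec2019'

# Poll until the move reaches a terminal state; large mailboxes can take hours.
$terminal = @('Completed', 'CompletedWithWarning', 'Failed')
do {
    Start-Sleep -Seconds 300
    $stats = Get-MoveRequestStatistics -Identity $mailbox
    '{0:HH:mm}  {1,-22} {2,3}%  {3}' -f (Get-Date), $stats.Status, $stats.PercentComplete, $stats.StatusDetail
} while ($stats.Status -notin $terminal)

if ($stats.Status -ne 'Completed') {
    # A failed or warning move keeps its detailed report; read it before retrying.
    (Get-MoveRequestStatistics -Identity $mailbox -IncludeReport).Report
}
```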


Top 10 Group Policy PowerShell Commands

Russell Smith
IT Consultant, PowerShell Expert

In addition to the Group Policy Management Console (GPMC), Microsoft provides a set of Windows PowerShell cmdlets you can use to manage Group Policy. To use the Group Policy PowerShell cmdlets, you must have GPMC installed on the device where you will run the cmdlets. To check if the Group Policy PowerShell module is installed on a device, run the command below, which will display all the available Group Policy cmdlets if the module is installed.

Get-Command -Module GroupPolicy

Creating a new Group Policy Object

Let’s start by creating a new Group Policy object (GPO). The command below creates a new GPO called ‘Netwrix PCs’ and adds a comment to describe its purpose:

New-GPO -Name "Netwrix PCs" -Comment "Client settings for Netwrix PCs"

The command creates an empty GPO with no settings. If you have starter GPOs configured in your Active Directory domain, you can create a new GPO based on their settings. The following command creates a new GPO called ‘Netwrix PCs’ based on the ‘Windows 10 MS Security Settings’ starter GPO:

New-GPO -Name "Netwrix PCs" -StarterGPOName "Windows 10 MS Security Settings"

You can optionally link the GPO to a domain, domain controller’s organizational unit (OU) or site using piping. The command below creates a new GPO and links it to the Clients OU in the ad.contoso.com domain:

New-GPO -Name "Netwrix PCs" | New-GPLink -Target "ou=clients,dc=ad,dc=contoso,dc=com"

To unlink a GPO, use the Remove-GPLink cmdlet:

Remove-GPLink -Name "Netwrix PCs" -Target "ou=clients,dc=ad,dc=contoso,dc=com"


Figure 1. How to link and unlink a GPO

Getting information about a GPO

Once a GPO is created, you can use Get-GPO to return information like GPO status, creation time and last modification time:

Get-GPO -Name "Netwrix PCs"

If you want more information, pipe the object created by Get-GPO to Get-GPOReport. The command below creates an HTML report that gives information about the GPO similar to what you might see in the Group Policy Management Console:

Get-GPO -Name "Netwrix PCs" | Get-GPOReport -ReportType HTML -Path c:\temp\report.html

Figure 2. HTML report with detailed data about a specific GPO


Configuring Group Policy settings

If you know the location for a registry-based Group Policy setting, you can use the Set-GPRegistryValue cmdlet to configure it. Registry-based Group Policy settings are those that appear under Administrative Templates in GPMC. Set-GPRegistryValue can also be used to set registry values that are not covered by Group Policy settings. For example, if you want to configure registry settings for third-party applications that don’t have an ADMX file for Group Policy, Set-GPRegistryValue is a quick way to configure the settings you need. The following command sets a screensaver timeout of 300 seconds for the logged-in user:

Set-GPRegistryValue -Name "Netwrix PCs" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut -Type DWord -Value 300

You can specify either computer configuration or user configuration settings using Set-GPRegistryValue. The registry path in the -Key parameter above starts with “HKCU” (which stands for “HKEY_CURRENT_USER”). If you want to configure a computer setting instead, replace “HKCU” with “HKLM” (which expands to HKEY_LOCAL_MACHINE).

To get detailed information about a registry key configured in a GPO, use Get-GPRegistryValue:

Get-GPRegistryValue -Name "Netwrix PCs" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

Figure 3. How to get detailed information about a registry key configured in a GPO

To remove a registry setting from a GPO, use Remove-GPRegistryValue:

Remove-GPRegistryValue -Name "Netwrix PCs" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName ScreenSaveTimeOut

The three cmdlets above have Group Policy Preference equivalents if you decide to use Preferences instead of Policies to set registry keys: Set-GPPrefRegistryValue, Get-GPPrefRegistryValue, and Remove-GPPrefRegistryValue.


Applying Group Policy settings

Provided that your GPO is linked to a domain, OU or site, it will apply to user and computer objects below where it is linked. But if you want to force a Group Policy update on a remote server or other device, you can use Invoke-GPUpdate. Running Invoke-GPUpdate without any parameters will force an update of user and computer configuration settings on the local computer. The command below forces a Group Policy update on server1 for user configuration settings only:

Invoke-GPUpdate -Computer "ad\server1" -Target "User"

Reviewing which GPOs are applied to a user or computer

To get information about which GPOs are applied to a user or computer, you can generate a Resultant Set of Policy (RSoP) report using the Get-GPResultantSetOfPolicy cmdlet. The command below generates a report for the computer called “dc1” and writes the results to the c:\temp directory:

Get-GPResultantSetOfPolicy -Computer dc1 -ReportType HTML -Path c:\temp\dc1rsop.html

Figure 4. How to get information about which GPOs are applied to a user or computer
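As an added example (not from the article), the cmdlets above combine into a small audit script: it lists every GPO in the domain, where each one is linked, and whether it sets the screensaver timeout policy used earlier, then flags GPOs that are linked nowhere or set a non-standard timeout. The registry key and value name are the ones from the article; the 300-second baseline is an assumption for the illustration.

```powershell
# Added example (not from the article): audit all GPOs for links and for one
# registry-based setting. Key and value name are from the article above.
Import-Module GroupPolicy

$key       = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$valueName = 'ScreenSaveTimeOut'
$baseline  = 300   # assumed organisational standard, in seconds

function Get-GpoAuditRow {
    param([Parameter(Mandatory)] $Gpo)

    # The XML report contains one LinksTo element per site/domain/OU the GPO is linked to.
    [xml]$report = Get-GPOReport -Guid $Gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath } | Where-Object { $_ })

    # Get-GPRegistryValue throws a terminating error when the value is not configured
    # in the GPO, so treat that as "not set" rather than aborting the whole run.
    try {
        $timeout = (Get-GPRegistryValue -Guid $Gpo.Id -Key $key -ValueName $valueName -ErrorAction Stop).Value
    } catch {
        $timeout = $null
    }

    [pscustomobject]@{
        Name              = $Gpo.DisplayName
        Status            = $Gpo.GpoStatus
        Modified          = $Gpo.ModificationTime
        LinkedTo          = if ($links.Count -gt 0) { $links -join '; ' } else { '(unlinked)' }
        ScreenSaveTimeOut = $timeout
    }
}

$rows = Get-GPO -All | ForEach-Object { Get-GpoAuditRow -Gpo $_ }

# Unlinked GPOs are easy to link by accident later; a timeout that differs from the
# baseline is a policy drift worth a look. Both are reported together.
$rows |
    Where-Object { $_.LinkedTo -eq '(unlinked)' -or ($null -ne $_.ScreenSaveTimeOut -and $_.ScreenSaveTimeOut -ne $baseline) } |
    Sort-Object Name |
    Format-Table Name, Status, Modified, LinkedTo, ScreenSaveTimeOut -AutoSize
```

Get-GPOReport is called once per GPO, so in a large domain the script takes a while; drop the `Where-Object` line to see the full inventory instead of only the findings.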


How to Enable SQL Server Audit and Review the Audit Log

Russell Smith
IT Consultant, PowerShell Expert

Auditing Microsoft SQL Server is critical to identifying security issues and breaches. In addition, auditing SQL Server is a requirement for compliance with regulations like PCI DSS and HIPAA.

The first step is to define what to audit. For example, you might audit user logins, server configuration, schema changes and data modifications. Next, you have to choose which security auditing features to use. Useful features include the following:

• C2 Auditing
• Common Compliance Criteria
• Login Auditing
• SQL Server Auditing
• SQL Trace
• Extended Events
• Change Data Capture
• DML, DDL, and Logon Triggers

This article is for database administrators (DBAs) who are looking at using C2 auditing, Common Compliance Criteria and SQL Server Auditing. We will not be looking at any third-party auditing tools, though they can be of great help, especially for larger environments and in regulated industries.

Enabling C2 Auditing and Common Criteria Compliance

If you aren’t currently auditing your SQL Server, the easiest place to start is by enabling C2 auditing. C2 auditing is an internationally accepted standard that can be turned on in SQL Server. It audits events like user logins, stored procedures, and the creation and removal of objects. But it is all or nothing — you can’t choose what it audits, and it can generate a lot of data. Furthermore, C2 auditing is in maintenance mode, so it will likely be removed in a future version of SQL Server.

Common Criteria Compliance is a newer standard that supersedes C2 auditing. It was developed by the European Union and can be enabled in Enterprise and Datacenter editions of SQL Server 2008 R2 and later. But it can cause performance issues if your server isn’t sufficiently spec’d to cope with the extra overhead.

Here’s how to enable C2 auditing in SQL Server 2017:

1. Open the SQL Server Management Studio.

2. Connect to the database engine for which you want to enable C2 auditing. In the Connect to Server dialog, make sure that Server type is set to Database Engine and then click Connect.

3. In the Object Explorer panel on the left, right-click your SQL Server instance at the top and select Properties from the menu.

4. In the Server Properties window, click Security under Select a page.

5. On the Security page, you can configure login monitoring. By default, only failed logins are recorded. Alternatively, you can audit just successful logins, or both failed and successful logins.


6. Check Enable C2 audit tracing under Options.

7. If you want to enable C2 Common Criteria Compliance auditing, check Enable Common Criteria compliance.

Common Criteria (CC) Compliance is a flexible standard that can be implemented with different Evaluation Assurance Levels (EALs), from 1 to 7. Higher EALs have a more demanding verification process. When you check Enable Common Criteria compliance in SQL Server, you are enabling CC Compliance EAL1. It is possible to configure SQL Server manually for EAL4+.

Enabling CC Compliance changes SQL Server behavior. For example, table-level DENY permissions will take precedence over column-level GRANTs, and both successful and failed logins will be audited. In addition, Residual Information Protection (RIP) is enabled, which overwrites memory allocations with a pattern of bits before they are used by a new resource.

8. Click OK.

9. Based on the selected options, you might be prompted to restart SQL Server. If you get this message, click OK in the warning dialog. If you enabled C2 Common Criteria Compliance, reboot the server. Otherwise, right-click your SQL Server instance in Object Explorer again and select Restart from the menu. In the warning dialog, click Yes to confirm that you want to restart SQL Server.

Figure 1. Configuring access auditing

Enabling SQL Server Audit

SQL Server auditing can be enabled instead of C2 auditing; you can also choose to enable both. SQL Server Audit objects can be configured to collect events at the server level or the SQL Server database level.

Create Server Audit Object

Let’s create a server-level SQL Server audit object:

1. In the Object Explorer panel on the left, expand Security.

2. Right-click Audits and select New Audit… from the menu. This will create a new SQL Server Audit object for server-level auditing.

3. In the Create Audit window, give the audit settings a name in the Audit name field.

4. Specify what should happen if SQL Server auditing fails using the On Audit Log Failure option. You can choose Continue or choose to shut down the server or stop database operations that are audited. If you select Fail operation, database operations that are not audited will continue to work.


5. In the Audit destination dropdown menu, you can choose to write the SQL audit trail to a file or to audit events in the Windows Security log or Application event log. If you choose a file, you must specify a path for the file.

Note that if you want to write to the Windows Security event log, SQL Server will need to be given permission. For the sake of simplicity, select the Application event log. Additionally, you can include a filter as part of the audit object to provide a narrow set of results; filters must be written in Transact-SQL (T-SQL).

6. Click OK.

7. You will now find the new audit configuration in Object Explorer below Audits. Right-click the new audit configuration and select Enable Audit from the menu.

8. Click Close in the Enable Audit dialog.

Figure 2. Creating a server-level SQL Server audit object

Create Database Audit Object

To create a SQL Server audit object for database-level auditing, the process is a little different and you need to create at least one server-level audit object first.

1. Expand Databases in Object Explorer and expand the database on which you want to configure auditing.

2. Expand the Security folder, right-click Database Audit Specifications and select New Database Audit Specification… from the menu.

3. In the Properties window under Actions, use the dropdown menus to configure one or more audit action types, selecting the statements you want to audit (such as DELETE or INSERT), the object class on which the action is performed, and so on.

4. When you’re done, click OK and then enable the audit object by right-clicking it and selecting Enable Database Audit Specification.

Figure 3. Creating a server audit specification for database-level auditing


Viewing SQL Server Audit Logs

C2 audit logs for SQL Server are stored in the default data directory of the SQL Server instance. Each log file can be a maximum of 200 megabytes. A new file is automatically created when the limit is reached.

The recommended native tool for viewing SQL Server audit logs is Log File Viewer. To use it, take the following steps:

1. In SQL Server Management Studio, in the Object Explorer panel, expand Security and Audit.

2. Right-click the audit object that you want to view and select View Audit Logs from the menu.

3. In the Log File Viewer, the logs will be displayed on the right side. Regardless of whether the logs are written to a file or to the Windows Event Log, Log File Viewer will display the logs.

4. At the top of Log File Viewer, you can click Filter to customize which log entries are displayed. SQL Server file logs are saved in the binary .sqlaudit format and are not human-readable, so Log File Viewer lets you click Export to save logs in a comma-delimited .log file format.

Figure 4. Reviewing SQL Server audit logging in the Log File Viewer
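The following is an added example, not from the article: the server-level audit and specification from the steps above, created with T-SQL through Invoke-Sqlcmd (SqlServer module) so it can be repeated identically on every instance, followed by a query that reads the binary .sqlaudit files directly with sys.fn_get_audit_file instead of going through Log File Viewer. The instance name, the audit names and the file path are assumed placeholders.

```powershell
# Added example (not from the article): scripted SQL Server Audit setup and review.
# $instance, $auditPath and the audit object names are placeholders.
Import-Module SqlServer
$instance  = 'SQL01'
$auditPath = 'D:\SQLAudit\'   # must exist and be writable by the SQL Server service account

$createAudit = @"
USE master;
-- Audit object: where events are written and what happens if writing fails.
-- ON_FAILURE = CONTINUE matches the wizard's "Continue" choice; SHUTDOWN or
-- FAIL_OPERATION are the stricter alternatives described above.
CREATE SERVER AUDIT [ServerAudit_Security]
TO FILE (FILEPATH = N'$auditPath', MAXSIZE = 200 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

-- Server audit specification: the action groups to capture. AUDIT_CHANGE_GROUP
-- records anyone altering or disabling the audit itself.
CREATE SERVER AUDIT SPECIFICATION [ServerAuditSpec_Security]
FOR SERVER AUDIT [ServerAudit_Security]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);

-- Audit objects are created disabled; switch the audit on last.
ALTER SERVER AUDIT [ServerAudit_Security] WITH (STATE = ON);
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $createAudit

# Review: read the .sqlaudit files for the last 24 hours and keep every failed event
# plus everything that is not a plain login (LGIS = login succeeded, LGIF = login failed),
# i.e. role membership, principal and audit changes. event_time is stored in UTC.
$review = @"
SELECT event_time, action_id, succeeded, server_principal_name, client_ip, statement
FROM sys.fn_get_audit_file(N'$auditPath*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time > DATEADD(hour, -24, GETUTCDATE())
  AND (succeeded = 0 OR action_id NOT IN ('LGIS', 'LGIF'))
ORDER BY event_time DESC;
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $review | Format-Table -AutoSize
```

Reading the files with sys.fn_get_audit_file needs CONTROL SERVER permission, and the query runs on the instance, so the path is interpreted on the SQL Server host, not on the machine running PowerShell.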


How to Use SharePoint Item-Level Permissions

Jeff Melnick
IT Security Expert, Blogger

SharePoint item-level permissions affect the management of lists, folders and documents and the viewing of items and application pages. These permissions can be grouped together to create permission levels, which can be assigned to users and groups directly. These permissions consist of three groups:

▪ List Permissions — Permissions for managing items and alerts
▪ Site Permissions — Permissions for managing subsites
▪ Personal Permissions — Permissions for managing personal views, profiles and personal web parts

Managing SharePoint Item-Level Permissions

You can define which item permissions are available for a site by using the “User Permissions” menu in the Web Application settings. Don’t be confused because the name of the menu is similar to “User Policy”; it is a different thing.

Removing Permissions

To remove item-level permissions from a site, click on the “User Permissions” menu and uncheck the permissions you don’t want to be available on the site. Then click the “Save” button to apply your changes.

Managing Permission Levels

To manage the permission levels for a site, navigate to “Site Permissions” in the site settings and click the “Permission Levels” button. Here are the default permission levels:

▪ Full Control — Full control on the site
▪ Design — View, add, update, delete, approve and customize
▪ Edit — Add, edit and delete lists; view, add, update and delete list items and documents
▪ Contribute — View, add, update, and delete list items and documents
▪ Read — View pages and list items and download documents
▪ Limited Access — View specific lists, document libraries, list items, folders, or documents when given permissions

To create a custom permission level, click the “Add a Permission Level” button, specify a name and description, and select a combination of item-level permissions appropriate for this custom permission level. You can use the “Select All” check box to select or clear all permissions. When you click the “Create” button, your new permission level will be added to the list and you can assign it to any group on the site.


To delete a permission level, simply select it and click the “Delete Selected Permission Levels” button. You can delete any custom permission level and any default permission level except Full Control and Limited Access.

In addition to using permission levels, you can also define Site Collection Administrators, who have full control permissions on the site by default. To do this, simply click the “Site Collection Administrators” button on the “Site Permissions” menu, choose the accounts that should be able to manage the site, and click “OK”.

Assigning Permissions Directly

Most permissions to objects are obtained from the permissions assigned to SharePoint and Active Directory groups. However, you can also assign permissions to the items stored on a SharePoint site directly, by taking the following steps:

1. Click on the item and then click the “Shared With” button on the “Files” tab. Click “Advanced” to see what permissions these users or groups have to the item. You will see the list of users who have access to the item.

2. Break inheritance for the item by clicking the “Stop inheriting permissions” button.

3. Click the “Grant Permissions” button and enter the name of the user or group you want to grant permissions to.

4. Click “Show Options” and select the permission level you want to grant to the user or group.

5. Click “Share” and the group or user will be added to the list and your document will have the specified unique permissions.

To remove permissions from a user or a group, select the user or group and click the “Remove User Permissions” button. To edit the permissions of a user or a group, simply select the user or group, click the “Edit User Permissions” button, select the new permissions, and click “OK”.

Note that assigning unique permissions to SharePoint items is not recommended by best practices because it breaks permission inheritance: an item with unique permissions no longer follows changes made to its parent, so every such item has to be reviewed and maintained on its own. If you want to remove all unique permissions from a document, click the “Delete Unique Permissions” button.

These are all the ways you can manage SharePoint item-level permissions via the SharePoint Central Administration console. You can also manage these permissions using Microsoft PowerShell; that’s a topic for another article, but here is a list of the most useful PowerShell commands for SharePoint. Don’t forget to track and document every change made to permissions in SharePoint to help keep it secure and compliant.
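Because items with unique permissions are exactly the ones the “Shared With” dialog hides from anyone looking at the site as a whole, a practitioner usually wants an inventory of them. The script below is an added example and not the article’s own code: for on-premises SharePoint Server it walks every visible list in a site, reports each item or folder that has stopped inheriting, the principals that hold permissions on it and their permission levels, and can optionally reset those items to inherited, which is the scripted counterpart of the “Delete Unique Permissions” button. The site URL is a placeholder, and the SharePoint Management Shell snap-in is assumed to be available.

```powershell
# Added example (not from the original article): inventory items with unique
# permissions in one site and optionally reset them to inherit from the parent.
# Assumes on-premises SharePoint Server; the site URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl          = 'http://intranet.contoso.local/sites/finance'   # placeholder
$resetToInherited = $false   # set to $true only after the report has been reviewed

$web = Get-SPWeb $siteUrl
try {
    $report = foreach ($list in $web.Lists | Where-Object { -not $_.Hidden }) {
        # $list.Items excludes folders, so folders are enumerated separately.
        # Enumerating Items on a very large list is slow; scope to the lists you care about if needed.
        foreach ($item in @($list.Items) + @($list.Folders)) {
            if (-not $item.HasUniqueRoleAssignments) { continue }

            # One row per principal that has been granted something directly on this item.
            foreach ($ra in $item.RoleAssignments) {
                [pscustomobject]@{
                    List      = $list.Title
                    Item      = $item.Url
                    Principal = $ra.Member.Name
                    Levels    = ($ra.RoleDefinitionBindings | Select-Object -ExpandProperty Name) -join ', '
                }
            }

            if ($resetToInherited) {
                # Same effect as "Delete Unique Permissions" in the UI: the item goes back
                # to the parent's permissions and the direct grants above disappear.
                $item.ResetRoleInheritance()
            }
        }
    }

    $report | Sort-Object List, Item | Format-Table -AutoSize
    # Keep the evidence: this CSV is the "before" record if you later reset inheritance.
    $report | Export-Csv -Path "$env:TEMP\unique-permissions.csv" -NoTypeInformation
}
finally {
    $web.Dispose()
}
```

Run it with $resetToInherited left at $false first; the CSV tells you who loses what if you clean up, and it doubles as the change record the article asks you to keep.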


Top 3 Audit Challenges and How to Overcome Them

Brian Johnson
IT Security & Risk Consultant, Entrepreneur

No matter what role you play in the audit process, the experience can be painful. If you’re an external consultant, you have to work with clients who have limited budgets and high expectations. And if you’re an internal IT/security auditor, you might have to wade through a sea of internal politics to get your work completed and pass internal audits.

In this blog post, I describe the 3 most common audit issues I’ve faced over the past 15 years and share some tips that have helped me be more successful in conducting external audits. I hope they will help you overcome similar challenges you are facing in your work.

Lack of communication undermines your work

If the organization you are auditing doesn’t understand the scope and purpose of your audit program, you risk creating an environment in which the people you’re interviewing become less helpful and more tight-lipped with their answers — even to the point of being hostile. Here are some ways to avoid this trap and develop a healthy, trusting work relationship instead:

• Avoid techno-babble; it just leads to confusion and lost opportunities. As an auditor, you’re probably super comfortable with all the acronyms and jargon that go along with your line of work, but don’t assume that your clients are. As you ask your audit questions, remember to keep them in simple terms whenever possible. You could be asking extremely technical things from staff members who aren’t extremely technical. If you ask something and get a room full of blank stares, try explaining it a different way or using an example. For instance, when I ask about a firm’s network perimeter protections, I don’t mention things like “IDS/IPS” and “next-gen AV.” Instead, I start with something like, “Tell me a little about your firewall — is it just doing traditional blocking or does it include more advanced technology that does extra things like scanning for viruses or blocking people from viewing certain websites?”

• Make friends with IT and security staff. On many of my audit engagements, my initial conversations are with a C-level business executive, but the bulk of the actual assessment is done with a member of the IT or security staff. Understandably, these folks can feel threatened and get a little defensive when they have to explain to a stranger how the network is architected and secured. The two best ways I’ve found to ease the tension are kindness and food. Bring donuts to your first meeting with the client’s IT/security department. As conversations get rolling, provide some assurances like, “Just to be clear, my job here isn’t to criticize the work you’re doing. I want to work together with you to identify risks and then help you make a remediation plan. And I want to hear your insights about what this company needs to better protect its people and data. Maybe you’ve wanted a SIEM and the security automation capabilities that come with it for years but nobody will listen. Part of my job is to support you and echo these types of requests to management. Ultimately, I want to try to get you some of the things you want.” Once the team sees you are on their side, your questions will be answered with more honesty, the audit evidence will be more accurate, the audit quality will be higher, and everyone will get more value out of the assessment.

Scope creep costs everyone time and money

Once an audit starts, it’s easy for discussions to get off topic, and before you know it you’re spending time talking about and working on things that are out of scope. It’s natural to want to help, but after a while you will likely find that all these extra little pockets of time can cost you and the organization you’re auditing a lot of time and money.

Know that there’s nothing wrong with defining your scope — and sticking to it — during an engagement. Since most organizations have to comply with one or more regulatory standards (the Sarbanes-Oxley Act, PCI, HIPAA, GDPR, etc.), use the internal controls those standards require of the organization as your compass. It will help guide your work and keep everybody on task and on track.

If the client insists on asking for your opinion and time on out-of-scope items, clearly they value your expertise. Explain that any questions outside the initial scope qualify for a new project, which will cost additional time and money, especially if your audit fees are billed by project. Make these kinds of requests easy on clients by having a change order form on hand so they can approve the additional hours quickly. That way, it’s a win for everybody.

Audits that are full of shame and blame are demeaning and unproductive

I think it’s easy — and tempting — to write your audit assessment with a scathing or accusatory tone, thinking that if you fill the report with enough high-severity findings you will get management motivated to start remediating things. Instead, what often happens is the IT/security staff (the responsible ones who are actually trying to make things better) get reprimanded for your findings, their team morale takes a hit, and everybody suffers audit fatigue from your thousand-page report.

Instead of focusing on reprimands, focus on remediation. At the end of the day, most companies know they have issues, and they’re looking to you for help and guidance. One item I include with my deliverables as a result of the audit is a security action plan that offers remediation guidance for each identified risk, along with the expected time and costs. That way, clients can couple the detailed audit report with the security action plan and essentially have a playbook they can follow to actually make the organization better! That’s what we as consultants and auditors want for our clients and organizations, and that’s why we got into the audit profession in the first place, right?

Unemployment in the audit industry remains extremely low, and the pool of IT and security auditors is only growing larger. If you’re an auditor, that means you will have to work even harder to differentiate yourself in the market. I hope this information helps you increase your effectiveness and ensure your future audits have a positive impact while staying within scope and budget. Most of all, I hope it provides a great deal of value and makes your organization more secure.


FREE TOOL OF THE MONTH

Netwrix Account Lockout Examiner

Want to spend less time handling account lockout issues in AD? Try this freeware account lockout tool that alerts you to account lockouts in real time and helps you quickly troubleshoot and resolve them.


How-to for IT Pro

How to Get User Login History

1. Open the PowerShell ISE → Run the following script, adjusting the timeframe:

# Find DC list from Active Directory
Import-Module ActiveDirectory
$DCs = Get-ADDomainController -Filter *

# Define time for report (default is 1 day)
$startDate = (Get-Date).AddDays(-1)

# Store successful logon events from the security logs with the specified dates and
# workstation/IP in an array. Append per DC: assigning instead of appending would keep
# only the events from the last DC queried.
# Get-EventLog exists only in Windows PowerShell (5.1 and earlier); on PowerShell 7 use Get-WinEvent.
$slogonevents = @()
foreach ($DC in $DCs){
  $slogonevents += Get-EventLog -LogName Security -ComputerName $DC.HostName -After $startDate |
    Where-Object {$_.EventID -eq 4624}
}

# Crawl through events; print all logon history with type, date/time, status,
# account name, computer and IP address if user logged on remotely.
# ReplacementStrings positions for event 4624: [5] TargetUserName, [8] LogonType,
# [11] WorkstationName, [18] IpAddress.
foreach ($e in $slogonevents){
  # Logon Successful Events
  # Local (Logon Type 2)
  if (($e.EventID -eq 4624) -and ($e.ReplacementStrings[8] -eq 2)){
    Write-Host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
  }
  # Remote (Logon Type 10)
  if (($e.EventID -eq 4624) -and ($e.ReplacementStrings[8] -eq 10)){
    Write-Host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]
  }
}

2. Review the results.
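The same report built with Get-WinEvent, added here as an example that is not part of the original how-to. It reads the 4624 fields by name from the event XML instead of by ReplacementStrings position (so it survives the fields Microsoft appends to the event in newer Windows versions), pushes the logon-type filter into the query so only interactive (2) and RemoteInteractive (10) logons cross the network, drops machine-account and SYSTEM logons, and returns objects you can export rather than text. Two caveats a practitioner should keep in mind: event 4624 is written on the machine where the session is created, so querying the domain controllers shows logons to the DCs themselves, not to every workstation in the domain; and Get-WinEvent needs remote event log access (the Event Log Readers group is the usual minimum) on each host it queries.

```powershell
# Added example (not from the original how-to): 4624 logon history by field name
# with Get-WinEvent, restricted to logon types 2 and 10 at the query.
Import-Module ActiveDirectory

$startDate = (Get-Date).AddDays(-1)

# The Security log XPath filter expresses the window as milliseconds back from now.
$ms    = [int64]((Get-Date) - $startDate).TotalMilliseconds
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
         "and EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # -ErrorAction SilentlyContinue suppresses the "No events were found" error on quiet hosts.
    $events = Get-WinEvent -ComputerName $dc.HostName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Build a name -> value map from <EventData><Data Name="...">...</Data></EventData>
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Machine accounts (NAME$) and the SYSTEM SID are not user activity; skip them.
        if ($data['TargetUserName'] -like '*$' -or $data['TargetUserSid'] -eq 'S-1-5-18') { continue }

        [pscustomobject]@{
            DC          = $dc.HostName
            Time        = $e.TimeCreated
            Type        = $(if ($data['LogonType'] -eq '10') { 'Remote' } else { 'Local' })
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation = $data['WorkstationName']
            IPAddress   = $data['IpAddress']   # '-' for local logons
        }
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
# Objects instead of Write-Host text: the same data can be exported or fed to a SIEM.
$report | Export-Csv -Path "$env:TEMP\logon-history.csv" -NoTypeInformation
```

To extend the report to other session types, add the matching Data[@Name='LogonType'] value to the XPath (7 for unlock, 11 for cached credentials) and the Type expression; to cover workstation logons, point the outer loop at the computers in question or at the collector that receives their forwarded Security logs.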
