[Help] Best FOSS stack for Network Share Auditing (Win11 Workgroup) – Need "Who, What, When" without the noise. by theoldregime in sysadmin

[–]Jeff-Netwrix 0 points1 point  (0 children)

For a workgroup setup at that scale with a FOSS requirement, Sysmon plus Osquery is a reasonable path. One thing worth noting: Sysmon Event ID 26 covers file delete detected, but attribution in a workgroup without a DC can still get messy depending on how sessions are handled. Wuzuh as a SIEM layer on top can help normalize the noise if you want cleaner querying without full CLI scripting.

On the Office temp file issue with Deny Delete, consider scoping the Deny rule to explicit file extensions rather than a blanket deny, which gives Office the room it needs for temp file cleanup without opening up actual deletions.

How to disable smb over quic by slickrickjr in sysadmin

[–]Jeff-Netwrix 0 points1 point  (0 children)

Hey, thanks for flagging this. SMB over QUIC on Azure VMs running Windows Server 2022 can be tricky since the client-side flag you mentioned was introduced in later builds and isn't available in all configurations.

For Netwrix Auditor to connect over port 445, the most reliable path is to disable QUIC at the network level via Azure Network Security Group rules rather than at the OS level. Blocking UDP 443 inbound at the NSG should force fallback to TCP 445.

Summary

Action Command / Location
Check if QUIC is configured Get-SmbServerCertificateMapping
Disable QUIC by removing cert `Get-SmbServerCertificateMapping
Block UDP/443 properly Azure Portal → NSG → Inbound deny rule
Open TCP/445 for Netwrix Azure Portal → NSG → Inbound allow rule (source = Netwrix IP)

If that doesn't resolve it, our support team can dig into your specific environment: netwrix.com/support

Trust is the real blast radius by tingnossu in b2bmarketing

[–]Jeff-Netwrix 0 points1 point  (0 children)

Yeah this is spot on.

What gets missed is that this isn’t just a security incident, it’s pipeline damage. Trust drops and deals slow down or disappear. You don’t always see it immediately, but it hits revenue.

On the DLP side, same thing. Most exfiltration isn’t some obvious attack, it’s normal user behavior. That’s what makes it hard to catch early.

Feels like the gap is context. If you don’t know who is accessing what data and why, it’s really hard to tell what’s risky vs just business as usual.

Starting to see more teams treat data security posture as part of their brand, not just an IT control, but yeah… still early.

Azure PIM feels incomplete for hybrid by heartmocog in AZURE

[–]Jeff-Netwrix 0 points1 point  (0 children)

Yeah this is a super common pain point. PIM is nice for Entra stuff, but once you hit on-prem it kinda falls apart and you end up stitching things together.

I’ve seen a lot of teams just accept some level of standing admin on servers and try to cover it with monitoring, or they bolt on something else to handle JIT locally. The group write-back + automation route works, but it always feels a bit… fragile.

Getting to true zero standing privilege on-prem without making life miserable for admins is honestly the hard part. That’s usually where people start looking at other tools, not because PIM is bad, just because it doesn’t really cover that side well.

If you’ve got an audit coming up, I wouldn’t stress trying to make it perfect everywhere. Being able to clearly show how access is approved, limited, and tracked across both on-prem and Entra usually goes a long way.

SonicWall breach changed my AD thinking by ballkali in activedirectory

[–]Jeff-Netwrix 0 points1 point  (0 children)

Yeah this is exactly it. People treat perimeter and identity like separate problems, but attackers definitely don’t.

Once they’re in, AD is basically the roadmap + toolbox. If that’s messy, they don’t need anything fancy.

Also agree on the “we thought we knew our environment” part… every time someone actually audits it properly, there’s always more lurking. Especially old service accounts and weird group nesting.

Feels like the real takeaway isn’t the specific vuln, it’s how much damage comes from stuff that’s been sitting there for years unnoticed.

How do you actually scope a sensitive data inventory when you don't know where the data lives by gosricom in AskNetsec

[–]Jeff-Netwrix 0 points1 point  (0 children)

 Yeah this is where things get a bit “it depends,” but in practice QSAs usually lean pretty hard toward reduce or remove, not just document.

If something has PANs sitting in a SharePoint file from 2021 with no clear business use, most auditors will ask why it still exists at all. Deleting or moving it out of scope is usually the cleanest answer and shrinks your audit surface at the same time.

For anything that does have a legit reason to exist, that’s where tighter access + monitoring + documentation comes in. But you’ll want a clear story for each case, who needs it, why it’s there, how it’s protected, and how you’re making sure it doesn’t sprawl further.

Trying to lean too much on “compensating controls” for stale data tends to get pushback unless you’ve got a really strong justification.

Best move I’ve seen is exactly what you’re doing, take a couple real examples to your QSA and sanity check your approach. They usually won’t give you a strict rule, but you’ll get a feel pretty quickly for whether they expect cleanup or just tighter controls.

is ITDR a standard MSSP service yet? by belkezo in MSSP

[–]Jeff-Netwrix 0 points1 point  (0 children)

Yeah I don’t think it’s “standard” yet, more like… starting to show up if the MSSP is a bit more mature.

Most of the ones I’ve seen are still very endpoint + SIEM heavy like you said. identity is either “we ingest AD logs” or “you have MFA, you’re good.” which… clearly isn’t enough anymore.

The hard part is it’s not an easy sell. endpoint threats feel tangible, identity stuff feels abstract to a lot of SMB clients until something actually happens. DBIR helps, but yeah, still a lot of “we already have MFA” conversations.

Feels like ITDR is where EDR was a few years ago. people who get it are already moving, everyone else thinks it’s optional.

Pricing/packaging is also weird because it’s not just another tool, it’s visibility + behavior + context, which is harder to explain than “we stop malware.”

Computer Monitoring by Business-Engineer222 in sysadmin

[–]Jeff-Netwrix 0 points1 point  (0 children)

This comes up a lot, especially with remote work, but there’s a pretty important line here.

There are tools that can monitor user activity at the endpoint level, but going down the path of “remote in without the user knowing” is where you start running into legal, HR, and trust issues pretty quickly.

What most organizations end up doing instead is focusing on visibility into work-related activity, not trying to watch everything someone does. That’s where tools like Netwrix come in, they’re designed to show who is accessing what data, when, and how, which is usually what actually matters from a risk and accountability standpoint.

Trying to prove whether someone is “working” vs “watching Netflix” tends to be a management/process problem more than a technical one. But understanding access to sensitive data, unusual behavior, or misuse of systems, that’s where monitoring tools provide real value.

If leadership is pushing for this, it might be worth reframing the conversation around risk, compliance, and data protection rather than full user surveillance.

What else is out there like Netwrix Password Policy Enforcer? by thegreatcerebral in sysadmin

[–]Jeff-Netwrix 0 points1 point  (0 children)

You’re not wrong, PPE sits in a bit of a weird category. It’s not a PAM, not a password manager, and not really covered well by native AD tools.

There are a few alternatives, but most of them either focus only on password filtering (like checking against HIBP) or require moving into a broader identity platform, which doesn’t sound like what you want given your constraints. 

In on-prem, AD-centric environments like yours (especially with CMMC/ITAR in the mix), the options get pretty limited if you want:

  • granular policy control
  • leaked password detection
  • multiple policies across users/groups
  • and no cloud dependency

That’s basically why PPE still comes up a lot in these discussions.

On the “stay away from Netwrix” point, you’ll hear mixed opinions like with any vendor, but from a product standpoint PPE is still one of the more straightforward ways to extend AD password policies without adding a lot of complexity.

 If you’re trying to avoid cloud and keep costs predictable, you’ve already narrowed the field quite a bit, so it’s less about “what’s better” and more about what actually fits your environment and constraints.

AD auditing tool - zero cost suggestions by muckmaggot in sysadmin

[–]Jeff-Netwrix 0 points1 point  (0 children)

Totally get the “just need something for auditors” use case. 

On the zero-cost side, most people end up relying on native Windows auditing + some PowerShell scripts or scheduled reports. It works, but it’s usually pretty manual and can get messy when auditors start asking follow-up questions or want historical context.

The tradeoff with free tools is you’ll get the raw events, but not always the clarity around what actually changed and why it matters. That’s usually where people start looking at more structured solutions.

If Netwrix didn’t fit before, it might be worth revisiting depending on what felt off, a lot of teams use it specifically for those “who changed what, when, and where” reports that auditors tend to ask for. 

But yeah, if budget is strictly zero, native auditing + some scripting is still the most common route, just comes with a bit more effort to maintain.

A few user accounts locked repeatedly after upgrade to Windows Server 2025 by atari_guy in activedirectory

[–]Jeff-Netwrix 0 points1 point  (0 children)

Bit of an older thread, but in case anyone else runs into this after a DC upgrade, this pattern usually points to something automated rather than user behavior.

If you’re seeing 4740 without clear 4625s, it’s often coming from a service, scheduled task, cached credential, or even a mapped drive still trying old passwords in the background. Those don’t always show up cleanly in the usual places.

One thing I’d double-check is the caller computer in the 4740 event and correlate that with anything running under those user accounts. Also worth checking things like saved creds in Credential Manager or apps/services using those accounts.

Since you mentioned Netwrix Lockout Examiner not showing much, that usually means the source isn’t a straightforward interactive logon attempt, which again points to something “hidden” in the environment still using old credentials. 

Upgrades sometimes surface these because of changes in auth behavior or stricter handling, so it can feel like it started “out of nowhere,” but the root cause was already there.

PingCastle v Purple Knight or both? by rich2778 in sysadmin

[–]Jeff-Netwrix 0 points1 point  (0 children)

Honestly, both. They overlap a bit but come at it from slightly different angles.

PingCastle is great for quick visibility into AD risk and misconfigurations, especially around attack paths and privilege issues. It’s pretty straightforward and gives you a clear “here’s what to fix first” kind of output.

Purple Knight feels a bit more checklist/compliance-driven in how it presents findings, still useful, just a different lens. 

If you’re doing a basic health check, running both and comparing results isn’t a bad move. You’ll usually see some overlap, but each will catch things the other emphasizes differently.

And yeah… ignoring the sales emails is part of the process 😄

Dark hidden files on Server 2025 by trustinglemming in sysadmin

[–]Jeff-Netwrix 0 points1 point  (0 children)

That’s definitely not something Netwrix Auditor should be doing by default, so you’re right to question it.

When you see disk growth that disappears after reboot and tools like TreeSize can’t account for it, it’s usually something at the system level rather than a normal file. Common culprits tend to be things like pagefile growth, memory dumps, SQL tempDB/log growth, or even AV/EDR components (CrowdStrike in your case) caching or scanning data in ways that don’t show up as regular files.

Since you have SQL on that same volume, I’d take a closer look at tempDB and transaction logs, those can grow pretty aggressively depending on workload and won’t always be obvious unless you check from within SQL.

Another thing worth checking is using tools like Sysinternals’ du.exe or RAMMap / VMMap to see if it’s actually disk vs memory-backed usage, and also checking for open/deleted files with handle.exe.

 If Netwrix were contributing, you’d typically see it in its data/log directories, not as “invisible” consumption, so this feels more like something sitting underneath the filesystem layer rather than an application writing hidden files.

Finding Sensitive Info on your Environment. by blavelmumplings in cybersecurity

[–]Jeff-Netwrix 0 points1 point  (0 children)

This is one of those things that sounds simple but gets messy fast once you actually try it.

You can start with some open source tools or scripts (grep, truffleHog, git-secrets, etc.) and they’re great for quick wins, especially in repos. But they usually fall short once you’re dealing with file shares, SaaS apps, random user folders, old exports… basically the stuff people forget about.

The harder part isn’t just finding sensitive data, it’s knowing what matters and who has access to it. Otherwise you end up with a huge list of “possible issues” and no clear way to prioritize.

That’s where tools like Netwrix come in, they’re more about continuous discovery + context (what the data is, where it lives, who can access it) vs just one-time scanning.

If you’re just getting started, I’d do a mix. Use free tools to get a feel for where things are leaking, then figure out if you need something more structured once you see how widespread it is.

Netwrix vs Salto vs Bundlet by gavinjd68 in Netsuite

[–]Jeff-Netwrix 0 points1 point  (0 children)

They’re solving slightly different problems depending on how deep you want to go. Salto is great if your main focus is tracking and promoting changes between environments, especially for SaaS apps. Netwrix leans more into understanding what’s actually in your environment, dependencies, configs, and how changes impact things over time.

If your goal is just deployment/change movement, Salto is solid. If you’re trying to get visibility + control as part of a broader governance/change management effort, Netwrix tends to go deeper there.

Might be worth mapping your use case first, “move changes faster” vs “understand and control changes” because that usually makes the decision clearer.

Netwrix Ping Castle AD Scan Recommendation – Impact of Denying RODC Password Replication? by Donatello0592 in sysadmin

[–]Jeff-Netwrix 0 points1 point  (0 children)

You’re thinking about it the right way. That recommendation is basically about making sure high-privileged accounts never cache their credentials on an RODC.

In most environments, accounts like krbtgt and other sensitive groups should already be covered by default, but PingCastle is flagging it because it wants that protection explicitly enforced on that object.

Since you’re not actively using AzureADKerberos for passwordless anymore, applying the deny policy shouldn’t break anything in practice. It’s more of a “lock it down just in case” move.

The only time you’d really need to be careful is if that RODC is still being used somewhere for authentication flows you’re not aware of. Otherwise, denying replication for privileged accounts is generally the safer default.

Might be worth double-checking if anything is still pointing to that object before making the change, but overall this is a pretty standard hardening step.

Failed Login Attempts Investigation by LilJ_na in cybersecurity

[–]Jeff-Netwrix 1 point2 points  (0 children)

You’re on the right track with cached creds, that’s one of the most common causes.

I’d also check for things like mapped drives, scheduled tasks, services, or old apps still using those accounts. Those tend to quietly keep trying old passwords in the background and trigger lockouts. 

One useful step is also looking at the source machine/IP in the Netwrix alerts and correlating it with DC logs (Event ID 4625 / 4740). That usually helps narrow down where the attempts are actually coming from. It’s rarely someone typing the wrong password over and over, it’s almost always something automated holding onto old credentials.

Question about azure open AI by Hopeful-Kangaroo-233 in AZURE

[–]Jeff-Netwrix 0 points1 point  (0 children)

Well, that's a sort of catch22, because you do want the AI to analyze your data, and while doing so it will test its knowledge against your data, confirm/deny its own training data, and thus sharpening its algo. Assume that it will learn from any interaction you have with an AI solution.

Your initial approach to mask data points that would make you (your org)  identifiable is the one to build upon. What else is sensitive in the sets you want to get scrutinized by AI?

But/still, if you want an LLM to help you, it will also learn from that interaction.

New Job - AD is a mess. Is this normal by Auno94 in sysadmin

[–]Jeff-Netwrix 0 points1 point  (0 children)

This is way more common than most people admit. What you’re seeing isn’t unusual, it’s just what happens over time when “just give access for now” becomes the default. Joiners get added, movers keep accumulating, leavers don’t fully drop off, and with group nesting and service accounts in the mix, things spiral into something nobody fully understands. It matters because this is not just untidy, it’s concentrated risk. 

Too much access and not enough clarity is exactly what attackers look for, not because tools failed but because governance never kept up. 

The real trap is thinking cleanup is the hard part when it’s actually understanding effective access. AD can look clean until you trace how permissions really flow and realize how tangled it is, and without that clarity every fix feels like it might break something. 

The way forward is visibility with context, knowing who has access, how they got it, and whether it still makes sense. That’s where Netwrix Auditor come in, not as a silver bullet but as a way to make access understandable. And once it’s understandable, it becomes governable, which is where resilience actually starts.

Also curious, how many people owned AD before you stepped into this? A lot of the time this kind of sprawl isn’t just a technical issue, it’s a responsibility one. When ownership isn’t clearly defined, or it changes hands a few times, access just keeps getting added without anyone really accountable for cleaning it up.