Change Tracking – How secure is it?

I'm often asked "How secure is Change Tracking?", and whether it can be referred to as Auditing. The correct answer is:

The Change Tracking log is as secure as the ISA configuration it documents. No more, no less.

No more: Change Tracking is not intended to be a hacker-proof, audit-trail-providing feature. A bad guy with sufficient permissions to change the ISA configuration can use the same permissions to change the log and cover his tracks. Change Tracking will only provide an additional hoop that the prospective bad guy needs to jump through. A determined attacker will be able to overcome it using a number of ways: running a pre-SP1 management console (which doesn't honor Change Tracking settings), changing ISA configuration directly via regedit and/or ADAM-ASDIEdit, tampering with the log using COM scripts, and many other ways.

No less: Change Tracking goes in-line with the ISA configuration permission model. This means that an array administrator can write only to his array's change log, that an enterprise policy editor can write only to his policy's log, that auditor roles can only view change logs, and the an enterprise administrator can write to all logs.

So is this auditing? Now that you have the facts, you can decide whether it fits into your definition of auditing, or more to the point, to the level of security you're aiming for.


-Jonathan Barner, ISA Sustained Engineering Team

Comments (5)

  1. Anonymous says:

    Today, I’d like to go over a major Change Tracking design aspect: Change Tracking is a client-side feature

  2. Log management scripts are on my to-do list.

    -Jonathan Barner, ISA Sustained Engineering Team

  3. Anonymous says:


    I have no yet seen any information on where the actual tracking information is stored?

    Is it a new log file or is it stored within the ADAM configuration data on the CSS?

    Many Thanks


  4. Hi Jason,

    The log is saved to ISA storage registry/CSS. It is actually an XML, saved as a VPS string. For now this is not exported / imported by std export/import operation, but can be exported via script for backup and other purposes.

  5. Anonymous says:

    Thanks Yuri.

    It would be handy for DR purposes to get some visibility on an example script. I know you guys are busy though 😉

Skip to main content