Scrubbing Your Active Directory Squeaky Clean
Scrubbing your Active Directory Squeaky Clean!
Chris Radband, Senior Solutions Consultant
© 2011 NetIQ Corporation. All rights reserved.
Let's talk about…
• Cleaning up your Active Directory
• What's happening in your environment today
• Controlling changes in your environment, e.g. user lifecycle management
• Empowering the user with self-service
© 2013 NetIQ Corporation. All rights reserved.
Active Directory clean-up
Challenges of an unmanaged Active Directory Estate
• Inactive Users
• Disabled Users
• Locked out users
• Expired Users
• Passwords never set to expire
These illustrate just a few of the common security risks, performance impacts and contributors to audit failures seen in environments of all sizes.
Active Directory Environmental Clean-up
• Security Groups with no members
• Nested Security Groups
• Stale Computer Accounts
• Mixed-Naming conventions
• Reducing the number of Power Users
How do you deal with Clean-up today?
*Source: http://www.codeproject.com/Articles/18621/VBScript-to-Disable-Old-Accounts-in-Active-Directo
Scripted and manual clean-up tasks are often labour intensive, limited in functionality and inaccurate, and at worst can have all sorts of unexpected results!
Automated Clean-up of Inactive Accounts
Discovery: process runs to determine which accounts are inactive
Action: request administrator or manager approval to disable account
Remediation: account is disabled and therefore secured
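The discovery / action / remediation flow above, and the clean-up categories from the earlier slides (inactive, disabled, locked-out and expired users, passwords set never to expire, stale computer accounts, empty security groups), written out as an added PowerShell example. This is not NetIQ's code or part of the deck; it assumes the RSAT ActiveDirectory module, read access to the domain, and treats `$InactiveDays`, `$ReportPath` and the `Approved` column as site-specific placeholders. Nothing is disabled until a reviewer marks a row as approved, and `-WhatIf` rehearses the remediation first.

```powershell
# Added example, not NetIQ's code: discovery over the stale-object categories on
# the slides, a CSV for administrator/manager approval, and approval-gated remediation.
# Assumptions: RSAT ActiveDirectory module installed; $InactiveDays and $ReportPath
# are placeholders to be set per site.
Import-Module ActiveDirectory

$InactiveDays = 90                                            # assumed policy threshold
$ReportPath   = Join-Path $env:TEMP 'ad-cleanup-report.csv'   # assumed output path
$Since        = (Get-Date).AddDays(-$InactiveDays)

# --- Discovery: which objects fall into each clean-up category ----------------
function Get-CleanupFindings {
    $span = [TimeSpan]::FromDays($InactiveDays)

    # Helper: tag each object with the category it was found under.
    function Tag($category, $objects) {
        foreach ($o in $objects) {
            [pscustomobject]@{
                Finding  = $category
                Name     = $o.SamAccountName
                DN       = $o.DistinguishedName
                LastSeen = $o.LastLogonDate      # null for groups
                Approved = ''                    # reviewer fills in 'yes' to approve
            }
        }
    }

    Tag 'InactiveUser'         (Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly)
    Tag 'DisabledUser'         (Search-ADAccount -AccountDisabled -UsersOnly)
    Tag 'LockedOutUser'        (Search-ADAccount -LockedOut -UsersOnly)
    Tag 'ExpiredUser'          (Search-ADAccount -AccountExpired -UsersOnly)
    Tag 'PasswordNeverExpires' (Search-ADAccount -PasswordNeverExpires -UsersOnly)
    # Stale computers: no logon inside the window (never logged on counts as stale).
    Tag 'StaleComputer'        (Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate |
                                Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Since })
    # Empty security groups, skipping protected built-in objects.
    Tag 'EmptySecurityGroup'   (Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Members, isCriticalSystemObject |
                                Where-Object { $_.Members.Count -eq 0 -and -not $_.isCriticalSystemObject })
}

# --- Action: write the report out for administrator / manager approval ---------
function Export-CleanupReport {
    $findings = Get-CleanupFindings
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    $findings | Group-Object Finding | Select-Object Name, Count    # on-screen summary
}

# --- Remediation: only act on rows the reviewer marked Approved=yes ------------
function Invoke-ApprovedRemediation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ReviewedCsv)

    $rows = Import-Csv -Path $ReviewedCsv |
        Where-Object { $_.Approved -eq 'yes' -and $_.Finding -in 'InactiveUser','ExpiredUser','StaleComputer' }

    foreach ($row in $rows) {
        if ($PSCmdlet.ShouldProcess($row.DN, "Disable account ($($row.Finding))")) {
            Disable-ADAccount -Identity $row.DN
            # Leave an audit trail on the object itself pointing at the approval record.
            Set-ADObject -Identity $row.DN -Description "Disabled by clean-up on $(Get-Date -Format s); approval: $ReviewedCsv"
        }
    }
}

# Typical flow: run discovery, circulate the CSV, then remediate (rehearse with -WhatIf).
Export-CleanupReport
# Invoke-ApprovedRemediation -ReviewedCsv $ReportPath -WhatIf
```

Only the categories that represent a dormant account (inactive, expired, stale computer) are disabled by the remediation step; disabled, locked-out, never-expiring and empty-group findings are reported for a human to decide on, since each needs a different fix.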
What are today’s challenges, right now?
Regulatory & Oversight Pressures
Internal Audit
Board of Directors – Oversight Groups
Worst case scenario…
http://www.flickr.com/photos/teegardin/6093810333/in/photostream/
• Minimises the risk associated with operational changes
• Satisfies audit requirements and achieves compliance with regulations such as ISO 27001/2, Sarbanes-Oxley and PCI DSS
• Identifies change when it happens
• Catalogues managed and unmanaged changes
• Detects high-profile changes
• Provides detailed AD/GPO change history
• Centrally records and audits AD/GPO changes
• Integrates easily into your existing AD change process
• Feeds events back to your monitoring infrastructure
Increasing audit and compliance requirements… not to mention good practice!
Monitor for unmanaged GPO Changes
Be proactive: GPO change: Email report sent to administrators
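As an added example of the two slides above (detecting unmanaged GPO changes and e-mailing administrators), not NetIQ's code: it reads Security event 5136 ("A directory service object was modified") from each domain controller, keeps only changes to `groupPolicyContainer` objects, and flags any change not made by an account of the sanctioned change process as unmanaged. Assumptions: the "Audit Directory Service Changes" subcategory is enabled and a SACL exists on the Policies container so that 5136 is actually logged; `$ApprovedChangeAccounts`, the mail settings and `$LookbackHours` are placeholders.

```powershell
# Added example, not NetIQ's code: GPO change detection from Security event 5136
# with an e-mail summary of changes made outside the sanctioned change process.
# Assumptions: Directory Service Changes auditing is on; values below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ApprovedChangeAccounts = @('svc-gpo-change')   # accounts used by the managed change process (placeholder)
$LookbackHours          = 24
$MailSettings = @{
    To         = 'ad-admins@example.com'        # placeholders
    From       = 'gpo-monitor@example.com'
    SmtpServer = 'smtp.example.com'
}

function Get-GpoChangeEvents {
    param([string[]]$DomainControllers, [int]$Hours = $LookbackHours)
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in $DomainControllers) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Only modifications of GPO objects are of interest here.
            if ($data.ObjectClass -ne 'groupPolicyContainer') { return }

            # Resolve the GPO GUID in the DN to its display name where possible.
            $gpoName = $data.ObjectDN
            if ($data.ObjectDN -match '\{[0-9A-Fa-f-]{36}\}') {
                try { $gpoName = (Get-GPO -Guid $Matches[0].Trim('{}') -ErrorAction Stop).DisplayName } catch {}
            }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                DC        = $dc
                Who       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                GPO       = $gpoName
                Attribute = $data.AttributeLDAPDisplayName
                Operation = $data.OperationType          # raw code from the event
                Managed   = $ApprovedChangeAccounts -contains $data.SubjectUserName
            }
        }
    }
}

function Send-GpoChangeReport {
    param([object[]]$Events)
    $unmanaged = @($Events | Where-Object { -not $_.Managed })
    if ($unmanaged.Count -eq 0) { return }    # nothing outside the change process: stay quiet
    $body = $unmanaged | Sort-Object Time |
        Format-Table Time, DC, Who, GPO, Attribute, Operation -AutoSize | Out-String -Width 200
    Send-MailMessage @MailSettings -Subject "Unmanaged GPO changes in the last $LookbackHours h: $($unmanaged.Count)" -Body $body
}

# Collect from every DC, since 5136 is logged on whichever DC took the write.
$dcs = (Get-ADDomainController -Filter *).HostName
Send-GpoChangeReport -Events (Get-GpoChangeEvents -DomainControllers $dcs)
```

Running this on a schedule gives the "be proactive" e-mail from the slide; feeding the same objects to a SIEM instead of (or as well as) mail covers the earlier point about sending events back to the monitoring infrastructure.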
Regaining Control…
• Why is it important?
• The more granular the better, but without added complexity
• Something which defines:
- WHO: who we are delegating control to (within Active Directory)
- WHAT: what functionality/permissions we are delegating to the individual(s)
- WHERE: which objects we are allowing these individuals to exercise their permissions on (most likely a container holding multiple objects)
• Capable of managing an enterprise environment
• Report on delegation
• A controlled way to make changes to the environment
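The WHO / WHAT / WHERE model above, carried through as an added PowerShell example (not NetIQ's code; the deck's product does this through its own console). WHO is a group, WHAT is a single control-access right, WHERE is an OU, and a second function produces the "report on delegation" view. It assumes the ActiveDirectory module's `AD:` drive, and the group and OU names are placeholders; the two GUIDs are the well-known schema values for the Reset Password right and the user object class.

```powershell
# Added example, not NetIQ's code: least-privilege delegation expressed as
# WHO (group) / WHAT (one extended right) / WHERE (an OU), plus a delegation report.
# Assumptions: ActiveDirectory module loaded (provides the AD: drive); names are placeholders.
Import-Module ActiveDirectory

$DelegateGroup = 'Helpdesk-PasswordReset'            # WHO   (placeholder)
$TargetOU      = 'OU=Staff,DC=example,DC=com'        # WHERE (placeholder)
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # WHAT: controlAccessRight "Reset Password"
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class

function Grant-PasswordResetDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Group = $DelegateGroup, [string]$OU = $TargetOU)

    $sid  = (Get-ADGroup -Identity $Group).SID      # delegate to a group, never an individual
    $path = "AD:\$OU"
    $acl  = Get-Acl -Path $path

    # Allow only the Reset Password right, only on user objects beneath the OU.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($OU, "Grant '$Group' Reset Password on user objects")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

function Get-DelegationReport {
    param([string]$OU = $TargetOU)
    # Explicit (non-inherited) entries are the delegations made on this OU itself.
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType
}

# Rehearse, apply, then report.
Grant-PasswordResetDelegation -WhatIf
# Grant-PasswordResetDelegation
Get-DelegationReport | Format-Table -AutoSize
```

Scoping the rule with an object type (the right) and an inherited object type (user) is what keeps the delegation granular without making the OU's ACL hard to read; a report that lists only explicit entries is how you later prove to an auditor exactly what was delegated and where.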
Managing Privileged/Non-privileged Users
Just in Time Automated Access
User Provisioning, User De-provisioning, User Re-provisioning
• Reducing the human element
• Increasing security & compliance
• Does it increase consistency?
• Is it truly efficient and does it save time?
• Does the process work for your business today?
• Can it accommodate the changes of tomorrow?
Empowering the User…
Password Management
• It may seem straightforward to us, but the statistics are scary!
– 64% of end users write passwords down
– 65% use the same password for multiple accounts
– 82% have forgotten a password
– 76% of intrusions exploit weak or stolen credentials
• Instead, give users the ability to reset their password anytime and anyplace (at work, at home, or on the road)
– Increased productivity and lower TCO
– Helpdesk freed to perform higher-value tasks
– Users don't have to wait for their password to be reset
– Increased security
– Users are less likely to write passwords down on paper
– Challenge questions provide higher security than phone-based user validation
– Password rules enable consistent enforcement of password policy
More than just Self Service Password Reset...
Empowering the Business User: Self-Service Administration
• Further frees up IT resources
• Gives business users an on-demand service
• A controlled way to deal with user requests
• Being able to provide a timely response
• Requesting access to resources
• Mailbox size quota increase requests
• Group membership change requests
NetIQ Solutions
• Directory and Resource Administrator
• Aegis
• Group Policy Administrator
• Change Guardian for Active Directory
• Self-Service Password Reset
See NetIQ.com/Products
Demo
www.netiq.com