scrubbing your active directory squeaky clean

Scrubbing yourActive DirectorySqueaky Clean!

Chris RadbandSenior Solutions Consultant

© 2011 NetIQ Corporation. All rights reserved.2

Lets talk about…

• Cleaning up your Active Directory

• What’s happening in your environment today

• Controlling changes in your environment eg. user lifecycle management

• Empowering the user with self-service

2013 NetIQ Corporation. All rights reserved. 3

Active Directory clean-up


Challenges of an unmanaged Active Directory Estate

• Inactive Users

• Disabled Users

• Locked out users

• Expired Users

• Passwords never set to expire

These illustrate just a few common Security risks, Performance impacts and contributors to Audit failures

seen in many environments of all sorts of sizes

2013 NetIQ Corporation. All rights reserved. 4 |

Active Directory Environmental Clean-up

• Security Groups with no members

• Nested Security Groups

• Stale Computer Accounts

• Mixed-Naming conventions

• Reducing the number of Power Users


How do you deal with Clean-up today?

*Source: http://www.codeproject.com/Articles/18621/VBScript-to-Disable-Old-Accounts-in-Active-Directo


Scripted and manual clean-up tasks are

often labour intensive, limited in

functionality, inaccurate and at worst can have all

sorts of

unexpected results!


Automated Clean-up of Inactive Accounts





Discovery:Process runs to determine which accounts are inactive





Action:Request administrator or manager approval to disable account





Action:Request administrator or manager approval to disable account

Remediation:Account is disabled and therefore secured

What are today’s challenges, right now?


Regulatory & Oversight Pressures

Internal Audit

Board of Directors – Oversight Groups


Worst case scenario…

http://www.flickr.com/photos/teegardin/6093810333/in/photostream/


• Minimises the risk associated with Operational changes

• Satisfying audit requirements/achieving compliance with regulations such as ISO 27001/2, Sarbanes-Oxley and PCI DSS

• Identify Change when it happens

• Catalogue managed and unmanaged changes

• Detect high-profile changes

• Provides detailed AD/GPO change history

• Centrally record and audit AD/GPO changes

• Easily integrates into your existing AD change process

• Feeding events backup to your Monitoring Infrastructure

Increasing audit and compliance requirements…not to mention good-practice!


© 2011 NetIQ Corporation. All rights reserved.15 2013 NetIQ Corporation. All rights reserved. 8 |

Monitor for unmanaged GPO Changes

© 2011 NetIQ Corporation. All rights reserved.16 2013 NetIQ Corporation. All rights reserved. 9 |

Be proactive: GPO change: Email report sent to administrators

Regaining Control…


• Why is it important?

• The granular the better but no added complexity

• Something which defines:

- WHO– who are we delegating control to (for Active Directory).

- WHAT – what functionality/permissions are we delegating to the individual(s)

- WHERE – which objects are we allowing these individuals to execute their permissions on (most likely contain multiple objects).

• Capable of managing an enterprise environment

• Report on delegation

• Controlled way to make

changes to environment

2013 NetIQ Corporation. All rights reserved. 11 |

Managing Privileged/Non-privileged Users


Just in Time Automated Access



• Reducing the human element

• Increasing Security & compliance

• Does it increase consistency?

• Is it truly efficient and does it

save time?

• Does the process work for your

business today?

• Can it accommodate the changes of

tomorrow?

User Provisioning, User De-provisioning, User Re-provisioning


Empowering the User…


• It may seem straightforward to us but the statistics are scary!

– 64%

– 65%

– 82%

– 76%

Password Management



– 64% - end users that write passwords down

– 65%

– 82%

– 76%

Password Management




– 65% - use the same password for multiple accounts

– 82%

– 76%

Password Management





– 82% - have forgotten a password

– 76%

Password Management






– 76% - intrusions exploit weak or stolen credentials

Password Management






– 76% - intrusions exploit weak or stolen credentials

• Instead, provide the user ability to reset password anytime and anyplace (at work, home, or on the road)

– Increased productivity – lower TCO

– Helpdesk freed to perform higher value tasks

– Users don’t have to wait for their password to be reset

– Increased security

– Users less likely to write password down on paper

– Challenge questions provide higher security than phone based user validation

– Password rules enable consistent enforcement of password policy

Password Management


More than just Self Service Password Reset...

• Further Frees up IT Resources

• Giving the business users an

On-Demand Service

• Controlled way to deal with User Request

• Being able to provide a timely response

• Requesting access to resources

• Mailbox Size Quota Increase Request

• Group membership change request

Empowering the Business UserSelf Service Administration



• Directory and Resource Administrator

• Aegis

• Group Policy Administrator

• Change Guardian for Active Directory

• Self-Service Password Reset

See NetIQ.com/Products

NetIQ Solutions


www.netiq.com

scrubbing your active directory squeaky clean

Technology

netiq corporation

active directory cleanup

time automated access12

user provisioning

active directory whats

active directory squeaky

user reprovisioning

user deprovisioning