scrubbing your active directory squeaky clean
DESCRIPTION
Bytes Technology identified Active Directory issues within their customer base, so they brought in NetIQ as a strategic partner. This deck outlines how scrubbing your environment clean with the right tools and processes will help you keep your Active Directory environment consistent, manageable, auditable and efficient.
TRANSCRIPT
Scrubbing your Active Directory Squeaky Clean!
Chris Radband, Senior Solutions Consultant
© 2011 NetIQ Corporation. All rights reserved.2
Let's talk about…
• Cleaning up your Active Directory
• What’s happening in your environment today
• Controlling changes in your environment, e.g. user lifecycle management
• Empowering the user with self-service
2013 NetIQ Corporation. All rights reserved. 3
Active Directory clean-up
Challenges of an unmanaged Active Directory Estate
• Inactive Users
• Disabled Users
• Locked out users
• Expired Users
• Passwords never set to expire
These illustrate just a few of the common security risks, performance impacts and contributors to audit failures seen in environments of all sizes.
Active Directory Environmental Clean-up
• Security Groups with no members
• Nested Security Groups
• Stale Computer Accounts
• Mixed-Naming conventions
• Reducing the number of Power Users
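The two lists above name the conditions worth hunting for; the script below is an added example (not from this deck or any NetIQ product) that reports on each of them read-only with the ActiveDirectory module that ships with RSAT. It assumes the module is installed, that the caller can read the domain, that 90 days without a logon counts as inactive, and that the naming convention it checks (firstname.lastname) is a placeholder for your own.

```powershell
# Added example, not from the NetIQ deck or any NetIQ product: a read-only
# hygiene report for the issues listed above, using the ActiveDirectory module.
# Assumptions: module installed, read access to the domain, 90 days without a
# logon means "inactive", and the naming pattern below is a placeholder.
Import-Module ActiveDirectory

$InactiveDays  = 90
$NamingPattern = '^[a-z]+\.[a-z]+$'      # assumed sAMAccountName convention
$Window        = [TimeSpan]::FromDays($InactiveDays)

function Get-AdHygieneReport {
    $r = [ordered]@{}

    # Users: no logon in the window, disabled, locked out, expired, password never expires
    $r['InactiveUsers']        = @(Search-ADAccount -AccountInactive -TimeSpan $Window -UsersOnly)
    $r['DisabledUsers']        = @(Search-ADAccount -AccountDisabled -UsersOnly)
    $r['LockedOutUsers']       = @(Search-ADAccount -LockedOut -UsersOnly)
    $r['ExpiredUsers']         = @(Search-ADAccount -AccountExpired -UsersOnly)
    $r['PasswordNeverExpires'] = @(Search-ADAccount -PasswordNeverExpires -UsersOnly)

    # Groups: security groups with no members, and groups nested inside other groups
    $groups = @(Get-ADGroup -Filter "GroupCategory -eq 'Security'" -Properties Members, MemberOf)
    $r['EmptySecurityGroups']  = @($groups | Where-Object { $_.Members.Count -eq 0 })
    $r['NestedSecurityGroups'] = @($groups | Where-Object { $_.MemberOf.Count -gt 0 })

    # Computers: no logon in the window. lastLogonTimestamp replicates with up to
    # 14 days of lag, so treat this as a candidate list, not a verdict.
    $r['StaleComputers']       = @(Search-ADAccount -AccountInactive -TimeSpan $Window -ComputersOnly)

    # Naming: user accounts that do not match the assumed convention
    # (Get-ADUser -Filter * walks the whole domain; scope with -SearchBase on large estates)
    $r['NonStandardNames']     = @(Get-ADUser -Filter * | Where-Object { $_.SamAccountName -notmatch $NamingPattern })

    # Power users: everyone who ends up in Domain Admins, including via nesting
    $r['DomainAdmins']         = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)

    return $r
}

$report = Get-AdHygieneReport

# Summary counts on screen, then one CSV row per finding for the clean-up backlog
$report.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Category = $_.Key; Count = $_.Value.Count } } |
    Format-Table -AutoSize

$report.GetEnumerator() | ForEach-Object {
    $category = $_.Key
    $_.Value | Select-Object @{ n = 'Category'; e = { $category } }, Name, SamAccountName, DistinguishedName
} | Export-Csv -Path '.\ad-hygiene-report.csv' -NoTypeInformation
```

The script only reads; nothing is disabled or deleted. Run it from a workstation with RSAT as an account that can read the domain, and treat the CSV as the input to a review rather than as a list of accounts to act on automatically.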
How do you deal with Clean-up today?
*Source: http://www.codeproject.com/Articles/18621/VBScript-to-Disable-Old-Accounts-in-Active-Directo
Scripted and manual clean-up tasks are often labour intensive, limited in functionality, inaccurate and, at worst, can have all sorts of unexpected results!
Automated Clean-up of Inactive Accounts
Discovery: a process runs to determine which accounts are inactive
Action: administrator or manager approval is requested to disable the account
Remediation: the account is disabled and therefore secured
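The three steps above, discovery, approval and remediation, as a script. This is an added example, not the deck's or a NetIQ product's code. It assumes the ActiveDirectory module is installed, that 90 days without a logon means inactive, and that approval is recorded by an administrator or manager setting the Approved column of the pending CSV to YES and filling in ApprovedBy; the file names are placeholders.

```powershell
# Added example, not from the deck or a NetIQ product: discovery -> approval
# -> remediation for inactive user accounts. Assumptions: ActiveDirectory
# module installed, 90-day inactivity threshold, approval recorded in the CSV.
Import-Module ActiveDirectory

$InactiveDays = 90
$PendingCsv   = '.\inactive-pending-approval.csv'   # placeholder path
$AuditCsv     = '.\inactive-cleanup-audit.csv'      # placeholder path

function Invoke-InactiveDiscovery {
    # Step 1 (Discovery): enabled user accounts with no logon inside the window,
    # written out with their manager so the approval request can be routed.
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties Manager, LastLogonDate } |
        Select-Object SamAccountName, DistinguishedName, Manager, LastLogonDate,
                      @{ n = 'Approved';   e = { 'NO' } },
                      @{ n = 'ApprovedBy'; e = { '' } } |
        Export-Csv -Path $PendingCsv -NoTypeInformation
}

function Invoke-InactiveRemediation {
    # Step 3 (Remediation): disable only the rows an approver marked YES.
    # Accounts are disabled, never deleted, and stamped with who approved it.
    # Supports -WhatIf so the run can be rehearsed before it touches anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    Import-Csv -Path $PendingCsv |
        Where-Object { $_.Approved -eq 'YES' -and $_.ApprovedBy } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Disable inactive account')) {
                $stamp = "Disabled by inactive-account clean-up on $(Get-Date -Format 'yyyy-MM-dd'); approved by $($_.ApprovedBy)"
                Disable-ADAccount -Identity $_.DistinguishedName
                Set-ADUser -Identity $_.DistinguishedName -Description $stamp
                # Step 2 is the human approval; the audit row records its outcome
                [pscustomobject]@{
                    When       = Get-Date -Format 'o'
                    Account    = $_.SamAccountName
                    Action     = 'Disabled'
                    ApprovedBy = $_.ApprovedBy
                } | Export-Csv -Path $AuditCsv -Append -NoTypeInformation
            }
        }
}

# Typical run: discover, hand the CSV to the approver, rehearse, then apply
Invoke-InactiveDiscovery
# ... approver edits $PendingCsv, setting Approved=YES and ApprovedBy ...
Invoke-InactiveRemediation -WhatIf
# Invoke-InactiveRemediation
```

Disabling rather than deleting keeps the SID, group memberships and mailbox link intact, so a wrongly flagged account can be re-enabled in seconds, which is why the slide describes the remediation as "disabled and therefore secured" rather than removed.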
What are today’s challenges, right now?
Regulatory & Oversight Pressures
Internal Audit
Board of Directors – Oversight Groups
Worst case scenario…
http://www.flickr.com/photos/teegardin/6093810333/in/photostream/
• Minimises the risk associated with operational changes
• Satisfies audit requirements and achieves compliance with regulations such as ISO 27001/2, Sarbanes-Oxley and PCI DSS
• Identifies change when it happens
• Catalogues managed and unmanaged changes
• Detects high-profile changes
• Provides a detailed AD/GPO change history
• Centrally records and audits AD/GPO changes
• Integrates easily into your existing AD change process
• Feeds events back to your monitoring infrastructure
Increasing audit and compliance requirements…not to mention good-practice!
Monitor for unmanaged GPO Changes
Be proactive: when a GPO changes, an email report is sent to administrators
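A minimal way to get the "unmanaged GPO change" signal the slide describes, as an added example that is not the deck's or a NetIQ product's code: snapshot every GPO's version counters, compare the next run against that baseline, and mail administrators whatever changed without an approved change record. It assumes the GroupPolicy module (RSAT) is installed; the approved-change file format, file paths and SMTP settings are placeholders for your own change tooling.

```powershell
# Added example, not from the deck or a NetIQ product: baseline-and-compare
# detector for GPO changes made outside the change process. Assumptions:
# GroupPolicy module installed; approved-change file and mail settings are placeholders.
Import-Module GroupPolicy

$BaselinePath = '.\gpo-baseline.json'
$ApprovedPath = '.\gpo-approved-changes.txt'   # assumed: one approved GPO GUID per line from your change process
$MailParams   = @{ From = 'gpo-monitor@example.invalid'; To = 'ad-admins@example.invalid'; SmtpServer = 'smtp.example.invalid' }  # placeholders

function Get-GpoSnapshot {
    # The DS version counters increment on every edit, so they are the cheapest change signal.
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            Id               = $_.Id.ToString()
            DisplayName      = $_.DisplayName
            ModificationTime = $_.ModificationTime.ToString('o')
            ComputerVersion  = $_.Computer.DSVersion
            UserVersion      = $_.User.DSVersion
        }
    }
}

function Compare-GpoSnapshot {
    param($Baseline, $Current, [string[]]$ApprovedIds = @())
    $previous = @{}
    foreach ($b in $Baseline) { $previous[$b.Id] = $b }

    foreach ($g in $Current) {
        $old  = $previous[$g.Id]
        $kind = $null
        if (-not $old) { $kind = 'Created' }
        elseif ($old.ComputerVersion -ne $g.ComputerVersion -or $old.UserVersion -ne $g.UserVersion) { $kind = 'Modified' }
        if ($kind) {
            [pscustomobject]@{ GPO = $g.DisplayName; Id = $g.Id; Change = $kind; Managed = ($ApprovedIds -contains $g.Id); Modified = $g.ModificationTime }
        }
        $previous.Remove($g.Id)
    }
    # Anything left over in the baseline no longer exists
    foreach ($d in $previous.Values) {
        [pscustomobject]@{ GPO = $d.DisplayName; Id = $d.Id; Change = 'Deleted'; Managed = ($ApprovedIds -contains $d.Id); Modified = $d.ModificationTime }
    }
}

$current = @(Get-GpoSnapshot)
if (-not (Test-Path $BaselinePath)) {
    # First run: record the baseline and stop
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    return
}

$baseline  = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$approved  = if (Test-Path $ApprovedPath) { @(Get-Content -Path $ApprovedPath) } else { @() }
$changes   = @(Compare-GpoSnapshot -Baseline $baseline -Current $current -ApprovedIds $approved)
$unmanaged = @($changes | Where-Object { -not $_.Managed })

if ($unmanaged.Count -gt 0) {
    # Be proactive: mail the unmanaged changes; keep the full list for the audit trail
    $body = ($unmanaged | Format-Table -AutoSize | Out-String)
    Send-MailMessage @MailParams -Subject "Unmanaged GPO changes: $($unmanaged.Count)" -Body $body
}
$changes | Export-Csv -Path ".\gpo-changes-$(Get-Date -Format 'yyyyMMdd-HHmm').csv" -NoTypeInformation

# Roll the baseline forward so the next run reports only new changes
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
```

Schedule it to run every few minutes on a management host. Version counters tell you that a GPO changed and which half (computer or user) but not what setting moved; for the setting-level diff and the identity of who made the change, pair this with the directory service change auditing (event 5136 on the domain controllers) or a product that records that history.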
Regaining Control…
• Why is it important?
• The more granular the better, but without added complexity
• Something which defines:
- WHO – who we are delegating control to (for Active Directory)
- WHAT – what functionality/permissions we are delegating to the individual(s)
- WHERE – which objects we are allowing these individuals to exercise their permissions on (most likely containers holding multiple objects)
• Capable of managing an enterprise environment
• Reports on delegation
• A controlled way to make changes to the environment
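The WHO / WHAT / WHERE model above can be checked directly against the directory: every delegation is an access control entry on an OU. The script below is an added example (not from the deck or a NetIQ product) that lists the non-inherited ACEs on every OU so the report reads as who, what and where. It assumes the ActiveDirectory module is installed and that the caller can read OU security descriptors; the list of principals it filters out as built-in is an assumption you may need to extend.

```powershell
# Added example, not from the deck or a NetIQ product: report WHO has been
# delegated WHAT on WHERE by listing explicit (non-inherited) ACEs on each OU.
# Assumptions: ActiveDirectory module installed, read access to OU ACLs, and the
# built-in principal list below is a starting point, not a complete one.
Import-Module ActiveDirectory   # also creates the AD: PSDrive used by Get-Acl

$BuiltIn = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone', 'CREATOR OWNER',
    'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access'
)

function Get-OuDelegation {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }            # keep only ACEs set on this OU
            $who = $ace.IdentityReference.Value
            if ($BuiltIn -contains $who) { continue }
            if ($who -like '*\Domain Admins' -or $who -like '*\Enterprise Admins') { continue }

            [pscustomobject]@{
                Where      = $ou.DistinguishedName       # WHERE: the scope the rights apply to
                Who        = $who                        # WHO: the delegated principal
                What       = $ace.ActiveDirectoryRights  # WHAT: the rights granted or denied
                Type       = $ace.AccessControlType
                ObjectType = $ace.ObjectType             # GUID of the attribute/class/extended right; all-zero means any
                AppliesTo  = $ace.InheritanceType        # this object only, descendants, etc.
            }
        }
    }
}

$delegation = @(Get-OuDelegation)
$delegation | Sort-Object Where, Who | Format-Table -AutoSize
$delegation | Export-Csv -Path '.\ou-delegation-report.csv' -NoTypeInformation
```

Diff successive runs of the CSV and any new row is a delegation that was added outside the process. Resolving the ObjectType GUID to an attribute or extended-right name needs a lookup in the schema and configuration partitions, which is left out here for brevity.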
Managing Privileged/Non-privileged Users
Just in Time Automated Access
• Reducing the human element
• Increasing security & compliance
• Does it increase consistency?
• Is it truly efficient and does it save time?
• Does the process work for your business today?
• Can it accommodate the changes of tomorrow?
User Provisioning, User De-provisioning, User Re-provisioning
Empowering the User…
• It may seem straightforward to us but the statistics are scary!
– 64% - end users that write passwords down
– 65% - use the same password for multiple accounts
– 82% - have forgotten a password
– 76% - intrusions exploit weak or stolen credentials
• Instead, give users the ability to reset their password anytime and anyplace (at work, at home, or on the road)
– Increased productivity – lower TCO
– Helpdesk freed to perform higher value tasks
– Users don’t have to wait for their password to be reset
– Increased security
– Users less likely to write password down on paper
– Challenge questions provide higher security than phone-based user validation
– Password rules enable consistent enforcement of password policy
Password Management
More than just Self Service Password Reset...
• Further Frees up IT Resources
• Giving the business users an on-demand service
• A controlled way to deal with user requests
• Being able to provide a timely response
• Requesting access to resources
• Mailbox Size Quota Increase Request
• Group membership change request
Empowering the Business User: Self-Service Administration
• Directory and Resource Administrator
• Aegis
• Group Policy Administrator
• Change Guardian for Active Directory
• Self-Service Password Reset
See NetIQ.com/Products
NetIQ Solutions
Demo
www.netiq.com