Page 1: Scrubbing Your Active Directory Squeaky Clean

Scrubbing your Active Directory Squeaky Clean!

Chris Radband, Senior Solutions Consultant


© 2011 NetIQ Corporation. All rights reserved.

Let's talk about…

• Cleaning up your Active Directory

• What’s happening in your environment today

• Controlling changes in your environment, e.g. user lifecycle management

• Empowering the user with self-service

2013 NetIQ Corporation. All rights reserved.


Active Directory clean-up


Challenges of an unmanaged Active Directory Estate

• Inactive Users

• Disabled Users

• Locked out users

• Expired Users

• Passwords never set to expire

These illustrate just a few common security risks, performance impacts and contributors to audit failures seen in many environments of all sizes.


Active Directory Environmental Clean-up

• Security Groups with no members

• Nested Security Groups

• Stale Computer Accounts

• Mixed-Naming conventions

• Reducing the number of Power Users


How do you deal with Clean-up today?

*Source: http://www.codeproject.com/Articles/18621/VBScript-to-Disable-Old-Accounts-in-Active-Directo


Scripted and manual clean-up tasks are often labour intensive, limited in functionality, inaccurate and at worst can have all sorts of unexpected results!


Automated Clean-up of Inactive Accounts


Discovery: Process runs to determine which accounts are inactive

Action: Request administrator or manager approval to disable account

Remediation: Account is disabled and therefore secured
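
An added example, not part of the original slides or any NetIQ product: one way to implement the Discovery and Action steps over a directory export, also tagging the other account states listed under "Challenges of an unmanaged Active Directory Estate". The sample accounts, manager names and the 90-day threshold are assumptions; the attribute names and flag values are standard Active Directory ones.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires values meaning "never"
UAC_DISABLED = 0x0002                     # ACCOUNTDISABLE
UAC_PWD_NEVER_EXPIRES = 0x10000           # DONT_EXPIRE_PASSWORD
SYNC_LAG_DAYS = 14   # lastLogonTimestamp may lag the real logon by up to ~14 days

def to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01)."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000
def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def classify(acct, now, inactive_days=90):
    """Return the clean-up categories that apply to one exported account."""
    tags, uac = set(), acct["userAccountControl"]
    if uac & UAC_DISABLED:
        tags.add("disabled")
    if uac & UAC_PWD_NEVER_EXPIRES:
        tags.add("password-never-expires")
    if acct.get("lockoutTime", 0) > 0:    # simplification: ignores lockout duration
        tags.add("locked-out")
    expires = acct.get("accountExpires", 0)
    if expires not in NEVER_EXPIRES and from_filetime(expires) < now:
        tags.add("expired")
    last = acct.get("lastLogonTimestamp", 0)   # 0 or absent: never logged on
    if last == 0 or from_filetime(last) < now - timedelta(days=inactive_days + SYNC_LAG_DAYS):
        tags.add("inactive")
    return tags

def approval_requests(accounts, now):
    """Discovery -> Action: queue inactive, still-enabled accounts for sign-off."""
    hits = [(a, classify(a, now)) for a in accounts]
    return [(a["sAMAccountName"], a["manager"]) for a, t in hits
            if "inactive" in t and "disabled" not in t]

# Constructed sample export; names, managers and dates are made up.
NOW = datetime(2013, 6, 1, tzinfo=timezone.utc)
def _ago(days): return to_filetime(NOW - timedelta(days=days))
ACCOUNTS = [
    dict(sAMAccountName="alice", manager="m.jones", userAccountControl=0x200, lastLogonTimestamp=_ago(10)),
    dict(sAMAccountName="bob", manager="m.jones", userAccountControl=0x200, lastLogonTimestamp=_ago(200)),
    dict(sAMAccountName="carol", manager="p.singh", userAccountControl=0x202, lastLogonTimestamp=_ago(300)),
    dict(sAMAccountName="svc_backup", manager="p.singh", userAccountControl=0x10200, lastLogonTimestamp=_ago(5)),
    dict(sAMAccountName="dave", manager="m.jones", userAccountControl=0x200, lastLogonTimestamp=_ago(95), accountExpires=_ago(30)),
    dict(sAMAccountName="erin", manager="p.singh", userAccountControl=0x200, lastLogonTimestamp=_ago(1), lockoutTime=_ago(1)),
]
print("approval needed:", approval_requests(ACCOUNTS, NOW))
```

The 95-day account is not flagged because the threshold is widened by the replication lag of lastLogonTimestamp; Remediation (the disable itself) is left to whatever change process grants the approval.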


What are today’s challenges, right now?


Regulatory & Oversight Pressures

Internal Audit

Board of Directors – Oversight Groups


Worst case scenario…

http://www.flickr.com/photos/teegardin/6093810333/in/photostream/


• Minimises the risk associated with Operational changes

• Satisfying audit requirements/achieving compliance with regulations such as ISO 27001/2, Sarbanes-Oxley and PCI DSS

• Identify Change when it happens

• Catalogue managed and unmanaged changes

• Detect high-profile changes

• Provides detailed AD/GPO change history

• Centrally record and audit AD/GPO changes

• Easily integrates into your existing AD change process

• Feeding events back up to your monitoring infrastructure

Increasing audit and compliance requirements…not to mention good-practice!


Monitor for unmanaged GPO Changes


Be proactive: GPO change: Email report sent to administrators


Regaining Control…


• Why is it important?

• The more granular the better, but with no added complexity

• Something which defines:

- WHO – who are we delegating control to (for Active Directory).

- WHAT – what functionality/permissions are we delegating to the individual(s)

- WHERE – which objects are we allowing these individuals to execute their permissions on (most likely containing multiple objects).

• Capable of managing an enterprise environment

• Report on delegation

• Controlled way to make changes to environment


Managing Privileged/Non-privileged Users


Just in Time Automated Access



• Reducing the human element

• Increasing Security & compliance

• Does it increase consistency?

• Is it truly efficient and does it save time?

• Does the process work for your business today?

• Can it accommodate the changes of tomorrow?

User Provisioning, User De-provisioning, User Re-provisioning


Empowering the User…


• It may seem straightforward to us but the statistics are scary!

– 64% - end users that write passwords down

– 65% - use the same password for multiple accounts

– 82% - have forgotten a password

– 76% - intrusions exploit weak or stolen credentials

• Instead, give the user the ability to reset their password anytime and anyplace (at work, home, or on the road)

– Increased productivity – lower TCO

– Helpdesk freed to perform higher value tasks

– Users don’t have to wait for their password to be reset

– Increased security

– Users less likely to write password down on paper

– Challenge questions provide higher security than phone based user validation

– Password rules enable consistent enforcement of password policy

Password Management


More than just Self Service Password Reset...

• Further Frees up IT Resources

• Giving the business users an On-Demand Service

• Controlled way to deal with User Request

• Being able to provide a timely response

• Requesting access to resources

• Mailbox Size Quota Increase Request

• Group membership change request

Empowering the Business User: Self Service Administration


• Directory and Resource Administrator

• Aegis

• Group Policy Administrator

• Change Guardian for Active Directory

• Self-Service Password Reset

See NetIQ.com/Products

NetIQ Solutions


Demo


www.netiq.com

