Scrubbing Your Active Directory Squeaky Clean

Bytes Technology identified Active Directory issues within their customer base, so they brought in NetIQ as a strategic partner. This deck outlines how scrubbing your environment clean with the right tools and processes will help you keep your Active Directory environment consistent, manageable, auditable and efficient.


  1. Scrubbing your Active Directory Squeaky Clean!
       Chris Radband, Senior Solutions Consultant
  2. Let’s talk about…
       • Cleaning up your Active Directory
       • What’s happening in your environment today
       • Controlling changes in your environment, e.g. user lifecycle management
       • Empowering the user with self-service
       © 2011 NetIQ Corporation. All rights reserved. 2013 NetIQ Corporation. All rights reserved.
  3. Active Directory clean-up
  4. Active Directory Environmental Clean-up
       Challenges of an unmanaged Active Directory estate:
       • Inactive users
       • Disabled users
       • Locked-out users
       • Expired users
       • Passwords never set to expire
       • Security groups with no members
       • Nested security groups
       • Stale computer accounts
       • Mixed naming conventions
       • Reducing the number of power users
       These illustrate just a few common security risks, performance impacts and contributors to audit failures seen in many environments of all sorts of sizes.
  5. How do you deal with clean-up today?
       Scripted and manual clean-up tasks are labour intensive, limited in functionality, inaccurate and, at worst, can have all sorts of unexpected results!
       *Source: http://www.codeproject.com/Articles/18621/VBScript-to-Disable-Old-Accounts-in-Active-Directo
  6. Automated Clean-up of Inactive Accounts
  7. Automated Clean-up of Inactive Accounts
       • Discovery: Process runs to determine which accounts are inactive
  8. Automated Clean-up of Inactive Accounts
       • Discovery: Process runs to determine which accounts are inactive
       • Action: Request administrator or manager approval to disable account
  9. Automated Clean-up of Inactive Accounts
       • Discovery: Process runs to determine which accounts are inactive
       • Action: Request administrator or manager approval to disable account
       • Remediation: Account is disabled and therefore secured
  10. What are today’s challenges, right now?
  11. Regulatory & Oversight Pressures Internal Audit Board of Directors – Oversight Groups
  12. Worst case scenario… http://www.flickr.com/photos/teegardin/6093810333/in/photostream/
  13. Increasing audit and compliance requirements …not to mention good-practice!
       • Identify change when it happens
       • Catalogue managed and unmanaged changes
       • Detect high-profile changes
       • Provides detailed AD/GPO change history
       • Centrally record and audit AD/GPO changes
       • Easily integrates into your existing AD change process
       • Satisfying audit requirements/achieving compliance with regulations such as ISO 27001/2, Sarbanes-Oxley and PCI DSS
       • Minimises the risk associated with operational changes
       • Feeding events back up to your monitoring infrastructure
  14. [No slide text]
  15. Monitor for unmanaged GPO Changes
  16. Be proactive: GPO change: Email report sent to administrators
  17. Regaining Control…
  18. Managing Privileged/Non-privileged Users
       • Why is it important?
       • The more granular the better, but no added complexity
       • Something which defines:
           – WHO – who are we delegating control to (for Active Directory)
           – WHAT – what functionality/permissions are we delegating to the individual(s)
           – WHERE – which objects are we allowing these individuals to execute their permissions on (most likely contain multiple objects)
       • Capable of managing an enterprise environment
       • Report on delegation
       • Controlled way to make changes to environment
  19. Just in Time Automated Access
  20. Just in Time Automated Access
  21. Just in Time Automated Access
  22. Just in Time Automated Access
  23. User Provisioning, User De-provisioning, User Re-provisioning
       • Reducing the human element
       • Increasing security & compliance
       • Does it increase consistency?
       • Is it truly efficient and does it save time?
       • Does the process work for your business today?
       • Can it accommodate the changes of tomorrow?
  24. Empowering the User…
  25. Password Management
       • It may seem straightforward to us but the statistics are scary!
           – 64%
           – 65%
           – 82%
           – 76%
  26. Password Management
       • It may seem straightforward to us but the statistics are scary!
           – 64% - end users that write passwords down
           – 65%
           – 82%
           – 76%
  27. Password Management
       • It may seem straightforward to us but the statistics are scary!
           – 64% - end users that write passwords down
           – 65% - use the same password for multiple accounts
           – 82%
           – 76%
  28. Password Management
       • It may seem straightforward to us but the statistics are scary!
           – 64% - end users that write passwords down
           – 65% - use the same password for multiple accounts
           – 82% - have forgotten a password
           – 76%
  29. Password Management
       • It may seem straightforward to us but the statistics are scary!
           – 64% - end users that write passwords down
           – 65% - use the same password for multiple accounts
           – 82% - have forgotten a password
           – 76% - intrusions exploit weak or stolen credentials
  30. Password Management
       • It may seem straightforward to us but the statistics are scary!
           – 64% - end users that write passwords down
           – 65% - use the same password for multiple accounts
           – 82% - have forgotten a password
           – 76% - intrusions exploit weak or stolen credentials
       • Instead, provide the user the ability to reset password anytime and anyplace (at work, home, or on the road)
           – Increased productivity – lower TCO
               – Helpdesk freed to perform higher value tasks
               – Users don’t have to wait for their password to be reset
           – Increased security
               – Challenge questions provide higher security than phone based user validation
               – Users less likely to write password down on paper
               – Password rules enable consistent enforcement of password policy
  31. Self Service Administration: Empowering the Business User
       More than just Self Service Password Reset...
       • Further frees up IT resources
       • Giving the business users an on-demand service
       • Controlled way to deal with user requests
       • Being able to provide a timely response
       • Requesting access to resources
       • Mailbox size quota increase request
       • Group membership change request
  32. NetIQ Solutions
       • Directory and Resource Administrator
       • Aegis
       • Group Policy Administrator
       • Change Guardian for Active Directory
       • Self-Service Password Reset
       See NetIQ.com/Products
  33. Demo
  34. www.netiq.com
