The Top 7 Active Directory Admin Challenges Overcome White Paper

As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable, enforceable processes that reduce administrative overhead and enable robust, customizable reporting and auditing capabilities.
The Challenges of Administering Active Directory

As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data it stores and to which it enables access. The lack of native control makes the secure administration of Active Directory a challenging task at best for administrators. As a result, organizations need assistance in creating repeatable, enforceable processes that will ultimately reduce their administrative overhead, while simultaneously helping increase availability and security of their systems.

This white paper outlines seven common challenges associated with securely administering Active Directory and provides some helpful insight into what NetIQ can do to assist you with these difficulties.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

Copyright © 2010 NetIQ Corporation. All rights reserved.

ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the USA. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

WHITE PAPER: The Challenges of Administering Active Directory
Table of Contents

Introduction: Active Directory and Its Central Role in Enterprise Environments
    Compliance Auditing and Reporting
    Group Policy Management
    User Provisioning, Re-Provisioning and De-Provisioning
    Secure Delegation of User Privilege
    Change Auditing and Monitoring
    Maintaining Data Integrity
    Self-Service Administration
Conclusion
About NetIQ
Introduction: Active Directory and Its Central Role in Enterprise Environments

Since its availability with Microsoft Windows (Windows) 2000, Microsoft Active Directory (Active Directory) has been used to help organizations administer and secure their Windows environments. As deployment of, and reliance upon, Active Directory in the enterprise has grown, it has increasingly become the central data store for sensitive user data and the gateway to critical business information. This provides organizations with a consolidated, integrated, and distributed directory service, which enables the business to better manage user and administrative access to business applications and services.

As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data it stores and to which it enables access. Unfortunately, native Active Directory administration tools provide little control over user and administrative permissions and access. The lack of native control makes the secure administration of Active Directory a challenging task at best for administrators. In addition to limited control over what users and administrators can do in Active Directory, there is a limited ability to report on activities performed in Active Directory, which makes it very difficult to meet audit requirements and secure Active Directory. As a result, organizations need assistance in creating repeatable, enforceable processes that will ultimately reduce their administrative overhead, while simultaneously helping increase availability and security of their systems.

As an essential part of the IT infrastructure, Active Directory must be thoughtfully and diligently managed—that is, controlled, secured, and audited. Not surprisingly, an application of this importance that has minimal native controls presents management challenges that must be confronted and resolved in order to reduce risk, while deriving maximum value for the business. This paper examines seven of the most challenging administrative tasks in Active Directory.

Compliance Auditing and Reporting

In the face of diverse regulatory mandates—such as HIPAA, Sarbanes-Oxley, and PCI-DSS—achieving, demonstrating, and maintaining compliance is challenging. To satisfy audit requirements, organizations must be able to demonstrate control over the security of sensitive and business-critical data. However, without additional tools, the ability to demonstrate regulatory compliance with Active Directory natively is time-consuming, tedious, and complex at best.

Auditors and stakeholders require detailed information about privileged-user activity. This level of granular information enables interested parties to troubleshoot problems and also provides the information necessary to improve the performance and availability of Active Directory.

Auditing and reporting on Active Directory has always been a challenge. Prior to the release of Windows Server 2008, there were no granular reporting capabilities. However, with the release of Windows Server 2008, there is now limited reporting on some of the details auditors require. While this limited information is a move in the right direction, it is not robust enough to meet stringent audit requirements or to support business changes or decisions.

To more easily achieve, demonstrate, and maintain compliance, organizations should employ a solution that provides robust, customizable reporting and auditing capabilities. Reporting should provide information on who made a change, what change was made, when the change was made, and where the change was made. Reporting capabilities should be flexible enough to provide graphical trend information for business stakeholders, while also providing the granular detail necessary for administrators to improve their Active Directory deployment. Solutions should also securely store audit events for as long as necessary to meet data retention requirements and enable the easy search of these audit events.

Group Policy Management

Microsoft recommends that Group Policy be utilized as a cornerstone of Active Directory security. Leveraging the powerful capabilities of Group Policy, IT organizations can centrally manage and configure user and asset settings, applications, and operating systems from a central console. It is an indispensable resource for managing user access, permissions, and security settings in the Windows environment.

Maintaining a large number of Group Policy Objects (GPOs), where policy settings are stored, can be a challenging task. In large IT environments with many systems administrators, for example, special care must be taken because changes made to GPOs can affect every computer or user in a domain in real time; yet Group Policy lacks true change-management and version-control capabilities.

Due to the limited native controls available in Group Policy, accomplishing something as simple as deploying a shortcut requires writing a script. Custom scripts are often complex to create and difficult to debug and test. If the script fails or causes disruption in the live environment, there is no way to roll back to the last known setting or configuration. As you can imagine, the consequences of malicious or unintended changes to Group Policy can have devastating and permanent effects on the IT environment and the business.

To prevent Group Policy changes that can negatively impact the business, IT organizations often restrict administrative privilege to a few highly skilled administrators. As a result, these staff members are tasked and overburdened with administering Group Policy rather than supporting the greater and more strategic goals of the business.

To securely leverage the powerful capabilities of Group Policy, it is necessary to have a solution in place that provides a secure offline repository to model and predict the impact of Group Policy changes prior to pushing them live. The ability to plan, control, and troubleshoot Group Policy changes—coupled with an approved change and release management process—enables you to improve the security and compliance of your Windows environment without making business-crippling administrative errors. Organizations should also employ a solution for managing Group Policy that enables easy and flexible reporting that clearly demonstrates that audit requirements have been met.

User Provisioning, Re-Provisioning and De-Provisioning

Most employees require access to several systems and applications, each with its own account and log-on information. Even with today's more advanced processes and systems, employees often find themselves waiting for days for access to the systems they need. This can cost organizations directly in lost productivity and employee downtime. To minimize workloads and expedite the provisioning process, many organizations look to Active Directory to be the commanding data store for managing user account information and access rights to IT resources and assets.

Provisioning, re-provisioning and de-provisioning access via Active Directory is often a manual process. In the case of a large organization, maintaining appropriate user permissions and access can be an extraordinarily time-consuming activity, especially when the business has significant turnover in personnel. Systems administrators often spend hours creating, modifying, and removing credentials.

In a large, complex business, manual provisioning can take days. There are no automation or policy enforcement capabilities natively available in Active Directory. With little to no control in place, there is no way to ensure that users will receive the access they need within the timeframe they need it. In addition, there is no system of checks and balances, so administrative errors can easily result in elevated user privileges that can lead to a security breach, malicious activity, or unintended error that can expose the business to significant risk.

Organizations should look for an automated solution to execute provisioning activities. Pursuing an automated solution with approval capabilities drastically reduces the time and burden on administrators, improves adherence to security policies by minimizing human interaction with the process, improves standardization, and decreases the time the user must wait for access. It also expedites the removal of user access, which minimizes the ability for a user with malicious intent to access sensitive business data.

Secure Delegation of User Privilege

Reducing the number of users with elevated administrative privileges is a constant challenge for the owners of Active Directory. Many user and help desk requests require interaction with Active Directory. These common interactions with Active Directory often result in administrative privileges for users who do not require elevated access to perform their jobs.

Because there are only two levels of administrative access in Active Directory (Domain Administrator access or Enterprise Administrator access), it is very difficult to control what a user can see and do once they have gained administrative privileges. In addition, once a user has acquired powerful administrative capabilities, they can easily access sensitive business and user information, further elevate their privileges, and have the capability to make changes within Active Directory. Elevated administrative privileges, especially when in the hands of someone with malicious intent, dramatically increase the risk exposure of Active Directory and the applications, users, and systems that rely upon it (e.g., Human Resources systems or proprietary business information).

It is not uncommon for a business to discover that thousands of users have elevated administrative privileges. Each user with unauthorized administrative privileges presents a unique threat to the security of the IT infrastructure and business. Coupled with the vulnerabilities native to Active Directory, it is very easy for someone to make business-crippling administrative changes. When this occurs, troubleshooting becomes a nightmare, as the auditing and reporting limitations discussed earlier in this paper make it nearly impossible to quickly gather a clear picture of the problem.

To ultimately reduce the risk associated with elevated user privilege and help ensure that users have access to only the information they require to perform their jobs, organizations should seek a solution that can securely delegate entitlements. This is a requirement to meet separation-of-duties mandates, as well as a way to share administrative load by securely pushing restricted change privileges out to less expensive resources.

For example, an administrator may wish to delegate the ability to reset passwords to the members of the help desk in order to more quickly resolve user requests and reduce administrative burden. With granular privilege delegation, the help desk would be able to reset passwords but would not have the ability to take other administrative actions in Active Directory, ultimately improving efficiency and reducing business risk.

Change Auditing and Monitoring

To achieve and maintain a secure and compliant environment, you must control change and monitor for unauthorized change that may negatively impact the business. Active Directory change auditing is an important procedure for identifying and limiting unauthorized changes and errors to Active Directory configuration. One single change can put your organization at risk, introducing security breaches and compliance issues.

Native Active Directory tools fail to proactively track, audit, report, and alert on vital configuration changes. In addition, real-time auditing and reporting on configuration change (including Group Policy Objects), day-to-day operational change, and critical group change does not exist natively. This exposes the business to exponential risk—once a change has occurred, your ability to correct and limit the negative impact is completely dependent upon your ability to detect the change that has been made and to pinpoint and troubleshoot the change.

A change that goes undetected can have a drastic impact on the business. For example, someone who was able to elevate their privileges and change their identity to that of a senior member of the finance department could potentially access company funds, resulting in theft, wire transfers, and so forth.

To reduce risk and help prevent security breaches, organizations should employ a solution that provides comprehensive change monitoring. This solution should include real-time change detection, intelligent notification, human-readable events, centralized auditing, and detailed reporting. Employing a solution that encompasses all of these elements will help enable you to quickly and easily identify unauthorized change, pinpoint the source of the change, and efficiently resolve the change before the business is negatively impacted.

Maintaining Data Integrity

It is important for organizations to ensure that the data housed within Active Directory supports the needs of the business, especially as other business applications further rely on Active Directory for content and information.

Data integrity involves both the consistency of data and the completeness of information.
For example, there are multiple ways to enter a phone number:

  • +1.713.418.5555
  • 713 418-5555
  • 7134185555
  • 1-713-418-5555
  • (713) 415-5555

Entering data in inconsistent formats creates data pollution. Data pollution inhibits the business from organizing and efficiently accessing important information. Another example of data inconsistency is the ability to abbreviate a department name. Think of all the different ways to abbreviate accounting. If there is no consistency in the data entered in Active Directory, there is no way to ensure that all members of accounting can be organized or grouped together, which can be necessary for payroll, communications, systems access, and so on.

Completeness of information is another aspect of data integrity that is necessary for organizations to gain meaningful information from Active Directory. For example, if an employee is transferred to a new department in a new city and state, the HR system in the company would leverage Active Directory to update benefits and payroll information. However, if the administrator did not enter the employee's zip code, the HR system would not know where to send the employee's paystub.

Active Directory provides no control over content that is entered natively. If no controls are in place, administrators can enter information in any format they wish and leave fields void of information that the business relies upon.
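The phone-number, department and zip-code cases above are the kind of write a data-integrity control has to catch before the value reaches the directory. What follows is an added example, not NetIQ's code or any product's: a small Python policy gate that normalizes the five phone formats listed above into one form, expands department abbreviations, rejects a transfer that omits the postal code, and (for the change-auditing section earlier) holds an unapproved membership change to a privileged group while recording who, what, when and where for every decision. The group names, attribute list, department aliases and sample writes are constructed for illustration.

```python
"""Added example (not NetIQ code): a policy gate for Active Directory writes."""
import re
from datetime import datetime, timezone

# Constructed policy for this example; a real deployment keeps these in configuration.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Account Operators"}
REQUIRED_ATTRIBUTES = ("department", "postalCode")
LOCATION_ATTRIBUTES = ("l", "st")  # LDAP names for city and state
DEPARTMENT_ALIASES = {"acct": "Accounting", "acctg": "Accounting", "accounting": "Accounting"}
AUDIT_LOG = []  # one who/what/when/where record per decision

def normalize_phone(raw):
    """Reduce any of the formats in the paper to +1NNNNNNNNNN; None if not a NANP number."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:  # no country code given: assume +1
        digits = "1" + digits
    if len(digits) != 11 or digits[0] != "1":
        return None
    return "+" + digits

def normalize_department(raw):
    """Map common abbreviations onto the canonical department name."""
    return DEPARTMENT_ALIASES.get(raw.strip().lower(), raw.strip())

def evaluate(change, current=None):
    """Decide whether a proposed write may proceed and log the decision.
    change: {"who", "where" (DC), "target" (DN), "op": "set" | "add_member",
             "attrs": {...} for set; "group" and optional "approved" for add_member}
    current: the target's existing attributes, used for completeness checks.
    Returns (decision, normalized_attrs, findings); decision is "allowed",
    "rejected" or "needs_approval"."""
    findings, attrs = [], {}
    if change["op"] == "add_member":
        if change["group"] in PRIVILEGED_GROUPS and not change.get("approved"):
            findings.append(f"membership change to {change['group']} requires approval")
        decision = "needs_approval" if findings else "allowed"
    else:
        attrs = dict(change["attrs"])
        if "telephoneNumber" in attrs:
            phone = normalize_phone(attrs["telephoneNumber"])
            if phone is None:
                findings.append(f"telephoneNumber {attrs['telephoneNumber']!r} is not valid")
            else:
                attrs["telephoneNumber"] = phone
        if "department" in attrs:
            attrs["department"] = normalize_department(attrs["department"])
        # A move to a new city/state must carry the new zip code in the same write.
        if any(a in attrs for a in LOCATION_ATTRIBUTES) and not attrs.get("postalCode"):
            findings.append("city/state changed without a postalCode")
        merged = {**(current or {}), **attrs}
        for name in REQUIRED_ATTRIBUTES:
            if not str(merged.get(name, "")).strip():
                findings.append(f"required attribute {name} is empty")
        decision = "rejected" if findings else "allowed"
    AUDIT_LOG.append({"who": change["who"], "what": change["op"], "target": change["target"],
                      "when": change.get("when") or datetime.now(timezone.utc).isoformat(),
                      "where": change["where"], "decision": decision, "findings": findings})
    return decision, attrs, findings

if __name__ == "__main__":
    # Constructed sample: a transfer that omits the zip code, then an unapproved escalation.
    transfer = {"who": "CORP\\hr-admin", "where": "DC01", "op": "set",
                "target": "CN=Jane Doe,OU=Staff,DC=corp,DC=example",
                "attrs": {"department": "acct", "l": "Austin", "st": "TX", "postalCode": ""}}
    print(evaluate(transfer, current={"department": "Finance", "postalCode": "77002"}))
    print(evaluate({"who": "CORP\\helpdesk1", "where": "DC01", "op": "add_member",
                    "target": "CN=Domain Admins,CN=Users,DC=corp,DC=example", "group": "Domain Admins"}))
```

A gate like this sits in front of the directory (in the tooling that performs the write), so the raw value is never stored; the audit records it keeps are what later answer the who/what/when/where questions from the reporting section.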
To help ensure that all aspects of the business that rely upon Active Directory are supported and provided with meaningful and trustworthy information, organizations should employ a solution that controls both the format and the completeness of data entered in Active Directory. By putting these controls in place, you can drastically reduce data pollution and significantly improve the uniformity and completeness of the content in Active Directory.

Self-Service Administration

Most requests that are made by the business or by users require Active Directory to be accessed and administered. This work is often highly manual and there are few controls in place to prevent administrative errors. Active Directory's inherent complexity makes administrative errors common—just one mistake could do damage to the entire security infrastructure. Given the lack of controls, the business cannot have just anyone administering Active Directory.

While it may be practical to employ engineers and consultants to install and maintain Active Directory, organizations cannot afford to have their highly skilled and valuable resources spending the majority of their time responding to menial user requests.

Self-service administration and automation are logical solutions for organizations looking to streamline operations, to become more efficient, and to improve compliance. This is achieved by placing controls around common administrative tasks and enabling user requests to be performed without tasking highly skilled administrators. Organizations should identify processes that are routine yet highly manual, and consider solutions that provide user self-service and automation of the process. Automation of highly manual processes not only reduces the workload on highly skilled administrators, it also improves compliance with policies, as automation does not allow for steps in the process to be skipped. Organizations should also look for self-service and automation solutions that allow for approval and provide a comprehensive audit trail of events to help demonstrate policy compliance.

Conclusion

Active Directory has found its home as a mission-critical component of the IT infrastructure. As businesses continue to leverage it for its powerful capabilities as a commanding repository, Active Directory is a critical component of enterprise security. Therefore, it must be diligently controlled, monitored, administered, and protected with the same degree of discipline currently applied to other high-profile information (e.g., credit card data, customer data, and so forth).

Because native tools do not enable or support the secure and disciplined administration of Active Directory, organizations must look for solutions that enable its controlled and efficient administration. These solutions help ensure the business information housed in Active Directory is both secure and appropriately serving the needs of the business.

This paper has explored some of the most challenging aspects of securely administering Active Directory. NetIQ provides Active Directory Management and Security solutions that increase your control over Active Directory administration and improve your ability to achieve and maintain compliance. In addition, solutions from NetIQ decrease the cost and complexities associated with administering Active Directory.

About NetIQ

NetIQ is an enterprise software company with a relentless focus on customer success. Customers and partners choose NetIQ to cost-effectively tackle information protection challenges and IT operations complexities. Our portfolio of scalable, automated management solutions for Security & Compliance, Identity & Access, and Performance & Availability, and our practical, focused approach to solving IT challenges, help customers realize greater strategic value, demonstrable business improvement and cost savings over alternative approaches.

For more information, visit NetIQ.com.