Document that the deviation is an exception and therefore authorized
Quest ActiveRoles Server Practical Provisioning, Management, and Security for Active Directory, AD LDS and Beyond
Introducing ActiveRoles Server
ActiveRoles Server offers a practical approach to automated Active Directory user provisioning and administration, for maximum security and efficiency.
Key Features
Provisioning: End-to-End User and Group Lifecycle Management; Automatic User and Group Provisioning and Deprovisioning
Management: Unified Active Directory and Active Directory Lightweight Directory Services (AD LDS – formerly ADAM) Management; Automated group management; Interfaces for Day-to-Day administrators, Help Desk, and end user self-service; ADSI and PowerShell support for extensibility
Security: Controlled Administration through Roles and Rules for a true least privilege model; Approval Workflow for Change Control; Centralized Auditing & Reporting
Add-on Applications: Quickly and easily connect to existing HR/ERP system or ILM 2007 (MIIS) to provision and synchronize Active Directory; Simplified Exchange Resource Forest Management – from a single console; Protection for critical DNS Services; Compliant & Secure Access Management through Group Membership Self-Service
Efficient Group Management
Efficiency: Extensive Group Management functionality saves time, makes administrators more efficient, reduces errors, and ensures accuracy through the application of consistent policies. Improves administrator efficiency while reducing mistakes and security concerns. Exclude criteria provide separation of duties capability.
Group Membership Rules: Automatically add users to groups based on a common set of policy rules.
Dynamic Groups and Group Families: Automatically add users to or remove users from groups according to a set of query-based criteria. Bulk creation and population of groups.
Web Based Day-to-Day Admin and Help Desk Web Consoles
Simplifies day-to-day tasks and reduces administrative costs
Provides alternate console for managing Active Directory
Configurable with point-and-click simplicity to meet customer needs
Complete management of user, group, computer, and Microsoft Exchange
Built with the latest ASP.NET technology
New command line interface from Microsoft
More “Unix” like usage
The foundation of Exchange 2007
Why is PowerShell Important for ActiveRoles?
Provides a command line for ActiveRoles Server
Simplifies bulk operations
Commands work with or without ActiveRoles Server, but maximum benefit only comes with ActiveRoles ownership
ActiveRoles (at Microsoft’s request) is the first and only product to provide PowerShell commands for Active Directory
Commands are subject to Rules, Roles and Approvals
Microsoft PowerShell
Controlled Administration with Roles and Rules
Provides administrative layer between users and Active Directory, for strict enforcement of operating policies and to eliminate unregulated access - Enforces “Least Privilege” Model
Allows for centralized auditing and reporting of directory-related changes
Simplifies the process of delegating rights by abstracting the required delegation into roles (or templates) that can be quickly deployed and easily maintained
Controls the administrative rights that individual accounts and groups get in Active Directory through role-based delegation
Provides full reporting and import/export capabilities
Provides multi-forest support
Roles Based Delegation
[Diagram: job functions (Sr. Administrator, Exchange Admins, OU Admins / Help Desk, Application / Data Owners, End user Self-Service) mapped across three columns: Job Function, Roles, Access]
Prevent Unwanted Change with Approval Workflow
[Workflow diagram; labels: Management Solution, Remediation (Deprovision Groups), Application or Data Owner, Approval Workflow, Manage Group Membership, Owner Attestation Review, IT Oversight, Verification Reports, IT Administrator]
Provides segregation of duties and tracking of requests and responses to help with security and compliance
Quest InTrust: SIEM & AD, File and Exchange Protection
What if you could…
Obtain real-time, detailed tracking of all changes to Active Directory (AD) and Group Policy settings?
Take corrective actions for undesired changes in AD and ADAM, eliminating downtime and security breaches caused by accidental deletions or modifications?
Be notified in real-time when critical events and changes are detected in AD, ensuring your awareness of possible security violations and destructive changes?
Ensure adherence to compliance regulations and internal policies by tracking all activity in your Active Directory environment?
Protect Active Directory by preventing changes to the most critical Active Directory objects, down to the attribute level including Group Policy Object settings?
InTrust Architecture Overview
[Architecture diagram; components labelled: InTrust Server, Reports, Real-Time Store, SQL Server, SRS, Quest Knowledge Portal, InTrust Repository]
Configure File Access Audit from a Central Location
Agents and reports can be deployed and configured from a single location
Admins can manage all agent activity from a single console
Configure File Access Audit from a Central Location
With the Lockdown feature you have the option to allow access to all users or specific accounts only
Sample reports with drill-down functionality which enables you to find exactly what you are looking for
All file access activity performed by that user
All recently deleted files and by user
More sample reports…
Drill-down information from the file highlighted in red, showing all modifications to that file and by whom
Quest Reporter: Baseline, Compliance and Configuration
What if you could…
Audit administrative rights on your domains, workstations and servers?
Ensure that privileges that are granted are in conformance with your formal security policies?
Provide configuration reports quickly with the most current information?
Have the capability to take action on violations to security policies?
Know what changes have taken place to objects in the directory?
Satisfy the needs of different data consumers in your organization?