Description: Exciting presentation on how to handle privileged users in Active Directory with regard to security and compliance, using a simple tool
Risk Management of Privileged Users
June, 2014
Understanding the Challenge
The situation for privileged users
Often these accounts are non-personal
They are created during projects for a specific task
They have a clear and static set of entitlements
When they are created, no end date is foreseen
That creates challenges
Often privileged accounts do not get cleaned up
Nobody knows how many there are
Nobody knows which entitlements they have
Nobody knows which ones are no longer in use
Which steps do you need to follow to get back in control?
Step 1: Discover
In the Discovery phase all NPAs (non-personal accounts) / privileged accounts are detected within the infrastructure. For most of those we can assess right away whether they are still actively being used or not.
Step 2: Monitor
For those accounts for which it cannot be established directly if or how they are being used, a monitoring process is started.
Step 3: Clean Up!
All NPAs / privileged accounts that are no longer being used are decommissioned during the third phase: the Clean Up.
Step 4: Manage
All accounts are put into a managed lifecycle. Responsibility is placed under a role, owned by a 'normal' identity, and an expiration date is added.
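The four steps above, as an added example written for this page and not taken from the NetIQ deck or from DRA: it uses only the RSAT ActiveDirectory module and a domain controller's Security log. The group list, the 90-day "stale" threshold, the 180-day expiry, the -Enforce switch (everything is report-only without it) and the names DC01 and jdoe in the usage lines are this example's own assumptions.

```powershell
# Added example (not NetIQ or DRA code). Assumes the RSAT ActiveDirectory module,
# an account that can read group membership and write the attributes used below,
# and read access to the domain controller's Security log. Thresholds, the group
# list and the names DC01 / jdoe are this example's own choices.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'
$StaleAfterDays = 90

# Step 1: Discover. Resolve each high-privilege group transitively so a nested
# group cannot hide a member. LastLogonDate comes from lastLogonTimestamp, which
# replicates only about every 14 days, so treat it as a coarse signal.
function Get-PrivilegedAccount {
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties LastLogonDate, PasswordLastSet, Enabled,
                                   Manager, AccountExpirationDate, Description |
            Select-Object SamAccountName, DistinguishedName, Enabled, LastLogonDate,
                          PasswordLastSet, Manager, AccountExpirationDate,
                          @{ Name = 'PrivilegedGroup'; Expression = { $group } }
    }
}

# Decide which phase handles the account next. Kept separate from the AD query
# so the rule can be exercised on constructed objects.
function Get-AccountPhase {
    param([Parameter(Mandatory, ValueFromPipeline)] $Account,
          [datetime] $Now = (Get-Date))
    process {
        $cutoff = $Now.AddDays(-$StaleAfterDays)
        $phase = if (-not $Account.Enabled)                  { 'CleanUp' }  # disabled but still privileged
                 elseif ($null -eq $Account.LastLogonDate)   { 'Monitor' }  # no usable logon data yet
                 elseif ($Account.LastLogonDate -lt $cutoff) { 'CleanUp' }  # unused for > $StaleAfterDays days
                 else                                        { 'Manage'  }  # in use: owner + expiry needed
        [pscustomobject]@{ SamAccountName  = $Account.SamAccountName
                           PrivilegedGroup = $Account.PrivilegedGroup
                           LastLogonDate   = $Account.LastLogonDate
                           Phase           = $phase }
    }
}

# Step 2: Monitor. Every domain logon by the account produces a Kerberos TGT
# request (event 4768) on the DC that served it, so those events answer
# "is it used, and from where?" without touching the account itself.
function Get-AccountUsage {
    param([string] $SamAccountName, [string] $DomainController, [int] $Days = 30)
    $xpath = "*[System[EventID=4768] and EventData[Data[@Name='TargetUserName']='$SamAccountName']]"
    Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-$Days) } |
        Select-Object TimeCreated, MachineName
}

# Step 3: Clean Up. Strip the privileged membership and disable rather than
# delete, so the object and its SID can still be restored. Removal works for
# direct members only; a member inherited via a nested group must be removed
# from that intermediate group.
function Invoke-AccountCleanUp {
    param([Parameter(Mandatory)] $Account, [switch] $Enforce)
    $note = "Privileged-account review $(Get-Date -Format yyyy-MM-dd): no use in $StaleAfterDays days"
    Remove-ADGroupMember -Identity $Account.PrivilegedGroup -Members $Account.SamAccountName -Confirm:$false -WhatIf:(-not $Enforce)
    Disable-ADAccount -Identity $Account.SamAccountName -WhatIf:(-not $Enforce)
    Set-ADUser -Identity $Account.SamAccountName -Description $note -WhatIf:(-not $Enforce)
}

# Step 4: Manage. Tie the account to a named owner (the 'normal' identity in the
# slide) and give it the expiry it never had at creation time.
function Set-AccountLifecycle {
    param([Parameter(Mandatory)] $Account, [Parameter(Mandatory)] [string] $OwnerSamAccountName,
          [int] $ValidForDays = 180, [switch] $Enforce)
    $owner = Get-ADUser -Identity $OwnerSamAccountName
    Set-ADUser -Identity $Account.SamAccountName -Manager $owner.DistinguishedName `
               -AccountExpirationDate (Get-Date).AddDays($ValidForDays) -WhatIf:(-not $Enforce)
}

# Usage (report-only until -Enforce is passed to the write functions):
#   $review = Get-PrivilegedAccount | Get-AccountPhase
#   $review | Group-Object Phase | Select-Object Name, Count
#   $review | Where-Object Phase -eq 'Monitor' | ForEach-Object { Get-AccountUsage $_.SamAccountName -DomainController 'DC01' }
#   $review | Where-Object Phase -eq 'CleanUp' | ForEach-Object { Invoke-AccountCleanUp $_ }
#   $review | Where-Object Phase -eq 'Manage'  | ForEach-Object { Set-AccountLifecycle $_ -OwnerSamAccountName 'jdoe' }
```

Run the discovery and classification first and review the counts before passing -Enforce to anything; the classification deliberately sends accounts with no logon data to the Monitor phase instead of disabling them, because a service account that authenticates only via Kerberos on a rarely replicated DC can look unused for weeks.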
Focus on the basics
Enforce access controls
Monitor user activity
Minimize rights
How to make your Active Directory safe and compliant
© 2012 NetIQ Corporation. All rights reserved.
The Current State of Active Directory: Where are we at? Where are we going?
Security: Demand for better controls over user permissions and changes, richer reporting and auditing capabilities
Critical: Active Directory's role in the enterprise is evolving to meet business demands
Native: Microsoft native tools lack fine-tuned administration features
Automation: Automating processes could decrease workload and simplify compliance
What NetIQ Provides: NetIQ Directory and Resource Administrator
• Features
‒ Secure delegated administration
‒ Centralized auditing & reporting of account management tasks
‒ Automation of repetitive tasks
‒ Enforcement of account policies
• Benefits
‒ Reduces administration costs
‒ Increases administration efficiency
‒ Assures enterprise security
‒ Helps achieve compliance
Secure, Delegated Administration: NetIQ Directory and Resource Administrator
• What is it?
‒ Dramatically simplifies the delegation of administrative entitlements across Active Directory
• Benefits
‒ Reduces the number of native privileged accounts
‒ Delegates administrative tasks out across the organization
‒ Using ActiveView technology, administrators only see what they are allowed to manage
Puts greater control over administrative capabilities, assuring the security of Active Directory
Centralized Auditing of Administration: NetIQ Directory and Resource Administrator
• What is it?
‒ Captures all account management activities
‒ Identifies who did what, when, and where
• Benefits
‒ Enforcement of activity auditing
‒ Capturing & centralizing activities in a multi-master environment
‒ Condenses and interprets the native AD security audit log
‒ Complete audit trail
Helps achieve regulatory compliance and security best practices
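What "who did what, when, and where" looks like when reduced from the native Security log by hand, as an added example written for this page rather than DRA's own auditing: the two event XML strings below are constructed samples (DC01, CORP\jdoe and svc-backup are made up), and the commented Get-WinEvent line shows how to feed real events from a domain controller instead. The event-ID-to-action table covers only the user and group-membership events the example handles.

```powershell
# Added example (not NetIQ or DRA code). Reduces native account-management
# events to one who/what/when/where record each. Sample events are constructed.
$AccountManagementEvents = @{
    4720 = 'created user';                     4726 = 'deleted user'
    4722 = 'enabled user';                     4725 = 'disabled user'
    4724 = 'reset password of';                4738 = 'changed user'
    4740 = 'locked out user';                  4767 = 'unlocked user'
    4728 = 'added member to global group';     4729 = 'removed member from global group'
    4732 = 'added member to local group';      4733 = 'removed member from local group'
    4756 = 'added member to universal group';  4757 = 'removed member from universal group'
}

function ConvertTo-AdminAuditRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        # local-name() sidesteps the default namespace on <Event>.
        $x  = [xml] $EventXml
        $id = [int] $x.SelectSingleNode("//*[local-name()='EventID']").InnerText
        if (-not $AccountManagementEvents.ContainsKey($id)) { return }   # not an account-management event
        $data = @{}
        foreach ($d in $x.SelectNodes("//*[local-name()='Data']")) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        # Group-membership events carry the member in MemberName and the group in
        # TargetUserName; user events carry the affected user in TargetUserName.
        $target = if ($data.ContainsKey('MemberName')) {
                      "$($data.MemberName) -> $($data.TargetDomainName)\$($data.TargetUserName)"
                  } else { "$($data.TargetDomainName)\$($data.TargetUserName)" }
        [pscustomobject]@{
            When  = [datetime] $x.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')
            Who   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            What  = "$($AccountManagementEvents[$id]) $target (event $id)"
            Where = $x.SelectSingleNode("//*[local-name()='Computer']").InnerText
        }
    }
}

# Constructed sample: jdoe creates svc-backup, then adds it to Domain Admins.
$SampleUserCreated = @'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>
<Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4720</EventID>
<TimeCreated SystemTime='2014-06-02T08:14:05.0000000Z'/><Computer>DC01.corp.example</Computer></System>
<EventData><Data Name='TargetUserName'>svc-backup</Data><Data Name='TargetDomainName'>CORP</Data>
<Data Name='TargetSid'>S-1-5-21-1-2-3-1105</Data><Data Name='SubjectUserName'>jdoe</Data>
<Data Name='SubjectDomainName'>CORP</Data><Data Name='SubjectUserSid'>S-1-5-21-1-2-3-1001</Data></EventData></Event>
'@
$SampleMemberAdded = @'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>
<Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4728</EventID>
<TimeCreated SystemTime='2014-06-02T08:15:30.0000000Z'/><Computer>DC01.corp.example</Computer></System>
<EventData><Data Name='MemberName'>CN=svc-backup,OU=Service Accounts,DC=corp,DC=example</Data>
<Data Name='MemberSid'>S-1-5-21-1-2-3-1105</Data><Data Name='TargetUserName'>Domain Admins</Data>
<Data Name='TargetDomainName'>CORP</Data><Data Name='SubjectUserName'>jdoe</Data>
<Data Name='SubjectDomainName'>CORP</Data></EventData></Event>
'@

$SampleUserCreated, $SampleMemberAdded | ConvertTo-AdminAuditRecord | Sort-Object When | Format-Table -AutoSize

# Real events from a domain controller (needs read access to its Security log):
#   Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security'; Id = [int[]] $AccountManagementEvents.Keys } |
#       ForEach-Object { $_.ToXml() } | ConvertTo-AdminAuditRecord
```

Each DC logs only the changes it processed, which is the multi-master problem the slide refers to: to get a complete trail you run the Get-WinEvent line against every domain controller and merge the results by When, or forward the Security logs to one collector first.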
Reporting Center Console
‒ The Reporting Center Console allows you to view, configure, and create reports based on data collected by DRA servers.
Enforcement of Account Policies: NetIQ Directory and Resource Administrator
• What is it?
‒ Ensures policy is enforced across administrative-related activities
• Benefits
‒ Content control through data validation policies
‒ Data correctness and compliance
‒ Assures content consistency as well as contextual control
‒ What and when changes are made
‒ Ability to review and roll back deleted objects
Assures data integrity, accuracy, and improved control over changes
Automation of Repetitive Tasks: NetIQ Directory and Resource Administrator
• What is it?
‒ Facilitates the automation of repetitive activities to reduce the level of required human interaction
• Benefits
‒ Assures that all steps are carried out correctly, in order, and completely
‒ Ability to integrate and launch 3rd-party applications and scripts from within the console
‒ Examples: Mailbox creation, disk quota reporting and more
Increases administrator efficiency
Privileged User Management (diagram, built up over several slides)
Microsoft AD sits at the bottom, with an administration layer placed on top of it; both Privileged Users and the Delegated Admin reach Microsoft AD through that layer. Slide by slide, the administration layer gains:
‒ Granular Delegated Administration
‒ Recycle Bin for Easy Restoration
‒ Full Audit Trail & Enhanced Reporting
‒ AD user provisioning through DRA, fed by Identity Manager
© 2014 NetIQ Corporation and its affiliates. All Rights Reserved.
Thank you.
+1 713.548.1700 (Worldwide)
888.323.6768 (Toll-free)
[email protected]
Worldwide Headquarters: 1233 West Loop South, Suite 810, Houston, TX 77027, USA
www.netiq.com/communities
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
Copyright © 2014 NetIQ Corporation. All rights reserved.
ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other countries.