Directory Resource Administration
NetIQ Directory and Resource Administrator
Effortless, delegated Active Directory administration
Jean-Philippe Sanchez, NetIQ France Sales Engineer
Agenda
• Critical Role of Active Directory
• Active Directory Management Challenges
• NetIQ Directory and Resource Administrator
• Demo
• Directory and Resource Administrator (DRA) Advanced
• Demo
© 2012 NetIQ Corporation. All rights reserved.
The Critical Role of Active Directory

The Current State of Active Directory
Where are we at? Where are we going?
• Critical: Active Directory’s role in the enterprise is evolving to meet business demands
• Native: Microsoft native tools lack fine-tuned administration features
• Automation: Automating processes could decrease workload and simplify compliance
• Security: Demand for better controls over user permissions and changes, richer reporting and auditing capabilities
Active Directory is Mission Critical
• Active Directory’s role in the enterprise
  – Central identity store
    – Multiple platforms
    – Important applications
  – Gatekeeper
    – Sensitive user information
    – Critical corporate data
  – The cost of failure is high
    – Active Directory service interruption
    – Security and privacy breach
Active Directory Management Challenges

Active Directory – Security
• Secure administration is cumbersome with native tools
  – Administration is highly manual
    – Manual changes introduce more security risk and errors
  – Lacks change control
    – No inherent change control approval processes
  – Inability to granularly delegate or control user permissions
    – Difficult to simply delegate “reduced permissions” to specific people
  – Insufficient reporting and auditing capabilities
    – Cannot easily produce reports on who made changes
    – Showing level of access or user activity is difficult
Active Directory – Management
• Change is constant
  – Active Directory reflects the business
  – IT staff spends time making reactive changes
• Limited resources and budget
  – Less technical tasks should be delegated
  – Routine tasks could be automated
• Nearly impossible to report on delegated permissions
  – Once the delegation wizard is closed, significant work is required to identify who has access to what
The Impact of Complexity

A False Sense of Security
• Many people feel secure, but ignore these common problems:
  – Too many domain administrators
    – Results in “risky” escalation of privileges
  – “Least privilege” not enforced
    – Users have more privileges than they need for indefinite periods of time
  – Limited visibility
    – Difficult or impossible to determine the who, what, where, when and how of Active Directory changes
NetIQ Directory and Resource Administrator

What NetIQ Provides
NetIQ Directory and Resource Administrator
• Features
  – Secure delegated administration
  – Centralized auditing & reporting of account management tasks
  – Enforcement of account policies
• Benefits
  – Reduces administration costs
  – Increases administration efficiency
  – Assures enterprise security
  – Helps achieve compliance
Secure, Delegated Administration
NetIQ Directory and Resource Administrator
• What is it?
  – Dramatically simplifies the delegation of administrative entitlements across Active Directory
• Benefits
  – Reduces the number of native privileged accounts
  – Delegate administrative tasks out across the organization
  – Using ActiveView technology, administrators only see what they are allowed to manage
Puts greater control over administrative capabilities, assuring the security of Active Directory
Centralized Auditing of Administration
NetIQ Directory and Resource Administrator
• What is it?
  – Captures all account management activities
  – Identifies who did what, when, and where
• Benefits
  – Enforcement of activity auditing
  – Capturing & centralizing activities in a multi-master environment
  – AD security audit log conciseness & interpretation
  – Complete audit trail
Helps achieve regulatory compliance and security best practices
Enforcement of Account Policies
NetIQ Directory and Resource Administrator
• What is it?
  – Ensures policy is enforced across administration-related activities
• Benefits
  – Content control through data validation policies
  – Assures content consistency as well as contextual control
  – What and when changes are made
  – Ability to review and roll back deleted objects
  – Data correctness and compliance
Assures data integrity, accuracy, and improved control over changes
Demo
Directory and Resource Administrator (DRA) Advanced
Challenges with Native Administration
• Difficult to Securely Delegate Entitlements
  – Native controls inflexible, scale poorly, and difficult to change
  – Assistant administrators see everything, regardless of whether they can manage it or not!
• Near Impossible to Report on Delegated Permissions
  – Once the delegation wizard is closed, significant work is required to identify who has access to what!
• Poor Control Over Content Going into Active Directory
  – No content/context policy enforcement
  – Risk of directory pollution
• No Web-based Administration
  – Requires the ADUC interface
• No Automation of Repetitive Activities
  – Repetitive tasks subject to risk from errors
• Difficult to Restore Deleted Active Directory Objects
  – AD objects can only be recovered with significant effort
NetIQ Directory and Resource Administrator
DRA Advanced Provides:
§ Secure delegation of privileged administration access
§ Centralized auditing & reporting of account management tasks
§ Enforcement of account policies
§ Automation of repetitive activities
Customer Benefits:
§ Reduces administration costs
§ Increases administration
Automation of Repetitive Activities
What is it?
Facilitates the automation of repetitive activities to reduce the level of required human interaction.
Benefits
§ Assures that all steps are carried out correctly, in order, and completely
§ Ability to integrate and launch 3rd-party applications and scripts from within the console
§ Examples include:
  – AD Provisioning / Deprovisioning
  – Self Empowerment (JIT delegation)
  – AD Maintenance
  – Compliance Reporting/Signoff
  – More …
Automation (Provisioning Example)
HR System (SAP, PeopleSoft, Remedy, etc.)
1. Data entered in HR system
2. NetIQ workflow engine provisions account (sends approval request, etc.)
3. Role assigned based on job code, site code, etc.
4. Access automatically granted to various systems/applications based on AD group membership assigned.
5. IT services automatically provisioned (hardware, BB, OCS, etc.)
6. Ticket automatically opened/closed in Remedy for documentation.
7. All parties notified of progress and report sent to manager when complete.
NetIQ Advanced Admin Suite
Automation …
Provisioning Examples with DRA Advanced
Automated User Provisioning
Streamline User Account Creation. Improve Quality of AD Data.
• Problem: Dramatic increase in new user accounts for employees/contractors and 100% annual turnover in retail call center
• Solution:
  – Policy/automation triggers to ensure all required fields are populated
  – Inspection of values as they are entered to ensure they are valid.
  – Template accounts to further streamline the process and ensure consistency
Enforcement of Data Completeness
Automated User De-Provisioning
Disable Accounts Quickly. Remove from Downstream Systems. Ensure SOX Compliance.
• Problem: Large volume of terminations for contractors and other accounts
• Solution:
  – Custom web portal for HR
  – Creates work orders to remove users from downstream systems when HR rep disables account
  – Produces daily log for AD objects owned or managed by the disabled account (users, DLs, security groups, etc.)
  – Sends confirmation to Security for follow-up and remediation
Automated Workflow for Terminations
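One way to produce the "daily log" step of that termination workflow with the Microsoft ActiveDirectory module, as an added example that is not NetIQ's or DRA's code; the 24-hour window, the use of whenChanged as the disable-time clue, and the report path are assumptions:

```powershell
# Added example (not NetIQ's code): list AD objects whose managedBy (groups, OUs)
# or manager (users) attribute still points at an account disabled recently, so
# Security can reassign ownership before the account is removed.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: a DN containing \ ( ) * must not alter the filter we build.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-OrphanedOwnership {
    # $Since defaults to 24 hours ago (assumption: the log runs once a day).
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # whenChanged is the closest native clue to the disable time; the exact moment
    # would come from DC audit logs or DRA's own audit trail.
    $recentlyDisabled = Get-ADUser -Filter { Enabled -eq $false -and whenChanged -ge $Since } -Properties whenChanged

    foreach ($user in $recentlyDisabled) {
        $dn = ConvertTo-LdapFilterValue $user.DistinguishedName
        # Anything that still names this account as its owner or manager.
        Get-ADObject -LDAPFilter "(|(managedBy=$dn)(manager=$dn))" | ForEach-Object {
            [pscustomobject]@{
                DisabledAccount = $user.SamAccountName
                LastChanged     = $user.whenChanged
                OrphanedObject  = $_.DistinguishedName
                ObjectClass     = $_.ObjectClass
            }
        }
    }
}

# Daily CSV for Security follow-up (path is an assumption).
$logPath = "C:\Reports\OrphanedOwnership-$(Get-Date -Format yyyyMMdd).csv"
Get-OrphanedOwnership | Export-Csv -Path $logPath -NoTypeInformation
```

Run it under an account with read access to the whole directory; it only reads AD and writes the CSV, leaving the reassignment of ownership to the Security follow-up the slide describes.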
Critical Security Group Modifications
Prevent Changes to Critical AD Security Groups w/o Pre-Approval. Ensure Compliance.
• Problem: Sensitive AD security groups needed protection against changes
• Solution:
  – Triggers whenever Admin modifies a group object
  – Blocks change if group is flagged as critical
  – Notifies group owner and requests approval to proceed
  – If request is approved, makes the group modification
  – Sends confirmation email to requester and group owner
Automated Workflow for Group Modifications
User Account Extensions
Cost-Effectively Manage Extensions of 1,500+ Accounts that Expire Every 90 Days.
• Problem: Many contractor accounts must be extended (re-enabled) every 90 days
• Solution:
  – Queries AD for accounts expiring within 21 days
  – Emails spreadsheet to all managers of the affected users
  – Managers review, edit and email spreadsheet back
  – Extends the expiration date of approved user accounts
Automated Workflow for User Account Extensions
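The four-step extension workflow above, as an added example (not NetIQ's or DRA's code) written with the Microsoft ActiveDirectory module and Send-MailMessage; the OU, SMTP host, sender address and file paths are assumptions, and the check that only accounts from the batch actually sent out can be extended goes beyond the slide as a defensive addition:

```powershell
# Added example (not NetIQ's code): 21-day expiry query, per-manager review sheet,
# and extension of approved accounts by 90 days, as on the slide.
# Assumptions: contractors sit under $ContractorOU and have the AD "manager" attribute set.
Import-Module ActiveDirectory
$ContractorOU = 'OU=Contractors,DC=example,DC=com'   # hypothetical
$SmtpServer   = 'smtp.example.com'                    # hypothetical
$Pending      = 'C:\Reports\pending-extensions.csv'   # hypothetical
$WindowDays   = 21   # slide: accounts expiring within 21 days
$ExtendDays   = 90   # slide: contractor accounts expire every 90 days

function Get-ExpiringContractors {
    # Step 1: enabled accounts whose expiry falls inside the review window.
    $cutoff = (Get-Date).AddDays($WindowDays)
    Get-ADUser -SearchBase $ContractorOU -Filter { Enabled -eq $true } -Properties AccountExpirationDate, Manager |
        Where-Object { $_.AccountExpirationDate -and $_.AccountExpirationDate -le $cutoff -and $_.Manager }
}

function Send-ReviewSheets {
    # Step 2: keep a copy of the batch, then mail each manager only their own users.
    $expiring = Get-ExpiringContractors
    $expiring | Select-Object SamAccountName, Name, AccountExpirationDate, Manager |
        Export-Csv -Path $Pending -NoTypeInformation
    foreach ($group in ($expiring | Group-Object Manager)) {
        $mgr  = Get-ADUser -Identity $group.Name -Properties mail      # group name is the manager DN
        $file = Join-Path $env:TEMP "extensions-$($mgr.SamAccountName).csv"
        $group.Group | Select-Object SamAccountName, Name, AccountExpirationDate, @{n='Approved';e={'No'}} |
            Export-Csv -Path $file -NoTypeInformation
        $mail = @{
            SmtpServer = $SmtpServer; From = 'iam@example.com'; To = $mgr.mail; Attachments = $file
            Subject    = "Contractor accounts expiring within $WindowDays days: please review"
            Body       = 'Set Approved to Yes for each account to keep, then reply with the sheet attached.'
        }
        Send-MailMessage @mail
    }
}

function Invoke-ApprovedExtensions {
    # Steps 3-4: after the manager replies, extend only rows marked Yes that were in the
    # batch we sent, so an edited or forged sheet cannot extend arbitrary accounts.
    param([Parameter(Mandatory)][string]$ReturnedSheet)
    $allowed = (Import-Csv -Path $Pending).SamAccountName
    foreach ($row in (Import-Csv -Path $ReturnedSheet | Where-Object { $_.Approved -eq 'Yes' })) {
        if ($allowed -notcontains $row.SamAccountName) { Write-Warning "Skipping $($row.SamAccountName): not in batch"; continue }
        Set-ADAccountExpiration -Identity $row.SamAccountName -DateTime (Get-Date).AddDays($ExtendDays)
        Write-Output "Extended $($row.SamAccountName) by $ExtendDays days"
    }
}
```

Verifying the returned sheet really came from the manager (mail authentication or a signed reply) is outside this snippet; the batch check only stops the sheet from naming accounts that were never up for review.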
Solution Benefits
Security. Compliance. Efficiency. ROI.
• ROI – now and later
• Efficiencies gained – hundreds of hours of manual work per month
• Improved Compliance
• Satisfaction of prior year internal audit findings
• Better alignment with the business
• Improved customer satisfaction
Demo
NetIQ AD Operational Change Control (architecture diagram; labels only): Console, Web, DRA, Direct permissions, AD, Unmanaged Changes, Manage Changes, Reporting, DC logs, Automatic Action, Alerts, reports, NetIQ Sentinel, CGAD, CGGP, CGW, Log Archive
Worldwide Headquarters
1233 West Loop South, Suite 810, Houston, TX 77027 USA
+1 713.548.1700 (Worldwide)
888.323.6768 (Toll-free)
[email protected]
NetIQ.com
http://community.netiq.com

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

Copyright © 2012 NetIQ Corporation. All rights reserved.

ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other countries.