Compliance

Upload: netbr

Post on 02-Nov-2014

Page 1: Compliance

Compliance

Page 2: Compliance

Quest Compliance Suite

• Visibility to an expected configuration state (server hardening document)

• Visibility to an expected operational policy (user provisioning process)

• Visibility of end user access (permissions)

• Forensic analysis to determine who, what, when and how the deviation occurred from the assess phase

• Notify of any changes to the expected state

• Preventative controls to address the deviation from ever occurring in the first place

• Address issue immediately

• Document that the deviation is an exception and therefore authorized

Quest Compliance Suite for Exchange, for File Access, for SharePoint *

Page 3: Compliance

Quest ActiveRoles Server

Practical Provisioning, Management, and Security for Active Directory, AD LDS and Beyond

Page 4: Compliance

Introducing ActiveRoles Server

Practical Provisioning, Management, and Security for Active Directory, AD LDS and Beyond

ActiveRoles Server offers a practical approach to automated Active Directory user provisioning and administration, for maximum security and efficiency.

Page 5: Compliance

Key Features

• Provisioning
  – End-to-End User and Group Lifecycle Management
  – Automatic User and Group Provisioning and Deprovisioning

• Management
  – Unified Active Directory and Active Directory Lightweight Directory Services (AD LDS, formerly ADAM) Management
  – Automated group management
  – Interfaces for Day-to-Day administrators, Help Desk, and end user self-service
  – ADSI and PowerShell support for extensibility

• Security
  – Controlled Administration through Roles and Rules for a true least privilege model
  – Approval Workflow for Change Control
  – Centralized Auditing & Reporting

• Add-on Applications
  – Quickly and easily connect to an existing HR/ERP system or ILM 2007 (MIIS) to provision and synchronize Active Directory
  – Simplified Exchange Resource Forest Management from a single console
  – Protection for critical DNS Services
  – Compliant & Secure Access Management through Group Membership Self-Service

Page 6: Compliance

ActiveRoles Server

Provisioning

Page 7: Compliance

Identity Lifecycle Management

New User is Provisioned (Hire)
- User Account Creation
- Mailbox and Home Folders Creation
- Group and Distribution List Memberships
- Access to Applications Granted
- Accounts in Connected Systems Created
- E-mail notifications

Identity Administration
- Information updates
- Group and Distribution List Membership Changes
- Self-service

Reprovisioning (Promotion)
- Promotions or Transfers
- Project Assignments
- Information updates

Deprovision (Retire)
- Employment Status Changes
- Disable Accounts
- Disable Access to Resources
- Assign Entitlements to others

Page 8: Compliance

Automated User and Group Provisioning

Create User

Page 9: Compliance

ActiveRoles Server

Management

Page 10: Compliance

Efficient Group Management

• Efficiency
  – Extensive Group Management functionality saves time, makes administrators more efficient, reduces errors, and ensures accuracy by applying consistent policies
  – Improves administrator efficiency while reducing mistakes and security concerns
  – Exclude criteria provide a separation of duties capability

• Group Membership Rules
  – Automatically add users to groups based on a common set of policy rules

• Dynamic Groups and Group Families
  – Automatically add or remove users to groups according to a set of query-based criteria
  – Bulk creation and population of groups

Page 11: Compliance

Web-Based Day-to-Day Admin and Help Desk Web Consoles

• Simplifies day-to-day tasks and reduces administrative costs

• Provides alternate console for managing Active Directory

• Configurable with Point-and-click simplicity to meet customer needs

• Complete management of user, group, computer, and Microsoft Exchange

• Built with the latest ASP.NET technology

Page 12: Compliance

Empower Users Through Self-Service

• Off-load personal information management with Self-Service
  – Decreases help desk calls and IT time
  – Exchange GAL more accurate (info updated more easily/often)
  – Allows employees to determine what personal info is published

Users can modify their own personal data through an easy-to-use Self-Service web interface, allowing IT to oversee but not perform these time-consuming tasks.

Page 13: Compliance

Extensibility

• ADSI Scripting
  – Provides support for Active Directory Service Interfaces (ADSI) that is subject to Rules, Roles and Reporting
  – SDK included

Page 14: Compliance

ARS Mgmt Shell for AD

What is PowerShell?
– New command line interface from Microsoft
  • More “Unix”-like usage
  • The foundation of Exchange 2007

Why is PowerShell Important for ActiveRoles?
– Provides a command line for ActiveRoles Server
  • Simplifies bulk operations
  • Commands work with or without ActiveRoles Server, but maximum benefit only comes with ActiveRoles ownership
– ActiveRoles (at Microsoft’s request) is the first and only product to provide PowerShell commands for Active Directory
– Commands are subject to Rules, Roles and Approvals

Page 15: Compliance

Controlled Administration with Roles and Rules

• Provides an administrative layer between users and Active Directory, for strict enforcement of operating policies and to eliminate unregulated access
  – Enforces the “Least Privilege” Model

• Allows for centralized auditing and reporting of directory-related changes

• Simplifies the process of delegating rights by abstracting the required delegation into roles (or templates) that can be quickly deployed and easily maintained

• Controls the administrative rights that individual accounts and groups get in Active Directory through role-based delegation

• Provides full reporting and import/export capabilities

• Provides multi-forest support

Page 16: Compliance

Roles Based Delegation

Diagram (columns: Job Function, Roles, Access): job functions AD Architect, Sr. Administrator, OU Admins / Help Desk, Application / Data Owners, Exchange Admins and End user Self-Service are mapped to the roles Full Control, Day-to-Day Admin, Service Desk, App/Data Owners, Mailbox Admin and Self-Service, which carry access rights such as Create Users/Groups, Create Groups, Reset Passwords, Unlock Accounts, Change Group Membership, Create Mailbox, Move Mailbox, Update personal Information and Request Changes. The managed targets shown are Active Directory (OUs including Computers, Domain Controllers, APAC, EMEA, North America, New York and Mexico City), AD LDS (ADAM Objects) and DNS Servers (DNS Records).

Page 17: Compliance

Prevent Unwanted Change with Approval Workflow

Provides segregation of duties and tracking of requests and responses to help with security and compliance.

Diagram: the Application or Data Owner, Assistants, IT Administrator and Owner interact through the Management Solution, with Approval Workflow, Attestation Review, Verification Reports, Manage Group Membership or Review (+/-) and Remediation (Deprovision Groups) feeding IT Oversight.

Page 18: Compliance

Centralized Reporting and Change History

Operations Tracking

Compliance Checking

On-line Administrator Activity Tracking

Page 19: Compliance

Quest Intrust

SIEM & AD, File and Exchange Protection

Page 20: Compliance

What if you could…

• Obtain real-time, detailed tracking of all changes to Active Directory (AD) and Group Policy settings?

• Take corrective actions for undesired changes in AD and ADAM, eliminating downtime and security breaches caused by accidental deletions or modifications?

• Be notified in real-time when critical events and changes are detected in AD, ensuring your awareness of possible security violations and destructive changes?

• Ensure adherence to compliance regulations and internal policies by tracking all activity in your Active Directory environment?

• Protect Active Directory by preventing changes to the most critical Active Directory objects, down to the attribute level including Group Policy Object settings?

Page 21: Compliance

InTrust Architecture Overview

Diagram components: InTrust Server, InTrust Repository, Quest Knowledge Portal and SQL Server SRS, with flows labelled Store, Reports and Real-Time.

• Automated log collection

• Ensures Log Integrity

• Compressed, long-term storage

• Correlated Reporting

• Real-time Monitoring (Alerts)

Page 22: Compliance

Sample InTrust Report: Audit Collection Services

Page 23: Compliance

Configure File Access Audit from a Central Location

• Agents and reports can be deployed and configured from a single location

• Admins can manage all agent activity from a single console

Page 24: Compliance

Configure File Access Audit from a Central Location

With the Lockdown feature you have the option to allow access to all users or to specific accounts only.

Page 25: Compliance

Sample reports with drill-down functionality which enables you to find exactly what you are looking for

All recently deleted files, by user

All file access activity performed by that user

Page 26: Compliance

More sample reports…

Drill-down information from the file highlighted in red, showing all modifications to that file and by whom.

Page 27: Compliance

Quest Reporter

Baseline, Compliance and Configuration

Page 28: Compliance

What if you could…

• Audit administrative rights on your domains, workstations and servers?

• Ensure that privileges that are granted are in conformance with your formal security policies?

• Provide configuration reports quickly with the most current information?

• Have the capability to take action on violations to security policies?

• Know what changes have taken place to objects in the directory?

• Satisfy the needs of different data consumers in your organization?

Page 29: Compliance

Here’s how it works

Page 30: Compliance

User Properties Report

Page 31: Compliance

NTFS Security Report

Page 32: Compliance

Quest Compliance Suite

• Visibility to an expected configuration state (server hardening document)

• Visibility to an expected operational policy (user provisioning process)

• Visibility of end user access (permissions)

• Forensic analysis to determine who, what, when and how the deviation occurred from the assess phase

• Notify of any changes to the expected state

• Preventative controls to address the deviation from ever occurring in the first place

• Address issue immediately

• Document that the deviation is an exception and therefore authorized

Quest Compliance Suite for Exchange, for File Access, for SharePoint *