Scrubbing your Active Directory Squeaky Clean!

Chris Radband, Senior Solutions Consultant



Bytes Technology identified Active Directory issues within their customer base, so they brought in NetIQ as a strategic partner. This deck outlines how scrubbing your environment clean with the right tools and processes will help you keep your Active Directory environment consistent, manageable, auditable and efficient.


© 2011 NetIQ Corporation. All rights reserved.

Let's talk about…

• Cleaning up your Active Directory

• What’s happening in your environment today

• Controlling changes in your environment, e.g. user lifecycle management

• Empowering the user with self-service

2013 NetIQ Corporation. All rights reserved.

Active Directory clean-up


Challenges of an unmanaged Active Directory Estate

• Inactive Users

• Disabled Users

• Locked out users

• Expired Users

• Passwords never set to expire

These illustrate just a few common security risks, performance impacts and contributors to audit failures seen in many environments of all sorts of sizes.


Active Directory Environmental Clean-up

• Security Groups with no members

• Nested Security Groups

• Stale Computer Accounts

• Mixed-Naming conventions

• Reducing the number of Power Users


How do you deal with Clean-up today?

*Source: http://www.codeproject.com/Articles/18621/VBScript-to-Disable-Old-Accounts-in-Active-Directo


Scripted and manual clean-up tasks are often labour intensive, limited in functionality, inaccurate and at worst can have all sorts of unexpected results!


Automated Clean-up of Inactive Accounts


Discovery: Process runs to determine which accounts are inactive

Action: Request administrator or manager approval to disable account

Remediation: Account is disabled and therefore secured


What are today’s challenges, right now?


Regulatory & Oversight Pressures

Internal Audit

Board of Directors – Oversight Groups


Worst case scenario…



• Minimises the risk associated with Operational changes

• Satisfying audit requirements/achieving compliance with regulations such as ISO 27001/2, Sarbanes-Oxley and PCI DSS

• Identify Change when it happens

• Catalogue managed and unmanaged changes

• Detect high-profile changes

• Provides detailed AD/GPO change history

• Centrally record and audit AD/GPO changes

• Easily integrates into your existing AD change process

• Feeding events back up to your monitoring infrastructure

Increasing audit and compliance requirements…not to mention good-practice!


Monitor for unmanaged GPO Changes


Be proactive: GPO change: Email report sent to administrators


Regaining Control…


• Why is it important?

• The more granular the better, but with no added complexity

• Something which defines:

- WHO – who are we delegating control to (for Active Directory)

- WHAT – what functionality/permissions are we delegating to the individual(s)

- WHERE – which objects are we allowing these individuals to exercise their permissions on (most likely containing multiple objects)

• Capable of managing an enterprise environment

• Report on delegation

• Controlled way to make changes to environment


Managing Privileged/Non-privileged Users


Just in Time Automated Access


• Reducing the human element

• Increasing Security & compliance

• Does it increase consistency?

• Is it truly efficient and does it save time?

• Does the process work for your business today?

• Can it accommodate the changes of


User Provisioning, User De-provisioning, User Re-provisioning


Empowering the User…


• It may seem straightforward to us but the statistics are scary!

– 64% - end users that write passwords down

– 65% - use the same password for multiple accounts

– 82% - have forgotten a password

– 76% - intrusions exploit weak or stolen credentials

• Instead, give users the ability to reset their password anytime and anyplace (at work, at home, or on the road)

– Increased productivity – lower TCO

– Helpdesk freed to perform higher value tasks

– Users don’t have to wait for their password to be reset

– Increased security

– Users less likely to write password down on paper

– Challenge questions provide higher security than phone-based user validation

– Password rules enable consistent enforcement of password policy

Password Management


More than just Self Service Password Reset...

• Further Frees up IT Resources

• Giving the business users an On-Demand Service

• Controlled way to deal with user requests

• Being able to provide a timely response

• Requesting access to resources

• Mailbox Size Quota Increase Request

• Group membership change request

Empowering the Business User: Self Service Administration


• Directory and Resource Administrator

• Aegis

• Group Policy Administrator

• Change Guardian for Active Directory

• Self-Service Password Reset

See NetIQ.com/Products

NetIQ Solutions

