Best Practices for Managing & Monitoring Active Directory and Group Policy

Transcription

1 Best Practices for Managing & Monitoring Active Directory and Group Policy Contents March 15, 2007 Introduction...1 Challenges of Administering Windows Environments...2 Successfully Managing Change across Active Directory and Group Policy..4 Managing and Monitoring Change across Active Directory and Group Policy with NetIQ...8 Summary...12 About NetIQ Corporation...13 Both Active Directory and Group Policy have quickly become heavily-relied upon technologies within today s organizations, elevating them both to mission-critical technologies for the continued success of the organization. However, as with any IT technology, an inadvertent or malicious change can quickly disable any infrastructure, and so assuring the security, availability and integrity of that service requires careful management of any and all changes. Through this paper we will discuss the challenges of managing and monitoring changes to Active Directory and Group Policy using native Microsoft tools, and how NetIQ provides an end-toend management solution to assure the continued operation and success of these critical technologies.

2 NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time NetIQ Corporation, all rights reserved. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R (for Department of Defense (DOD) acquisitions) and 48 C.F.R and (for non-dod acquisitions), the government s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Check Point, FireWall-1, Provider-1, SiteManager-1, and VPN-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. ActiveAgent, ActiveAnalytics, ActiveAudit, ActiveReporting, ADcheck, AppAnalyzer, AppManager, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, IntelliPolicy, Knowing is Everything, Knowledge Scripts, Mission Critical Software for E-Business, MP3check, NetConnect, NetIQ, the NetIQ logo, NetIQ Change Administrator, NetIQ Change Guardian, NetIQ Compliance Suite, NetIQ Group Policy Administrator, NetIQ Group Policy Guardian, NetIQ Group Policy Suite, the NetIQ Partner Network design, NetIQ Patch Manager, NetIQ Risk and Compliance Center, NetIQ Security Administration Suite, NetIQ Security Analyzer, NetIQ Security Manager, NetIQ Vulnerability Manager, PSAudit, PSDetect, PSPasswordManager, PSSecure, Server Consolidator, VigilEnt, Vivinet, Work Smarter, and XMP are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies

3 Introduction Since its introduction with Windows 2000, Active Directory has become the de facto corporate directory. While its original intent was to manage the users, computers and devices that could join a domain, today larger organizations are using it as the core to their identity management projects. Increasingly we see Active Directory as the central identity repository and information store for multiple applications, as well as delivering authentication and authorization services across different IT applications and services within an organization s enterprise architecture. Along with its introduction with Active Directory, Group Policy has been a part of the Microsoft operating system for roughly 6 years. Over this time it has been used increasingly by organizations to centralize and automate user, desktop and server configurations as well as manage security policies across those endpoints. With its increasing adoption and success, Microsoft continues to invest heavily in the technology, as demonstrated by the recently-released Vista desktop operating system that introduced roughly 3,000 additional policy settings to the Microsoft platform. While Group Policy is technically part of Active Directory, for the purposes of this whitepaper we treat them as separate entities. When we talk about Active Directory, we are focusing on the store of identities and related information, particularly referring to users, computers, groups and other related IT entities. And, when we refer to Group Policy, we are focusing on the numerous policy settings and architecture that deploys and applies those policies to endpoints (whether it be users or computers). As organizations have increased their use of Active Directory and Group Policy, they have quickly identified the challenges of using the native tools available to manage the environment. Additionally, with the increased reliance on the technologies have come greater requirements from auditors to be able to demonstrate how and where controls have been put in place to accurately monitor and manage the infrastructure. Unfortunately, native tools are just that - tools designed to get the job done, but with little thought to change control processes and requirements that are all-too prevalent in today s regulated and audited world. Organizations need assistance in creating a repeatable, enforceable change process that will ultimately reduce their administrative overhead, while simultaneously helping increase availability and security of their systems. The scope of this whitepaper is not to discuss the different ways in which one can setup an Active Directory schema, nor to cover topics such as the optimal number of policies within a Group Policy Object. Instead this whitepaper will begin by presenting the challenges of managing both Active Directory and Group Policy within organizations using the native management tools, and how those native tools do not scale well to more complicated environments; become difficult to use with numerous administrators; and can not function successfully within widely distributed environments with geographically dispersed management teams. The paper will then present how a managed change control solution can be used to alleviate many of these issues, with the application of a monitoring infrastructure to identify when changes take place, along with a secure and delegated administration capability to streamline the administration of both Active Directory and Group Policy. Finally, the paper will present how NetIQ can assist organizations in meeting these change control requirements with its management and monitoring solutions for Active Directory and Group Policy. Best Practices for Managing & Monitoring Active Directory and Group Policy 1

4 Challenges of Administering Windows Environments Any organization that uses Active Directory and Group Policy will face certain predictable challenges. As the complexity of their infrastructure increases, the challenges surrounding successfully administering that environment become more difficult, especially when it involves multiple people over multiple time zones and/or geographical areas. Common issues experienced in such environments, when using the native tools include: Managing Changes. Particularly in larger or highly political environments, privileged accounts may be distributed across a wide number of people with differing skill sets and knowledge of Active Directory and Group Policy, often resulting in unnecessary escalations in user privileges. Similarly, with a large number of administrators with differing abilities, and especially where the levels of communication of changes are poor, the potential for inconsistent or conflicting changes is huge! Troubleshooting. Changes are not well audited, if at all, within the event logs of the operating system. As such, attempting to determine what changes were made over any period of time, no matter how short, is near-impossible. Rolling back changes. Native tools do not provide version checking or workflow to prevent changes from being permanently written to production. Therefore, to revert to a previously known state relies upon sound backup-restore procedures to be in place and implemented. Complying with audit requirements. Key regulatory requirements (as often touted by auditors) include the capture of information indicating who changed what and when, along with the ability to easily report on that information. Another popular requirement is the division of labor between different roles to prevent conflicts of interest, (e.g., a single individual possessing the ability to request, approve and implement a change) an area termed separation of duties. With the natively available management tools, the level of audit information is extremely poor, and the tools are designed to be used by those with full administrative rights Ultimately, the inability to handle these common issues leads to greater risks to the organization, potentially jeopardizing the security and availability of the IT infrastructure and the information it holds, and/or the financial well-being of the organization. Where corporate policies exist, successfully implementing native tools to provide the necessary controls can be very challenging. Similarly, audit trails for regulatory compliance and audit satisfaction can be difficult to follow (if even readable!), and without careful log management practices are often lost or incomplete. Challenges Managing Active Directory The native mechanism for managing users, computers and groups within Active Directory is through the Microsoft Management Console (MMC), which is provided natively within Microsoft operating systems (Windows 2000 Server and above). MMC is designed to provide a centralized, unified, modular-based management interface through which administrators can manage different applications or services through consoles called snap-ins. The snap-in for managing Active Directory groups within MMC is called the Active Directory Users and Computers (ADUC) control. 2 White Paper

5 To manage Active Directory groups through the ADUC snap-in, the administrator must either be a member of a privileged Active Directory group (i.e., the Account Operators group, Domain Admins group or the Enterprise Admins group) or must have been specifically granted the appropriate authority to manage the target group. In organizations with a large number of administrators, or where administrators wish to delegate the ability to administer groups out to lesser-experienced staff, this can introduce additional security risks as follows: Assigning administrators to a privileged Active Directory Group may result in multiple persons acquiring powerful administrative capabilities over the domain(s) of the organization, dramatically increasing the risk exposure of Active Directory and the applications, users and systems that rely upon it. Specifically granting administrative capabilities to a group is a far safer approach to assigning group administration rights. The downside to this approach is in the management of the authorized administrator list for each group, which can create an additional workload in its own right since each group must be managed individually through the ADUC console. Essentially, while MMC does provide the rudimentary management capabilities required to manage Active Directory groups, it does present challenges or risks (as detailed above) where there are a large number of groups and/or group administrators. In the management of temporary group members, MMC also provides administrative difficulties: MMC does not provide any scheduling capability for adding or removing group members (i.e., it only provides real-time management of groups). This requires the administrator to be using MMC at the time a group change is required, and does not allow for changes that are desired when the administrator is unavailable (e.g., during nonbusiness hours). MMC delivers no provision for the concept of temporary group membership. Administrators must rely upon some other tracking mechanisms, whether it be their own manual procedures or some ticketing system, to notify them when an entity must be removed from a group. This obviously increases the level of workload and risk that administrators must accommodate. Additionally, MMC does not provide features such as an authorization workflow, the ability to easily retrieve deleted groups or detailed and easy-to-read auditing of changes made to Active Directory groups features that are even more significant in the face of compliance challenges and the need to streamline and simplify a safe operating environment. Challenges Managing Group Policy The most often-used mechanism to manage Group Policy is through Microsoft s Group Policy Management Console (GPMC). While it is a solid native tool, it does present some limitations that include: GPMC only looks at what s live in your environment, and does not allow for any preparatory work such as analyzing or testing changes (e.g., what if scenarios). It does not allow for testing or have an Apply button, meaning changes are instantly rolled out to all users, computers and groups connected to that domain. Essentially hundreds if not thousands of users can be affected with a single keystroke whether intentional or not. The only way to test is to make a change and then report on the Resultant Set of Policies across each object. This is a very reactive method, and subject to potentially embarrassing or costly errors. Best Practices for Managing & Monitoring Active Directory and Group Policy 3

6 Troubleshooting is nearly impossible. Identifying what change was made, when it was made and who made it requires more time and effort than any administrator has in their day. Unfortunately, many of these limitations are not really identified until it s too late and an embarrassing or costly mistake has occurred. There are many horror stories about inadvertent changes to policy settings that have effectively crippled the operations of some organizations for some period of time. This has unfortunately led many to steer clear of using Group Policy, or to use it with trepidation and not to its fullest potential. Key issues with Native Administration tools In summary, the key problems across all native management tools for Active Directory and Group Policy are: Difficult to securely delegate entitlements, which is a requirement to meet separation of duties mandates, as well as a way to share administrative load by pushing restricted change privileges out to the least-expensive resource. No automation of repetitive activities, leading to a greater expense of manual effort in order to perform routine and (often) mundane tasks. Additionally, where the number of tasks is great or complicated, the greater the risk that there will be some human error in successfully completing all the necessary steps. Poor auditing abilities, creating challenges in troubleshooting issues that arise, or in identifying what changes have taken place across the environment. Similarly, without the ability to quickly identify changes, many administrators are left in a reactive state to issues, only identifying them when something drastic happens or when an end-user notices an issue. Troubleshooting difficult to perform, requiring administrators to spend great amounts of valuable time trying to diagnose the issue, and then analyze and model the potential effect of the solution! Rollback is challenging, forcing administrators to rely on complex, time-consuming, and notalways effective backups in order to revert to a previously known state. Additionally, without well-documented changes, it is possible that other changes made since the last backup may be lost with the restoration of that backup. Modeling a change prior to implementation nearly impossible, often requiring organizations to implement expensive staging environments that, to be successful, must accurately model the production environment. Alternatively, administrators must resort to the available analysis tools or hope and pray approaches that while often successful can also lead to disastrous consequences. Successfully Managing Change across Active Directory and Group Policy Managing Active Directory and Group Policy does not have to be such a daunting task. Realistically you need an approach that helps simplify the administration and validation of changes to policy settings and helps monitor the policy environment for changes (both authorized and unauthorized). Some of the key capabilities of such a solution will help you: 4 White Paper

7 Better control changes to your production environment, including the ability to easily delegate the authority to make changes, while fully recording and auditing each change. Analyze the effects of any change before you put it into production. Incorporate a change workflow into your change process so that you have the option to validate and approve the changes of others before they make it into production. Improve the ability to troubleshoot or even back out any change with minimal effort. Validate changes as they happen, or be notified when changes are made outside of your expected change process (e.g., a rogue administrator, or one changing Group Policy Objects without full knowledge of its impact). One approach to reducing the risk of making changes is to implement a test environment within which you can test and validate any changes. However, this has challenges and limitations of its own, since test labs can sometimes be costly and it is difficult to maintain a test environment that matches the particulars of your own production environments. You also have the difficulties of rolling back changes, or even being able to audit who made a change (and what change) to the test environment. Another approach is to create a private area within the production Active Directory schema, within which a copy of the current environment is made and changes tested against. The first obvious drawback is that this requires an update to the schema, and immediately presents a replication and performance challenge since the size of your domain has effectively doubled (even if the duplicated portion is effectively hidden and used just to stage changes!). Similarly, this approach introduces security concerns, and is not generally seen as a best practice. Essentially, organizations need a solutions that provides a buffer from your live environment. A very effective method is to use an offline change control solution within which changes can be controlled, tested and validated, and which provides a logical point to authorize changes before they are pushed to production. Such an infrastructure and capabilities are delivered through NetIQ solutions for Active Directory and Group Policy, which we will present in more detail below. Complementing the administration of Active Directory and Group Policy is the ability to monitor your environment and quickly identify and report on any and all changes to policy settings. NetIQ Change Guardian for Active Directory and Group Policy Guardian deliver real-time monitoring of changes so that administrators can validate the successful implementation of a change, as well as quickly react when notified of an inappropriate or unauthorized change. When used together, these products deliver control and monitoring for effective, end-to-end change management across both Active Directory and Group Policy, and help alleviate many of the risks, headaches and administrative inefficiencies that native tools may present. End-to-End Change Control What is needed to provide end-to-end management of changes across Active Directory and Group Policy are two key areas: Change Administration and Change Monitoring (see Figure 1). Best Practices for Managing & Monitoring Active Directory and Group Policy 5

8 Figure 1 End-to-End Change Control Change Administration Change Administration relates to the secure management of changes to the environment, to assure that changes are made by the appropriate person and in a controlled manner. Essentially a successful change administration solution requires the following features: Secure delegation, which is the ability to delegate (or transfer) the ability to make administrative changes out to others. With this capability, administrators can determine the scope of possible changes, (i.e., the role) and then assign the role to one or more individuals. For example, an administrator may wish to delegate the ability to reset passwords to the members of the help desk. Policy-based administration, which controls the content and context of the information that an operator can submit when making a change. For example, if a password policy is in place for an organization, then the product must be able to validate that any new password entered is in accordance with the policy. Change analysis, or the ability to analyze changes both before they are put into production, as well as analyze the environment after the change has been rolled out. This provides a powerful capability to model changes before they are put into production, helping to identify issues and also assure that the changes will not impact the environment in any undesired fashion. Approval workflow, allowing the option to have multiple, different individuals handle the implementation, review and approval of any change before it is put into production, along with the possibility for another individual to rollout the change into production. This reduces the risk of any inadvertent or malicious changes, and allows a controlled release procedure. Task automation, to alleviate the headaches of managing multiple, recurring, and possibly mundane activities. Additionally, automation assures that all sub-tasks are carried out successfully and in the right order, avoiding mistakes that are common amongst humans. Ease of use. Of course, unless a product is easy to use, then it is likely to be unused and quickly forgotten! 6 White Paper

9 Change Monitoring Centralized auditing, assuring that all change events are captured and centrally logged to enable (where required) subsequent review and analysis. This alleviates the challenge of having event logs stored at each machine where the change took place, requiring administrators to manually collect each of the logs (assuming they are not overwritten), and then consolidate them across the organization in order to determine what occurred and when. Real-time change detection, to provide the ability to identify any and all changes, as well as who made them and when. This helps to identify any unauthorized changes so that remediation actions can take place as quickly as possible. Intelligent notification, allowing administrators to indicate when and where they wish to be notified. In the world of change, there can easily be thousands of changes per day. By categorizing change into managed, (i.e., follows the prescribed change process), unmanaged, (i.e., circumvents the prescribed change process) and high-profile, (i.e., a change to an important entity), administrators can easily and quickly determine when they wish to be notified of each. Human-readable events, translating complex machine-readable text and numeric identifiers into the real names of users, computers, groups, policies and more across the environment. Ultimately, reducing the time that administrators have to try to determine to what (or who) a log entry is referring. Detailed reporting, in order to satisfy management and auditors, as well as for metrics keeping. As described above, assuring that the information is human-readable, and not just a dump of the event logs, is mandatory for their success and acceptance. Best Practices for Managing & Monitoring Active Directory and Group Policy 7

10 Managing and Monitoring Change across Active Directory and Group Policy with NetIQ NetIQ Change Control solutions (see Figure 2) assure that you can control, manage and audit changes across Active Directory and Group Policy. Through an automated approach, IT change management processes are reinforced with the knowledge and confidence that only authorized and intended changes have been implemented. With support for best practices, such as ITIL and COBIT, NetIQ Change Control solutions enable you to more easily comply with leading regulations such as FISMA, HIPAA, and PCI DSS empowering you to: Centrally audit managed, unmanaged and high-profile Active Directory and Group Policy changes Alert on changes and prioritize according to their risk level and the level of importance of the change Know you are in compliance by utilizing out-of-the-box auditing templates designed to automate common compliance queries NetIQ Change Control solutions enable you to: Gain control over change across Active Directory and Group Policy with powerful change monitoring reports and alerting capabilities. Assure service availability through the integration of NetIQ solutions with your Change Management process. Automatically parse change audit reports using out-of-the-box templates for different audiences, such as auditors or management. Figure 2 NetIQ Change Control Solutions 8 White Paper

11 Managing and Monitoring Change across Active Directory NetIQ Directory and Resource Administrator and NetIQ Change Guardian for Active Directory deliver end-to-end management of Active Directory, and assure efficiency, security and control over your Active Directory environment. Directory and Resource Administrator NetIQ Directory and Resource Administrator provides advanced delegation and robust, policybased administration capabilities that improve the security and efficiency of administering your Active Directory environment. All this without having to assign powerful domain administrator privileges across your administrative teams, and allowing you to safely delegate administrative capabilities across your organization to the least expensive resources. With powerful privilege and content management, as well as extensive auditing and reporting capabilities, Directory and Resource Administrator secures Active Directory, protects the integrity of its data and can play a key role in meeting an organization s regulatory and compliance objectives. The benefits of using NetIQ Directory and Resource Administrator include: Secures Active Directory Protects your Windows environment from the risk of power escalation and inadvertent security threats by reducing the number of privileged accounts and providing granular access control. Centralized logging of all administrative actions combines with comprehensive reporting to provide clear accountability. Ensures data integrity Reduces data clutter by reliably enforcing business polices and controlling the data that can be put into your directories. If unchecked, data clutter in Active Directory can compromise its value, introduce dangerous errors and interfere with operational efficiency. Increases administration efficiency Simplifies administration by helping you implement a management model that reflects how you think and work rather than one based on Active Directory legacy topology. With little or no training, IT administrators can transfer common user and mailbox management functions to the help desk or, with the tool's self-service functionality, to the end user. Assists in regulatory compliance Provides granular access control and change management for Windows permissions, allowing organizations to control who has access to what. Centralized logging and audit reports allow organizations to document compliance with regulatory requirements. Reduces administration costs Enforces business and security policies by automating repetitive and complex tasks and using controlled delegation to distribute common account administration duties. For further information on NetIQ Directory and Resource Administrator, including datasheets, whitepapers and the opportunity to download a free, fully-functional trial, please visit the product page at Best Practices for Managing & Monitoring Active Directory and Group Policy 9

12 Change Guardian for Active Directory NetIQ Change Guardian for Active Directory delivers real-time detection and notification of changes, facilitating the rapid identification of changes to quickly identify anomalies or risks to the integrity and availability of Active Directory. By breaking change into 3 change types managed, unmanaged and high-profile NetIQ Change Guardian for Active Directory helps organizations quickly assess the level of risk associated with the change, and it determines when personnel should be notified of each respective change according to its type. With NetIQ Change Guardian for Active Directory, you know which changes are executed based on corporate policy, validate the success or failure of planned changes and capture the difference between authorized and unauthorized change activity. The Change Guardian product minimizes the risks associated with changes to Active Directory by assuring that changes to the production Active Directory environment are authorized, monitored, verified and audited through implementation. The benefits of using NetIQ Change Guardian for Active Directory include: Identifies managed and unmanaged changes. Greatly reduces noise with the ability to focus and alert on real time on unmanaged Active Directory changes. NetIQ Change Guardian for Active Directory identifies and enhances your control over policy compliance in the Active Directory. Detects high-profile changes. Produces detailed reports and alerts on high-profile changes across your environment. The product monitors well-known privileged groups and allows custom definitions of groups or activities that your organization should monitor. Centrally records and audits Active Directory changes. Provides the ability to run detailed change reports on your environment. You can identify the percentage of unmanaged changes made in the environment, as well as easily prepare change audit reports based on out-of-the-box templates. Easily integrates into your existing Active Directory change process. Quickly plugs into the tools that manage change to your Active Directory environment. The product identifies where modifications occur in your change process. Functions on common, flexible infrastructures. Improves your return on investment and utilizes the functionalities of NetIQ Security Manager, extending the ability and usefulness of that product to focus on assuring the security and compliance of your Active Directory environment. For further information on NetIQ Change Guardian for Active Directory, including datasheets, whitepapers and the opportunity to download a free, fully-functional trial, please visit the product page at Managing and Monitoring Change across Group Policy NetIQ Group Policy Administrator and NetIQ Group Policy Guardian deliver end-to-end management of Group Policy, and assure efficiency, security and control over your Group Policy implementations. 10 White Paper

13 NetIQ Group Policy Administrator NetIQ Group Policy Administrator is the industry's leading solution for planning, controlling, troubleshooting and reporting on changes to policy settings. It enables administrators to meet the challenges associated with Group Policy's powerful capabilities, ensuring that Group Policy Object (GPO) changes go through an approved change and release management process. No other solution provides total offline management of Group Policy, allowing organizations to minimize risk and prevent service interruptions. With NetIQ Group Policy Administrator, you can manage GPO changes in a safe, offline environment without impacting the performance and availability of your live Active Directory environment. Its flexible and knowledge-rich reporting capabilities make it easy to increase management visibility into changes made to Group Policy Objects, helping you comply with auditors and regulations. GPA offers some clear benefits to organizations, including: Implements a secure offline repository. Reduces the number of privileged accounts, by offering secure offline Group Policy management without having to provide permissions within Active Directory. Provides robust workflow and delegation model. Allows administrators to push the administration of Active Directory lower in the organization to safely involve all Group Policy stakeholders. Reduces error risk when configuring GPOs. Enables you to configure settings once, and then replicate and apply those settings to GPOs in other domains and even other forests. This feature guarantees that your settings are configured correctly and reduces the risk of accidentally mis-configuring or losing a setting. Provides advanced analysis. Simulates the effect of modifying policy settings without having to first deploy the modified GPO using online Resultant Set of Policy (RSoP) functionality. In addition, health checking, event logging and the ability to compare GPOs help to quickly troubleshoot errors and take corrective action. For further information on NetIQ Group Policy Administrator, including datasheets, whitepapers and the opportunity to download a free, fully-functional trial, please visit the product page at NetIQ Group Policy Guardian NetIQ Group Policy Guardian minimizes the risks associated with Group Policy Object (GPO) change management, and helps determine and document all authorized and unauthorized changes to the live environment. With NetIQ Group Policy Guardian, organizations can easily monitor, verify and track policy changes in real time while capturing the changes in an auditing database. This advanced change monitoring capability demonstrates to auditors that corporate policies implemented for regulatory compliance have not deviated over time. Best Practices for Managing & Monitoring Active Directory and Group Policy 11

14 NetIQ Group Policy Guardian provides real-time GPO change alerts and captures change activity in an auditing database where detailed reports identify GPO changes, when they were made and by whom. Through this product, organizations will realize benefits including: Assures compliance through change monitoring. Provides the visibility you need to stop inappropriate GPO modifications before they impact the security or availability of your Windows Active Directory environment. Provides improved IT service levels and responsiveness. Improves employee productivity by decreasing user and system downtime caused by errant GPO changes. Detects changes to policy settings in real time. Identifies changes to critical components of the Group Policy environment as they occur. Notifies when specified change events occur and whether changes were authorized. Delivers instant change notifications through or pager, enabling you to see and react to GPO changes immediately. When used in conjunction with NetIQ Group Policy Administrator, the control system can classify the changes as authorized or unauthorized. Provides detailed change history. Delivers precise and complete documentation of GPO changes with convenient, in-depth tracking features. Delivers powerful, comprehensive reports. Enables you to run detailed reports linked to each change alert. Based on user-defined criteria, the auditing database presents your selected change events, including pre- and post-change values. Integrates with existing monitoring infrastructure. Integrates most third-party systems management software, including NetIQ AppManager, NetIQ Security Manager and Microsoft Operations Manager (MOM) to simplify configuration and deployment for fast and cost-effective implementation. For further information on NetIQ Group Policy Guardian, including datasheets, whitepapers and the opportunity to download a free, fully-functional trial, please visit the product page at Summary We ve all heard the saying, With great power comes great responsibility, and both Active Directory and Group Policy are powerful technologies that are being relied upon by an increasing number of applications, IT services, and projects. This reliance has quickly escalated both technologies to the level of mission critical, and as such their security, availability and integrity must be upheld! As with anything in IT, change is necessary and is constant, and therefore assuring the careful and controlled management of change is critical to ensure the viability of any IT service to which the change is being applied. NetIQ, along with best practices and frameworks such as ITIL, prescribes to the controlled administration and continual monitoring (and validation) of all changes across the environment, to assure that the risk of change is minimized through careful planning, analysis, implementation, approval, rollout and validation. NetIQ provides end-to-end management capabilities around Active Directory and Group Policy through its Change Control solutions, namely: NetIQ Directory and Resource Administrator and Change Guardian for Active Directory for managing and monitoring changes to Active Directory 12 White Paper

15 NetIQ Group Policy Administrator and NetIQ Group Policy Guardian for managing the administration of, and monitoring all changes to, Group Policy. With these products organizations are assured of success with their use of both Active Directory and Group Policy through the ability to better manage who, how and where changes can be made, provide a completely audited and reportable environment to detail changes made, and provide real-time monitoring and notification of changes. Ultimately, when combining the deployment and management of Active Directory and Group Policy across your organization with the end-to-end management provided using NetIQ Change Control solutions, organizations can better meet business goals with improved control and a drastic reduction in the risk of managing changes to their Windows environment. About NetIQ Corporation NetIQ, now doing business as Attachmate, is a leading provider of integrated systems and security management solutions. Our compelling, best-of-breed solutions for Performance & Availability Management, Security Management, Configuration & Vulnerability Management and Operational Change Control empower IT with the knowledge to ensure operational integrity, better manage services and risk and ensure policy compliance. With a history of innovation and leadership, NetIQ provides a broad range of easy-to-deploy cross-platform products. NetIQ counts more than 3,000 of the world's leading enterprises as key customers. In addition, our partnerships with industry leaders, such as Microsoft, IBM, HP and Dell, give NetIQ a unique advantage in the global marketplace. With customer-proven solutions and strong relationships, NetIQ delivers the tools you need to reduce your risk and deliver value from day one. In June 2006, NetIQ Corporation joined the Attachmate family of companies. Attachmate, owned by an investment group led by Francisco Partners, Golden Gate Capital and Thoma Cressey Equity Partners, enables IT organizations to extend mission critical services and assures they are managed, secure and compliant. Our goal is to empower IT organizations to deliver trusted applications, manage service levels, and ensure compliance by leveraging knowledge, automation and secured connectivity. For more information about: Attachmate, visit NetIQ, visit Best Practices for Managing & Monitoring Active Directory and Group Policy 13