Protecting and Auditing Active Directory with Quest Solutions

Transcription

1 Protecting and Auditing Active Directory with Quest Solutions Written by Randy Franklin Smith CEO, Monterey Technology Group, Inc. Publisher of UltimateWindowsSecurity.com TECHNICAL BRIEF

2 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Quest Software, Inc. ( Quest ). The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA legal@quest.com Refer to our Web site for regional and international office information. Trademarks Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight,, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, itoken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vtoolkit, Quest vworkspace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vautomator, vcontrol, vconverter, vfoglight, voptimizer, vranger, Vintela, Virtual DBA, VizionCore, Vizioncore vautomation Suite, Vizioncore vbackup, Vizioncore vessentials, Vizioncore vmigrator, Vizioncore vreplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners. Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 1

3 Contents Executive Summary... 3 Key Audit and Protection Requirements for Active Directory... 4 Why Protect and Audit Active Directory... 4 Key Components for Protection and Auditing of Active Directory... 4 Change Tracking... 5 Real-Time Monitoring... 6 Reporting... 7 Security Event Management and Correlation... 8 Secure Audit Trail... 8 Providing Comprehensive Audit and Protection for Active Directory... 9 Introduction... 9 for Active Directory Intelligent AD Auditing Quest InTrust Integration of InTrust and Summary About the Author Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 2

4 Executive Summary Active Directory (AD) is the core of enterprise IT; for this reason, comprehensive protection and auditing of AD changes is critical. Together Quest for Active Directory and InTrust provide the monitoring, reporting and audit trail capabilities required to fulfill operational, planning, security and compliance requirements for AD. tracks, monitors and reports on core changes; InTrust provides a long-term, secure audit trail and correlates AD data with other enterprise IT activity. Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 3

5 Key Audit and Protection Requirements for Active Directory Why Protect and Audit Active Directory On many levels, Active Directory (AD) is the core of enterprise IT: AD is where you find user accounts, groups for access control, encryption policies, certificates and CRLs, network IPSec polices the list goes on and on. Moreover, nearly every system component integrates with AD, from databases to applications, UNIX systems and wireless access points to VPNs, as well as business partners and cloud services through federation services. Because AD is critical to your business operations, comprehensive protection and auditing of changes is a must. One unauthorized or accidental change to AD can have devastating cost, security, downtime and compliance consequences. For instance, group policy objects (GPOs) provide centralized and automated configuration control of all computers on your network; a poorly edited GPO can spread a configuration change to thousands of computers in minutes, possibly compromising the security or availability of your network. In addition, AD must be managed by all-powerful domain administrators. Malicious actions by rogue administrators can be deterred by a high-integrity audit trail that detects changes and enforces accountability. Key Components for Protection and Auditing of Active Directory Many monitoring, reporting and audit trail capabilities are required to fulfill AD s operational, planning, security and compliance requirements. But as shown in Figure 1. The comprehensive protection and auditing components of Active Directory, the foundation is change tracking. It should supply real-time changes and detailed event data to be consumed downstream monitoring, reporting and audit trail components. Real-time Monitoring Alerting Object protection Integration with systems management solutions Reporting Planning and analysis Compliance documentation Forensic analysis and security incident response Operational accountability Directory integration/synchronizatio n monitoring Change Tracking Secure Audit Trail Long-term and highintegrity Admissible as evidence Accountability over AD administrators Security Event Management (SEM) and Correlation Figure 1. The comprehensive protection and auditing components of Active Directory Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 4

6 Change Tracking All objects in Active Directory (e.g., users, groups, computer accounts, OUs and group policy objects) are structured according to AD s schema of object classes and properties. Therefore, in general, AD change tracking can be implemented using a uniform process that works no matter what type of object is changed. The key elements to any AD change event should include the: Time of the change Object modified User that modified the object Operation performed If applicable, properties modified and their values before and after the change Domain controller where the change was made IP address of the workstation or client machine from which the change originated AD includes built-in auditing that might, at first glance, seem to be a viable option for tracking changes. However, the native AD audit log has architectural limitations that prevent it from satisfying audit and protection requirements. This is detailed in the Architectural Limitations of the Native Active Directory Audit Log inset below. Moreover, the native audit log fails to audit the following critical types of information: Nested group changes Although the basic, schema-based change tracking engine of AD native auditing tracks first-level group membership changes, nested membership changes go unnoticed. For instance, if John is a member of the group Directory Services Engineers which is a member of Enterprise Admins (an all-powerful forest-level group), native AD auditing will not generate any event alerting you that John now has Enterprise Admins authority. Group policy settings Unlike other AD objects, GPOs have only a pointer (or stub ) object stored in AD; the actual configuration settings comprising a GPO reside in the file system of each domain controller. Simple schema-based tracking like the native AD audit log only monitors changes to the stub of the GPO, such name changes or deletions. At best, the native audit log can tell you that a GPO was modified, but not which of the thousand settings was defined or the setting s values before and after the change. Permission changes In Windows Server 2003, the native audit log can report only that the Discretionary Access Control List (DACL) of an AD object was modified not which permissions were added or removed for which users or groups. In Windows Server 2008, the native audit log reports the before and after values of the entire DACL but it uses cryptic security descriptor definition language (SDDL): D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;; CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BO)S:(AU;FA;CCDCLCSW RPWPDTLOCRSDRCWDWO;;;WD). Cryptic AD schema The native AD audit log reports the actual class and property names as defined in AD s schema. These names are sometimes highly cryptic, which can make it impossible to understand what was actually changed without significant research in the AD schema. For instance, a change to a user s last name is reported as a modification of the sn property. Comprehensive auditing and protection of Active Directory requires an intelligent change tracking engine that monitors all modifications to Active Directory, looks for subtle impacts such as nested group membership changes, and translates cryptic data into information that IT, security, and compliance staff can understand and act upon. for Active Directory s sophisticated change tracking engine meets these requirements, as explained in greater detail later in this tech brief. Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 5

7 Architectural Limitations of the Native Active Directory Audit Log Because Active Directory monitoring and auditing is so important, Windows Server provides some native functionality for auditing changes and other high-priority AD events. Despite the valuable functionality provided by the Windows security log, significant gaps and limitations remain. The following limitations compromise an organization s ability to fulfill security and regulatory requirements for monitoring and auditing Active Directory: Audit data scattered among domain controllers - While directory information is replicated between domain controllers, security logs are not. Each domain controller has its own security log, which contains only the events associated with operations performed against that particular domain controller. Therefore, an organization s overall audit trail is fragmented across many domain controllers within the AD environment. No reporting or alerting - Windows Server provides no real reporting or analysis capabilities for the Windows security log. The one native tool for viewing security log activity is the Event Viewer Microsoft Management Console, which provides only basic filtering capabilities. The task triggering capability introduced in Windows Server 2008 could provide some rudimentary alerting but would require significant scripting and management effort. No protection from administrators Since the audit data remains on the domain controllers, it cannot be used as a reliable audit trail of administrator actions because administrators can erase or modify any file on the system. High volume of audit data - Because of the low-level, generalized nature of the Directory Service Access category, the Windows security log can produce huge amounts of data when used to audit AD changes. With each domain controller producing potentially hundreds of megabytes of audit data every day, locating critical events is like looking for a needle in a haystack and vast storage is required to archive the audit data. Performance risks - Given the huge amounts of audit data and the arcane nature of policy definition, it is easy to define AD audit policies that may overwhelm any amount of domain controller hardware. For a full discussion of AD s native audit log, its limitations and impact on compliance with key regulatory requirements please see the white paper Overcoming Active Directory Audit Log Limitations available at Real-Time Monitoring Protecting Active Directory requires real-time monitoring that identifies high impact, suspicious or prohibited changes and automatically takes appropriate actions, such as reversing the change or informing appropriate personnel. Alerting Administrators need to be able to define changes that may not necessarily be prohibited but are suspicious or high- impact. These changes need to be reviewed immediately to determine an appropriate response. For instance, when a group policy object is modified, potentially thousands of computers or users could be impacted. At the same time, once stabilized, most GPOs are fairly static and seldom need modification. Therefore, administrators should be able to designate stable GPOs and receive immediate notification of any modifications. Upon such notification, administrators can confirm that the GPO change was approved and executed in compliance with the organization s normal configuration change control process. Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 6

8 Reporting Integration with system management solutions - While direct notification may be appropriate in some situations, enterprises need the ability to receive alerts generated by AD monitoring directly into systems management solutions such as System Center Operations Manager (SCOM) or Tivoli via SNMP traps or other interfaces. Object protection Some changes should not be allowed at all. For instance, administrators may create an organizational unit (OU) that holds critical objects intended for emergencies, This OU may contain an emergency administrator account to be used if all other administrator accounts are deleted, locked out or unavailable, possibly due to a denial of service attach. Or a top level group policy object may ensure certain critical security policies are deployed to all computers. In both cases, an organization needs the ability to lock down such objects to prevent any modification that could jeopardize their purpose even by administrators. Most AD changes are not severe enough to generate an alert or object protection response, but needed to be reported. Organizations need to report Active Directory changes to fulfill a wide array of analytical and documentation needs, including: Planning and analysis Because enterprises are constantly changing, they need to be able to analyze historical data to predict future capacity requirements. They also need to determine how frequently certain changes are made to assess the benefit of automating certain processes or the impact of modifying an operation. For instance, an organization considering adopting a selfservice password reset solution needs to know how often accounts are locked out due to forgotten passwords and how many corresponding calls are made to the help desk for password resets. Compliance documentation To satisfy regulators and auditors, organizations must not only demonstrate that a certain security process or control is in place, but also produce documentation that the process is being used in specific cases. For instance, organizations need to document how promptly accounts are disabled after employee terminations and when group membership is revoked in due to job changes. Forensic analysis and security incident response When a system intrusion or other security incident occurs, analysts may be hampered without an audit trail of all relevant AD changes. Analysts need to be able to search the audit trail left by the intruder or malicious insider using a variety of sorting and grouping techniques. Operational accountability The dire consequences of erroneous changes to Active Directory has already been discussed in this document. When an operational mistake is made, management must be able to determine how the mistake was made, by whom and when. Without this information, the enterprise can t prevent the problem from happening again, nor can it assign responsibility or take appropriate action against policy violations. Enterprise activity correlation AD changes are only a portion of the overall IT activity that organizations must be able to monitor and analyze. Other typical sources of event data include logon and authentication auditing, network connection, and access to applications and resources. Analysts frequently need to correlate events from these different kinds of log data to see the complete picture of what is happening on the network. Therefore, ultimately AD change tracking data needs to be aggregated with the rest of an organization s log data into a single repository for detailed analysis. Directory integration/synchronization monitoring To improve security, operational efficiency, organizational responsiveness, and compliance, organizations are increasingly integrating or synchronizing directory information between systems to automate identity and access management. Debugging and managing the flow of identity information between Active Directory can be complicated, and engineers need visibility into changes made by synchronization processes. Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 7

9 Security Event Management and Correlation Active Directory changes are only one channel of the wider stream of security activity. Information security analysts must correlate AD changes with related activity such as AD authentication events and Windows server security events. Ultimately AD audit events need to be aggregated with the rest of the organization s security monitoring. This is especially important in larger enterprises where AD administrators are separate from information security staff. AD change events must be merged into their overall view of enterprise-wide security activity. Secure Audit Trail Most organizations ultimately depend on audit logs as evidence for internal investigations and legal proceedings. For audit logs to be admissible as evidence, organizations must produce the original audit logs and demonstrate that they were not altered. Because audit data tends to be both voluminous and redundant, organizations may reduce storage requirements by normalizing audit data into different tables. However, such restructuring of the data can create the perception that audit record has been modified, rendering it inadmissible. Furthermore, normalization can create indexing problems and performance issues at insertion and query time. Unfortunately, the dynamic accessibility and block-oriented format of databases means they do not function well as an unalterable repository for large amounts of redundant data. Most reporting and analysis processes require that AD audit data reside in a relational database for efficient query capability. However, security and compliance requirements demand that audit logs be protected from modification and stored for long periods of time. So while a relational database may be required for temporary storage of audit data for reporting and analysis, audit logs must ultimately be preserved in a high-integrity repository that supports digital signatures and compression. This repository must also be segregated from AD s operational administrators, because a database within the forest is accessible to all forest administrators and can be modified or even erased. Therefore, to deter or detect unauthorized changes, the permanent copy of any audit data must reside in a repository outside of the jurisdiction of its administrators. Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 8

10 Providing Comprehensive Audit and Protection for Active Directory Introduction By combining for Active Directory (CAAD) with Quest InTrust, Quest Software provides comprehensive audit and protection for Active Directory: provides core change tracking, monitoring and reporting. InTrust provides a long-term, secure audit trail and correlates audit data with other IT activity. Real-time Monitoring Alerting Object protection Integration with systems management solutions for Active Directory Reporting Planning and analysis Compliance documentation Forensic analysis and security incident response Operational accountability Directory integration/synchronization monitoring Change Tracking Secure Audit Trail Long-term and highintegrity Admissible as evidence Accountability over AD administrators Security Event Management (SEM) and Correlation Quest InTrust Figure 2 - and InTrust provide comprehensive auditing and protection for AD. Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 9

11 for Active Directory monitors Active Directory domain controllers in real time, preventing unauthorized changes to protected objects and recording allowed changes for specified objects, users and actions. It also provides advanced alerting and reporting. s architecture is comprised of three components. These work with the SQL Server relational database that contains s audit data and configuration: Agent Agent Agent Domain Controllers Client Database SQL Server Reporting Services Coordinator Coordinator SMTP Alerts SNMP Systems Center Operations Manager Figure 3 - architecture Agent s change tracking engine resides in the agent, which runs on each domain controller. As the agent monitors any attempts to change various objects in AD, it compares each requested change to the object protection policies previously defined by users. If the change matches a prohibited combination of user, action and object, prevents the change from being made. Otherwise, records the event to the database according to the organization s CAAD configuration policy that defines which objects, users and actions are audited. Coordinator The Coordinator monitors new activity being logged to the database and generates SMTP alerts and SNMP traps. It can also send events to SCOM, depending on the activity and s configured alert policy. Additional Coordinators and a SQL Server cluster can be implemented for fault-tolerance. Client IT staff use the Client to access and configure, as well as run reports and conduct analysis. Reports can also be scheduled and automatically delivered via SQL Reporting Services, which integrates directly with the Client. With this client, staff can quickly determine who changed what, when the change occurred, and where the change originated. Intelligent AD Auditing Unlike native AD auditing, which is limited to simple object/property schema-based auditing, the agent provides intelligent auditing of AD changes. It addresses the specialized auditing requirements arcane to Active Directory as described in the Change Tracking section earlier in this document. Nested group changes fully expanded intelligently monitors nested group memberships and faithfully reports indirect group membership additions. To use the example given earlier, if John is made a member of the group Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 10

12 Directory Services Engineers, which in turn is a member of Enterprise Admins, alerts you that a new member has gained all-powerful Enterprise Admins membership. Scenario: User added to nested group Directory Services Engineers Enterprise Admins Native AD audit event: (none) event Figure 4. Nested group membership changes are reported by Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 11

13 Changes to group policy settings reported in detail As explained earlier, a GPO s configuration settings reside in the file system of each domain controller, so the native audit log can tell you only that a GPO was modified, but not which settings were changed or their values before and after the change., on the other hand, reports exactly which settings within the GPO were changed and provides the before and after values for the settings, as shown below: Scenario: Group Policy Object Modified Native AD audit event event Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 12

14 Permission changes fully reported, without redundant notifications At best, native AD auditing can report only that there was some kind of permission change on a given OU; moreover, it floods the security log with hundreds or thousands of additional notifications for each child object within that OU and its sub-ous., however, reports a single permission change event for the object where the permissions were actually modified, and specifies exactly which entries were deleted and/or added: Scenario: Active Directory permissions delegated for a given organizational unit Native AD audit event event Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 13

15 Plain language used instead of cryptic AD schema While the native AD audit log reports changes using cryptic schema names for objects and properties, reports AD changes in plain language easily understood by IT staff: Scenario: Last name of user account changed Native AD audit event event Quest InTrust While provides real-time monitoring and reporting, Quest InTrust provides the security audit trail and security event management (SEM) for comprehensive auditing and protection of Active Directory. InTrust is a modular log management and change auditing platform with optional integration with for specialized monitoring functionality, and knowledge packs for expert analysis of log and monitoring data. The InTrust platform provides log collection, alerting, archival and reporting. InTrust has built-in support for the common log formats, including Windows event logs and any type of text file log, as well as syslog streams for support of UNIX, Linux and network devices such as routers and firewalls. In addition, InTrust provides a secure log-based repository that can securely and efficiently store large amounts of audit data. This protects the data from tampering and keeps it separate from the operational AD administrators, providing deterrence and detection control. Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 14

16 Integration of InTrust and In larger enterprises where AD administrators are separate from information security staff, AD change events must be merged into one overall view of enterprise-wide security activity. Quest delivers this view by integrating the auditor event stream into InTrust s enterprise-wide security event management capabilities. agents can be configured to write Active Directory change events to a local Windows event log in addition to the normal SQL Server database used for alerting and short-term reporting. Then, as shown in Figure 5, InTrust collects the event logs from each domain controller and aggregates them with other log data, including logs from servers, firewalls, authentication events from domain controllers, application logs and more: Other log data Quest InTrust Windows Event Logs Agent Agent Agent Domain Controllers InTrust Log Repository (Secure and Compressed) Security Event Management Correlation to other AD security events such as authentication Long term, security audit trail for compliance, legal and forensic needs Figure 5 Integration of with InTrust for an enterprise view of security Once the AD audit data is safely in the InTrust repository, it is protected from tampering by anyone who gains administrator authority in Active Directory. Moreover, AD change events can be correlated with other log data (such as domain controller authentication events) by security personal for full security event management. AD audit data and other logs can be efficiently stored for years in the InTrust repository in compressed format. However, the logs can be immediately reproduced in their original format to satisfy compliance requirements, legal discovery or investigations. InTrust even allows log data repositories to be indexed so that large amounts of historical log data can be quickly searched without the time-consuming and expensive process of re-importing logs into a reporting database. Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 15

17 Summary Active Directory (AD) is the core of enterprise IT and requires comprehensive protection and auditing. Together, for Active Directory and Quest InTrust provide the monitoring, reporting and audit trail capabilities needed to fulfill AD s operational, planning, security and compliance requirements. Key Component Intelligent change tracking Monitoring Reporting Secure audit trail Security event management and correlation Quest Solution for Active Directory Quest InTrust reports all details of each change, including who, what, when, and where. Complex changes involving nested groups, permission inheritance, group policy objects, and cryptic AD schema are fully reported in plain language and without the loss of information common to AD s native audit log. Critical objects can be protected from accidental or malicious changes. Administrators are alerted when suspicious or highimpact changes occur Monitoring of directory integration and synchronization improves visibility into AD and facilitates troubleshooting. provides: Reports for planning and analysis Compliance documentation Forensic analysis and security incident response Operational accountability Long-term storage is facilitated by efficient and compressed storage of original logs. Repositories are secure and protected from tampering, so they are admissible for legal proceedings. Repositories can be indexed for quick querying without lengthy database import. Tamper-proof repository provides deterrent and detective control over all-powerful AD administrators. Active Directory changes are aggregated with the rest of the enterprise s audit logs for comprehensive security event management. InTrust collects relevant AD security events not captured by, including AD authentication activity. Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 16

18 About the Author Randy Franklin Smith is president of Monterey Technology Group, Inc. and creator of the UltimateWindowsSecurity.com Web site and training course series. As a Systems Security Certified Professional (SSCP), a Microsoft Most Valued Professional (MVP), and a Certified Information Systems Auditor (CISA), Randy specializes in Windows security. Randy is an award-winning author of almost 300 articles on Windows security issues for publications such as Windows IT Pro, for which he is a contributing editor and author of the popular Windows Security log series. He can be reached at rsmith@ultimatewindowssecurity.com. Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 17

19 TECHNICAL BRIEF About Quest Software, Inc. Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products helping our customers solve everyday IT challenges faster and easier. Visit for more information. Contacting Quest Software PHONE (United States and Canada) If you are located outside North America, you can find your local office information on our Web site. MAIL Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA USA WEB SITE Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at SupportLink gives users of Quest Software products the ability to: Search Quest s online Knowledgebase Download the latest releases, documentation, and patches for Quest products Log support cases Manage existing support cases View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policies and procedures. 5 Polaris Way, Aliso Viejo, CA PHONE WEB sales@quest.com If you are located outside North America, you can find your local office information on our Web site 2010 Quest Software, Inc. ALL RIGHTS RESERVED. Quest Software is a registered trademark of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. TBW-AuditAD-Manuel-US-MJ