Monitoring Change in Active Directory White Paper October 2005

Transcription

1 Monitoring Change in Active Directory White Paper October 2005 Contents The Need to Monitor and Control Change... 3 Current Approaches for Active Directory Monitoring 5 Criteria for an Ideal Solution5 Benefits and Features of NetIQ Change Guardian for Active Directory... 6 Conclusion: About NetIQ Corporation.. 12 Companies face significant challenges in controlling change in their Active Directory environments. Without effective control over change, organizations' risk and costs increase and can have negative ramifications across the entire enterprise. The organizational adoption of change management process has addressed many of the issues companies face when mitigating change, such as communication facilitation, dependency assessment and approval workflow. The problem with implementing a traditional change management process however, is that well-implemented changes cannot be guaranteed. The contributing factor is lack of insight into and control over change execution. This whitepaper describes the needs for more effective Active Directory monitoring as part of a broader Change Control process, the problems with current approaches and how to leverage NetIQ s products to assure Policy Compliance and Operational Integrity.

2 THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time NetIQ Corporation, all rights reserved. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R (for Department of Defense (DOD) acquisitions) and 48 C.F.R and (for non-dod acquisitions), the government s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Check Point, FireWall-1, Provider-1, SiteManager-1, and VPN-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. ActiveAgent, ActiveAnalytics, ActiveAudit, ActiveReporting, ADcheck, AppAnalyzer, Application Scanner, AppManager, AuditTrack, Chariot, ClusterTrends, CommerceTrends, Configuration Assessor, ConfigurationManager, the cube logo design, DBTrends, DiagnosticManager, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, End2End, Exchange Administrator, Extended Management Pack, FastTrends, File Security Administrator, Firewall Appliance Analyzer, Firewall Reporting Center, Firewall Suite, Ganymede, the Ganymede logo, Ganymede Software, Group Policy Administrator, immarshal, Intergreat, Knowledge Based Service Assurance, Knowledge Scripts, MailMarshal, Marshal, Migrate.Monitor.Manage, Mission Critical Software, Mission Critical Software for E- Business, the Mission Critical Software logo, MP3check, NetIQ, the NetIQ logo, the NetIQ Partner Network design, NetWare Migrator, OnePoint, the OnePoint logo, Operations Manager, PentaSafe, PSAudit, PSDetect, PSPasswordManager, PSSecure, Qcheck, RecoveryManager, Security Analyzer, Security Manager, Security Reporting Center, Server Consolidator, SQLcheck, VigilEnt, Visitor Mean Business, Vivinet, W logo, WebMarshal, WebTrends, WebTrends Analysis Suite, WebTrends for Content Management Systems, WebTrends Intelligence Suite, WebTrends Live, WebTrends Log Analyzer, WebTrends Network, WebTrends OLAP Manager, WebTrends Report Designer, WebTrends Reporting Center, WebTrends Warehouse, Work Smarter, WWWorld, and XMP are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

3 The Need to Monitor and Control Change The ability to effectively and efficiently monitor and audit Active Directory has never been more important. Whether internal or external, financial or operational, business or regulatory, audits are increasingly performed of IT controls and IT security. This increase is driven by the need of the business and auditors to rely on internal controls, the requirement to effectively manage risk, and the role of the auditor in assessing compliance with regulations, policies, and standards. IT environments are in a constant state of change. Managing and controlling change is critical for a smoothly operating business. Currently, the responsibility for changes falls squarely on the shoulders of internal IT professionals. These changes authorized and unauthorized threaten the integrity of entire business processes and internal controls. For that reason, change controls are audited for Sarbanes-Oxley compliance and are a significant focus of other regulatory initiatives. Even the simplest of changes, such as applying the latest Windows patch or changing a Group Policy setting in Active Directory (AD), can have far-reaching implications. Change-related incidents compound over time, leading to increased cost of ownership and decreased stability in the IT environment. Unmanaged changes cause many system failures and security risk. Even when properly managed, planned changes may cause system outages due to lack of visibility to dependencies. The prevailing approach to addressing problematic changes reactively fighting fires is unacceptable for managing your AD environment. To be successful, IT organizations require a controllable process to deal with the volume and impact of change to directory services and infrastructure. Change management enables control and manageability of approved changes to Active Directory with minimal disruption. Decreased budgets, reduced staff, increased incident-related cost and risk exposure are motivating IT organizations to improve their operational efficiency. IT management frameworks such as the Information Technology Information Library (ITIL), a best practice approach to Service Management, suggest that controlling changes will decrease the frequency of changerelated incidents and reduce the cost and impact of performance, availability and security failures. As a result, even organizations with a smaller IT staff and budget can achieve world-class Active Directory service delivery. Change Control as part of Change Management Change management includes requesting, reviewing, approving and tracking changes to IT services and infrastructure. Effectively, change management ensures that standardized procedures for all changes are enforced. The change management processes should facilitate efficient and prompt handling of all changes and maintain the proper balance between the need for change and the potential detrimental impact of changes. The adoption of change management processes often results in more efficient implementation of changes and, to some degree, fewer service disruptions. To support change management, traditional ticketing systems provide a formal workflow process to evaluate and approve change requests. Monitoring Change in Active Directory 3

4 Change management, however, often lacks the capability for proper control of change. Change controls ensure all changes are authorized, monitored, audited and verified. When effective, change controls close the gap left by traditional change management processes. Unfortunately, change controls are often heavily manual procedures, making them ineffective and expensive. To address this challenge, NetIQ is leading the development of operational change control solutions. Operational change control addresses the challenges of today s ever-changing and increasingly complex IT organization. While operational change control might be confused with existing change management regimes, it should instead be viewed as complementary to them. In fact, operational change control embraces and extends change management processes by operationalizing and automating controls over the changes to production environments. NetIQ understands the importance of knowing that changes are authorized, implemented, verified, audited and monitored throughout the change management process. Using operational change control principles in building enterprise solutions, NetIQ successfully extends companies existing change management investments. Change Monitoring as part of Change Control Operational change control closes the loop on the change management process and enforces control over the execution of change. Changes are continuously monitored throughout the lifecycle, and companies have a transparent enterprise-wide view of both approved and unapproved change. Most importantly, change is controlled throughout the implementation and is verifiable, auditable and recoverable. Change Monitoring provides documented proof that change and security controls are effective, demonstrates that only authorized and intended changes have been made to AD environments, and supports change control policy and security best practices. Policy Compliance Policy compliance involves the assessment, operation and control of systems and resources in accordance with security standards, best practices and regulatory requirements. The mandates for Active Directory security and compliance come from many sources. Perhaps the most common source are regulations and industry standards, such as Sarbanes-Oxley and FISMA Accord. Indeed, external auditors routinely review their clients compliance programs as part of the financial audit. Unfortunately, many organizations do not have robust or complete information compliance policies, and leave the decision-making for compliance implementation up to the technologist rather than the management of the company. One of the auditor s first procedures should be the evaluation of compliance and security policies, to see if they exist and to assess them for appropriateness. From there, the auditor should evaluate the configuration and other security aspects of key systems and the network with policies for guidance. However, given that policies are often limited, the auditor should go beyond policies during the audit in order to identify other causes of risk. Operational Integrity Operational integrity includes the instrumentation and monitoring of the performance, availability and security of systems and services. In doing so, it helps determine the cause of the issue and its origination. For example, measuring the difference between managed and unmanaged changes in the Active Directory environment can help administrators understand exactly what changes were made and how they impact the users downstream. Monitoring Change in Active Directory 4

5 Operational Integrity is a large part of general controls, the foundation on which effective internal controls can be built. In turn, effective internal controls are the foundation for sound business practices and the basis for reducing the amount of substantive testing during audits. It should be no wonder that the assessment of and reporting on internal controls over financial systems is now required by law for public companies traded on exchanges in the United States specifically, section 404 of the Sarbanes-Oxley Act of Today, the bottom line is literally dependent on effective internal controls and strong IT security. Current Approaches for Active Directory Monitoring IT auditors often leverage manual procedures, scripts and other internally developed workarounds when auditing Active Directory. Unfortunately, these are fraught with challenges and limitations and often create an undue burden on the administrator, on management, and on the auditor. Manual Procedures Manual audit procedures for Active Directory are still fairly common. To some degree, manual procedures are unavoidable. They might include inquiries of administrators and other technical personnel regarding their practices for security, such as backups and system maintenance. However, they often include procedures for checking the technical security of the system, such as reviewing system policy settings, looking at user and group accounts and other procedures that could be automated. The greatest problems with manual procedures are that they take considerable time to perform, often require significant technical expertise, and rarely result in a thorough evaluation of Active Directory security. Automating as many audit procedures as possible should be the goal. Scripts Another common method of performing Active Directory audits is the use of scripts to gather log data from targeted systems. While this automates a significant piece of work the gathering of data it fails to perform the most important and often most time-consuming piece of work the correlation and interpretation of the data and the identification of compliance exceptions. Moreover, the manual analysis of data is highly prone to errors, leading to flawed audit reports or oversights of potentially high-risk exceptions. Criteria for an Ideal Solution An ideal solution for Active Directory monitoring should meet the following requirements: Reduces the workload of IT auditors and other involved personnel. Any Active Directory auditing approach should be efficient. It should leverage technology to audit technology where possible, and minimize the amount of manual procedures. Monitoring Change in Active Directory 5

6 Assesses compliance with policies, regulations, standards and leading practices. Compliance with applicable policies and standards (i.e., benchmarks) and other drivers (e.g., Sarbanes-Oxley, FISMA) are important in today s business. The approach should facilitate compliance by identifying exceptions from policies and standards. Leverages existing infrastructure wherever possible. Organizations should not have to deploy a completely new monitoring framework just to support the necessary monitoring and auditing of Active Directory. An ideal solution would take advantage of existing systems and agents to provide monitoring, reporting and alerting of Active Directory changes. Provides an accurate assessment of security posture. Active Directory audits should provide a comprehensive picture of security from an administrator s point of view. It should provide a view from the inside out, so that it is clear where you have compliance exceptions and vulnerabilities. Supports real-time monitoring and continuous auditing. The solution should be completely automated and work hands free. This means the solution should enable assessments to be scheduled on a recurring basis, performed during off hours, and hold the results and data securely for subsequent reporting and analysis. Scales securely. The solution should grow with the business and support the entire enterprise. This means the solution should work over large, distributed Active Directory domains with little impact on utilization and other resources. Moreover, it should communicate and store data securely, so that the solution itself does not become a potential exposure. Provides insight into different types of change. It is not enough just to know that change is occurring. In order to help administrators, management and auditors, the ideal solution should help to classify and identify the types of changes occurring in the Active Directory environment so that there is an understanding of which changes and personnel are following defined processes. Benefits and Features of NetIQ Change Guardian for Active Directory NetIQ Change Guardian for Active Directory delivers real-time monitoring and alerting of changes to your Active Directory environment, and provides detailed audit reporting showing changes made inside or outside of your change process as well as the level of importance of the change. Not only do these solutions ensure that changes to the production infrastructure are authorized, tested and approved, but can also identify unauthorized changes and how they impact audit metrics. Benefits of NetIQ Change Guardian for Active Directory NetIQ Change Guardian for Active Directory minimizes the risks associated with operational changes to Active Directory. The product provides the visibility you need to protect your Active Directory environment from dangerous security exposures and costly service disruptions by automating and simplifying Active Directory change monitoring. Monitoring Change in Active Directory 6

7 Improving Compliance and Security Posture for Active Directory Risk exposure from operational changes is most effectively managed with a concerted operational change control effort that closely monitors changes to the Active Directory. NetIQ Change Guardian for Active Directory enables IT security auditors and AD Administrators to effectively and efficiently perform IT security audits on the most important aspects of Active Directory and also scales to support both large and small implementations, from those in a single domain, to domains distributed around the world. NetIQ Change Guardian for Active Directory enables IT auditors to more effectively and efficiently perform security audits at every phase, from defining and performing alert rules to analyzing and reporting results. Change Guardian for Active Directory can be used to enable not only auditors to perform their jobs, but also give administrators and other IT users the ability to leverage the solution to perform their own audits in a secure manner. Moreover, because monitoring occurs in a real-time continuous basis, NetIQ Change Guardian for Active Directory enables you to identify and alert on potential policy compliance issues at any time, assuring that issues can be addressed within minutes, instead of hours or days. Minimize cost while maximizing existing infrastructure NetIQ Change Guardian for Active Directory enables you to maximize the technology you already use. Not having to deploy a new infrastructure just to monitor and alert on Active Directory changes means that your organization can realize the additional benefits of monitoring and reporting with Change Guardian for Active Directory without having to learn entirely new interfaces or incur additional performance hits. Reinforce change control process through metrics Providing the ability to differentiate between Managed, Unmanaged, and High-profile changes in Active Directory gives organizations a unique opportunity to really see which changes are occurring within or outside of their change control process, a very important metric come audit season. Increase availability and reduce risk Assuring that AD Admins and other privileged personnel are making changes according to corporate policy and process through the use of smart monitoring can provide confidence to your organization that risk is being mitigated and that necessary systems and services will be available to the knowledge workers in your organization. Key Features of NetIQ Change Guardian for Active Directory NetIQ Change Guardian for Active Directory provides the following features to enable smart Active Directory Monitoring. Identifies and alerts on managed, unmanaged and high-profile changes Changes to some Active Directory environments can number in the thousands on a daily basis and notifying over-worked administrators of all of these changes would be detrimental. NetIQ Change Guardian for Active Directory provides the capability to audit, report and alert on managed, unmanaged, and high-profile changes independently so that administrators can concentrate on the changes that matter most to the organization. Below are definitions of the different change classification types and how they are treated by NetIQ Change Guardian for Active Directory. Monitoring Change in Active Directory 7

8 Managed Changes: Managed changes are characterized as those changes to AD that are initiated from within a defined change control interface, and represent a low degree of risk. An example of this might be the addition of a new user within an organizational unit s marketing group through the use of NetIQ s Directory and Resource Administrator interface. Unmanaged Changes: Unmanaged changes are characterized as those changes to AD that are initiated outside of a defined change control interface or account, and represent a medium high degree of risk. An example of this might be the addition of a new user within an organizational unit s marketing group through the use of the server console. High-profile Changes: High-profile changes are characterized as those changes to AD that are identified within NetIQ Change Guardian for Active Directory as high-profile, and represent a high degree of risk. An example of this might be the addition of a new user within the Domain Admins group, regardless of the interface the action is performed from (ie. Regardless of whether it is considered managed or unmanaged). Real-time notifications for changes are typically recommended for both Unmanaged and High-Profile Changes, but when and how these alerts are implemented is configurable. Figure 2: Not only does NetIQ s Change Guardian allow administrators to differentiate between managed and unmanaged types of change, it also provides very detailed forensic reports within each classification. In Figures 2 and 3, we can see the depth of information that NetIQ s Change Guardian for Active Directory provides for Managed and Unmanaged changes. Viewing information in this framework provides efficient and automated means for both auditors and administrators to understand where the change control process is working and where additional reinforcement can be applied. Monitoring Change in Active Directory 8

9 Figure 3: Regardless of how change is initiated within your Active Directory domain, NetIQ Change Guardian for Active Directory provides the tools necessary to report on all changes in the environment. Change Guardian for Active Directory also detects and alerts on high-profile changes. In Figure 4 below, we can see many of the well-known privileged groups that Change Guardian considers as high-profile as a default. NetIQ s Change Guardian for Active Directory also allows you to set up additional high-profile objects to produce reports and receive alerts on. Figure 4: Part of the value-add that NetIQ brings with it s products is built in knowledge. In this figure, we see how NetIQ Change Guardian for Active Directory starts administrators off with well-known accounts that have the greatest potential to initiate high-impact changes. Monitoring Change in Active Directory 9

10 Centrally records and audits Active Directory changes Provides the ability to run detailed change reports on your environment. You can identify the percentage of unmanaged changes made in the environment, as well as easily prepare change audit reports based on out-of-the-box templates. Functions on common, flexible infrastructures Improves your return on investment and utilizes the functionalities of NetIQ Security Manager or Microsoft Operations Manager, extending the ability and usefulness of both products to focus on assuring the security and compliance of your Active Directory environment. Monitoring Change in Active Directory 10

11 Conclusion: NetIQ Change Guardian for Active Directory is integral in assuring Policy Compliance and Operational Integrity Like never before, IT auditors and managers, as well as Active Directory administrators can have a tool designed for both policy compliance assessments and operational integrity reporting that also provides real-time alerting on the types of changes that matter most. NetIQ Change Guardian for Active Directory automates and streamlines the AD auditing process, freeing up administrators from manually gathering historical data from log files and freeing up auditors to perform more valuable tasks such as interpreting and reporting results, formulating recommendations, and moving on to the next audit. Moreover, NetIQ Change Guardian for Active Directory meets the requirements of an ideal Change Control monitoring solution for AD. Assesses compliance with policies, regulations, standards and leading practices. Compliance with applicable policies and standards (i.e., benchmarks) and other drivers (e.g., Sarbanes-Oxley, FISMA) are important in today s business. Change Guardian for Active Directory facilitates compliance by identifying exceptions from policies and standards. Provides insight into different types of change. It is not enough just to know that change is occurring. In order to help administrators, management and auditors, Change Guardian for Active Directory helps to classify and identify the types of changes occurring in the Active Directory environment so that there is an understanding of which changes and personnel are following defined processes. Leverages existing infrastructure wherever possible. Organizations should not have to deploy a completely new monitoring framework just to support the necessary monitoring and auditing of Active Directory. Change Guardian for Active Directory takes advantage of existing systems and agents to provide monitoring, reporting and alerting of Active Directory changes. Provides an accurate assessment of security posture. Change Guardian for Active Directory provides a comprehensive picture of security from an administrator s point of view. It provides a view from the inside out, so that it is clear where you have compliance exceptions and vulnerabilities. Supports real-time monitoring and continuous auditing. Change Guardian for Active Directory is completely automated and works hands free. The CGAD solution enables assessments to be scheduled on a recurring basis, performed during off hours, and holds the results and data securely for subsequent reporting and analysis. Reduces the workload of IT auditors and other involved personnel. Change Guardian for Active Directory is efficient. It leverages technology to audit technology where possible, and minimizes the amount of manual procedures. Scales securely. Change Guardian for Active Directory grows with the business and supports the entire enterprise. The CGAD solution works over large, distributed Active Directory domains with little impact on utilization and other resources. Moreover, it communicates and stores data securely, so that the solution itself does not become a potential exposure. For more information visit NetIQ online at Monitoring Change in Active Directory 11

12 About NetIQ Corporation NetIQ is a leading provider of integrated systems and security management solutions that empower IT organizations with the knowledge and ability necessary to assure IT service. NetIQ's Knowledge- Based Service Assurance products and solutions include embedded knowledge and tools to implement industry best practices and to better ensure operational integrity, manage service levels and risk, and ensure policy compliance. NetIQ's modular, best-of-breed solutions for Performance & Availability Management, Security Management, Configuration & Vulnerability Management, and Operational Change Control integrate through an open, service-oriented architecture allowing for common reporting, analytics and dashboards. For more information about NetIQ, visit or call (888) Monitoring Change in Active Directory 12