Blackbird Management Suite Blackbird Group, Inc. www.blackbird-group.com




PRODUCT ANALYSIS

Blackbird Management Suite
Blackbird Group, Inc.
www.blackbird-group.com

Analysis by Don Jones
Senior Partner and Principal Technologist, Concentrated Technology
www.concentratedtechnology.com

This Product Analysis was commissioned by Blackbird Group, Inc.

Most businesses today realize that Microsoft Active Directory requires a little bit of help when it comes to automating management, providing compliance-grade auditing and reporting, and managing change in the directory. Unfortunately, most of the vendors in this space provide point solutions: one tool to audit changes, another tool to roll back changes, a third to add workflow and change control, and so forth. That's a less-than-perfect situation, because you typically have to install and maintain a variety of software agents on each domain controller, and have to learn the user interface for a half-dozen different tools. There's also a productivity burden: for example, using one tool to detect a change, then having to start up a second tool to locate a recent backup of the changed directory object, and finally restoring that object to undo the change.

Blackbird Group's Blackbird Management Suite seeks to consolidate those activities into a single, truly integrated toolset that operates within the familiar Microsoft Management Console (MMC), extending many of the native MMC snap-ins, including Active Directory Users and Computers, Sites and Services, ADSI Edit, and so forth.

Blackbird organizes the functionality into modular functional areas. Businesses can choose to buy all five, which are licensed per-heartbeat (meaning you pay a license fee for each human being in your business), or they can choose to activate only a subset of the functionality. The option always exists to activate additional features as needed, providing a straightforward growth path. It's important to note that, unlike other vendor offerings that bundle standalone products into an integrated suite, these modules are actually all a part of the same solution, meaning they connect to one another quite seamlessly.

Blackbird has recently added file system permissions management to Blackbird Management Suite (BBMS), and this analysis also includes that functionality.

Active Directory Auditing

A growing number of vendors are implementing auditing solutions that, rather than relying on Active Directory's native event logs, connect directly to internal AD application programming interfaces (APIs) to gather more detailed and granular information. Blackbird Management Suite is one such solution. A benefit of this approach is that you get what is effectively real-time auditing and alerting of changes, including information about who made the change, what was changed, when the change was made, and the before and after values of the change. Unlike other similar solutions, Blackbird's rollback mechanism is built right in: as you're reviewing a change, a rollback button lets you immediately undo it. If a change involved multiple values (editing several user attributes, for example), you can choose which ones to roll back.

Auditing can be accessed through straightforward search features, but significant integration into Microsoft's native tools can provide a better means of retrieving the information. For example, right-clicking a user in Active Directory Users and Computers offers a context menu option to retrieve the audit trail and change history for that object. You can even right-click a user to see an audit trail of every change they've made - a powerful way to check up on trusted administrators or other individuals.

Blackbird's auditing capabilities help to meet most major compliance requirements, including centralization of the audit log into a separate, secure database, as well as extensive reporting. Real-time alerts can also keep administrators or managers informed of critical changes, such as changes to administrative group memberships. In fact, the alerting mechanism is quite robust. Using a simple user interface, you can create alerts that look for specific types of activity, and send alerts to whomever you like.

Note that the rollback functionality does not rely on snapshot-style backups, as some other solutions do. Instead, Management Suite relies on its own database of tracked changes, meaning you can roll back changes that are made in between backups. Interestingly, even schema changes can be detected and rolled back, helping to protect against changes to default object permissions and other schema changes. Schema extensions, however, cannot be rolled back; Microsoft does not support removing schema extensions and is not likely to do so in the foreseeable future.

Active Directory Reporting

Simply having all of that auditing data in the database isn't enough, though; a solution must provide robust reporting. Ideally, the solution should provide built-in reports for the most important and common types of reports, including changes to critical built-in objects, as well as compliance-specific reports. Blackbird includes numerous built-in reports, including ones targeted to many of the major compliance efforts: HIPAA, SOX, GLB, and so on. You can, of course, also create custom reports and save them for future use.

Active Directory Protection

Once you start to gain visibility to the changes in your environment, you'll want to begin locking them down, and that's where the protection module comes into play. Using a simple, Outlook-style user interface, you can designate which objects you want to lock. Your lock can even extend to specific users and actions, such as "don't allow members of the Domain Admins group to make changes to the user objects in this OU." You can also configure exception rules: these can make it easier to lock out a broad portion of your company, while allowing a smaller, delegated group to retain control. For example, "Don't allow anyone to do anything in this OU, except members of the Sales Administrators group." Protection rules can not only help prevent unwanted changes, especially to critical objects, but can also help to enforce your change control processes and mechanisms.

Protection rules execute server-side, and while it's not impossible to bypass them, it would be fairly difficult. A Blackbird-designed agent taps directly into the AD APIs, and inserts itself directly into the AD event stack. It is thus able to preview all changes submitted to AD, whether through native tools, scripts, or even other third-party tools. If a change violates one of the protection rules, the agent aborts the change, typically returning an error message to the initiating client. The protection rules can therefore act as a kind of firewall for AD, going far above and beyond the simple accidental deletion protection offered natively.

Interestingly, the robustness of the protection feature - combined with Management Suite's own internal security, which will be discussed shortly - can help address the "forest as a security boundary" issue that has led many organizations to create far more forests than can easily be managed. With Blackbird's toolset, these companies can consolidate their forests while retaining rigid security boundaries within the forest, eliminating in many respects the super-privileges of the Enterprise Admins group through the use of protection rules.

Active Directory Recovery

Management Suite also includes a traditional AD recovery toolset. You can compare individual directory objects to their backed-up versions, from any point in time, and restore them - or restore specific attributes.

Again proving the value of tight integration between modules, Blackbird offers a unique twist on recovery: when comparing a live object to its backed-up version, you can easily obtain information on where a particular difference came from. For example, if a user's name was Jones yesterday, and Smith today, you'll see that difference in a backup comparison - and be able to see who made the change, and when - by accessing the audit trail. If the change was made through Blackbird's workflow facility (which will be discussed shortly), you'll also see any comments entered by the reviewers who approved the change. The comparison functionality offers various comparison views, including a side-by-side view that makes it incredibly easy to visually process even complex object changes.

The toolset includes a Recycle Bin metaphor that provides for simple, instant single-object recovery, without the need to take a domain controller offline. Unlike the Recycle Bin feature in Windows Server 2008 R2, Blackbird's Recycle Bin actually offers a true graphical user interface for recovery, and can be used on domains that are not on the latest AD domain and forest functional levels.

Blackbird does not currently offer whole-forest recovery. This has been a much-hyped selling point for some vendors' solutions, when in fact Microsoft claims to have seen fewer than a handful of whole-forest recoveries worldwide. Microsoft actually urges customers to engage Microsoft Consulting Services for whole-forest recoveries, and in some cases makes doing so a condition of continued product support. Blackbird's lack of whole-forest recovery is not seen as a negative point at this time.

Perhaps the most important capability you can add to Active Directory is continuous recovery. Simply relying on point-in-time snapshot backups leaves far too much data at risk at any given moment; by having a continuous backup, you can always revert the directory to a previous condition, whether it's to roll back a single object deletion or attribute change, or to recover entire sections of the directory. If your most recent backup is from last night, and you lose something midday, you're going to spend a lot of time and manual effort getting the directory back into a known good condition - something no business should be comfortable with. Because Blackbird's solution can restore objects from the audit log, you're assured of a continuously-protected directory.

Active Directory Management

One of the most exciting features of Blackbird Management Suite is its flexible workflow engine. Using an Outlook mail rules user interface metaphor, you can easily designate activities that will require approval, such as deleting any user account, changing a particular organizational unit, and so forth. Once approval is required, you can completely customize the workflow process, adding as many approval steps as you like. Within each approval step, you indicate who may approve or deny the activity. You also indicate how many approvals are required for the task to proceed to the next step, and you can require approvers to leave comments when they approve or reject the change. When changes pass their final approval, you can indicate that they take place immediately, or that they be scheduled for change at a particular time - the perfect way to help enforce management framework rules and processes.

When an approval is needed, the tool can send an e-mail notifying the reviewer to approve or reject the changes. An Outlook plug-in is provided to facilitate reviewing by users who do not have access to the management console, such as Human Resources users who may need to approve new user account creation, or user deletion.

In its current implementation, the workflow is implemented entirely client-side. That means changes made outside the Management Suite - such as through a script - do not engage the workflow engine. In other words, the workflow is not quite as bulletproof as the protection feature in terms of stopping or controlling unwanted changes.

This is another instance where tight integration sets this solution apart: because all of this information is stored in a single database, someone later reviewing a change in the auditing section can not only choose to roll back the change, but they can also see the approval process that led to the change in the first place. This creates a sort of integrated paper trail and change history, which becomes nearly effortless as you begin relying on the toolset to make changes.

Related to the workflow facility is full support for business rules. Again, by specifying criteria that define the type of object you want to affect, you can create rules that run scripts (say, in response to a new object creation), that enforce naming conventions (for user or group names, for example), and so forth. You can also create rules that generate alerts for specific directory actions. Again, these rules run client-side, rather than server-side, so they help to supplement the protection feature and provide enforcement for business processes.

DNS, Group Policy Object Support

Blackbird Management Suite also includes support for DNS and Group Policy objects. For DNS, you can track changes to individual records, roll back changes, and so forth, all from within a standard ADSI Edit snap-in that includes Blackbird extensions. You can even roll back deleted DNS zones, if needed.

For Group Policy objects, Blackbird does not attempt to track individual changes to GPO settings as they are made - a task that is technically challenging, and can create information overload when administrators make numerous changes to a single GPO during one editing session. Instead, the tools detect changes, immediately pull a versioned backup of the GPO, and permit you to compare the different versions of the GPO. In this fashion you can obtain detailed reports of what has changed in a GPO over time. Again, this provides great support for change control and change management processes, as well as for auditing activities that support those processes.

File Systems Permissions Inventory and Reporting

In its newest release, Blackbird Management Suite also includes the ability to inventory and report on file system entitlements, including historical permissions. The product uses the same collector model as with its Active Directory functionality; essentially, each collector is responsible for gathering information from a given server. You can choose to inventory an entire file server, or limit your data collection to just a specific path, or even a specific shared folder. If you have built your environment in such a way that sensitive data is located in specific places, this ability to inventory permissions on just those places is an effective way to reduce the amount of data you might otherwise have to wade through. Collection happens on a periodic basis, and the permissions information is centralized into the product's database.

Because file and folder access control entries are actual Security Identifiers (SIDs), the privilege explorer component of Blackbird Management Suite also has the ability to inventory groups and users from one or more Active Directory domains. This has two benefits: first, it translates SIDs into actual user and group names. Second, it enables the product to expand nested group memberships for a more accurate picture of your file and folder permissions.

The product's main functionality is organized into views, which you can create and modify. You can think of a view as a kind of interactive report. A view can be defined to only include:

- Permissions related to a single account or set of accounts (helping to answer the question, "what does this person have access to?")
- Specific kinds of permissions (as in, "who has full control over any files on this server?")
- Specific computers ("what permissions have been granted on this file server?")
- Time range ("what permissions have been granted to this file in the past 90 days?")

The resulting view presents the file system as it has been inventoried by the collectors. For any given file or folder, the view shows:

- Which permissions have been inherited (and these can be hidden in favor of direct permissions only)
- Which permissions have changed since the last permissions inventory, including the ability to right-click a changed permission and roll back the change to the prior state
- Which effective permissions have changed because a group's membership has changed. In other words, if new users have access to a file because they were added to a group, but the file's actual permissions assignment was not changed, this is distinguishable through color-coded permissions lists. Through deep integration with the rest of the software suite, clicking on one of those "added via group membership" lines lets you see who made the change to a group's membership through AD auditing.

From within the view, a given permission can also be compared to prior collected information so that you can see a change or delta report.

The privilege explorer console essentially replaces Windows Explorer for security management on whatever files are being collected and managed. In other words, permissions can be easily removed or modified from within the privilege explorer interface, enabling administrators to work within a single console.

Views are organized into nodes, or folders, which can have their own permissions applied. This enables effective separation of duties, as you can delegate permissions over a specific set of files and folders to whomever you like.

Privilege explorer also supports more traditional snapshot reports by means of SQL Server Reporting Services, providing designated users with Web-based access to numerous built-in and custom reports.

Integrated Security

Blackbird Management Suite includes its own security layer, which enables you to very granularly determine who can do what within the tool. It uses a folder-based permissions metaphor that is essentially the same as Active Directory's own, and supports permissions inheritance and all the other elements you would expect. This is actually a somewhat unusual feature. While many solutions support role-based administration, not many provide this detailed a level of security configuration.

Truly, Tightly Integrated

All of this functionality is provided by a single agent that is installed on your domain controllers, and supported by a single back-end database. That's a significant distinction from other products in this space, which are often billed as integrated but in fact require discrete agents, separate databases, and so forth. That separation often means the functional integration isn't as tight as it should be; in fact, that separation is often the result of external product acquisitions rather than a single development effort. Blackbird's tight integration into the native tools is remarkable: after a very short while, you feel as if the functionality is simply built into the Microsoft consoles, rather than being provided by a third-party.

About Blackbird Group, Inc.

Blackbird Group has focused on identity and access management solutions since 2002. The company is privately-held, and is a Microsoft Gold Certified Partner. They have licensed more than seven million seats worldwide to date, and are headquartered in Manhattan, New York, with offices throughout Europe. For more information, visit www.blackbird-group.com.

About Concentrated Technology, LLC

Concentrated Technology was founded by IT industry experts Don Jones and Greg Shields to provide concise, accurate education in business technology topics. The company writes to a range of audiences from the C-level to the trenches, with a focus on practical technology solutions for today's business challenges. For more information, visit www.concentratedtech.com.
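The file system permissions section above separates a permission that changed on the file itself from effective access that changed only because a group's membership changed. The following is an added example, not Blackbird's code, that makes the same distinction between two inventory snapshots; it assumes allow-only ACEs with no inheritance, and every SID, name, path and right in it is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample identities (not real SIDs from any environment).
ALICE, BOB, CAROL = "S-1-5-21-1-1101", "S-1-5-21-1-1102", "S-1-5-21-1-1103"
FINANCE, FIN_MGRS = "S-1-5-21-1-2001", "S-1-5-21-1-2002"
NAMES = {ALICE: "alice", BOB: "bob", CAROL: "carol",
         FINANCE: "Finance", FIN_MGRS: "Finance-Managers"}
PATH = r"\\fs01\finance\payroll.xlsx"  # constructed path

# Two inventories: file ACLs as (principal SID, right) pairs, plus group members.
OLD = {
    "acl": {PATH: [(FINANCE, "Modify")]},
    "members": {FINANCE: {ALICE, FIN_MGRS}, FIN_MGRS: set()},
}
NEW = {
    # carol was granted Read directly on the file...
    "acl": {PATH: [(FINANCE, "Modify"), (CAROL, "Read")]},
    # ...while bob was added to a group nested inside Finance.
    "members": {FINANCE: {ALICE, FIN_MGRS}, FIN_MGRS: {BOB}},
}


def expand(members, sid, seen=None):
    """Return the user SIDs reached from sid, following nested groups."""
    seen = set() if seen is None else seen
    if sid in seen:            # nested groups can loop; visit each SID once
        return set()
    seen.add(sid)
    if sid not in members:     # not a group in the inventory: treat as a user
        return {sid}
    users = set()
    for child in members[sid]:
        users |= expand(members, child, seen)
    return users


def effective(snapshot, path):
    """Map (user SID, right) to the ACE principals that grant it."""
    grants = defaultdict(set)
    for principal, right in snapshot["acl"].get(path, []):
        for user in expand(snapshot["members"], principal):
            grants[(user, right)].add(principal)
    return grants


def classify_new_access(old, new):
    """List newly effective permissions and why each one appeared."""
    findings = []
    for path in sorted(new["acl"]):
        before, after = effective(old, path), effective(new, path)
        old_aces = set(old["acl"].get(path, []))
        for user, right in sorted(after.keys() - before.keys()):
            for principal in sorted(after[(user, right)]):
                # The ACE was already on the file, so only membership moved.
                cause = ("group-membership" if (principal, right) in old_aces
                         else "acl-change")
                findings.append((path, NAMES.get(user, user), right, cause,
                                 NAMES.get(principal, principal)))
    return findings


if __name__ == "__main__":
    for finding in classify_new_access(OLD, NEW):
        print(finding)
```

A "group-membership" finding is the case where the file's ACL is identical in both snapshots, so the change has to be traced in the directory audit trail for the named group rather than on the file server.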