Quest InTrust
Change auditing and policy compliance for the secure enterprise
May 2008
Copyright 2006 Quest Software
Quest is the Thought Leader in Active Directory
- Named Microsoft Global ISV Partner of the Year! 2007 2004
- Mature Products: Working with Microsoft's enterprise directory (NT & AD) since 1993
- The Migration Expert: Over 20 Million user accounts migrated by Quest
- Most Managed Users: Over 45 Million user accounts managed using Quest's Active Directory solutions
- Strategic Investment: Multiple patents and patents pending for our technology
- Trusted Partner: Over 7,000 companies look to Quest to help manage their Active Directory
- Single Vendor for Your AD requirements: Migration, Availability, Auditing & Reporting, Efficiency, Extending the Reach Cross-platform
Quest InTrust Architecture Overview
[Architecture diagram. Components: InTrust Server, InTrust Repository, SQL Server, SRS, Quest Knowledge Portal. Flow labels: Store, Real-Time, Reports, Changes.]
- Collect Event Data Securely
- Correlate heterogeneously
- Report intelligently: Prove it to the auditors
- Compressed, long-term storage
- Real-time Monitoring (Alerts, Remediation)
Quest Knowledge Portal
The InTrust Framework
- Collect event data securely
- Correlate heterogeneously
- Report intelligently: Prove it to the auditors
- Compressed, long-term storage
- Real-time Monitoring (Alerts, Remediation)
The InTrust Framework
The InTrust framework provides a basis for an organization's GRC (Governance, Risk and Compliance) systems, and leverages modular functionality via Plug-ins to provide a deeper level of auditing, reporting and security than available natively.
Built upon the core InTrust framework, there are InTrust Plug-ins for: Active Directory, File Access, Exchange, SharePoint (coming late 08)
All of the plug-ins leverage the InTrust framework to:
- Collect event data securely
- Correlate heterogeneously
- Report intelligently: Prove it to the auditors
- Deliver advanced archival, long-term storage (compressed, admissible in court)
- Enforce policies for email compliance and eDiscovery
- Improve system security and performance
- Reporting through a common web-based platform
- Provide Real-time Monitoring
Further Benefits of the InTrust Family
- Advanced auditing and remediation capabilities via InTrust Plug-ins
  - Active Directory
  - Exchange
  - File Access
  - SharePoint
- Report intelligently
  - Predefined and custom reports
  - Regulatory reports mapped to SOX, HIPAA, PCI and COSO
- Improve system security
- Keep more data at your fingertips
- Consolidated Reporting via the Knowledge Portal
Compliance Lifecycle
[Diagram. Labels: Active Directory; Information; Servers and Workstations; Applications (Exchange, Microsoft Identity Lifecycle Manager, Active Directory Lightweight Directory Service); Databases (SQL Server, Oracle); Files & Folders. Audience: CIO, Auditors, Security Officer, Administrators. Outputs: COSO, HIPAA, PCI, SOX; Real-Time Alerting. Soon to be released: CoBit*, ISO17799*, FFIEC*, ITIL*, BASEL II*, J-SOX*, OMB A-123.]
Problems with MS Native auditing of AD
- MS Directory Services auditing is difficult to configure/manage.
  - Policy settings and ACL Audit entries must be applied locally to each OU you wish to monitor.
- Native auditing events are incomplete.
  - Events on Permission changes (Delegate Control) lack critical details.
  - Incomplete auditing of Group Policy changes
  - No auditing of Schema container changes / extensions.
- Event overload due to inheritance
Why InTrust for Active Directory is Superior to Native Windows Auditing!
- No audit configuration needed
- Audit virtually all changes to AD
  - Permission changes (Delegated Control) with complete details!
  - Full auditing of Group Policy changes: Changes, links, even changes made directly via SYSVOL!
  - No Event Overload on permission changes due to inheritance.
  - Even audit Configuration & Schema container changes!
- Gain additional insight:
  - Before & After values for each change
  - Source IP address / Computer name
- Bonus!: Protect critical objects outside of MS Security!
  - GPOs, Root level OUs, Service accounts, groups, Anything in AD!
ITAD GPO Changes Subreport example
Problems with MS Native Object Access (file) auditing:
- Native Auditing is Time consuming and difficult to configure/manage
  - Policy settings can be pushed out via GPO, but ACL Audit entries must be applied locally to each folder you wish to audit
- Events are often incomplete, redundant or incorrect
  - To MS: Everything is a file!
  - Long vs. Short filename
  - Event overload due to inheritance
  - Events on Permission changes lack critical details
  - No Move event data
Why InTrust plug-in for File Access is Superior to MS Native Auditing!
- Centralized Audit configuration
  - Configure audit settings on all file servers from a single console
- Complete, correct event data
  - Files are files, and folders are... folders!
  - Always shows the long file name
- Eliminates redundant audit records
  - Folder permission changes include scope of change
  - Duplicate events are suppressed, reducing storage requirements
- Complete permission change details
  - Whose permission and what changed
  - Before and after values
- Includes Move events!
InTrust plug-in for File Access drill down functionality!
- All recently deleted files and by user
- All file access activity performed by that user.
Problems with MS Exchange Auditing:
- Impossible to natively track all change details to Exchange Stores
- Microsoft Native auditing does not provide detailed information on:
  - Non-owner mailbox access and specific activity related to this access
  - Changes to permissions at the client level
  - Changes to permissions to the Configuration Store
- Native auditing does not provide detailed change tracking of permission changes made to a mailbox within AD
- Critical to both security and compliance objectives
Why InTrust plug-in for Exchange is Superior to MS Native Auditing!
- The only solution on the market that tracks non-owner Mailbox activity
  - Logon to other user's mailbox
  - Logon to other user's mailbox via OWA
  - Open folder
  - Read, Modify, Delete other user's emails (objects in user's mailbox)
- Tracks send-as activity
- Tracks Permission changes
  - Mailbox and Folder permissions.
  - Delegates and Alternate Recipient Management!
- MICROSOFT DOES NOT DO THIS NATIVELY!
Additional Auditing from InTrust for Exchange:
- Track Exchange Server Configuration Changes
  - Delivery restrictions
  - Authentication, Connections and Access control changes for: HTTP, IMAP, SMTP, POP3
  - Enabled services
- Assures that organizational assets are protected and secured from unwanted administrator actions
Sample InTrust Plug-in for Exchange Reports
- Folder permission changes
- Non-owner mailbox read attempts
InTrust for Exchange Example: Inappropriate Mailbox Access
Alert via email whenever Non-owner mailbox activity is detected that did not come from a known Executive Assistant
InTrust for Exchange Example: Mailbox Permission / Delegate Changes
Alert via Email any time a Mailbox has a permission or delegate change
Quest approach. Quest approach to Enterprise security.
Overall vision.
ActiveRoles Server
Quest InTrust
Change auditing and policy compliance for the secure enterprise
Thank You!