Quest InTrust for Active Directory Product Overview Version 2.5
Copyright Quest Software, Inc. 2006. All rights reserved.

This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

WARRANTY

The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

TRADEMARKS

All trademarks and registered trademarks used in this guide are property of their respective owners.

World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
e-mail: info@quest.com
U.S. and Canada: 949.754.8000

Please refer to our Web site for regional and international office information.

Quest InTrust for Active Directory
Updated April 26, 2006
Software version 2.5
CONTENTS

ABOUT QUEST SOFTWARE, INC. ... 3
  Contacting Quest Software ... 3
  Contacting Customer Support ... 3
BUSINESS PROBLEM STATEMENT ... 5
SOLUTION: QUEST INTRUST FOR ACTIVE DIRECTORY ... 6
HOW IT WORKS ... 7
  KEY FEATURES ... 7
    Tracking Changes to Active Directory Objects and GPOs ... 7
    Centralized Reporting on Change Information ... 8
    Notification upon Active Directory and GPO Changes ... 8
    Protection of Critical Active Directory Objects and GPOs ... 9
CONCLUSION ... 10
ABOUT QUEST SOFTWARE, INC.

Quest Software, Inc. delivers innovative products that help organizations get more performance and productivity from their applications, databases and Windows infrastructure. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 18,000 customers worldwide meet higher expectations for enterprise IT. Quest's Windows Management solutions simplify, automate and secure Active Directory, Exchange and Windows, as well as integrate Unix and Linux into the managed environment. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Phone: 949.754.8000 (United States and Canada)
Email: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Customer Support

Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.

SupportLink: www.quest.com/support
Email: support@quest.com

You can use SupportLink to do the following:
- Create, update, or view support requests
- Search the knowledge base
- Access FAQs
- Download patches
BUSINESS PROBLEM STATEMENT

Active Directory administration is one of the most important IT infrastructure tasks in an enterprise. Active Directory administrators must find the best ways to protect Active Directory from accidental and unwanted changes. Accidental deletions, poorly planned changes and careless modifications of crucial objects cause outages, security breaches and process breakdowns, which in turn affect business-critical applications.
SOLUTION: QUEST INTRUST FOR ACTIVE DIRECTORY

Quest InTrust for Active Directory helps watch for and prevent undesirable changes. In particular, the solution does the following:
- Tracks all changes to Active Directory and Group Policy
- Provides real-time alerting and notification whenever a change is caught
- Allows you to protect critical Active Directory objects and GPOs
- Offers centralized, automated reporting on changes and change attempts discovered

The following figure shows the most important tasks that InTrust for Active Directory helps achieve and the components that take part in these tasks.

[Figure: tasks shown are object protection, auditing, real-time monitoring and reporting; components shown are Active Directory, InTrust for Active Directory, the InTrust for Active Directory log, InTrust Server, alerts and reports.]
HOW IT WORKS

Quest InTrust for Active Directory installs a Windows service that runs on the domain controller. The service inspects all change requests that are made to Active Directory, regardless of where they come from: Windows Active Directory management tools, user-developed scripts or third-party applications. InTrust for Active Directory logs the details behind each Active Directory and Group Policy change to the InTrust for Active Directory event log. In addition, InTrust for Active Directory protects objects that you specify. Protection prevents such actions on Active Directory and Group Policy objects as deletion, creation and modification.

Key Features

Tracking Changes to Active Directory Objects and GPOs

InTrust for Active Directory keeps a close watch on changes to all critical areas of Active Directory, including service accounts, administrative groups and Organizational Units. It also registers changes to Group Policy objects and to individual Group Policy settings, ensuring you know when changes that could affect thousands of users are made.

InTrust for Active Directory tracks such occurrences as new object creation, changes to existing objects, object moves and deletions. It provides administrators with detailed information on:
- What object was changed
- When and how it was changed (for example, a user account was added to or deleted from an administrative group)
- Who initiated the change
- Object information before and after the change

These changes are tracked on all domain controllers where the changes occur.

A particular benefit of InTrust for Active Directory auditing is being able to track user rights assignment. Built-in auditing of user rights changes is not comprehensive, and Security logs must be gathered from all domain computers to get the most out of them. InTrust for Active Directory lets you track all information about user rights changes and get all that information from the domain controller.
Centralized Reporting on Change Information

InTrust for Active Directory offers a streamlined, automated workflow for collecting and reporting on all changes and change attempts discovered. This workflow includes:
- Periodic collection of all events logged by InTrust for Active Directory into the specified repository
- Import of the necessary data into the database
- Generation of ready-to-use reports
- Clean-up of unnecessary information

This functionality is based on a two-tier data storage model: repositories for centralized, long-term data storage, and databases for data analysis and reporting. You can set up central or local reporting, and build a data gathering and report generation workflow that best fits your organization's requirements.

Reporting presents events in an ordered form without unnecessary information, and groups events logically. Reports make sense of the data and concentrate on the activity you are interested in, sparing you the effort of browsing raw event data. Some good uses for reports are creating change statistics, detecting abnormal numbers of changes (compared to what was registered previously) or investigating policy violations.

Notification upon Active Directory and GPO Changes

With alerting and notification capabilities, you can keep an eye on changes and attempts to modify Active Directory and Group Policy objects in real time. The real-time monitoring engine tracks the InTrust for Active Directory log. As soon as a change or a change attempt is discovered, a corresponding alert is issued, and the responsible personnel receive a notification message. Authorized users can work with alerts using the web-based Monitoring Console. In addition to Active Directory and Group Policy object changes, you can watch InTrust for Active Directory availability and operation.

You can benefit from real-time notification about certain types of changes or even change attempts. For example, you may want to be notified as soon as someone makes a change to the membership of an administrative group.
Protection of Critical Active Directory Objects and GPOs

InTrust for Active Directory makes sure that the most sensitive objects and attributes in Active Directory stay safe from inadvertent or undesirable changes. You can specify objects that cannot be changed under any circumstances by any personnel. Protection can be turned on for any Active Directory or Group Policy object that you consider critical. Examples of such objects are Organizational Units, Group Policy objects and service accounts.
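The behaviour the preceding sections describe (inspecting every change request, blocking changes to protected objects, recording who changed what and when together with the before and after values, and alerting when the membership of a watched administrative group changes) can be sketched as a small monitor. The code below is an added illustration written for this overview; it is not InTrust for Active Directory's own code, event-log format or protection mechanism. The directory snapshot, distinguished names, requester names, the record layout and the rule that protection covers everything beneath a protected container are all constructed assumptions.

```python
"""Illustrative change-request monitor: protection check, before/after audit
record and membership alerting. Constructed example, not product code."""
import copy
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample directory snapshot: DN -> {attribute: tuple of values}
DIRECTORY: Dict[str, Dict[str, Tuple[str, ...]]] = {
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {
        "member": ("CN=Alice,CN=Users,DC=example,DC=com",),
    },
    "OU=Servers,DC=example,DC=com": {"description": ("Member servers",)},
    "CN=svc-backup,OU=Servers,DC=example,DC=com": {"description": ("Backup service account",)},
    "CN=Bob,CN=Users,DC=example,DC=com": {"description": ("Bob",)},
}
# Constructed: objects an administrator has flagged as protected
PROTECTED: Set[str] = {"OU=Servers,DC=example,DC=com"}
# Constructed: groups whose membership changes should raise an alert
WATCHED_GROUPS: Set[str] = {"CN=Domain Admins,CN=Users,DC=example,DC=com"}


@dataclass
class ChangeRequest:
    requester: str                   # who initiated the change
    operation: str                   # "create", "modify" or "delete"
    dn: str                          # object the request targets
    attribute: Optional[str] = None  # attribute for create/modify
    values: Tuple[str, ...] = ()     # replacement value set for that attribute
    when: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class AuditRecord:
    when: datetime
    who: str
    operation: str
    dn: str
    attribute: Optional[str]
    before: Tuple[str, ...]
    after: Tuple[str, ...]
    outcome: str                     # "applied" or "denied"
    alert: Optional[str] = None


def is_protected(dn: str, protected: Set[str]) -> bool:
    """True if dn is protected or lies beneath a protected container.
    Assumption: protection is inherited down the tree. Plain comma splitting
    is enough for the constructed DNs here (no escaped commas)."""
    parts = dn.split(",")
    return any(",".join(parts[i:]) in protected for i in range(len(parts)))


class ChangeMonitor:
    def __init__(self, directory, protected, watched_groups):
        self.directory = directory
        self.protected = protected
        self.watched_groups = watched_groups
        self.log: List[AuditRecord] = []

    def handle(self, req: ChangeRequest) -> AuditRecord:
        obj = self.directory.get(req.dn)
        # "before" is the attribute's current values, or the attribute names for a delete
        if req.operation == "delete":
            before = tuple(sorted(obj)) if obj else ()
        else:
            before = obj.get(req.attribute, ()) if obj and req.attribute else ()

        # Protection check runs before anything is applied: the change attempt is still logged
        if is_protected(req.dn, self.protected):
            rec = AuditRecord(req.when, req.requester, req.operation, req.dn, req.attribute,
                              before, before, "denied",
                              f"Blocked {req.operation} of protected object {req.dn} by {req.requester}")
            self.log.append(rec)
            return rec

        if req.operation == "create":
            self.directory[req.dn] = {req.attribute: req.values} if req.attribute else {}
            after = req.values
        elif req.operation == "modify":
            if obj is None:
                raise KeyError(f"cannot modify missing object {req.dn}")
            obj[req.attribute] = req.values
            after = req.values
        elif req.operation == "delete":
            self.directory.pop(req.dn, None)
            after = ()
        else:
            raise ValueError(f"unsupported operation {req.operation!r}")

        # Alert only on membership changes of watched groups; other changes are just logged
        alert = None
        if req.dn in self.watched_groups and req.attribute == "member":
            added = sorted(set(after) - set(before))
            removed = sorted(set(before) - set(after))
            alert = f"Membership of {req.dn} changed by {req.requester}: added={added} removed={removed}"
        rec = AuditRecord(req.when, req.requester, req.operation, req.dn, req.attribute,
                          before, after, "applied", alert)
        self.log.append(rec)
        return rec


def run_demo() -> List[AuditRecord]:
    """Replays three constructed change requests and returns the audit log."""
    monitor = ChangeMonitor(copy.deepcopy(DIRECTORY), set(PROTECTED), set(WATCHED_GROUPS))
    requests = [
        ChangeRequest("EXAMPLE\\helpdesk1", "modify", "CN=Domain Admins,CN=Users,DC=example,DC=com",
                      "member", ("CN=Alice,CN=Users,DC=example,DC=com", "CN=Bob,CN=Users,DC=example,DC=com")),
        ChangeRequest("EXAMPLE\\helpdesk1", "delete", "CN=svc-backup,OU=Servers,DC=example,DC=com"),
        ChangeRequest("EXAMPLE\\helpdesk1", "modify", "CN=Bob,CN=Users,DC=example,DC=com",
                      "description", ("Bob (contractor)",)),
    ]
    return [monitor.handle(r) for r in requests]


if __name__ == "__main__":
    for rec in run_demo():
        print(f"{rec.when:%Y-%m-%d %H:%M:%S} {rec.outcome:7} {rec.who} {rec.operation} {rec.dn}")
        if rec.alert:
            print("  ALERT:", rec.alert)
```

Running the module replays the three requests: the Domain Admins membership change is applied and raises an alert naming the added member, the deletion of the service account under the protected OU is denied but still lands in the log as a change attempt, and the harmless description edit is recorded without an alert. Keeping denied attempts in the same log as applied changes is what lets the reporting and notification workflow above see change attempts, not just changes.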
CONCLUSION

Quest InTrust for Active Directory offers an efficient solution for controlling changes to the most critical parts of the Windows environment: Active Directory and Group Policy. The solution's scope includes the following:
- Tracking
- Reporting
- Notifying
- Protecting

In this way, InTrust for Active Directory can help strengthen Active Directory integrity and reduce the possibility of breakdowns and security breaches caused by inappropriate modifications of critical objects.