Simplifying Virtualization and Cloud Management


Protecting and Auditing
Windows Networks
Adrian DUMITRESCU
Senior Technical Consultant | Q-East Software
www.quest.com
© 2010 Quest Software, Inc. ALL RIGHTS RESERVED
Why Protect and Audit Active Directory
• Active Directory is the core of enterprise IT; for this reason, comprehensive protection and auditing of AD changes is critical
• Key components for protection and auditing of Active Directory:
  – Third-party systems integration (Identity and Access Management)
  – Change tracking (real-time monitoring, reporting, secure audit trail, security event management and correlation)
Third-party Systems Integration (IAM)
What is IAM?
[Diagram: People (permanent employees, contractors, temporary employees, partners, customers, suppliers) are linked by ACCESS to Resources (file data, car/phone/PC, door access, software installs, application access, projects)]
The Seven IAM Projects
• Directory Consolidation
• Directory Content Management & Provisioning
• Password Management
• Single Sign On
• Strong Authentication
• Privileged Account Management
• Audit & Compliance
Directory Consolidation
So, you’ve got AD
[Diagram: a single directory (AD) with its own Auth., Roles, Policy and Access]
Add some UNIX and Linux
[Diagram: three identity silos side by side, each with its own Auth., Roles, Policy and Access]
Mix in Macintosh and Java apps
[Diagram: five identity silos side by side, each with its own Auth., Roles, Policy and Access]
Sprinkle in SAP and Databases
[Diagram: seven identity silos side by side, each with its own Auth., Roles, Policy and Access]
Finish with Mainframes and cloud
[Diagram: ten identity silos side by side, each with its own Auth., Roles, Policy and Access]
Integrate where you can
[Diagram: the silos that can be integrated collapse into a single set of Auth., Roles, Policy and Access; four remaining silos keep their own]
But what about the others? …
[Diagram: the four silos that could not be integrated, each still with its own Auth., Roles, Policy and Access]
Directory Content Management & Provisioning
Password Management
Single Sign On
Strong Authentication
Privileged Account Management
Audit & Compliance
• Everything audited
• Actionable items
• OOTB reporting
• Plug-in Solution
The “strategic” approach
• Platform agnostic – meta-directory approach
• Business tool for use by business people
• Supplying business intelligence such as …
  – Who works for me?
  – What do they do?
  – What can they see?
  – What do they have?
  – What have they done?
  – How much do they cost?
Web IT-Shop – Built for the “business”
Self-service Shopping Cart
Attestation
What Does This Mean For You?
• Identity and Access Management means different things to different people.
• It requires different approaches based on YOUR customer’s needs:
  – Help your customers with “tactical” solutions to their IT problems.
  – Put them on a trusted path to grow with the Quest One Identity Management Solution.
  – Provide their business with a “strategic” IAM solution for their business problem.
  – Extend this with the “tactical” tools to provide unparalleled, complete coverage.
• Developing tools and solutions for your customer’s needs today, and also for the future.
Information
[Diagram: information sources (Active Directory; servers, workstations and other equipment; applications; file servers; databases) feed a Compliance Lifecycle (SOX, FISMA, ITIL) with real-time alerting, whose output serves managers, auditors, security officers and administrators]
Change Tracking
• AD change tracking can be implemented using a uniform process that works no matter what type of object is changed
• The key elements of any AD change event should include the:
  – Time of change
  – Object modified
  – User that modified the object
  – Operation performed
  – Properties modified and their values before and after the change
  – Domain controller where the change was made
  – IP address of the workstation or client machine from which the change originated
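As an added example (not code from the presentation or from any Quest product), the following Python folds a raw directory-change feed into one record per change carrying the seven elements listed above, and then picks out the changes that touched sensitive attributes. The raw record layout, the sample records, the correlation ids and the SENSITIVE_ATTRIBUTES list are assumptions constructed for this example; the Value Deleted / Value Added pairing mirrors the way Windows 5136 events report a replaced attribute value.

```python
from dataclasses import dataclass, field

# Constructed sample, not a real log: each dict is one line of a raw
# directory-change feed. A replaced value shows up as a "Value Deleted" line
# followed by a "Value Added" line that share a correlation id (assumed layout).
RAW_RECORDS = [
    {"time": "2010-05-12T09:14:03Z", "dc": "DC01", "client_ip": "10.0.0.45",
     "actor": "CORP\\jdoe", "object": "CN=Domain Admins,CN=Users,DC=corp,DC=example",
     "attribute": "member", "op": "Value Deleted",
     "value": "CN=Alice,OU=Staff,DC=corp,DC=example", "correlation": "c1"},
    {"time": "2010-05-12T09:14:03Z", "dc": "DC01", "client_ip": "10.0.0.45",
     "actor": "CORP\\jdoe", "object": "CN=Domain Admins,CN=Users,DC=corp,DC=example",
     "attribute": "member", "op": "Value Added",
     "value": "CN=Bob,OU=Staff,DC=corp,DC=example", "correlation": "c1"},
    {"time": "2010-05-12T09:20:41Z", "dc": "DC02", "client_ip": "10.0.0.77",
     "actor": "CORP\\svc-hr", "object": "CN=Bob,OU=Staff,DC=corp,DC=example",
     "attribute": "userAccountControl", "op": "Value Deleted",
     "value": "512", "correlation": "c2"},
    {"time": "2010-05-12T09:20:41Z", "dc": "DC02", "client_ip": "10.0.0.77",
     "actor": "CORP\\svc-hr", "object": "CN=Bob,OU=Staff,DC=corp,DC=example",
     "attribute": "userAccountControl", "op": "Value Added",
     "value": "66048", "correlation": "c2"},   # 512 + 65536 = DONT_EXPIRE_PASSWORD set
    {"time": "2010-05-12T10:02:17Z", "dc": "DC01", "client_ip": "10.0.0.45",
     "actor": "CORP\\jdoe", "object": "CN=Printer Ops,OU=Groups,DC=corp,DC=example",
     "attribute": "description", "op": "Value Added",
     "value": "Printer administrators", "correlation": "c3"},
]

# Attributes whose modification an auditor normally wants surfaced (constructed policy).
SENSITIVE_ATTRIBUTES = {"member", "userAccountControl", "nTSecurityDescriptor", "scriptPath"}


@dataclass
class ADChangeEvent:
    """The seven key elements of an AD change event from the slide."""
    time: str
    object_dn: str
    actor: str
    operation: str
    domain_controller: str
    client_ip: str
    changes: dict = field(default_factory=dict)  # attribute -> (before values, after values)


def normalize(records):
    """Fold raw Value Deleted / Value Added lines into one ADChangeEvent per correlation id."""
    events = {}
    for rec in records:
        ev = events.get(rec["correlation"])
        if ev is None:
            ev = ADChangeEvent(rec["time"], rec["object"], rec["actor"], "",
                               rec["dc"], rec["client_ip"])
            events[rec["correlation"]] = ev
        before, after = ev.changes.setdefault(rec["attribute"], ([], []))
        (before if rec["op"] == "Value Deleted" else after).append(rec["value"])
    # Derive the operation from what was removed and what was added.
    for ev in events.values():
        has_before = any(b for b, _ in ev.changes.values())
        has_after = any(a for _, a in ev.changes.values())
        if has_before and has_after:
            ev.operation = "modify"
        elif has_after:
            ev.operation = "add value"
        else:
            ev.operation = "remove value"
    return list(events.values())


def sensitive_changes(events):
    """Return only the events that touched at least one sensitive attribute."""
    return [ev for ev in events if SENSITIVE_ATTRIBUTES.intersection(ev.changes)]


def describe(ev):
    """Render who / what / when / where / how on one line per attribute."""
    lines = [f"{ev.time} {ev.actor} {ev.operation} {ev.object_dn} "
             f"via {ev.domain_controller} from {ev.client_ip}"]
    for attr, (before, after) in ev.changes.items():
        lines.append(f"  {attr}: {before or '-'} -> {after or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    for ev in sensitive_changes(normalize(RAW_RECORDS)):
        print(describe(ev))
```

Keeping before and after values as lists rather than single strings is deliberate: multi-valued attributes such as `member` can lose and gain several values in one operation, and collapsing them to a string would hide which members were removed.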
Providing Comprehensive Audit and
Protection for Active Directory
Integrated Audit and Compliance
[Diagram: Gathering, Correlation, Reporting and IT Management layers; “Powered by Quest InTrust©”]
The solution must cover the entire infrastructure
1. All operating systems in the enterprise
2. AD and integrated platforms
3. Messaging systems
4. Database platforms
5. Web servers and enterprise applications
6. Hardware and software firewall infrastructures
7. Network equipment and workstations
A unified console for all audit requirements
Built-in compliance with audit standards
• Structured reports
• “Out-of-the-box” compliance
Covering the entire IAM environment
Identity Management and ODBC-compliant systems tracking reports
Covering the entire IAM environment
Custom applications reports
Aggregated reports
To address additional change audit requirements
1. Extended audit for Active Directory and AD LDS: tracking the entire AD activity (who, what, where, when and how the change was produced), plus the changed value before and after the change
2. Extended audit for Microsoft Exchange: tracking the entire Exchange activity (non-owner access, configuration and permissions changes for mail servers and mailboxes)
3. Extended audit for File Access: tracking user and administrator activity on folders, files and shared resources, without the need to activate native audit
Native Audit Limitations
• Audit events are not centralized
• There is no support for analysis and reporting
• High volumes of audit data
• Performance risks
• Missing or limited information
• There is no real-time monitoring engine
• There is no protection against privileged administrators
Cryptic data in Windows access events
• Who is “Logon ID 0x3e7”?
• Which file was accessed?
• What action was performed on the file?
• What other actions were performed under that Logon ID?
Conclusion:
Although event logs exist and record everything happening inside the file system, on their own they cannot be used to meet internal or external security requirements
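Added example, not part of the presentation: the usual way to answer the four questions on this slide is to correlate each object-access event with the logon event that created its Logon ID, decode the access mask into named rights, and then group accesses per session. The flattened key=value log layout, the sample lines and the helper names are constructed for this example; the meaning of Logon ID 0x3e7 (the local SYSTEM session) and the access-right bit values are standard Windows values.

```python
import re
from collections import defaultdict

# Constructed sample, not a real log: each line is the event id followed by
# key=value pairs. 4624 is a logon, 4663 an object access. Deliberately, no 4624
# is present for 0x3E7 or 0x99: the access events alone do not say who acted.
SAMPLE_LOG = r"""
4624 Logon ID=0x1A2B3C Account=CORP\jdoe Source=10.0.0.45
4663 Logon ID=0x1A2B3C Object=\\FS01\Finance\payroll.xlsx Accesses=0x10000
4663 Logon ID=0x1A2B3C Object=\\FS01\Finance\payroll.xlsx Accesses=0x1
4663 Logon ID=0x3E7 Object=C:\Windows\Temp\svc.log Accesses=0x2
4663 Logon ID=0x99 Object=\\FS01\HR\review.docx Accesses=0x40000
""".strip()

# Logon ID 0x3e7 (999) is the well-known logon session of the local SYSTEM account.
WELL_KNOWN_SESSIONS = {"0x3e7": ("NT AUTHORITY\\SYSTEM", "local")}

# File access-right bits as they appear in the Accesses mask of a 4663 event.
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory",
    0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

LINE_RE = re.compile(r"^(\d+) (.*)$")
FIELD_RE = re.compile(r"(Logon ID|\w+)=(\S+)")


def parse(log_text):
    """Yield (event_id, fields) for every line of the flattened export."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), dict(FIELD_RE.findall(m.group(2)))


def decode_access(mask_hex):
    """Translate an access mask such as 0x10000 into human-readable rights."""
    mask = int(mask_hex, 16)
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)   # bits this table does not cover
    if unknown:
        names.append(hex(unknown))
    return names


def correlate(log_text):
    """Attach the account and source from the matching 4624 to each 4663."""
    sessions = {}     # logon id -> (account, source address)
    accesses = []
    for event_id, f in parse(log_text):
        logon_id = f["Logon ID"].lower()
        if event_id == "4624":
            sessions[logon_id] = (f["Account"], f["Source"])
        elif event_id == "4663":
            account, source = (sessions.get(logon_id)
                               or WELL_KNOWN_SESSIONS.get(logon_id)
                               or ("unknown session (logon event not captured)", "?"))
            accesses.append({"logon_id": logon_id, "account": account, "source": source,
                             "object": f["Object"], "actions": decode_access(f["Accesses"])})
    return accesses


def actions_by_session(accesses):
    """Answer 'what else was done under that Logon ID?' by grouping per session."""
    grouped = defaultdict(list)
    for a in accesses:
        grouped[a["logon_id"]].append((a["object"], a["actions"]))
    return dict(grouped)


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a['account']} from {a['source']}: {a['object']} {a['actions']}")
```

The "unknown session" branch is the point the slide makes: if the logon event was not collected (log rotated, a different machine, or collection started late), the Logon ID can no longer be resolved, which is why centralized collection has to be continuous.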
Providing Unified Security over Boundary
[Diagram: Enterprise Security spanning Detect / Monitor / Enforce]
• Detection: NIDS, WIDS, HIDS; vulnerability scanning; anomaly
• Monitoring: network profiling; availability; inventory
• Enforcement: NAC, IPS, DLP
• Enterprise Security: correlation; risk assessment; IDM; reporting; dashboard; compliance
• Log Management: unlimited storage; legal evidence
Boundary Audit and Compliance
• SIEM appliances provide real-time analysis of security alerts generated by network hardware and applications
• SIEM appliances are a valuable asset for monitoring boundaries against attacks and intrusions
• Integrating AD/IAM audit and compliance capabilities with SIEM adds to overall protection against threats:
  – Real-time analysis, risk measurement and correlation of boundary threat evidence
  – Situational intelligence for intrusion attempts (cross correlation, contextual analysis)
  – Extended detection of threats (IDS, vulnerability scanning, HIDS)
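Added example, not from the presentation: a minimal cross-correlation of boundary alerts with AD change events of the kind the slides describe, joining on the source address and a short time window after the alert, and raising the alert's risk when a privileged attribute was changed. The alerts, the change events, the window and the PRIVILEGED_ATTRIBUTES policy are all constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed boundary alerts, shaped like what a SIEM receives from a network IDS.
IDS_ALERTS = [
    {"time": "2010-05-12T09:12:50Z", "src_ip": "10.0.0.45",
     "signature": "LDAP anonymous bind attempt"},
    {"time": "2010-05-12T11:40:02Z", "src_ip": "10.0.0.200",
     "signature": "SMB logon brute-force"},
]

# Constructed AD change events carrying the who/what/when/where elements from the
# Change Tracking slide; client_ip is the workstation the change originated from.
AD_CHANGES = [
    {"time": "2010-05-12T09:14:03Z", "client_ip": "10.0.0.45", "actor": "CORP\\jdoe",
     "object": "CN=Domain Admins,CN=Users,DC=corp,DC=example", "attribute": "member"},
    {"time": "2010-05-12T16:05:00Z", "client_ip": "10.0.0.45", "actor": "CORP\\jdoe",
     "object": "CN=Printer Ops,OU=Groups,DC=corp,DC=example", "attribute": "description"},
    {"time": "2010-05-12T11:41:30Z", "client_ip": "10.0.0.9", "actor": "CORP\\svc-hr",
     "object": "CN=Bob,OU=Staff,DC=corp,DC=example", "attribute": "userAccountControl"},
]

# Attributes whose modification shortly after a boundary alert from the same host
# should raise the alert's priority (a constructed policy for this example).
PRIVILEGED_ATTRIBUTES = {"member", "userAccountControl", "nTSecurityDescriptor"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def cross_correlate(alerts, changes, window=timedelta(minutes=10)):
    """Attach to each boundary alert the AD changes made from the same source
    address within `window` after the alert, and derive a risk level from them."""
    enriched = []
    for alert in alerts:
        t0 = parse_ts(alert["time"])
        related = [c for c in changes
                   if c["client_ip"] == alert["src_ip"]
                   and t0 <= parse_ts(c["time"]) <= t0 + window]
        if any(c["attribute"] in PRIVILEGED_ATTRIBUTES for c in related):
            risk = "high"      # boundary activity followed by a privileged directory change
        elif related:
            risk = "medium"    # some directory activity from the same host
        else:
            risk = "low"       # boundary alert with no directory context
        enriched.append({**alert, "related_changes": related, "risk": risk})
    return enriched


if __name__ == "__main__":
    for e in cross_correlate(IDS_ALERTS, AD_CHANGES):
        print(f"{e['time']} {e['src_ip']} {e['signature']}: risk={e['risk']}, "
              f"{len(e['related_changes'])} related AD change(s)")
```

The join key here is the client IP address recorded with the AD change, which is why the Change Tracking slide lists it among the key elements: without it, boundary evidence and directory evidence cannot be tied to the same host.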
Integration with SIEM architectures
– SIEM appliances process data and produce Intelligence
– Sensor appliances collect and produce data
– Logger appliances forensically store data
Multi Dimensional Threat Identification
• A complete analysis of a threat must include all available information defining the context of the attack!
• Integrated capture, normalization and correlation of events for deep security analysis
[Diagram: Threats, Vulnerabilities, Inventory, Alerts and Network feeding the analysis]