Thursday, August 27, 2009

Synchronizing Exchange identities and more

Microsoft has a product to support synchronization of identities between Exchange environments. That product is the "Identity Integration Feature Pack for Microsoft Windows Server Active Directory with Service Pack 2 (SP2)". For those of you who do not know what the IIFP is, here's a snippet that gives you an overview:
Identity Integration Feature Pack for Microsoft® Windows Server™ Active Directory® with Service Pack 2 (SP2) manages identities and coordinates user details across Microsoft Active Directory, Active Directory Application Mode (ADAM), Microsoft Exchange 2000 Server, and Exchange Server 2003 implementations. Using Identity Integration Feature Pack, you can combine identity information for a given user or resource into a single, logical view. Identity Integration Feature Pack also automates the provisioning of new and updated identity data, eliminating time-consuming, repetitive administration and the need to manually add, delete, or update identity information, groups, and user accounts.
Sounds good, right? In fact, it does sound good - or maybe I should say it used to sound good. Read the description above a few times and you might notice three key things that are missing:
  1. What about support of Windows Server 2008?
  2. What about support for Exchange 2007? Exchange 2010?
  3. This is all about identities. What about synchronizing calendars "into a single, logical view"?
The first two items are getting to be show stoppers for most organizations. The last item is, in my humble opinion, very important - it's the "and more" in my post title. I've heard from many customers that they'd like one tool to synchronize contacts and free/busy information - not half a tool.

All of this came to mind when I was trying to better understand why interest in Quest's Collaboration Services product seems to be increasing so rapidly. The product has been around for a long time, but over the last 8-12 months it has really been taking off.

I think I figured out that the answer is in the questions above.


Monday, August 24, 2009

Privileged Identity Management

I read an interesting article recently on this topic and how it relates to databases. The article is a good read, and I want to highlight some points that should apply to everyone working in IDM, and particularly around PIM:
  1. Even at an enormous firm, the number of privileged IDs with access to high-risk data should be short enough for a busy executive to personally review
  2. It is both feasible and reasonable for senior executives to personally review this information and record that they have done so
  3. Anyone can expect this kind of review may be taking place in any major organization handling high-risk data, although it is not as universal as it should be

Think about point #1 above and ask yourself whether you would have a short list for your CIO/CISO to review at your company. I agree that the list should be extremely short and that it should be reviewed by your management chain on a regular basis. As the author states, these reviews are not as universal as they should be. How about at your company?


Tuesday, August 18, 2009

SPML - The Lingua Franca of Provisioning

If you missed this webcast you can still view it here:

If you have any interest in SPML, here's an opportunity for education:

Webcast: SPML -- Exploiting the New Lingua Franca of Provisioning Identity and Access Management
Thursday, August 20 at 11:00 a.m. EDT

During this informative webcast, Randy Franklin Smith will explain how Service Provisioning Markup Language (SPML) can help you easily integrate self-service portals, provisioning systems and target applications in your heterogeneous environment. You will learn where to find support for SPML in a Microsoft-centric network now and in the future, as well as see a live demonstration of SPML in action.

Register here.


Wednesday, August 12, 2009

Cloud Insecurity

Interesting article about Clive Peeters - an Australian company - and how it has been left reeling by a $20m sting by its payroll manager.
...she admitted to using a loophole in the company's internet banking with National Australia Bank to steal from the company.
What this reminded me of was a customer focus group about federation that I ran while I was at Microsoft. I'm not sure these are the exact words the CIO of a company used during the meeting, but it is close enough:
Why would I want to use federation in my business when I can't even trust my own staff not to write down their passwords and leave them stuck to their monitors or to even log off their workstations at night?
While the article I reference isn't exactly about cloud computing, it does highlight the fact that we still have a long way to go with respect to security. Here's another article that seems appropriate to the discussion: Why cloud security is only as strong as your weakest password (and what you can do about it)


Monday, August 10, 2009

Quest Authentication Services User Group Meeting

If you haven't already received a personal invitation from me, I wanted to let you know that we are going to hold a user group meeting for Quest Authentication Services (QAS) right after The Experts Conference (TEC) in Berlin. The letter we sent out is below, but the most important thing is that we are going to preview our QAS 4.0 product at this session. This is going to be an amazing release of QAS, so if you have any interest in what's coming, this is your opportunity!

If you are interested in attending - especially if you are one of our European customers - please send an e-mail message to Todd Peterson (below). Seats are starting to fill, so please don't hesitate.
Please join us for an exclusive Quest Authentication Services (formerly Vintela Authentication Services – VAS) User Group Meeting at TEC Europe on Wednesday, 16 September, from 13:30 to 16:30 at the Hilton Berlin. If you’re already attending TEC, please join us at the user group. If you aren’t attending TEC, I would like to invite you to attend all or some of the conference while in Berlin; please let me know if I can arrange complimentary registration. While TEC is all about intense Microsoft technology training, we want to help you leverage your time and travel to TEC by bringing you together with your peers to share best practices and futures guidance on Authentication Services as an added benefit!

At this User Group meeting, we’ll discuss how you and other companies are leveraging Authentication Services to solve many of the problems with non-Windows identity and access management, including: access control, NIS migration, single sign-on, compliance, Group Policy, and directory consolidation. We’ll also give you an exclusive, early look at the exciting new capabilities available in Authentication Services 4.0.

Immediately following the user group, we will have a cocktail reception as well! To accept this invitation, simply respond with a favorable reply in Outlook and look for more details next week! (email to todd.peterson(at)

We look forward to meeting you all in person at the user group.


Friday, August 07, 2009

Webcast on Active Directory’s Delegation of Control and Auditing

Quest is sponsoring one of Randy Franklin Smith's "real training for free" webcasts on this topic on August 13th. If you have any interest in Active Directory delegation or auditing, this will definitely be worthwhile. Here are some more details:
The depth and breadth of information that must be accurately published in Active Directory spans the organization from Human Resources to the Telecommunications department. On top of that you have to manage access control based on decisions from data owners and managers.

Trying to coordinate updates from all of these individuals and departments is a nightmare. Moreover, skilled administrator time is wasted carrying out what basically amounts to clerical work.

The best solution is self-service administration and access control (more on that below), but AD can't quite pull that off. Thankfully, however, Active Directory does support delegation of control and provides an excellent audit log. With these 2 features you can spread out responsibility for updating various aspects of user and group information to the people and departments actually responsible for it without losing control.

AD’s delegation of control feature allows you to granularly delegate the ability to update specific fields on users and groups to any other user or group in AD. For instance, you can grant the Telecommunications department the authority to update office, mobile and pager telephone numbers while giving Human Resources access to update home phone and address. Delegation also provides ways to streamline access control management and group membership.

Lest you worry about losing control, the events generated by Active Directory are the best designed of all the events in the Windows security log, so you always have a complete audit trail of who did what and when. In this real training for free webinar I will show you how to streamline maintenance of users, groups and access by using:

* AD advanced permissions
* The security log
* Custom MMCs

Randy's webcasts are always packed with great information so if you have any interest in this topic please check it out!
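As an added illustration of the attribute-level delegation and audit trail described above (this is not code from the post or from the webcast), the following PowerShell grants a group write access to just the three telephone attributes on user objects beneath one OU, then checks the security log for the resulting change events. The OU path, domain and group name are assumed example values; it requires the Windows Server 2008 R2 Active Directory module and the "Directory Service Changes" audit subcategory enabled on the domain controllers.

```powershell
# Example values (not from the post): OU to delegate and the group that gets the rights
Import-Module ActiveDirectory
$ou    = 'OU=Staff,DC=example,DC=com'
$group = Get-ADGroup 'Telecom Admins'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve schemaIDGUIDs at run time instead of hard-coding them
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$ldapName'" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$userClassGuid = Get-SchemaGuid 'user'

# One ACE per attribute: ReadProperty+WriteProperty, inherited by user objects only,
# so the group cannot touch any other attribute or any other object class
$acl = Get-Acl -Path "AD:\$ou"
foreach ($attr in 'telephoneNumber', 'mobile', 'pager') {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Review what was delegated: only explicit (non-inherited) ACEs for this group
$acl.Access | Where-Object { $_.IdentityReference -eq "$($group.SID)" -or
                             $_.IdentityReference -like "*\$($group.Name)" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType

# The audit side: 5136 = "A directory service object was modified" (2008 and later).
# Needs: auditpol /set /subcategory:"Directory Service Changes" /success:enable
# plus a SACL on the OU; each event names the actor, the object and the attribute changed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 20 |
    Select-Object TimeCreated, @{n='Detail'; e={ $_.Message.Split("`n")[0] }}
```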

Active Directory's Recycle Bin

I happened across this article last night while flying back from Boston - "Criticisms and kudos for the Active Directory Recycle Bin". As you probably know, Microsoft introduced the concept of a recycle bin for Active Directory in Windows Server 2008 R2. Allow me to give you the executive summary of the article along with a few of my own tidbits:
  • All domain controllers have to be running Windows Server 2008 R2
  • The Recycle Bin has to be enabled to work. Don't delete something, enable the Recycle Bin and then expect to restore the item. (Why not enable the Recycle Bin by default - just like my Windows 7 desktop does?)
  • There's no GUI to help in the restore process. You have to use PowerShell or LDP.
  • The Recycle Bin does not back up Group Policy Objects (GPOs). This is a glaring hole.
  • The Recycle Bin only supports restoring deletions - not changes that are made to objects.
Take a look at our PowerGUI tool for wrapping your PowerShell scripts - I'd rather use PowerShell/PowerGUI than LDP any day of the week! Wrapping PowerGUI around your recovery scripts might make them easier to run and more repeatable.

Don't forget you can always take a look at a 3rd party recovery tool like Quest's Recovery Manager for Active Directory.

The Active Directory Recycle Bin is a welcome addition to Windows Server overall, but like any insurance policy you need to read the fine print and plan accordingly. The last thing you want to be doing is trying to learn PowerShell to restore some executive's user object...
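To show what the "PowerShell, not GUI" restore path actually looks like, here is an added example (not from the article or the post) that walks the preconditions in the list above: check the domain controllers and forest level, enable the feature, list what is sitting in the bin, and restore one object. The forest name and the deleted account are assumed example values; enabling the Recycle Bin is a one-way change, so run the first two checks before the Enable-ADOptionalFeature line.

```powershell
Import-Module ActiveDirectory

# 1. Every DC must run Windows Server 2008 R2 and the forest must be at the 2008 R2 level
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem
(Get-ADForest).ForestMode        # needs Windows2008R2Forest before the feature can be enabled

# 2. The bin is off by default and has to be enabled before the deletion happens.
#    Irreversible once done. Forest name below is an example value.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'example.com' -Confirm:$false

# Confirm it is now enabled forest-wide
(Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"').EnabledScopes

# 3. Deleted objects are hidden from normal queries; ask for them explicitly.
#    lastKnownParent tells you where each object lived before deletion.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# 4. Restore one user in place. With the bin enabled all attributes (group membership,
#    SID, samAccountName) survive, so you can match on samAccountName.
#    Restore a deleted OU before the objects that lived under it, or the restore fails.
$deleted = Get-ADObject -Filter 'samAccountName -eq "jdoe" -and isDeleted -eq $true' `
    -IncludeDeletedObjects
Restore-ADObject -Identity $deleted.ObjectGUID   # add -TargetPath to restore elsewhere

# What it cannot do: the bin only records deletions. A modified (not deleted) object
# leaves no prior copy here, and GPO content is not covered at all.
```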


Tuesday, August 04, 2009

Form factors for strong authentication

Following on from Stuart Harrison's post on Quest's new SlimToken, I wanted to mention that we keep hearing from customers that they want tokens that are easier to carry and less likely to be forgotten or lost by end users. With our Defender product we've spent a lot of time working on soft tokens that run on your mobile phone. We are also about to introduce a new form factor - basically a credit card - that simply fits in your wallet with all your other cards.

In the picture above you can see the one-time password ("717370") in the upper right hand corner. I triggered the number by pressing the "Press Here" space on the lower right hand side of the card. The SlimToken has an expected lifetime of 3-4 years and is fully OATH compliant, so you can use it with Defender or with any other vendor who supports OATH.
