Wednesday, October 31, 2007

Matt Flynn's Identity Management Blog: Surviving an Identity Audit

Check out Matt Flynn's Identity Management Blog: Surviving an Identity Audit and Matt's associated white paper on this topic. Good reading. There's not enough written on how identity, and identity audits in particular, map to compliance, despite the fact that compliance is a big driver (and stick) for getting your identity house in order. (You need to overlook the commercial reference at the end of Matt's white paper. Unfortunately, we sometimes have to support our employer in our writings.)

Identity audit solutions reduce organizational risk by providing reports and monitoring of the identity systems which grant or deny system access and the user accounts empowered to act within the environment. Having effective audit and monitoring in place also has the additional benefit of acting as a deterrent for system users who might otherwise attempt to subvert policy.

While flipping through the channels tonight I happened across an old favorite - "The Exorcist". I was reminded of that famous line "The Power of Christ" while reading Matt's white paper, where he talks about the "Power of Identity". Unfortunately for the Catholic priests at my school, it was their forbidding us to see The Exorcist that made us run out to see it immediately (of course).

Matt, maybe you should forbid people from reading your whitepaper? Nice work.

See you at the Gartner conference?


Archive the box!

If you liked the Quest Idol video I posted about in February, you'll like our "Archive the box" video, put together by the same group of guys here at Quest. It's all about our Exchange archive manager product.


Tuesday, October 30, 2007

Identity and the "50 greatest arguments"

Network World recently published this interesting story:

Perhaps the only thing more fun than working on and playing with network technologies is arguing about them. Macs vs. PCs. Ethernet vs. Token Ring. Outsourcing vs. keeping it in-house. Here's our take on the nastiest, most colorful and in some cases, still unresolved network industry arguments. Read up and weigh in.

Yes, a few of their top 50 "arguments" are identity-related! Here they are:

X.500 vs. LDAP - Directory services battle took turn with advent of Internet

This architectural argument would pack networking conference sessions, divide the room and ignite heated shouting matches in the early-to-mid-1990s. It was a case of the student overtaking the mentor as the Lightweight Directory Access Protocol was at first a simple alternative to X.500’s Directory Access Protocol (DAP). LDAP was used for accessing X.500 directories via the TCP/IP protocol. With the advent of the Internet and its reliance on TCP/IP, X.500 faded into the background even though it was later modified for use over TCP/IP.

Flashback: I'm at the DISA conference on the Defense Message System (DMS) in Reston, VA circa 1995. I'm talking to the DMS Project Manager - a distant relation of my wife - and tell him that DMS is doomed to failure if it keeps favoring OSI and X.500 over TCP/IP and LDAP. He tells me that I'm crazy. Who's crazy now, Wayne?! See the associated argument about SNA and OSI versus TCP/IP in the same list!

Industry standards vs. proprietary technologies

It’s hard to imagine now, but there used to be a rigorous debate about which strategy was best for corporate IT buyers: industry standards or proprietary technology. Standards have won this debate, but that doesn’t mean there weren’t advantages to buying proprietary technology.

Oh, really? Standards have won the debate? Do we have to go back to that argument I recently had about MIT Kerberos and Windows Kerberos? Will the real standard please stand up - you know, the one that is used by more people. After all, isn't it usage that defines success and standards, rather than the "SHOULD", "MUST" and "OPTIONAL" statements in a piece of paper emitted by the IETF or the United Nations?

Let's not even go back to the discussion of X.400 (an ISO standard) versus SMTP (an IETF standard). Why didn't they both win? They are both standards, aren't they?

P.S. to Network World (John, you missed this one): How come you didn't mention X.400 vs. SMTP? That was a good argument while it lasted buddy!

Thursday, October 18, 2007

Quest acquires eXc Software

Not much fanfare about this acquisition on our end but if you go to http://www.excsoftware.com/ you'll see our logo on eXc's home page. I'm excited about this for a few reasons...

  • Agentless connectivity to non-Windows systems - lots of applications in Quest for this set of products
  • Single sign-on with mainframes - what else can I say here, I'm interested!
As with any acquisition, we're figuring out how and where specifically to integrate eXc's bits, but in the meantime the eXc team will continue doing business as usual, except with a much larger team backing them up!

Tuesday, October 16, 2007

ActiveRoles Management Console for Active Directory

Both my friends Dmitry and Bob have written about the RC1 release of the Management Console for Active Directory, which is based on Quest's ActiveRoles product and built on PowerShell. I've copied the info directly from Bob's blog...

We just shipped RC1 of our Active Directory (and ADAM) management commands for PowerShell. Congratulations to our awesome dev team... See below for details of what we provide for free by simply downloading our CMDLETs from http://www.quest.com/activeroles-server/arms.aspx.


CMDLETS at a Glance
Windows Server 2008 CMDLETS: 1-4
General Object Management CMDLETS: 5-11
Group Management CMDLETS: 12-17
Computer Management CMDLET: 18
User Management CMDLETS: 19-24

CMDLETS and Descriptions

*** Manage Windows Server 2008 Password Policy
1. Add-QADPasswordSettingsObjectAppliesTo
Add PSO links on a Password Settings object. Windows Server 2008 is required.

2. Get-QADPasswordSettingsObject
Retrieve Password Settings objects that match the specified conditions. Windows Server 2008 is required.

3. New-QADPasswordSettingsObject
Create a new Password Settings object (PSO). Windows Server 2008 is required.

4. Remove-QADPasswordSettingsObjectAppliesTo
Remove PSO links on a Password Settings object. Windows Server 2008 is required.

*** Object Management
5. Move-QADObject
Move the specified object to a different location (container) in Active Directory.

6. Remove-QADObject
Delete the specified objects in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

7. Rename-QADObject
Change the name of the specified object in Active Directory.

8. Get-QADObject
Retrieve all directory objects in a domain or container that match the specified conditions. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

9. New-QADObject
Create a new object in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

10. Set-QADObject
Modify attributes of an object in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

11. Convert-QADAttributeValue
Convert attribute values of a directory object to the specified .NET type.

*** Group Management
12. Set-QADGroup
Modify attributes of a group in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

13. Add-QADGroupMember
Add one or more objects to a group in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

14. Get-QADGroup
Retrieve all groups in a domain or container that match the specified conditions. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

15. Get-QADGroupMember
Retrieve the members of a group in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

16. New-QADGroup
Create a new group in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

17. Remove-QADGroupMember
Remove one or more members from a group in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

*** Computer Management
18. Get-QADComputer
Retrieve all computer objects in a domain or container that match the specified conditions.
(This command looks lonely...)

*** User Management
19. Get-QADUser
Retrieve all users in a domain or container that match the specified conditions. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

20. Enable-QADUser
Enable a user account in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

21. Disable-QADUser
Disable a user account in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

22. Unlock-QADUser
Unlock a user account in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

23. New-QADUser
Create a new user account in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

24. Set-QADUser
Modify attributes of a user account in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

*** Other
25. Get-QADPSSnapinSettings
View default settings that apply to all cmdlets of this PowerShell snap-in.

26. Set-QADPSSnapinSettings
Modify default settings that apply to all cmdlets of this PowerShell snap-in.

27. Connect-QADService
Connect to the ActiveRoles Server Administration Service via the ActiveRoles Server ADSI Provider, or to a certain Active Directory domain controller or a certain server running an Active Directory Lightweight Directory Services (AD LDS) instance via the regular LDAP ADSI Provider.

28. Disconnect-QADService
Close the connection, if any exists. A connection could be established by using the Connect-QADService cmdlet.
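As an added example (not from Bob's post, and not shipped with the cmdlets), here is the kind of identity-audit pass the list above makes possible, which ties back to the "Surviving an Identity Audit" post at the top of this page: three reports an auditor asks for first, then a reviewed action on one of them. It assumes the RC1 snap-in name Quest.ActiveRoles.ADManagement, that Get-QADUser accepts -SearchRoot, -Enabled, -NotLoggedOnFor, -PasswordNeverExpires and -SizeLimit, that the returned objects expose SamAccountName, DN, LastLogonTimestamp and PasswordLastSet, and that Disable-QADUser honours -WhatIf; the DC, OU, group DN and file paths are placeholders.

```powershell
# Added example, not from Bob's post or the Quest download. Assumptions:
# snap-in name, parameter names and output property names as described in
# the lead-in; server, OU, group DN and paths are placeholders.
Add-PSSnapin Quest.ActiveRoles.ADManagement

$dc         = 'dc01.corp.example.com'                        # placeholder DC
$searchRoot = 'OU=Staff,DC=corp,DC=example,DC=com'           # placeholder OU
$adminGroup = 'CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com'
$outDir     = 'C:\audit'                                     # placeholder path
$staleDays  = 90

New-Item -ItemType Directory -Force -Path $outDir | Out-Null

# Bind once, to a named DC, so every query below reads the same replica;
# logon-related attributes differ from DC to DC.
[void](Connect-QADService -Service $dc)

# 1. Enabled accounts nobody has used for 90 days: the classic audit finding.
#    -SizeLimit 0 lifts the snap-in's default cap on returned objects.
$stale = Get-QADUser -SearchRoot $searchRoot -Enabled -NotLoggedOnFor $staleDays -SizeLimit 0
$stale | Select-Object SamAccountName, DN, LastLogonTimestamp |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'stale-enabled-users.csv')

# 2. Accounts exempt from password expiry: each one needs a named owner and a reason.
Get-QADUser -SearchRoot $searchRoot -PasswordNeverExpires -SizeLimit 0 |
    Select-Object SamAccountName, DN, PasswordLastSet |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'password-never-expires.csv')

# 3. Who is in Domain Admins right now: the membership list auditors want first.
Get-QADGroupMember -Identity $adminGroup |
    Select-Object Type, Name, DN |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'domain-admins.csv')

# 4. Act on finding 1 only with -WhatIf until the report has been reviewed and
#    signed off; drop -WhatIf to actually disable. Disable rather than delete:
#    the SID and the object's history stay available for any investigation.
$stale | Disable-QADUser -WhatIf

Disconnect-QADService
```

Two things to keep in mind when reading the stale-account report. Any domain-wide "last logon" query has to rely on lastLogonTimestamp, which replicates but is only updated every 9 to 14 days by default, so a 90-day threshold is meaningful while a 7-day one is not. And running the disable step with -WhatIf first produces exactly the artifact an auditor wants to see: a list that was reviewed before anything was changed.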

Friday, October 12, 2007

Listen up Oracle and IBM!! You should support direct authentication against Active Directory

I caught this post, and the original post about Oracle 11g security, over at James McGovern's blog. If you aren't regularly reading his blog you need to.

Oracle 11g Password algorithm revealed: Kinda interesting how easy it is to crack Oracle passwords. Maybe this begs the question of whether databases should store passwords anyway? I am of the belief that Oracle and IBM should within their products support direct authentication against Active Directory for this type of functionality.

I totally agree with what James states - IBM, Oracle and others should be supporting direct authentication against Active Directory. What does that *really* mean? Good question, I'm glad you asked. Well, for one thing, it doesn't mean just LDAP authentication, in my opinion: an LDAP bind only moves the password check to the directory, and the application still handles the user's cleartext password. Let's go a step further and request the Holy Grail, please! We want Kerberos-based authentication.

If we have Kerberos-based authentication, the world of SOA, protocol transition, web services and multi-tier architectures is opened up, in addition to enabling the Holy Grail - true end-to-end single sign-on. There's no reason for you guys (IBM, Oracle, etc.) to feel that you have to own this piece of the puzzle. Isn't there enough value-add in the rest of your platform?

Wednesday, October 10, 2007

An extensible admin console based on PowerShell

It's PowerGUI. We released a new version last night and you can see the excitement in my friend Dmitry Sotnikov's email that he sent out...

Last night we put PowerGUI 1.0.11 on the downloads page, I posted the announcement on my blog, and (eventually, after my wife started threatening me with divorce) went to bed.

Today when I came to the office PowerGUI went well over 25K downloads – 500+ of which happened during the night – and my blog is having the best day ever with 1000+ visits already.

There are quite a few references on the web:

We are in the middle of incredible growth – the one we never had before, and I think in retrospect this is basically because a few factors played together in a perfect storm:

  • We implemented a great feature – lightweight PowerShell editor – and significantly improved it thanks to internal feedback.
  • We pre-announced the feature right before the weekend. This generated interest and made people wait for what was coming.
  • The catchy name of the announcement – Notepad for PowerShell – helped as well.
  • Good execution by the team on all sides: listening to feedback, implementing well, setting up perfect guerrilla marketing.
There are loads of videos, documentation, cmdlets and a community contributing to this free tool. If you haven't checked it out yet, you should...

P.S. It keeps getting better: 2,000 blog hits and almost 1,000 downloads at this point today!

Tuesday, October 09, 2007

Quest Experts

We (Quest Software) recently published a web page with a list and description of our "experts". Very useful information for me, because even in a 3,000-person organization you don't get to meet everyone; plus we are a global organization, and expertise exists in more places than the United States, after all.

In the Microsoft area there are nine chaps featured on the page. Check them out. Their expertise crosses Active Directory, Exchange, PowerShell, SharePoint and Identity Management. In fact, a couple of them are MVPs (Microsoft Most Valuable Professionals).

Monday, October 08, 2007

Do you have an Identity management disaster plan?

I'm sure some folks will disagree with me here, but I think there is a difference between a business continuity disaster plan and an identity management disaster plan. Most companies, I hope, have a business continuity disaster plan, which basically documents what needs to get done if a server room is flooded, the mainframe catches fire, or, in the really bad scenarios, buildings or whole locales are "destroyed".

However, how do you handle your primary authentication directory "blowing up"? New hardware and restore the latest backup? What about the new identities that were created between the last backup and the incident? Just lost? Sorry, you can't pay your credit card bill?

I know of a bank which moves millions of dollars a day based on a Linux system that authenticates to Active Directory. What happens if AD is not available for 5 minutes? What then?

Let's go even further down the food chain. Your AD (or name your favorite directory) administrator decides to leave on a Friday and deletes or changes a bunch of information. What do you do? Do you restore from the last backup? What about all the changes since? What if the admin accidentally deletes an OU? What about any changes that occurred between the last backup and the incident?

I would posit that you need near-continuous backup for your identity and authentication repositories. If you aren't there yet, you really need to be thinking about it...
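The gap between the last backup and the incident is the part of the plan most people never close. As an added example, not from the post, here is a change-capture pass that records which objects changed or were deleted on one domain controller since the previous run, using only System.DirectoryServices and the DC's uSNChanged high-water mark; the DC name and file paths are placeholders. It is not a backup (it captures no attribute values and cannot restore anything), but it tells you exactly what moved after the backup was taken, which is what you need to reconcile a restore or to scope what a departing admin touched on that Friday.

```powershell
# Added example, not from the post: log every object changed or deleted on one
# DC since the previous run, keyed on that DC's uSNChanged high-water mark.
# Assumptions: PowerShell with .NET System.DirectoryServices available; the
# account running this can read CN=Deleted Objects; $dc, $stateFile and
# $outDir are placeholders.
$dc        = 'dc01.corp.example.com'   # uSNChanged is per-DC: always poll this one
$stateFile = 'C:\adchanges\usn-watermark.txt'
$outDir    = 'C:\adchanges'

New-Item -ItemType Directory -Force -Path $outDir | Out-Null

# 1. Upper bound for this pass, read *before* the search so nothing is skipped.
$rootDse   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/RootDSE")
$defaultNC = $rootDse.Properties['defaultNamingContext'][0]
$highUsn   = [int64]$rootDse.Properties['highestCommittedUSN'][0]

# 2. Lower bound: where the previous pass stopped. No state file = full dump.
$lastUsn = 0
if (Test-Path $stateFile) { $lastUsn = [int64](Get-Content $stateFile) }

# 3. Everything changed above the watermark. Tombstone = $true sends the
#    LDAP_SERVER_SHOW_DELETED_OID control, so a deleted OU and everything that
#    was under it show up as deleted objects instead of silently disappearing.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$defaultNC")
$searcher.Filter     = "(uSNChanged>=$($lastUsn + 1))"
$searcher.PageSize   = 1000            # paged results: no server-side 1000-object cap
$searcher.Tombstone  = $true
[void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName','objectClass','uSNChanged','whenChanged','isDeleted'))

# Property names in a SearchResult are lower-case; objectClass is multi-valued
# and the most specific class is last; isDeleted is only present on tombstones.
$changes = foreach ($r in $searcher.FindAll()) {
    $r | Select-Object `
        @{ n = 'USN';         e = { [int64]$_.Properties['usnchanged'][0] } },
        @{ n = 'WhenChanged'; e = { $_.Properties['whenchanged'][0] } },
        @{ n = 'Class';       e = { $_.Properties['objectclass'][$_.Properties['objectclass'].Count - 1] } },
        @{ n = 'Deleted';     e = { $_.Properties.Contains('isdeleted') } },
        @{ n = 'DN';          e = { $_.Properties['distinguishedname'][0] } }
}

# 4. One append-only file per run, on storage the directory admins cannot write to.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$changes | Sort-Object USN |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir "changes-$stamp.csv")

# 5. Advance the watermark only after the log is on disk. A crash before this
#    line, or an object changed while the search ran, just means the next run
#    reports it again; duplicates are harmless, gaps are not.
Set-Content -Path $stateFile -Value $highUsn
```

Two caveats. uSNChanged is local to each DC, so the watermark only means anything against the DC it was read from; poll the same DC every time, or keep one watermark per DC. And tombstones live in CN=Deleted Objects, which by default only administrators can read, so grant the account running this read access there rather than running it as a domain admin; the whole point is a record the admins themselves cannot quietly alter.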

Thursday, October 04, 2007

InTrust for Active Directory is Microsoft certified

InTrust for Active Directory has been certified by Veritest for Windows Server 2003 Standard and Enterprise editions! The certification statements have finally been posted by Veritest. That's a total of 13 Quest products that are now Veritest certified for Windows Server 2003 - and there are more on the way, including preliminary Windows Server 2008 certifications!

Tuesday, October 02, 2007

We have a position open...

If you or anyone you know is interested (clearly, those who read this blog would be awesome candidates)...

The job description can be found here. Summary below...

We are currently seeking to identify a P&L-minded Product Manager to manage the strategic direction of the InTrust product line, ensure a competitive market advantage and champion the development of new solutions to meet emerging market opportunities consistent with the organization's short- and long-term goals and objectives.

RESPONSIBILITIES:

  • Participate as a proactive member of the Quest Product Management team and contribute to the company by meeting short- and long-term revenue results for the InTrust security platform-centric product line;
  • Take accountability and resolve issues preventing the achievement of timely, quality, and cost-effective results;
  • Take strategic risks toward achieving operational excellence;
  • Create and maintain an accurate and up-to-date executive overview of product(s) including market, financial, and strategic data analysis to ensure effective communications of goals, key issues, and progress towards objectives;
  • Develop accurate and timely Market Requirements Documents (MRDs) that contain feature functionality descriptions to be used by the development team, and Business Requirements Documents (BRDs) to assess the validity of proposed new features or new product offerings;
  • Conduct market analysis to determine product relevancy and adjust course as needed;
  • Influence industry analysts to maximize market position and share;
  • Understand the competitive landscape and provide direction accordingly. This includes exploring strategic acquisition opportunities as well as analyzing build/buy options;
  • Provide necessary content to the Product Marketing team to ensure effective product collateral materials to support short- and long-term revenue objectives;
  • Work effectively, cross-functionally, with Development, Support, Marketing, etc. to ensure the efficient operation of product development and release;
  • Work with management to set revenue forecasts.

Quest and Microsoft

Following up on my previous post about winning the Global ISV of the Year award from Microsoft, here's a web page that Microsoft has posted about Quest...

Quest Software, Inc. is Microsoft’s 2007 Global Independent Software Vendor (ISV) Partner of the Year. Quest also won this award in 2004 and was a finalist in 2005 and 2006. The Global ISV Partner of the Year Award is given to the Microsoft partner that has demonstrated outstanding leadership and excellence in partnering with Microsoft and its customers.

Quest was recognized for superior technology and innovation as a Global ISV, specifically in working with Microsoft product teams, marketing teams and the Microsoft field sales organization. This award is the culmination of the year’s work engaging with Microsoft on product roadmap strategy, marketing initiatives and campaigns, as well as joint sales opportunities and sales team interaction in the field.

This award highlights how Quest and Microsoft are working together every day to give customers the best possible software solutions.

Monday, October 01, 2007

Barry University and ActiveRoles

Barry University deployed ActiveRoles Server and is clearly happy with it...

"ActiveRoles Server was the most complete out-of-the-box provisioning and Active Directory management solution we saw."

This is a good example of a customer who has transitioned from a difficult-to-work-with, home-grown application that required constant customization and never seemed to do what they needed it to do.
