Thursday, June 30, 2011

Top 10 Secrets for Managing NTFS File Permissions

Randy Franklin Smith will be holding this technical webinar on managing NTFS file permissions on July 21…

Title: Top 10 Secrets for Managing NTFS File Permissions
Date: Thursday, July 21, 2011 11:00:00 AM EDT

Keeping files secure on file servers – and really any other type of server – is critical, especially with the kinds of advanced persistent threats we’re up against today. But managing file permissions is laborious and error prone, and when done poorly or irregularly it leads to significant access control risks. Factors that make file access control difficult include:
  1. Conflicts between share and NTFS permissions, especially when multiple shares exist on a given branch
  2. Difficulty of finding folders with inherited permissions or blocked inheritance
  3. The sheer number of files
  4. Loss of continuity with the admin who set everything up
  5. Lack of knowledge about the files, the type of information they hold and who should really be the owner
  6. Difficulty in finding all the files a given user or group has access to
  7. Confusion over how permission inheritance works
On top of that, Windows Server 2008 has new features such as Access Based Enumeration and User Account Control that can cause confusing situations when it comes to how permissions are applied.
In this webinar I will update you on how NTFS permissions work today and I will tackle the challenges listed above. In particular, I’ll demonstrate several free tools that will help you easily list all shared folders and their share permissions, analyze a given folder hierarchy and find all explicitly defined permissions, and analyze an entire server to find all objects a given user or group has access to.

I’ll also provide other proven tips on managing file permissions, including how to back up permissions and compare a folder hierarchy’s current permissions to a previous snapshot to detect what’s changed.

Then I think you will benefit from learning briefly about how Quest Access Manager fills in the remaining gaps with some very advanced and imaginative techniques. For instance, Sudha Iyer, Quest product manager, will demonstrate how Access Manager helps you figure out who should be the business owner of file server folders by analyzing the activity on the folder’s files. You’ll also see how Access Manager provides an enterprise-wide view of a user’s or group’s entitlements and helps you implement business-owner-approved access control.
Please join me for this very technical, real training for free (TM) webinar. Click here to register

Friday, June 24, 2011

Controlling & Managing Super User Access

This “Primer on Privileged Account Management” was written by Kris Zupan who was one of the founders of eDMZ and is now Chief Architect here at Quest Software.
Effectively managing privileged accounts (sometimes called super user accounts) is becoming more and more critical as security and compliance emerge as the driving force behind most IT initiatives. Unfortunately, native tools and manual practices for privileged account management are proving to be inadequate for today’s complex heterogeneous enterprise.

This white paper explores the risks associated with privileged accounts, and explains how Quest’s solutions mitigate those risks by enabling granular access control and accountability while preserving necessary access and ease of use. This paper is intended for CIOs, IT directors and managers, security and compliance officers and administrators in enterprises of all sizes, especially those who have not established firm control over all of their organization’s privileged user accounts.
You can download a copy of this primer from the Quest website here.

Tuesday, June 21, 2011

Find out who and what applications are hogging your Active Directory resources

Do you ever feel like your Active Directory is slow to authenticate or that your domain controllers are working harder than they really should be? Do you feel like users or applications are not being efficient in their use of your AD domain controllers? Quest ChangeAuditor can help you prove it. ChangeAuditor for LDAP tracks queries to your Active Directory environment and translates the raw data into meaningful information, with detailed analysis, to help keep your infrastructure efficient. It analyzes all LDAP queries against your domain controllers to tell you in simple terms the “Who, What, When, Where and originating Workstation,” saving you the time you once spent digging for more details.

A couple of examples to illustrate how and when you can use ChangeAuditor for LDAP to get answers to the questions about your Active Directory:

1. Improve in-house and COTS use of Active Directory:
A logistics company noticed that over time their AD logon process slowed down to the point where it was a problem for users. Rather than buying new hardware or re-architecting their AD, they wanted to know if there were applications or users that were taking up more resources than is reasonable for day-to-day business use. Using CA for LDAP, they were able to identify some internal applications that were querying AD for a large number of objects over and over. They were able to refine the queries to gather only the attributes they required, on an as-needed basis, and the resource utilization was brought back in line – improving their overall user AD responsiveness without any hardware or AD design changes.

2. Don’t migrate before you know who is using your AD and how:
During a migration, an internal application was hard-coded to attach to a specific domain controller – but the users and administrators didn’t realize this until the domain controller was shut down. This broke a critical application. If they had known ahead of time that there was an application that was hard-coded, they would have updated the application before the migration, rather than having to restore an old domain controller and maintain 2 directories until the application was updated.

How does it look? Here’s an example screen shot:

[Screenshot: ChangeAuditor for LDAP query view]

You can immediately see the container the application is querying, the scope of the query, the number of results, how many times (occurrences) the query has been made in the last few minutes – and the actual query they are making. All information you can use to see who’s using your directory resources.

Save yourself the headache of finding out the hard way that someone or something is not being a good “directory citizen” or is abusing their access to Active Directory. Querying over and over, scoping queries that retrieve way too much information, or even hard-coding queries that go against specific domain controllers can all be problematic to your directory. You can even see if someone is NOT using secure and signed queries. Quest ChangeAuditor for LDAP provides you with a proactive solution to problems you may not know you’re already having.

Monday, June 20, 2011

Controlling Privileged Account Access

Tomorrow (Tuesday, 6/21) at 1PM eastern we are presenting a webcast on this topic…

Access through privileged accounts is one of the most troublesome security and compliance challenges. Manually controlling administrative access is tedious and error prone and leads to a lack of accountability, auditing and, at times, administrators having more access than necessary.

Join Quest Software for this informative webcast where we will walk you through the issues of common privileged account scenarios such as:
  • Controlling remote vendor access
  • Enabling developer access to production
  • Managing the issuance and approval of credentials
  • Facilitating separation of duties
  • Providing limited rights for daily administrative tasks
  • Managing a Sudo environment
You will also see how Quest One Privileged Account Management solutions help you control access. They make it easy through granular delegation and policy-based control of administrative accounts as well as tightly controlled and audited issuance of full administrative credentials.

Register for the webcast today

Monday, June 06, 2011

Quest acquires Symlabs for their virtual directory and federation technology

Today, Quest Software announced the acquisition of Symlabs, a privately held solutions provider that specializes in virtual directories and federation solutions. The addition of Symlabs virtual directory software will enable Quest products to easily consolidate identity data that is stored in a distributed environment, whether it is stored in directories or databases. Symlabs also brings additional federated identity capabilities that will broaden our federated single sign-on solutions and capabilities.

Quest has been an OEM customer of the Symlabs virtual directory product for some time now. It was actually this exercise that started me thinking about how customers – including Quest – weren’t really deploying a virtual directory (VDS) for the sake of having a virtual directory. Customers are deploying a VDS to solve very particular problems, like easing the integration of identity data and systems into an existing identity management project or allowing directory-enabled applications to be kept in place despite the fact that the underlying directory was being re-architected or migrated.

So one of our goals will be to incorporate Symlabs’ VDS technology into a number of existing Quest products to make it easier to solve some of these problems. Our existing migration products have successfully helped thousands of customers migrate from one platform to another, but one of the problems that keeps coming up is: How do I migrate my directory-enabled applications? Most customers turned to a virtual directory for help. That’s why we feel that including a virtual directory capability as part of our migration products will prove useful to our customers. The same goes for our identity and access management product Quest One Identity Manager. We already provide a wealth of connectors for our customers to integrate their systems with Q1IM. Why not expand their capabilities and benefits by including a virtual directory as part of our identity and access management product?

I think Quest is uniquely positioned to leverage virtual directory technology into a host of products that the traditional virtual directory companies just don’t have today – like migration products. We'll also leverage Symlabs’ federation product by incorporating it into our existing federation and WebSSO products, giving them broader reach and extended capabilities.

Exciting times!