AD Change Happens on DCs
Change Happens. Users come and go, their properties change, policy needs are revised, and groups have their memberships updated. Changes are made all over your organization, and they eventually find their way to your Domain Controllers where objects are modified and the changes replicate throughout your organization. Keeping tabs on all of these changes is a tricky proposition, but it’s our job to make it simple here at STEALTHbits.
We all know that changes actually happen on DCs, and when the change happens the source DC is stamped on the object, so that part is easy to figure out. The much trickier part is understanding where the change request is coming from. It's only on rare occasions that the application making the request is actually on the DC itself, so the vast majority of the time the changes come from elsewhere - and this is where a good product gives you a leg up on the standard change events that Microsoft provides. Armed with the workstation that the change originated from, the protocol used, and the port it was bound to, you can answer questions like:
- Which of the services that this service account is running on actually made the change? What machine is it on?
- Where does Bob the Administrator make most of his changes?
- Bob just made 250 changes from CindyWorkStation. Is this an intended set of changes, or is someone getting access to Bob's account to make an out-of-bounds change?
- Are my admins making their changes on machines in the same site, or are they reaching outside of site boundaries to make changes on DCs that aren't best for them? Are my sites misconfigured somewhere?
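The questions above become simple queries once each change event carries its originating workstation and site. The following is an added example, not StealthINTERCEPT code: it runs three of those checks over a constructed set of enriched change events (the field names, hosts, sites and the baseline are all assumed for the example).

```python
from collections import Counter

# Constructed sample of enriched AD change events. The field names are
# assumed for this example, not any product's real schema.
def _ev(user, ws, ws_site, dc, dc_site):
    return {"user": user, "workstation": ws, "ws_site": ws_site,
            "dc": dc, "dc_site": dc_site}

EVENTS = (
    [_ev("bob", "BobWS", "NYC", "DC01", "NYC") for _ in range(40)]
    + [_ev("bob", "AdminJump01", "NYC", "DC01", "NYC") for _ in range(12)]
    + [_ev("svc_prov", "APP07", "LON", "DC02", "LON") for _ in range(5)]
    # a LON application host writing to a NYC DC: possible site misconfiguration
    + [_ev("svc_prov", "APP09", "LON", "DC01", "NYC") for _ in range(3)]
    # the "Bob made 250 changes from CindyWorkStation" case
    + [_ev("bob", "CindyWorkStation", "LON", "DC02", "LON") for _ in range(250)]
)

# Constructed baseline: machines each account is expected to change AD from.
BASELINE = {"bob": {"BobWS", "AdminJump01"}, "svc_prov": {"APP07", "APP09"}}

def changes_by_origin(events):
    """Changes per (user, workstation): where does each account make its changes?"""
    return Counter((e["user"], e["workstation"]) for e in events)

def new_origin_bursts(events, baseline, threshold=50):
    """(user, workstation, count) where an account made >= threshold changes from a
    machine outside its baseline: the signal that an account may be misused."""
    return [(user, ws, n) for (user, ws), n in changes_by_origin(events).items()
            if n >= threshold and ws not in baseline.get(user, set())]

def cross_site_changes(events):
    """Changes whose originating machine sits in a different site than the DC
    that took the write: a hint that site or subnet configuration needs review."""
    return Counter((e["user"], e["workstation"], e["dc"]) for e in events
                   if e["ws_site"] != e["dc_site"])

if __name__ == "__main__":
    for origin, n in changes_by_origin(EVENTS).most_common():
        print(origin, n)
    print("bursts from new origins:", new_origin_bursts(EVENTS, BASELINE))
    print("cross-site changes:", cross_site_changes(EVENTS))
```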
Clearly, this is valuable information and it's annoying that you can't get it from Microsoft's native event logging for AD Changes. Luckily there’s an alternative, and that alternative is StealthINTERCEPT Directory Authority. Direct, in-line integration within the Active Directory event stream itself allows StealthINTERCEPT to elevate hidden change event details to the surface, such as the machine or application a change originated from, providing that missing piece of information that can be critical to making not just good, but informed decisions in the management of your Active Directory implementation.
File Share Entitlement Review: Finding the Owner
One thing top of mind for information security professionals in 2012 is understanding who has access to what and being able to provide clear, concise reporting around it. We call it Access Governance or Data Governance and it consists of entitlement reviews, access reviews, or audit reporting. The terms overlap and the complete superset of product features around this challenge can seem overwhelming and difficult to comprehend. At STEALTHbits, we simplify things. We’ve developed quick-win solutions that get you from where you are today to the next step with a proven and pragmatic methodology.
Data Owners
One small example is how we’re able to identify owners of file shares and other resources. First, we have an algorithm that provides a list of probable owners based on a number of factors – who has rights, who is doing what, etc. The algorithm is adjustable to meet specific requirements, but we know that there isn’t an algorithm on earth that could determine ownership with 100% accuracy across large scale environments. So, we leverage the STEALTHAudit Platform survey modules to reach out to probable data owners to ask them if we’re right.
If we are, we provide a set of instructions on what we need them to do. If they’re not, we move on to the next probable owner to see if we can track down the right people. Each step of the way, we report on where things stand: which shares are high-risk, which have owners, which are still awaiting response, etc.
In large scale environments, there is no easy button. But there is experience and expertise. Experience counts. If you’re trying to figure out who owns your content, let’s chat and we’ll let you know what we’ve learned about this challenge as we’ve helped a number of the world’s largest organizations solve it.
Open File Shares: A Pragmatic Approach
A number of STEALTHbits’ customers have reported that their #1 audit challenge boils down to open file shares. Auditors are clearly concerned with access and while it’s difficult to understand access rights across millions of individual files, it’s immediately apparent when there are file shares that are open to anyone.
But, how do you approach a problem that spans across thousands of servers? Do you implement a monitoring solution for three months? Manually sift through each one? Well, you could do either of those things. And if you’re interested in activity monitoring, we’ve got the best solution on the market. But, I’d argue that the best way to deal with open shares is to move through a quick, pragmatic process that scopes resources, identifies high-risk, and automates cleanup without significant infrastructure or investment.
STEALTHbits has developed a step-by-step approach to closing down open file shares and has proven it out at a number of the world’s largest organizations. It’s simple to deploy, uses just a single server, can scan remotely, and it works. We’re able to provide real results in about one week. Give us 5 days, and we’ll have your arms comfortably around the problem and your mind at rest.
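The "identify high-risk" step comes down to asking, for every share, whether a principal that effectively means "anyone" is allowed in, and at what level. This added example (not STEALTHbits code) classifies a constructed share inventory by its share-level ACL, using the real well-known SIDs for Everyone, Authenticated Users, BUILTIN\Users and Domain Users; server and share names are made up, and a Deny entry is treated as blocking that principal entirely, which is a simplification.

```python
# Well-known principals that make a share effectively open to anyone on the domain.
OPEN_PRINCIPALS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
                   "S-1-5-32-545": "BUILTIN\\Users"}
WRITE_LEVELS = {"CHANGE", "FULL"}      # share permission levels that allow writes

def is_open_principal(sid):
    # RID 513 is Domain Users in any domain (S-1-5-21-<domain>-513)
    return sid in OPEN_PRINCIPALS or sid.endswith("-513")

# Constructed sample inventory; one ACE per dict, as a collector might report them.
SHARES = [
    {"server": "FS01", "share": "Public", "aces": [
        {"sid": "S-1-1-0", "access": "FULL", "type": "Allow"}]},
    {"server": "FS01", "share": "Finance", "aces": [
        {"sid": "S-1-5-21-1-2-3-1105", "access": "CHANGE", "type": "Allow"},
        {"sid": "S-1-5-11", "access": "READ", "type": "Allow"}]},
    {"server": "FS02", "share": "Scratch", "aces": [   # Domain Users allowed, but
        {"sid": "S-1-5-21-1-2-3-513", "access": "CHANGE", "type": "Allow"},
        {"sid": "S-1-1-0", "access": "FULL", "type": "Deny"}]},  # Everyone denied
    {"server": "FS02", "share": "HR", "aces": [
        {"sid": "S-1-5-21-1-2-3-1200", "access": "FULL", "type": "Allow"}]},
]

def classify_share(share):
    """Return 'open-write', 'open-read' or 'closed' from the share-level ACL.
    Deny ACEs win: a Deny for Everyone blocks every member of every group."""
    denied = {a["sid"] for a in share["aces"] if a["type"] == "Deny"}
    if "S-1-1-0" in denied:
        return "closed"
    open_allows = [a for a in share["aces"] if a["type"] == "Allow"
                   and is_open_principal(a["sid"]) and a["sid"] not in denied]
    if any(a["access"] in WRITE_LEVELS for a in open_allows):
        return "open-write"
    return "open-read" if open_allows else "closed"

def open_share_report(shares):
    """(server, share, classification) rows, riskiest first, so cleanup can start
    with shares that anyone can write to."""
    rank = {"open-write": 0, "open-read": 1, "closed": 2}
    rows = [(s["server"], s["share"], classify_share(s)) for s in shares]
    return sorted(rows, key=lambda r: (rank[r[2]], r[0], r[1]))

if __name__ == "__main__":
    for row in open_share_report(SHARES):
        print(*row)
```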
Jack of all Trades, Master of Data & Access Governance
You've heard it before – that nagging phrase that makes you feel like you're underachieving or stretching yourself too thin: Jack of all trades, Master of none. Yet, in today's world of click-happy multi-tasking, that phrase is ringing less and less true. To be effective, the demand within organizations now seems to be for Jacks of all trades, people who can wear multiple hats in order to obtain a complete picture.
Perhaps nowhere is this more obvious than within the IT Governance space. While there are certainly distinctions among and separations between administrative teams within IT (and for good reason!), the team responsible for an organization's governance and security program needs to be able to access and leverage all of those individual teams and their technologies to truly determine security and compliance levels, and curb potential threats.
While it makes perfect sense to have, for instance, an Exchange team managing Mailboxes or a Collaboration team managing SharePoint from a functional and administrative perspective, security management often requires a "grey area" to ensure governance at the intersection of these teams' endeavors. For instance, if a company is undergoing a Public Folder retirement campaign in preparation for a migration to SharePoint, the Governance team plays a crucial role in answering questions like:
1. Are any of the PFs open to security threats (excessive permissions, sensitive data with improper access assignments, etc.)?
2. Are those threats the result of effective access?
3. Who owns the PF, and are they aware of the people it's available to?
4. Are the folders being migrated to SharePoint locked down as tight as possible, even when considering effective access?
And that's just one scenario. With IT departments often composed of dozens of teams – one or more for each critical area of the enterprise – it's no wonder that Data & Access Governance and Security folks have a tough time gaining the kind of cross-disciplinary insight needed to say with confidence: "Yes, my environment is compliant and secure."
The ability to have insight into security at all levels and across all resources – from Exchange to SharePoint, Active Directory, the file system, SQL, NetApp Storage Controllers, Windows Servers, and even into mobility applications like BES – is critical for anyone brave enough to wear the Security and Compliance Hat. The thing to remember, though, is that IT Governance Teams are still evolving and expanding to address security issues as folders move from Exchange to SharePoint (as above), and usually require the individual Exchange or SharePoint administrators to take on a governance role.
So, to all the Jacks of all Governance trades out there, remember the original (and long-forgotten) addendum to the "Jack of all Trades" phrase:
"Jack of all trades, master of none,
Though oftentimes better than master of one."