Buyer’s Guide

Active Directory Optimization: Selecting the Right Solution
www.stealthbits.com | 201-447-9300

Identify Threats. Secure data. Reduce risk.

Table of Contents
About this Guide ... 2
Current State of Active Directory ... 3
Acknowledging the Source of the Problem ... 4
Correcting the Course ... 7
The End State: AD Optimization Lifecycle ... 9
Selecting the Right Solution ... 10
Who is STEALTHbits? ... 14

About This Guide
The purpose of this guide is to introduce you to the concept of Active Directory Optimization and how it can be applied in any organization in a practical way. The guide is designed to provide a comprehensive view into the problems and potential risks that arise from limitations in Active Directory before laying out an in-depth breakdown of the questions that an Active Directory Optimization solution answers. The information and checklists in the pages that follow can be used to gain general knowledge about Active Directory or to aid in the evaluation of Active Directory Optimization products. Additionally, this guide can be used for creating a request for information (RFI) or request for proposal (RFP).

Active Directory Optimization Buyer's Guide

2

Current State of Active Directory
Since it was introduced over a decade ago, Active Directory has become the standard directory services platform in the enterprise. When it was released with Microsoft’s Windows Server 2000, it quickly became the backbone on top of which many other technologies were built. AD provides the authentication and authorization services that give both users and electronic services access to the information and resources they need in order to do their jobs, while protecting company data from malicious threats.

Businesses are rapidly embracing new technologies designed to increase efficiency in a multitude of ways, creating more data and resources than ever in the process. Cloud and online collaboration services are being adopted to increase communication and the ease with which ideas can be shared. Identity and Access Management solutions are being employed to manage how people are gaining access to information and to streamline the process of providing and removing that access. New applications are being built and deployed in every organization to increase automation and leverage IT to increase profits. But no matter how many new ways there are for consuming, sharing, or managing access to information, they will all rely on AD.

Did You Know?
76% of organizations are unable to determine who has access to data.
91% of organizations lack a process to determine group ownership.
Over 90% of organizations manage AD manually without the aid of automation.

This trend of embracing new technology that relies on AD doesn’t seem to be slowing down, either. Eight of the twelve categories that Gartner has identified as likely for future investment rely heavily on Active Directory. Many people don’t make the connection between AD and these investments in new technology until their initiatives have failed – costing them time, money, and resources. And this brings us to the problem. After years of growth and change, businesses look very different from the way they did when they first set up their AD environments. Personnel have come and gone, departments have been created or deprecated, entire companies have been acquired or divested and those tasked with managing AD have had an almost impossible time keeping up. Unfortunately, Active Directory doesn’t provide the necessary functionality to manage such rapid change and most organizations are ultimately unable to answer some of the most basic, yet crucial, questions about their own environments.


The goal of optimizing AD is to help organizations answer these types of questions:

Questions of Relevance
When was the last time this user logged into the domain? Do the users in this security group still work here?

Questions of Access
Who has access to the data? Where is that security group applied?

Questions of Ownership
Who owns that security group? Is ownership updated accurately as the business changes?

Questions of Membership
What is this group’s effective membership? Which groups is that user effectively a member of?

Questions of Resources
Which users, groups, and computer objects can be safely deleted from the environment?

Questions of Enablement
Which projects or initiatives may fail without cleaning up AD first?

These questions are only the tip of the iceberg. The next section of this guide will dive deeper into the limitations in AD that prevent someone from answering these types of questions.

Acknowledging the Source of the Problem
Active Directory has become so ingrained in most organizations that it is easy to overlook the fact that there are several limitations inherent in its design. Heroic efforts by IT have masked these gaps in the technology. The key to managing Active Directory effectively is understanding these limitations and finding ways to mitigate them. Some of the shortcomings which challenge organizations today include the following:

Increasing Complexity Due to Stale Objects
According to Gartner, Active Directory is often needlessly complex due to the lack of built-in delegation; for most organizations it is difficult to manage and tends to become more complex over time due to ineffective native management tools. User, group, and computer objects become stale over time. As users join and leave the organization, computers are added to the domain and decommissioned, and group memberships change, a large quantity of objects within AD end up simply no longer needed. Many organizations pay software licensing costs based on user, computer, or total AD objects, and many are overpaying because of the high percentage of stale objects in their environment.


Reducing complexity starts with identifying these stale objects and taking action without impacting the users and services that rely on AD authentication to work. Whether because a user is no longer with the company, a desktop or server has been taken out of the environment, or a group is empty or simply duplicates another, stale objects left in AD mean greater complexity and potential for risk. Safely removing them is one of the first steps toward effectively managing Active Directory.

No Control Over Group Nesting
Next to authentication, security groups are the most used feature of Active Directory. Users can be nested within groups to form logical representations of departments, roles, project teams, and geographical locations. These groups can be granted rights to resources, for instance by being placed on the access control list (ACL) of a shared folder. Groups can also be nested within other groups. In fact, Microsoft recommends doing so, and a commonly followed best practice is referred to as AGDLP (account, global, domain local, permission), which outlines ways to effectively nest groups. While nesting groups within one another does allow organizations to follow this security model and others like it, there is no way to enforce that group nesting is done appropriately and for the right reasons. Without proper control over group nesting, it is common to end up with conditions such as very deeply nested groups which obscure membership, circularly nested groups which can lead to unintended access being granted and to performance issues, and overall group structures so complex that it is nearly impossible to understand what a particular group is, or should be, actually used for. If you cannot understand your security group structure and which users are members of those groups due to nesting complexity, you cannot control the security of resources tied to Active Directory.

No Awareness of Group Permissions
Security groups can serve two purposes. The first is to contain a set of users. This is typically done to combine like users together to represent a role, a department or a physical location. The second purpose for groups is to grant rights to resources through permissions. It is relatively straightforward in Active Directory to explore a group’s direct membership, but there is no native way to see where groups have been granted permissions across the organization. Due to Active Directory’s design this information is not stored centrally; permissions live only on the end-points to which they were assigned. While that approach offers practical benefits, from a security standpoint it is a blatant gap in Active Directory that can be very hard to overcome.


Without understanding where groups have been granted rights, how do you know what access a user will get when they are added to a group? How do you know which groups are tied to administrative privileges? How do you know that your groups have been used for their original intent? Unfortunately there is no way to answer these questions natively.

No Ability to Set and Validate Required Attributes
Active Directory, like any directory, is most useful when populated with accurate information. Most organizations rely on the use of attributes to store information about their users such as their name, department, manager and employee ID. Many organizations also leverage group attributes such as Managed By and Description to try to capture the intended use of groups and who is responsible for their membership. Attributes are indeed crucial to a well-maintained directory structure. However, Active Directory has no easy way to require that attributes are filled out properly, or filled out at all. This puts organizations in a constant state of disorganization as the attributes they depend on are not reliably filled out.

No Group Membership Expiration
When a user needs access within an organization they are typically provisioned to an Active Directory group to provide that access. In reality, many access needs are temporary, and even long-term access rights should be reevaluated periodically as employees change roles and their access needs shift. Active Directory offers ways to expire user accounts, which is useful for temporary workers and contractors who only need access to the organization for a predefined time period. However, this same concept does not exist on a group membership basis, and once a user account is added to a group it remains within that group indefinitely. This subtle omission from Active Directory contributes to many of the security challenges that organizations face as users go through their normal lifecycle of moving into, through, and ultimately out of the organization’s boundaries. Granting a user membership to a group is often a business, not a technical, decision, since membership often confers access to a business resource, like an application or set of data. This means that having users with the right context making decisions about group membership is critical: group owners outside of IT need to be identified, assigned, and empowered to make these decisions.


No Ability to Disable Groups
There comes a time when most organizations realize they have far too many groups and far too little understanding of what those groups are actually used for. However, due to fear of breaking access or disrupting business operations, most organizations are unwilling to delete these groups. Deleting a group can break access and be very difficult, if not impossible, to restore. Unlike groups, user accounts in Active Directory can be disabled. Disabling a user account makes it so that account can no longer be used to authenticate to the domain. However, it does not delete the account, and if it is discovered that this account is needed it is very easy to enable the account and return it to its prior state. The inability of Active Directory to handle groups the same way is one of the reasons organizations tend to not delete or clean up their Active Directory groups at all.

These are just a few examples of ways that Active Directory cannot offer the features needed to properly manage information and access. These problems are exactly the reason why Active Directory Optimization solutions are leveraged by organizations. By finding solutions for these shortcomings it is possible to achieve significantly improved security and control over Active Directory.

Correcting the Course
Regardless of what state your organization’s Active Directory environment is in, it is never too late to restore order. There are simple ways to regain control over Active Directory.

Delete Stale Objects
User, group, and computer objects which are no longer needed should not be kept in Active Directory. Identifying these objects regularly and safely removing them will reduce complexity, increase performance, and reduce software licensing costs across the enterprise.

Control Toxic Nesting
Improper group nesting is the quickest way to create chaos within Active Directory. It not only undermines security controls but makes the management of access and provisioning of users a costly, time-consuming and inaccurate task. Identifying where groups have been improperly nested and having a process to remediate these conditions is a critical step to maintaining order.


Inspect, Apply, and Validate Attributes
A directory is where people go to find information, and when it is absent or inaccurate that can be fatal to all the efforts that rely on the directory. Attributes for users and groups need to be closely monitored. This means making sure that the attributes you know your processes and applications will need are consistently filled out, and making sure that gaps are exposed when they are not. But having data in the attribute isn’t good enough. The data must be in compliance with your organization’s policies and controls. That means watching both the content and the quality of the attribute content to ensure the best information is exactly where everything expects it to be.

Control Privileged Access
A subset of Active Directory groups are typically tied to highly privileged access. This includes not only the well-known groups such as Domain Admins and Enterprise Admins, but also normal security groups that have been granted rights as Local Administrators on critical systems and applications. These groups should be treated with the highest importance, and implementing a process to identify and manage these groups is paramount to enforcing proper security.

Manage Security Group Membership
All Active Directory groups are created to serve a purpose, not just those with privileged access. Whether that is to contain users to represent a role, or to be granted a permission to a server or file share, each group must be managed according to its intent. To effectively manage groups, owners must be assigned. Those owners must be able to validate the need for that group and the accuracy of its membership on a recurring basis, to ensure that each group is relevant and any irrelevant groups are identified and removed right away. They also must be enabled to change their groups as needed in a controlled manner.

Identify Group Grants
Understanding where a group has been used to grant access is extremely valuable information for validating that the group is being used as intended, as well as for finding instances where groups are being used inappropriately. Also, during a group cleanup cycle it is useful to understand what impact a group has on the organization and what access it is providing.


The End State: AD Optimization Lifecycle
Throughout this guide, we have discussed issues that the native limitations in Active Directory can lead to and highlighted the use cases that an Active Directory Optimization solution can address. However, it is imperative to note that the questions an AD Optimization solution can help answer are not static. These questions will change and come up again and again as the business moves through its lifecycle. Every M&A, every new set of access requirements the directory must fulfill, every time there is a reorganization that will affect group structure requirements, Active Directory Optimization will be required to ensure both the best start and the best results. Because Active Directory is chartered with continuously keeping up with the business, optimizing AD should be thought of as its own lifecycle process.

In the end, the goal of the AD optimization lifecycle is to establish and maintain Active Directory’s state so that it can adapt to rapid changes in the business without affecting its ability to accomplish its primary job as the authentication and authorization gatekeeper to information and resources. Imagine if the next time your organization wants to adopt a new piece of technology to enhance the business, Active Directory is ready and able to connect to it without modification. Ensure your CFO and CISO can sleep soundly at night knowing that your Active Directory environment is secure and that access is provisioned correctly at all times, even with the constant turnover and reorganization of personnel. Feel confident that when your organization is ready to merge with another company, the environment is prepared for the consolidation effort and can represent the standard that any incoming environments need to meet in order for success to be achieved.

4 out of 5 IAM projects fail in large part due to issues with AD.
59% of CFOs indicated that data breaches are the top data/privacy concern at their organization.

The Active Directory Optimization lifecycle allows AD to be as agile as your business.


Selecting the Right Solution
Making sure an Active Directory product aligns with business goals is key to choosing the right solution and ensuring a successful project. Evaluation of the following features and capabilities will help guarantee the chosen solution can address these goals.

Group Reporting Requirements

Requirement | STEALTHbits | Other Vendor | Other Vendor
Does the product collect groups and group membership information from multiple Active Directory forests and domains into a single repository for reporting? | YES | |
Is the product able to collect information about security groups? | YES | |
Is the product able to collect information about distribution lists? | YES | |
Can the product determine the effective membership of a group by recursively expanding all nested groups? | YES | |
Will the product identify groups with circular nesting conditions? A circular nesting condition occurs when a group is effectively nested inside of itself. | YES | |
Is the product able to identify deep nesting conditions where there are many levels of group nesting beneath a single group? | YES | |
Does the product find large groups that contain vast amounts of user accounts either directly or through group nesting conditions? | YES | |
Will the product determine which groups are effectively empty and have no members? | YES | |
Will the product determine which groups have only one effective member? | YES | |
Can the solution detect stale groups where the user accounts that are effectively members of the group are not active within the domain? | YES | |
Is the product able to show stale groups by the last time the group was changed? | YES | |
Will the product find similar groups where the users that are effectively members of the groups are nearly identical, representing an opportunity to consolidate or collapse groups? | YES | |
Is the product able to show groups that are duplicates and have identical direct membership? | YES | |
Can the solution provide focused reporting on sensitive and highly-privileged domain security groups such as Domain Admins and Enterprise Admins to identify issues with membership in these groups? | YES | |
Will the solution detect where improper group nesting has occurred that violates Microsoft best practices, such as improper relationships based off of Group Scope (Domain local, Global, Universal)? | YES | |
Will the solution scan for attribute completeness to ensure critical data is available for group objects? | YES | |
Will the solution scan for attribute content compliance to organization policy to ensure critical group object data in the directory is accurate? | YES | |
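The effective-membership expansion and the circular, deep, empty and duplicate group conditions described in the No Control Over Group Nesting section and asked for in the group reporting checklist, worked through on a constructed in-memory group snapshot. This is an added example written for readers of this guide, not STEALTHbits code; the group and user names are hypothetical, and the dictionary stands in for what a collector would read from each group’s `member` attribute.

```python
"""Nested-group analysis over a constructed Active Directory group snapshot.

Constructed sample data (hypothetical names): each group maps to its DIRECT
members, which may be user names or other group names, the way the `member`
attribute does in AD. Group names start with "G-".
"""

# Constructed sample: group -> direct members.
GROUPS = {
    "G-AllStaff":     ["G-Engineering", "G-Finance", "G-Contractors"],
    "G-Engineering":  ["G-Dev", "G-Ops", "alice"],
    "G-Dev":          ["bob", "carol", "G-Dev-Leads"],
    "G-Dev-Leads":    ["carol", "G-Dev"],      # circular: G-Dev <-> G-Dev-Leads
    "G-Ops":          ["dave"],
    "G-Finance":      ["erin"],
    "G-Contractors":  [],                      # effectively empty group
    "G-Finance-Copy": ["erin"],                # same direct membership as G-Finance
    "G-ShareAccess":  ["G-AllStaff"],          # the group placed on a share's ACL
}


def is_group(name):
    return name in GROUPS


def effective_members(group, _seen=None):
    """Users reachable from `group` through any depth of nesting.

    The shared `seen` set stops the walk on circular nesting, so expansion
    terminates instead of recursing forever, and a group reached by two
    paths is expanded only once."""
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in GROUPS.get(group, []):
        if is_group(member):
            users |= effective_members(member, seen)
        else:
            users.add(member)
    return users


def circular_groups():
    """Groups that are effectively nested inside themselves: every group on
    a cycle of the group-to-group graph, found via DFS back edges."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {g: WHITE for g in GROUPS}
    on_cycle = set()

    def dfs(group, path):
        color[group] = GREY
        path.append(group)
        for member in GROUPS[group]:
            if not is_group(member):
                continue
            if color[member] == GREY:
                # Back edge: the path from `member` to here is a cycle.
                on_cycle.update(path[path.index(member):])
            elif color[member] == WHITE:
                dfs(member, path)
        path.pop()
        color[group] = BLACK

    for group in GROUPS:
        if color[group] == WHITE:
            dfs(group, [])
    return on_cycle


def nesting_depth(group, _path=()):
    """Levels of group nesting beneath `group` along its deepest chain.
    Groups already on the current path are skipped so a cycle does not make
    the depth infinite; a large result is a 'deep nesting' finding."""
    path = _path + (group,)
    depth = 0
    for member in GROUPS.get(group, []):
        if is_group(member) and member not in path:
            depth = max(depth, 1 + nesting_depth(member, path))
    return depth


def group_hygiene_report():
    """Flag the checklist conditions: effectively empty groups, groups with a
    single effective member, and duplicates with identical direct membership."""
    report = {"empty": [], "single_member": [], "duplicates": []}
    by_direct = {}
    for group in GROUPS:
        users = effective_members(group)
        if not users:
            report["empty"].append(group)
        elif len(users) == 1:
            report["single_member"].append(group)
        by_direct.setdefault(frozenset(GROUPS[group]), []).append(group)
    report["duplicates"] = [sorted(gs) for gs in by_direct.values() if len(gs) > 1]
    return report


if __name__ == "__main__":
    print("effective members of G-ShareAccess:", sorted(effective_members("G-ShareAccess")))
    print("circular nesting:", sorted(circular_groups()))
    print("nesting depth beneath G-ShareAccess:", nesting_depth("G-ShareAccess"))
    print("hygiene report:", group_hygiene_report())
```

Against a real domain the same functions work unchanged once GROUPS is filled from a directory export; the visited-set guard is what keeps a circular pair like G-Dev and G-Dev-Leads from hanging the expansion.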

User Reporting Requirements

Requirement | STEALTHbits | Other Vendor | Other Vendor
Does the product collect user information from multiple Active Directory forests and domains into a single repository for reporting? | YES | |
Will the product collect all standard user attributes as well as extended attributes custom to your organization? | YES | |
Can the product identify stale user accounts by the last logon time of the account? | YES | |
Can the product identify expired user accounts? | YES | |
Will the solution determine which user accounts are disabled? | YES | |
Does the product identify user accounts that are “orphaned”, meaning they are not members of any security groups or distribution lists? | YES | |
Can the solution identify duplicate user accounts across multiple domains by evaluating distinguishing attributes such as email address and account name? | YES | |
Will the solution scan for attribute completeness to ensure critical data is available for user objects? | YES | |
Will the solution scan for attribute content compliance to organization policy to ensure critical user object data in the directory is accurate? | YES | |

Remediation Requirements

Requirement | STEALTHbits | Other Vendor | Other Vendor
Can the product perform changes to Active Directory without installing an agent on a Domain Controller? | YES | |
Will the solution remediate objects across multiple domains and forests from a single, central location? | YES | |
Is the product able to model changes to Active Directory groups, showing the impact of the change to the group’s membership and affected users before applying the change? | YES | |
Does the product support interactive changes? | YES | |
Does the product support scheduled bulk changes? | YES | |
Will the product allow roll-back of changes to return objects that were modified to their original state? | YES | |
Does the product offer remediation interfaces for advanced technical users? | YES | |
Does the product offer remediation interfaces for non-technical business users? | YES | |
Will the product track all changes made with details of the changes including the time and the account which initiated the change for compliance purposes? | YES | |
Is the product able to “disable” groups via a workflow? | YES | |
Can the product remediate stale user accounts? | YES | |
Can the product remediate disabled user accounts? | YES | |
Will the solution provide workflows to interact with end users through emails and web-based surveys? | YES | |
Is the solution capable of authoring custom remediation workflows based on the needs of your organization and the configuration and security model of your Active Directory? | YES | |

Group Governance Requirements

Requirement | STEALTHbits | Other Vendor | Other Vendor
Is the solution capable of identifying probable owners of Active Directory groups based on out-of-the-box algorithms? | YES | |
Can the product perform workflows to email probable owners and validate that they are the appropriate owner? | YES | |
Does the product allow confirmed owners to perform reviews of group membership to certify it is appropriate and remove any inappropriate group members? | YES | |
Will the product allow multiple owners to be assigned to a group for purposes such as escalation if the primary owner is unavailable or needs to delegate responsibility? | YES | |
Does the solution enable employees to submit requests to be added to a group or distribution list and allow the owner to approve or deny the request? | YES | |
Can the product enable membership to a group to be allowed only for a designated amount of time, and after that time has elapsed remove the user from the group? | YES | |
Does the solution enable group owners to make ad-hoc changes to group membership as needed through a simple web portal without having to grant those owners access to Active Directory? | YES | |

Group Permission Requirements

Requirement | STEALTHbits | Other Vendor | Other Vendor
Is the solution able to scan end-points for permissions to identify where security groups grant access? | YES | |
Does the solution offer scanning of file share permissions for Windows shares? | YES | |
Does the solution offer scanning of file share permissions for NAS devices? | YES | |
Will the product scan Windows servers for group membership nested inside of Local Groups (e.g. Administrators, Power Users and Backup Operators)? | YES | |
Is the product able to scan for permissions granted to Microsoft SharePoint? | YES | |
Can the product identify group permissions granted to Office 365? | YES | |
Does the product scan Microsoft Exchange mailboxes and Public Folders for group permissions? | YES | |
Is the product able to collect permissions from Active Directory objects and containers? | YES | |
Will the product scan Microsoft SQL Server for group permissions? | YES | |
Can the solution perform imports of permissions across other applications where out-of-box scans are not provided? | YES | |
Is the product able to identify groups that do not have any permissions assigned to audited resources? | YES | |
Will the product show groups that have excessive permissions and may represent security risks? | YES | |
Does the solution highlight groups that have inappropriate permissions to find groups being used outside of their intended purpose? | YES | |
Will the product take the collected permissions and write them back to the group object so that the group’s permissions can be viewed within Active Directory? | YES | |

Change Monitoring Requirements

Requirement | STEALTHbits | Other Vendor | Other Vendor
Does the solution offer change monitoring to audit changes to Active Directory objects? | YES | |
Will the product display before and after values for changed attributes of Active Directory objects? | YES | |
Does the product identify the user account that made the change as well as the time of the change? | YES | |
Can the solution offer multiple change tracking approaches based on your organization’s needs, including agentless event log collection as well as agent-based collection with no reliance on event logs? | YES | |
Is the product able to send real-time alerts when inappropriate or high-risk changes occur? | YES | |
Will the product show the IP address of the host from where the change originated? | YES | |
Does the product support change tracking to group policies in addition to users, groups, computers and organizational units? | YES | |

Group Policy Requirements

Requirement | STEALTHbits | Other Vendor | Other Vendor
Does the solution offer collection of group policies including all settings? | YES | |
Will the solution identify group policies that have no associated settings? | YES | |
Can the solution identify group policies that are not linked and therefore not in effect? | YES | |
Will the product identify duplicate group policies that can be consolidated? | YES | |
Is the product able to identify where group policies are overlapping in the settings they apply? | YES | |

Product Architecture

Requirement | STEALTHbits | Other Vendor | Other Vendor
Does the product support agentless collection of Active Directory information? | YES | |
Can the solution operate from a single, centrally managed installation and only require a single database back-end? | YES | |
Can the product perform differential updates where the first scan collects all information and subsequent scans only collect changes? | YES | |
Does the product support on-demand and scheduled scans? | YES | |
Does the product support a least privilege scanning model and only require read access, not domain administrator access? | YES | |
Does the product provide documentation on its database schema and an API for integration? | YES | |
Does the product offer integrations into the leading IAM solutions on the market to ensure the data gathered can be reused if needed? | YES | |
Does the product support custom authoring of reports, data collection routines, data analysis, and remediation jobs? | YES | |
Does the product support integration into leading ticketing systems such as ServiceNow? | YES | |

About STEALTHbits Technologies, Inc.
STEALTHbits secures your data, ensuring only the right people have access at all times. A critical component of data security, regardless of where that data may reside, is understanding Active Directory and its impact as the authentication and authorization hub of almost any organization’s IT infrastructure. STEALTHbits’ long history and domain expertise in the management and security of Active Directory enriches our Data Access Governance solutions, in addition to programs and initiatives taking place in most businesses today, like Identity & Access Management projects, cloud migrations, and application rollouts. Enabling our customers to optimize, govern, and control Active Directory is ultimately what allows them to achieve success in many of the projects they’re engaged in, mitigate security risks they face daily, and achieve operational efficiencies that reduce cost, increase security, and enforce compliance. Visit www.stealthbits.com for more information.

Learn More
Attend a Demo - http://www.stealthbits.com/events
Browse the Resource Library - http://www.stealthbits.com/resources
Ask us a Question - http://www.stealthbits.com/company/contact-us
Request a Free Trial - http://www.stealthbits.com/free-trial
Visit the Official STEALTHbits Blog - http://www.stealthbits.com/blog

STEALTHbits Technologies, Inc.
200 Central Avenue, Hawthorne, NJ 07506
P: 1.201.447.9300 | F: 1.201.447.1818
[email protected] | [email protected]
www.stealthbits.com

©2015 STEALTHbits Technologies, Inc. | STEALTHbits is a registered trademark of STEALTHbits Technologies, Inc. All other product and company names are property of their respective owners. All rights reserved. WP-TEMP-0215
