This document discusses managing privileged users in Active Directory. It covers four main steps: 1) discovering all privileged accounts, 2) monitoring accounts to determine active usage, 3) cleaning up accounts that are no longer in use, and 4) placing all accounts under a managed lifecycle with ownership, expiration dates, and access controls. The document also discusses how NetIQ software can help with delegated administration, auditing, enforcing policies, and automating tasks to better manage privileged users.

1. Risk Management
of Privileged Users
June, 2014

2. Understanding the Challenge

3. 3
The situation for privileged users
 Often these accounts are Non Personal
 Created during Projects for Specific Task
 Clear and Static set of Entitlements
 When Created an End Date is not Foreseen

4. 4
That creates Challenges
 Often Privileged Accounts do not get Cleaned Up
 Nobody knows How Many there are
 Nobody knows Which Entitlements they have
 Nobody knows which ones are No Longer In Use

5. Which steps do you need to
follow to get back in to control

6. 6
Step 1: Discover
In the Discovery Phase all NPA’s / Privileged Accounts
are detected within the infrastructure. For most of
those we can assess right away if they are
still actively being used or not.

7. 7
Step 2: Monitor
For those accounts for which not directly can
be established if/how they are being used,
a monitoring process is started.

8. 8
Step 3: Clean Up!
All NPA’s / Privileged Accounts that are no longer
being used, will be decommissioned during
the third phase: the Clean Up.

9. 9
Step 4: Manage
All accounts are being put into a Managed Lifecycle.
Responsibility is placed under a role, owned by a
‘normal’ identity and an expiration date is added.

10. 10
Focus on the basics
Enforce
access
controls
Monitor
user
activity
Minimize
rights

11. How to make your Active
Directory safe and compliant

12. 12 © 2012 NetIQ Corporation. All rights reserved.
The Current State of Active Directory
Where are we at? Where are we going?
Demand for better controls over
user permissions and changes,
richer reporting and auditing
capabilities
Active Directory’s role
in the enterprise is
evolving to meet
business demands
Microsoft native tools lack
fine-tuned administration
features
Automating
processes could
decrease workload
and simplify
compliance

13. 13 © 2012 NetIQ Corporation. All rights reserved.
What NetIQ Provides
NetIQ Directory and Resource Administrator
• Features
‒ Secure delegated administration
‒ Centralized auditing & reporting of account
management tasks
‒ Automation of repetitive tasks
‒ Enforcement of account policies
• Benefits
‒ Reduces administration costs
‒ Increases administration efficiency
‒ Assures enterprise security
‒ Helps achieve compliance

14. 14 © 2012 NetIQ Corporation. All rights reserved.
Secure, Delegated Administration
NetIQ Directory and Resource Administrator
• What is it?
‒ Dramatically simplifies the delegation
of administrative entitlements across
Active Directory
• Benefits
‒ Reduces the number of native
privileged accounts
‒ Delegate administrative tasks out
across the organization
‒ Using ActiveView technology,
administrators only see what they are
allowed to manage
Puts greater control over
administrative capabilities,
assuring the security of
Active Directory

15. 15 © 2012 NetIQ Corporation. All rights reserved.
Centralized Auditing of Administration
NetIQ Directory and Resource Administrator
• What is it?
‒ Captures all account management
activities
‒ Identifies who did what, when, and
where
• Benefits
‒ Enforcement of activity auditing
‒ Capturing & centralizing activities in a
multi-master environment
‒ AD security audit log conciseness &
interpretation
‒ Complete audit trail
Helps achieve regulatory
compliance and security
best practices

16. 16 © 2012 NetIQ Corporation. All rights reserved.
‒ The Reporting Center Console allows you to view,
configure, and create reports based on data collected by
DRA servers.
Reporting Center Console

17. 17 © 2012 NetIQ Corporation. All rights reserved.
Enforcement of Account Policies
NetIQ Directory and Resource Administrator
• What is it?
‒ Ensure policy is enforced across
administrative-related activities
• Benefits
‒ Content control through data validation
policies
‒ Data correctness and compliance
‒ Assures content consistency as well as
contextual control
‒ What and when changes are made
‒ Ability to review and rollback deleted
objects
Assures data integrity,
accuracy, and improved
control over changes

18. 18 © 2012 NetIQ Corporation. All rights reserved.
Automation of Repetitive Tasks
NetIQ Directory and Resource Administrator
• What is it?
‒ Facilitates the automation of
repetitive activities to reduce the level
of required human interaction
• Benefits
‒ Assures that all steps are carried out
correctly, in order, and completely
‒ Ability to integrate and launch 3rd-
party applications and scripts from
within the console
‒ Examples: Mailbox creation, disk
quota reporting and more
Increases administrator
efficiency

19. 19 © 2012 NetIQ Corporation. All rights reserved.
Privileged User Management
Microsoft AD

20. 20 © 2012 NetIQ Corporation. All rights reserved.
Administrationlayer
Privileged User Management
Microsoft AD

21. 21 © 2012 NetIQ Corporation. All rights reserved.
Administrationlayer
Privileged User Management
Privileged Users
Microsoft AD
Delegated
Admin

22. 22 © 2012 NetIQ Corporation. All rights reserved.
Granular Delegated Administration
Administrationlayer
Privileged Users
Microsoft AD
Delegated
Admin

23. 23 © 2012 NetIQ Corporation. All rights reserved.
Administrationlayer
Recycle Bin for Easy Restoration
Privileged Users
Microsoft AD
Delegated
Admin

24. 24 © 2012 NetIQ Corporation. All rights reserved.
Administrationlayer
Full Audit Trail & Enhanced Reporting
Privileged Users
Microsoft AD
Delegated
Admin

25. 25 © 2012 NetIQ Corporation. All rights reserved.
Administrationlayer
AD user provisioning through DRA
Privileged Users
Microsoft AD
Delegated
Admin
Identity Manager

26. © 2014 NetIQ Corporation and its affiliates. All Rights Reserved.26
Thank you.

27. © 2014 NetIQ Corporation and its affiliates. All Rights Reserved.27
+1 713.548.1700 (Worldwide)
888.323.6768 (Toll-free)
info@netiq.com
NetIQ.com
Worldwide Headquarters
1233 West Loop South
Suite 810
Houston, TX 77027 USA
www.netiq.com/communities

28. This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein. These changes may be incorporated in new
editions of this document. NetIQ Corporation may make improvements in or changes to the
software described in this document at any time.
Copyright © 2014 NetIQ Corporation. All rights reserved.
ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the
cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration
Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy
Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit,
PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite,
Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ
Corporation or its subsidiaries in the United States and other countries.