This document discusses managing privileged users in Active Directory. It covers four main steps: 1) discovering all privileged accounts, 2) monitoring accounts to determine active usage, 3) cleaning up accounts that are no longer in use, and 4) placing all accounts under a managed lifecycle with ownership, expiration dates, and access controls. The document also discusses how NetIQ software can help with delegated administration, auditing, enforcing policies, and automating tasks to better manage privileged users.
The situation for privileged users
Often these accounts are non-personal.
They are created during projects for a specific task.
They carry a clear and static set of entitlements.
When they are created, no end date is foreseen.
That creates challenges
Privileged accounts often do not get cleaned up.
Nobody knows how many there are.
Nobody knows which entitlements they have.
Nobody knows which ones are no longer in use.
Which steps do you need to follow to get back in control?
Step 1: Discover
In the discovery phase all NPAs (non-personal accounts) and other privileged accounts are detected within the infrastructure. For most of them it can be assessed right away whether they are still actively being used or not.
Step 2: Monitor
For the accounts where it cannot be established directly whether, or how, they are being used, a monitoring process is started.
Step 3: Clean Up!
All NPAs and privileged accounts that are no longer being used are decommissioned during the third phase: the clean up.
Step 4: Manage
All accounts are put into a managed lifecycle. Responsibility is placed under a role owned by a 'normal' (personal) identity, and an expiration date is added.
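The four steps above, carried out against a single Active Directory domain, as an added example that is not part of the original deck and not NetIQ code. It assumes the RSAT ActiveDirectory module, read access to the domain, and a 90-day inactivity threshold; the group list and the threshold are assumptions to adapt to your own tier-0 groups and policy.

```powershell
# Added example: triage privileged AD accounts through Discover / Monitor / Clean Up / Manage.
# Assumes the ActiveDirectory module (RSAT) and an account with read access to the domain.
Import-Module ActiveDirectory

# Built-in groups whose members hold privileged rights (assumed list; add your own tier-0 groups).
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)
$StaleDays = 90   # assumption: no logon within 90 days => candidate for clean up

# Step 1: Discover. Resolve nested group membership, then add accounts that carry
# adminCount=1 (protected by AdminSDHolder), which catches accounts removed from
# a group but never cleaned up. De-duplicate by distinguishedName.
$fromGroups = foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty distinguishedName
    } catch { Write-Warning "Could not enumerate ${g}: $_" }
}
$fromAdminCount = Get-ADUser -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty distinguishedName
$dns = @($fromGroups) + @($fromAdminCount) | Sort-Object -Unique

# Steps 2-4: classify every discovered account so its owner knows the next action.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$report = foreach ($dn in $dns) {
    $u = Get-ADUser -Identity $dn -Properties LastLogonDate, PasswordLastSet, AccountExpirationDate, Enabled
    $status = if (-not $u.Enabled)                    { 'Disabled: verify, then remove from groups' }
              elseif ($null -eq $u.LastLogonDate)     { 'No logon recorded: Monitor' }
              elseif ($u.LastLogonDate -lt $cutoff)   { 'Stale: Clean Up' }
              elseif ($null -eq $u.AccountExpirationDate) { 'Active but no end date: Manage' }
              else                                    { 'Active and managed' }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        LastLogonDate  = $u.LastLogonDate
        Expires        = $u.AccountExpirationDate
        Status         = $status
    }
}
$report | Sort-Object Status, SamAccountName | Format-Table -AutoSize

# Step 4 follow-up for an account that stays in use: give it an end date so the
# lifecycle has a review point (re-run this triage before the date is reached).
# Set-ADAccountExpiration -Identity <SamAccountName> -DateTime (Get-Date).AddMonths(6)
```

Note that LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag real activity by up to 14 days, so treat the "Stale" bucket as input to the monitoring step rather than as proof of disuse.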
Focus on the basics
Enforce access controls
Monitor user activity
Minimize rights
How to make your Active Directory safe and compliant