Posts

Real Time Event Notifications

IT admins don’t want small problems to snowball into an issue that can cause severe damage to a company’s infrastructure and Active Directory. They need a robust alert mechanism which identifies any threats in REAL TIME.  Most IT organizations are unaware of the changes until something breaks. This leads to downtime, loss of productivity, and higher cost. Becoming proactive and more aware is part of the overall IT optimization strategy.
Consider this scenario: An administrative account in Active Directory has been hacked or accessed by someone with malicious intent and you as the administrator of the network are not aware. Logging into an administrative account is an activity that is very critical and ignoring it could result in irreparable damage to your network security.
A reporting solution, while outlining what happened and when, will do so after considerable time has passed, when it could be too late to act upon. The usual audit solutions will help you outline and analyze who made changes to what, after you’ve discovered the damage. What is needed is a proactive approach to AD security: a product that will let you know Who made What changes When and Where, in REAL TIME. For such a product to work accurately, it cannot and should not rely only on Event Log information. The most reliable info is in Active Directory. The best solution in this case is to pull the data from both. Other changes in Active Directory might not necessarily require an administrator’s intervention, so adequate filtering is also needed.
Unmanaged changes are a problem in every company. They are THE primary cause of outages. If they are not prevented, the company will fail a security audit. However, even planned changes should be monitored to ensure that policies are being followed. Active Directory Change Notifier allows IT administrators to configure (define) alerts for one or more desired Active Directory events. Any alert is then delivered to the mailbox of intended recipients.
Active Directory Change Notifier is a flexible, scalable, easy to use application that will help you with your day-to-day activities. This application is part of our Active Directory solutions that are designed to simplify your IT environment and enable you to work better, faster, and more efficiently.
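To make the "pull from Active Directory, not just the Event Log" point concrete, here is an added example (not code from the original post or from Active Directory Change Notifier) that polls one domain controller for changes to AdminSDHolder-protected users and groups by tracking that DC's uSNChanged high-water mark. The DC name, the class name and the adminCount=1 filter are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Polls one domain controller for changes to AdminSDHolder-protected users and groups
// (adminCount=1) by tracking that DC's uSNChanged high-water mark.
public class AdminObjectChangePoller
{
    private readonly string _dcPath;   // e.g. "LDAP://dc01.example.local" (assumed name)
    private long _lastUsn;             // highest USN already reported; uSNChanged is per-DC,
                                       // so every poll must go to the same DC

    // Start from the current mark so only changes made after start-up are reported.
    public AdminObjectChangePoller(string dcPath) { _dcPath = dcPath; _lastUsn = ReadHighestCommittedUsn(); }

    private long ReadHighestCommittedUsn()
    {
        using (DirectoryEntry rootDse = new DirectoryEntry(_dcPath + "/RootDSE"))
            return long.Parse(rootDse.Properties["highestCommittedUSN"].Value.ToString());
    }

    // One line per protected object created or modified since the previous call. Deletions
    // become tombstones and are not returned by a plain search (they need the Event Log side).
    public List<string> PollChanges()
    {
        List<string> changes = new List<string>();
        long newMark = ReadHighestCommittedUsn();
        if (newMark <= _lastUsn) return changes;   // nothing committed on this DC since last poll

        using (DirectoryEntry root = new DirectoryEntry(_dcPath))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(uSNChanged>=" + (_lastUsn + 1) + ")(uSNChanged<=" + newMark + ")"
                            + "(|(objectClass=user)(objectClass=group))(adminCount=1))";
            searcher.PropertiesToLoad.AddRange(new[] { "distinguishedName", "whenChanged", "uSNChanged" });
            searcher.PageSize = 1000;   // paged results so a burst of changes is not truncated
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                    changes.Add(string.Format("{0} changed at {1} (uSN {2})",
                        r.Properties["distinguishedName"][0], r.Properties["whenChanged"][0],
                        r.Properties["uSNChanged"][0]));
            }
        }
        _lastUsn = newMark;
        return changes;
    }
}
```

Call PollChanges() on a timer and forward the returned lines to whatever alerting channel you use; a plain search tells you that an object changed and when, not which attribute, so pair it with the corresponding Security log events for the full picture.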

Administrative Security Risks

IT personnel cannot effectively manage their infrastructure without admin-level access. But with this access comes great responsibility. Most companies do not effectively allocate their resources or implement enough technology tools to prevent information security risks. Often enough, the response to countless regulations is to concentrate on building controls against external and internal business users, while ignoring IT administrators, who more often than not have access to information well beyond the scope of their jobs. Recent damaging and costly incidents (UBS, City of San Francisco) prove that companies in any vertical industry, and of any size, can be affected.
Giving administrators unlimited system authority is a reality for the foreseeable future, especially in SMB organizations that cannot afford Enterprise-level solutions. Traditional controls are ineffective against administrators armed with full access to all resources. Controlling administrative authority risks is key, and protecting the integrity of the company’s Active Directory is paramount; this is recognized as a vital piece of any organization’s security strategy. A domain administrator in an Active Directory forest can gain root access to any other domain (and therefore any member system) in the forest.
Having sufficient separation between the AD administrators and other IT personnel has its own special set of challenges. The best ways of meeting these challenges differ according to an organization’s size. Small and midsized organizations often lack dedicated IT security staff. In those organizations, IT professionals are already busy keeping many different technologies operational. Other small or midsized organizations may employ an information security officer, but that individual is often a generalist and frequently lacks the time or technical knowledge to manage this process. Large enterprises generally have dedicated staff to ensure this separation, but they end up overloaded by unnecessary fragmentation. Organizations in any one of these situations can benefit from the role delegation available in the Active Directory Manager. This application allows the creation of specific roles that access specific containers, objects or reports within AD, depending on specific job functions. IT users can be assigned to these roles and thus maintain the separation between HelpDesk, system admins, IT generalists, etc. The Active Directory Manager reduces administrative costs by providing a dynamically configured and customized Web-based interface for each job function. IT personnel have access only to the resources necessary to perform their job function and nothing else. Thus a tighter security policy can be implemented, one that will reduce the threat and impact derived from the actions of rogue IT personnel and mitigate the information security risks.

Server 2008 Backup

Recently, someone asked about the Windows Server 2008 Backup feature and I wanted to include a quick note about it on the blog as well.
The Windows Server 2008 Backup feature can be installed separately and has two sub-features: Windows Server Backup and Command-line Tools. Through the helpful interface you can run your scheduled backups, but there are some changes worth noting:
- only direct attached storage (disks) with NTFS formatted volumes can be backed up
- you can only select to do a backup of an entire disk volume (even if you choose the Custom backup type). Yeah, it’s an all-or-nothing type of deal
- you can’t pick individual files, folders or the Windows system state for backup
- you need to have a different location for your target backup
- you can no longer perform a backup to tape
Windows Server 2008 Backup has many new features and Microsoft does a good job of outlining them in the on-line help; check it out for more on this topic.

Retrieving object details from Active Directory

Obtaining any type of info from your Directory Services requires scripting if you’re using the native tools. There’s an easier and faster way: you can use third-party Active Directory solutions like the Active Directory Manager or Active Directory Reporter.
So let’s compare the two approaches; let’s try to get something simple… say “User” details:
1- Scripting. Ok, we’re not big fans of scripting around here. Still, let’s follow this through, painful as it is:
// Assumes an ASP.NET Web Forms page with a DropDownList (drpUsersList) and a TextBox
// (txtSearchEmployee), as the original snippet implies; the class name is made up.
using System;
using System.DirectoryServices;
using System.Text;
using System.Web.UI.WebControls;

public partial class UserLookup : System.Web.UI.Page
{
    protected DropDownList drpUsersList;   // receives one entry per matching user
    protected TextBox txtSearchEmployee;   // search text typed by the operator
    string _filterAttribute;
    string LoginName, FirstName, MiddleInitials, LastName, Company, State, City,
           Country, Postalcode, TelephoneNumber, Email, uniqueName;

    public void GetUserDetails()
    {
        try
        {
            drpUsersList.Items.Clear();
            ListItem li = new ListItem("– Users List –", "");
            drpUsersList.Items.Add(li);
            string _path = "LDAP://Your Domain Name";
            _filterAttribute = txtSearchEmployee.Text;
            // DirectorySearcher(string) takes an LDAP filter, not a path; bind to the path first
            DirectorySearcher dSearch = new DirectorySearcher(new DirectoryEntry(_path));
            // Escape the typed text so it cannot change the shape of the filter
            dSearch.Filter = "(&(objectClass=user)(givenName=" + EscapeLdapFilter(_filterAttribute) + "*))";
            foreach (SearchResult sResultSet in dSearch.FindAll())
            {
                LoginName = GetProperty(sResultSet, "cn");              // Common name (the logon name is sAMAccountName)
                FirstName = GetProperty(sResultSet, "givenName");       // First Name
                MiddleInitials = GetProperty(sResultSet, "initials");   // Middle Name
                LastName = GetProperty(sResultSet, "sn");               // Last Name
                Company = GetProperty(sResultSet, "company");           // Company
                State = GetProperty(sResultSet, "st");                  // State
                City = GetProperty(sResultSet, "l");                    // City
                Country = GetProperty(sResultSet, "co");                // Country
                Postalcode = GetProperty(sResultSet, "postalCode");     // Postal code
                TelephoneNumber = GetProperty(sResultSet, "telephoneNumber");
                Email = GetProperty(sResultSet, "mail");                // Email
                uniqueName = GetProperty(sResultSet, "mailnickname");
                ListItem newitem = new ListItem(uniqueName, uniqueName);
                drpUsersList.Items.Add(newitem);
            }
        }
        catch (Exception ex)
        {
            Response.Write(ex.Message.ToString());   // shows the raw error text to the browser
        }
    }

    // Returns the first value of the named attribute, or "" when the result lacks it
    public static string GetProperty(SearchResult searchResult, string PropertyName)
    {
        if (searchResult.Properties.Contains(PropertyName))
        {
            return searchResult.Properties[PropertyName][0].ToString();
        }
        else
        {
            return string.Empty;
        }
    }

    // Escapes the characters that are special inside an LDAP filter value (RFC 4515)
    public static string EscapeLdapFilter(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
}

2- Active Directory Manager/Active Directory Reporter. First off: NO SCRIPTING. Once you log in through the web interface (that’s your browser), it’s pretty easy to obtain any details about User objects. It’s a 3-step process taking virtually seconds: click on the “Reports Tab/User reports”, click “General Reports” and “All Users”. In the next screen, search for the user you’re looking for, and the Active Directory Manager will display all the User details.
The script in the first example is quite simple. By all accounts, if you want to do anything more involved in AD the script is only going to get more complicated. And we all know the longer the script is, the more chances you have of something going wrong.
In today’s world, you have to simplify your IT: why add more complexity to your environment?

Quick note about Group Policies – Server 2003 vs. Server 2008

A major issue in Server 2003 implementations of Group Policies is the huge amount of space they take up. For each Policy, there’s a corresponding .ADM file. The .ADM file supports only the English language, and it’s also 3.5MB in size. Not much, right? When you consider that for each policy you have, there’s a new .ADM file and another 3.5MB, you can see how this can get out of control. For example, let’s say you have 200 policies: that’s 700MB of extra data that you have to back up. Even if you only have 100 policies, that’s still 350MB.
Server 2008 offers a new way of dealing with this issue. In Server 2008 you can use ADMX files, which are based on XML and more lightweight by comparison. With the new ADML files, you now also have multiple language support.
The Active Directory solutions we provide will help with your Group Policies management. Contact us for more information.

Failed to access IIS metabase

When setting up the Active Directory Manager, some people may encounter issues related to the IIS setup.
The possible cause: when IIS is installed AFTER the .NET 2.0 Framework, the rights of the ASPNET user are not set correctly.
Suggested resolution: repair .NET Framework 2.0 (uninstall it if the repair does not work for you).
You can run the following from the command line to reset the IIS registry settings for the ASPNET user. In most cases, the framework directory for .NET Framework 2.0 is C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727


Microsoft KB Resources
Contact us for more Active Directory help.