Oct 24

SOX (Sarbanes-Oxley) and other audit compliance requirements have greatly increased the need for monitoring and auditing of IT environments. Experts say that many attacks gain access through a user account that has one or more incorrect or insecure settings, so it makes sense to focus on user account properties during the audit.

Here are the key user account properties that need to be audited in a Windows Active Directory environment.

Quote:
Basic User Account Properties to be Audited

LogonScript - this is important if the logon script performs any tasks that might establish some security settings, copy key security files, or any other security related task. If the incorrect logon script is being applied, it could leave the computer less secure.

Workstations - this is an important setting if your company uses this setting to restrict user accounts to logon to only a single or few computers. Typically this setting is left for service accounts, not typically used for user accounts used by employees.

Last time password was set - this setting can help determine stale user accounts. If a user has not changed the password within the time frame dictated by the password policy for maximum time that the password is valid, then this might be an indication that the user account is no longer being used. Another important issue to always consider is a malicious administrator who does not have his user account configured to expire the password. In this instance, the administrator will toggle the user account to expire the password, run the report for the audit, then toggle the password not to expire. If the password has not been changed in a year, but the password policy requires that all passwords be changed every 30 days, it is clear the administrator is trying to fool the audit report.

Password is required - in a Windows Active Directory environment, it is not easily possible to configure one user to have a password that expires and another that does not. There are some user accounts that are configured to not require a password by default, which includes the Guest account and IWAM_{computername} account.

Password Expires - when a user account is configured to not have the password expire, the password is not under the same rules as the domain Password Policy. This allows the user to keep the same password for an unlimited time and potentially have a weak password. Of course, this is not desired and standard user accounts (including administrators and other IT staff) should have the password expire.

Password Expires Time - not only can you determine whether the password expires, you can also audit when the password will expire next. The key audit point here is to ensure that all users will have their password expire within the password policy which requires that the password be changed within a set number of days. If the password expiration time is outside this range, it means that there might be an error within the user property or someone has modified the property to make the password expire later than desired.

Account is Disabled - this is an important property to audit for accounts that have been disabled and might need to be deleted. Most companies have a standard policy for when to delete user accounts. This might be 6 months, one year, or longer after the account is disabled. The main reason for such a long time for deletion is that a user account can't be recreated after it is deleted, it can only be recovered, which is not an easy process.

Last Logon Time - this setting will indicate a key aspect for each user account. It will indicate whether or not users are logging off at night, which is important to ensure that users change their passwords to adhere to Password Policy settings. If a user has not logged in for quite some time, it would be important to investigate whether the user account should be disabled, or why the user has not logged out in the recent past.

Advanced User Properties to be Audited

There are still other properties that need to be considered when performing an audit on user accounts. Some of these might be on your basic list, while others might be completely omitted. Regardless, you should consider including these in your next audit.

Remote Access ? Both dial-up and virtual private network (VPN) access is controlled through Active Directory. The catch with Active Directory is whether the setting is configured for Allow, Deny, or Use Remote Access Policy. If set for the latter, then you will need to also investigate the Remote Access Policies configured on the RAS server or the RADIUS (Remote Authentication Dial-In User Service) server.

Terminal Service access - With Terminal Services being such an important aspect of Windows 2000/2003/XP, it is essential to audit whether users can logon using this service. With the Terminal Service access, you need to not only check the user property for this access, but also the user rights. For Windows 2000 the user right that must be audited is “Logon Locally.” For Windows XP and Server 2003, the user right that allows users to logon with Terminal Services is “Allow logon through Terminal Services.”

As IT environments become more vulnerable day by day, a transparent and reliable auditing system is needed to ensure the security of information. Auditing all of the user properties mentioned above will serve the purpose of a secured IT environment.

Senthil Nath
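The audit points quoted in the post above, turned into a check that runs over an exported user list. This is an added example, not code from the post or from ADManager Plus: it decodes the standard userAccountControl flag bits and AD large-integer (FILETIME) timestamps, and flags the case the quote singles out, a password that never expires yet has not changed in far longer than the policy allows. The sample records and the 30-day maximum password age and 90-day stale-logon thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (standard AD values)
ACCOUNTDISABLE, PASSWD_NOTREQD, DONT_EXPIRE_PASSWORD = 0x0002, 0x0020, 0x10000
# AD timestamps count 100 ns intervals since 1601-01-01; offset to the Unix epoch in seconds
FILETIME_EPOCH_OFFSET = 11644473600
NEVER = {0, 0x7FFFFFFFFFFFFFFF}  # both values mean "never" in AD large-integer timestamps

def to_filetime(dt):
    """Encode an aware datetime as an AD timestamp (used here only to build sample data)."""
    return int((dt.timestamp() + FILETIME_EPOCH_OFFSET) * 10_000_000)

def from_filetime(ft):
    """Decode an AD timestamp to an aware UTC datetime, or None for 'never'."""
    if ft in NEVER:
        return None
    return datetime.fromtimestamp(ft / 10_000_000 - FILETIME_EPOCH_OFFSET, tz=timezone.utc)

def audit_user(user, now, max_pwd_age_days=30, stale_logon_days=90):
    """Return finding codes for one exported user record, following the post's audit points."""
    findings, uac = [], user["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        findings.append("DISABLED")           # disabled: the deletion-policy clock applies
    if uac & PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD")     # account may have an empty password
    if uac & DONT_EXPIRE_PASSWORD:
        findings.append("PWD_NEVER_EXPIRES")  # exempt from the domain password policy
    pwd_set = from_filetime(user["pwdLastSet"])
    if pwd_set is None:
        findings.append("PWD_NEVER_SET")      # pwdLastSet 0: never set / must change at next logon
    elif now - pwd_set > timedelta(days=max_pwd_age_days):
        findings.append("PWD_STALE")          # older than the policy's maximum password age
    last_logon = from_filetime(user["lastLogonTimestamp"])
    if last_logon is None or now - last_logon > timedelta(days=stale_logon_days):
        findings.append("LOGON_STALE")        # no recent logon: candidate for disabling
    return findings

# Constructed sample export (not real accounts); 0x200 is NORMAL_ACCOUNT.
NOW = datetime(2006, 10, 24, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "pwdLastSet": to_filetime(NOW - timedelta(days=10)),
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=1))},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": to_filetime(NOW - timedelta(days=400)),
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=1))},
    {"sAMAccountName": "guest", "userAccountControl": 0x200 | ACCOUNTDISABLE | PASSWD_NOTREQD,
     "pwdLastSet": 0, "lastLogonTimestamp": 0},
]
```

Running `audit_user(u, NOW)` over `SAMPLE_USERS` flags svc_backup with both PWD_NEVER_EXPIRES and PWD_STALE, which is exactly the combination the quoted text says an audit report must not let slip past.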

Oct 18

Here’s a handy reporting script I found while looking for something else: it shows the number of users, contacts and groups in an OU and its sub-OUs.

Quote:
What this script does is take the name of the OU where you want to start the query as a command-line parameter. It then does an ADSI query to find the distinguished name of the first OU that matches the text entered. It then does 3 separate subtree queries of all the user, contact and group objects that are located under the root OU. The ADO data shaping provider is used to group the information that is returned. The information is then stored temporarily in a multi-dimensional array and then used to finally build an HTM report called “c:\temp\report.htm” which has a table that shows the OU Name, Description, Path and the number of users, groups and contacts within each OU.

The script takes one command-line parameter, which is the name of the OU you want to run it against, e.g. to run the script: “cscript.exe lobjectsv2.vbs OUname”. I’ve also created a provision to let the script be run against the entire Active Directory domain instead of just an OU branch; to do this, instead of using the name of the OU as a command-line parameter, use rootdse as the command-line parameter, e.g. “cscript lobjectsv2.vbs rootdse”.

Happy Reporting!

Senthil Nath
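The per-OU subtree counting and HTML table that the quoted description outlines, as an added example; it is not the lobjectsv2.vbs script (which is not reproduced on the page) and runs over a constructed list of (distinguishedName, objectClass) pairs rather than a live ADSI query. The root is passed as a DN, so the “rootdse” mode corresponds to passing the domain DN; the description column is omitted and DN parsing honours backslash-escaped commas.

```python
import html

USER, CONTACT, GROUP = "user", "contact", "group"
# Constructed sample directory export: (distinguishedName, objectClass); not a real domain.
SAMPLE_OBJECTS = [
    ("OU=Sales,DC=example,DC=com", "organizationalUnit"),
    ("OU=EMEA,OU=Sales,DC=example,DC=com", "organizationalUnit"),
    ("CN=Alice,OU=Sales,DC=example,DC=com", USER),
    ("CN=Bob,OU=EMEA,OU=Sales,DC=example,DC=com", USER),
    ("CN=Smith\\, Vendor,OU=EMEA,OU=Sales,DC=example,DC=com", CONTACT),  # escaped comma
    ("CN=Sales Team,OU=Sales,DC=example,DC=com", GROUP),
    ("OU=IT,DC=example,DC=com", "organizationalUnit"),
    ("CN=Carol,OU=IT,DC=example,DC=com", USER),
]

def split_dn(dn):
    """Split off the leading RDN, honouring backslash-escaped commas inside values."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2                          # skip the escaped character
        elif dn[i] == ",":
            return dn[:i], dn[i + 1:]
        else:
            i += 1
    return dn, ""

def count_objects(objects, root):
    """Subtree counts for root and every OU beneath it: {ou_dn: {"user": n, "contact": n, "group": n}}."""
    counts = {dn: {USER: 0, CONTACT: 0, GROUP: 0} for dn, cls in objects
              if cls == "organizationalUnit" and dn.endswith("," + root)}
    counts[root] = {USER: 0, CONTACT: 0, GROUP: 0}  # the root row (an OU, or the domain for rootdse)
    for dn, cls in objects:
        if cls in (USER, CONTACT, GROUP):
            parent = split_dn(dn)[1]
            while parent:                   # credit every ancestor OU in scope (subtree semantics)
                if parent in counts:
                    counts[parent][cls] += 1
                parent = split_dn(parent)[1]
    return counts

def render_html(counts):
    """Build the report table: OU name, path and the three counts (description column omitted)."""
    head = "<tr><th>OU Name</th><th>Path</th><th>Users</th><th>Contacts</th><th>Groups</th></tr>"
    rows = ""
    for dn in sorted(counts):
        name = split_dn(dn)[0].split("=", 1)[1].replace("\\,", ",")
        cells = [name, dn, counts[dn][USER], counts[dn][CONTACT], counts[dn][GROUP]]
        rows += "<tr>" + "".join(f"<td>{html.escape(str(c))}</td>" for c in cells) + "</tr>"
    return "<table>" + head + rows + "</table>"
```

Writing `render_html(count_objects(SAMPLE_OBJECTS, "OU=Sales,DC=example,DC=com"))` to a file gives the kind of report the quoted text describes, with each OU's counts including everything in its sub-OUs.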

Oct 11

We would love to hear your comments on ADManager Plus, and we’d like to have a quote from you on how ADManager Plus helped you. Let us make it your testimonial so that we can share it with others and paste it up all over town, along with your photo! Well OK, not exactly all over town, but sprinkled around the ADManager website and brochure. Are you ready for your close-up?

Click here to share your story with us. Disclosing your organization’s name is not mandatory; what we need is what you feel about our product.

Here is a taste:

Much appreciate your time for doing this. Thanks!

Senthil Nath

Sep 25

A lot of people have been asking whether we were going to integrate Active Directory Reports with Management in ADManager Plus. The answer is, of course, YES.

For the initial version of the integration, we added options such as Delete, Disable, and Enable Users or Computers in Active Directory. This feature will be released soon, once the testing team gives the green signal.

We’re working on more integration between Reports and Management, so consider this just a sip.

If you have any questions, comments, or feedback for us, we are all ears.

Senthil Nath

Sep 11

Learn how to make your own naming format while creating users in Active Directory using ADManager Plus.

If you want to create a naming format such as “FirstName + . + First 1 Characters of LastName”, follow these steps:

1. Go to the Admin Tab -> Customize Naming Formats.

2. Choose “FirstName” for the field.

3. Click “Add-To-Format”; it will show the “Format Value” as “%givenName%” and the “Display Name” as “FirstName”.

4. Then choose “Dot” for the field and click “Add-To-Format”; the “Format Value” will now read “%givenName%.”.

5. Choose “LastName” for the field and, under “Select the Data”, choose “1” character instead of “All Characters” (the default).

6. Click Save; the format specified above is saved and added to the list of available formats.

So, what do you think? Do tell how helpful you find this feature, either through comments or the forum. Thanks!

Senthil Nath

Aug 25

Whew, what a week! We just released a batch of long-awaited new features and we hope you’re as excited about them as we are.

One of the questions we see most frequently is, “Is it possible to have help desk users use this application and have only limited access to Active Directory?” The answer is: Yes, and it’s easier than you think!

The new Version of ADManager Plus has a great new feature called “Help Desk Pack.”

Using the ADManager Plus Help Desk Pack, the ADManager Plus administrator can set different permissions (e.g. Reset Password, Add New Users, Modify User Attributes, Modify Computer Attributes, etc.) for different help desk users. The delegated help desk users can only see their particular features in the ADManager Plus web client and do their allocated tasks in Active Directory using ADManager Plus. Interesting feature, eh? You can grab the latest version from http://manageengine.adventnet.com/products/ad-manager/download.html

So, what do you think? Whatever is on your mind, chime in and let us know through comments or the feedback form. Thanks!

Senthil Nath

Aug 23

We’ve had a ton of people in the forums asking when 4.1 would be available. Today, we’re happy to inform you that 4.1 GA is released and ready for download. Get the latest ADManager Plus here. You will need to uninstall the old version and then install the new one.

The main features are listed below:

Quote:
* Support for different logons for each admin user.

* Setting different permissions for different users on ADManager Plus (users can be restricted within ADManager Plus).

* Modifying Bulk User Attributes from the CSV file

* Bulk User Modification: displaying the attribute value before the update.

We have plenty of features and fixes in the pipeline, so stay tuned for more…

Senthil Nath

Aug 14

It’s nice to see that people are starting to discover ADManager Plus. Tatsumi, at http://www.itproffs.se/forumv2/tm.aspx?m=64161, in a Swedish forum post titled ‘Advice about new web based tools’, mentions the advantages of using ADManager Plus and version 4.1 (which is expected to be available soon).

Here’s the translation of Tatsumi’s post:

Quote:
Hello

For all of you who want to get away from programming your own web-based Active Directory tools, I want to share a tip about a new web-based AD management tool.

Especially since it is free of charge for 1 domain. It becomes particularly interesting when v4.1 is released at the end of July.

Overall

http://manageengine.adventnet.com/products/ad-manager/index.html?ad-main

and

V4.1 features

http://forums.adventnet.com/viewtopic.php?t=12918

Thanks to Tatsumi for talking about ADManager Plus.

Senthil Nath

Aug 10

We just released our ADManager Plus 4008 build.

Here are some of the major fixes and enhancements:

1. Customized Naming Formats.

2. Computer Modifications.

3. Additional Reports.

Click here to learn more about 4008 build fixes and enhancements

Please visit http://manageengine.adventnet.com/products/ad-manager/download.html to download it, and try our live demo at http://demo.admanagerplus.com

Here’s the 4.1 news :D

Early Access (EA) of ADManager Plus 4.1 is available now; just shoot a mail to support[at]admanagerplus[dot]com and we will send you the link to download.

We are not quite ready with ADManager Plus 4.1 General Availability. We are working hard to make it available in the next few weeks.

Click here to learn what’s new in 4.1

As always, the ADManager Plus team looks to you for feedback about this and all other features.

-Senthil Nath

Jul 31

It’s been a long time since I blogged. After the release of ADManager Plus 4 GA on April 1st 06, our team has been engaged in developing more features and enhancing the existing features requested by our users.

We are getting requests for many interesting features (some of which are in our roadmap). We got the most requests for these two features in particular.

1. Naming Format Customization. Users can customize the naming format per their company policy. Example: FirstName + . + MiddleName + . + LastName, FirstName + MiddleName + LastName, etc.

2. Multiple Login Feature. Setting different permissions for different users on ADManager Plus (users can be restricted within ADManager Plus).

We have already completed the first one, ‘Naming Format Customization’, and have sent early access to a few users. We have also completed ‘Multiple Login’ and started testing it rigorously. This feature should be available for use in ADManager Plus 4.1. Once this feature is up, users should be able to set various access permissions for individual users.

We will also be bundling ADManager Plus 4.1 with a lot of useful features. Check out our roadmap. We will be giving out early access to the ADManager Plus 4.1 build, so if you are interested, just shoot a mail to support[at]admanagerplus[dot]com. We will send you the link to download.

I thank you for all the useful suggestions you have been giving us so far. Please keep them coming.

-Senthil Nath
