Policing the Power of Identity

Controls - Security mechanisms that grant or deny access. Verify that controls are in place and functioning.
Behavior - What users are actually doing. Monitor user behavior and verify that people are acting in accordance with policies.
Power - What rights have been given to users (potential risk). Report on user accounts, status and group memberships to see what users are empowered to do on the network.
Identity Audit
Identity Audit solutions for reporting and monitoring of identity controls, user behavior and the power given to users
Controls
* Specific platforms and versions should be verified for exact functionality
Capabilities
Microsoft Windows
- Active Directory Group Memberships
- File System permissions
- Active Directory GPOs
- Monitor for accounts created outside of provisioning process or other controls
Novell NDS and eDirectory
- File System explicit or effective rights
- eDirectory LDAP ACLs
- eDirectory User Templates
- Universal Password Snapin
- Prevent specific file types
Behavior
* Specific platforms and versions should be verified for exact functionality
Capabilities
Microsoft Windows
- Active Directory account creations or group membership changes
- File System file or folder access, creates, mods, deletes
- Changes to file system permissions
- Changes to GPO policies
- Authentication Attempts & failed logon attempts
Novell NDS and eDirectory
- Monitor account or group creates, mods, deletes
- Monitor eDirectory object ACL changes
- File System file or folder access, creates, mods, deletes (including specific file types)
- Authentication Attempts
Power
* Specific platforms and versions should be verified for exact functionality
Capabilities
Microsoft Windows
- Active Directory group memberships
- File System file or folder explicit rights
- Search for dormant accounts & disable per policy
- Any object and attribute combination (power based on user attributes)
Novell NDS and eDirectory
- Monitor account creations
- File System file or folder explicit and effective rights
- Any object and attribute combination (power based on user attributes)
- Security Equivalence Reports
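The Controls slide calls for monitoring accounts created outside the provisioning process, and the Power slide for finding dormant accounts and reporting privileged group memberships. The following is an added example of that reconciliation logic, not code from the deck or from any product it describes; the account records, provisioning list, privileged-group set and 90-day dormancy threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the deck): a directory export plus the
# set of accounts that have a matching provisioning record.
NOW = datetime(2024, 6, 1)
DORMANT_DAYS = 90  # assumed policy threshold

ACCOUNTS = [
    {"name": "alice", "created": datetime(2024, 5, 20),
     "last_logon": datetime(2024, 5, 30), "groups": ["Domain Users"]},
    {"name": "svc-backup", "created": datetime(2024, 5, 21),
     "last_logon": datetime(2024, 5, 21),
     "groups": ["Domain Users", "Backup Operators"]},
    {"name": "bob", "created": datetime(2023, 1, 4),
     "last_logon": datetime(2024, 1, 15),
     "groups": ["Domain Users", "Domain Admins"]},
    {"name": "temp-contractor", "created": datetime(2023, 11, 1),
     "last_logon": None, "groups": ["Domain Users"]},
]
PROVISIONED = {"alice", "bob", "temp-contractor"}  # names with a ticket
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators", "Account Operators"}


def unprovisioned_accounts(accounts, provisioned=PROVISIONED):
    """Control check: accounts with no provisioning record behind them."""
    return sorted(a["name"] for a in accounts if a["name"] not in provisioned)


def dormant_accounts(accounts, now=NOW, days=DORMANT_DAYS):
    """Power check: no logon inside the policy window.
    An account that never logged on is aged from its creation date."""
    cutoff = now - timedelta(days=days)
    return sorted(a["name"] for a in accounts
                  if (a["last_logon"] or a["created"]) < cutoff)


def power_report(accounts, privileged=PRIVILEGED_GROUPS):
    """Power report: which accounts hold membership in privileged groups."""
    report = {}
    for a in accounts:
        held = sorted(set(a["groups"]) & privileged)
        if held:
            report[a["name"]] = held
    return report


def dormant_privileged(accounts):
    """Highest-risk finding: dormant accounts that still hold privileged power."""
    return sorted(set(dormant_accounts(accounts)) & set(power_report(accounts)))


if __name__ == "__main__":
    print("unprovisioned:", unprovisioned_accounts(ACCOUNTS))
    print("dormant:", dormant_accounts(ACCOUNTS))
    print("privileged:", power_report(ACCOUNTS))
    print("dormant + privileged:", dormant_privileged(ACCOUNTS))
```

In a real deployment the account records would come from a directory export (for example an LDAP query against AD or eDirectory) and the provisioned set from the provisioning system's own log; the checks stay the same.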