Use case: Tracking user logons across the heterogeneous enterprise IT

The IT world is not unipolar. Although Windows continues to dominate the server and desktop markets, almost every enterprise IT environment runs a mixture of other operating systems supporting business-critical applications and users' desktops – Linux, Solaris, HP-UX, AIX, Mac, you name it. This is what we call a heterogeneous enterprise IT.

Managing a heterogeneous enterprise IT can be painful without appropriate tools in place.

Quest Authentication Services can make non-Windows operating systems full citizens of Active Directory domains. It solves one of the most critical pain points of identity and access management – letting employees use a single user ID and password to log on and get access to any network resource, no matter which operating system they happen to be on.

Once a Unix box is joined to the AD domain through QAS, it follows the authentication and authorization rules established in the Active Directory environment. So when users log on to Unix boxes, Kerberos authentication takes place on Active Directory domain controllers, and this is captured in the Security log as Kerberos ticket exchange events like the one below.

With the help of another Quest product – InTrust – events like this can easily be picked up from anywhere in a spread-out IT infrastructure and stored in a centralized archive for subsequent analysis and reporting.

Now let's imagine that your auditor or boss has tasked you with pulling up a report showing the logons of a specific user everywhere throughout the enterprise network.

How would you do that without tools like QAS and InTrust in place? Most likely you would start by collecting Security logs from the DCs and syslog or other audit logs from the Unix boxes. Then you would probably write down all the account names under which that user can appear on the different systems, and query all the diverse log data you collected to find the logons in each of those logs. What does not make things easier is that login entries vary in format from one log to another, so it would be very painful to put all the pieces of the logon events together and find out who actually logged on, to which server, from which workstation or laptop, and when it actually happened.

How would it work with QAS and InTrust in place?

It would be as easy as collecting Security log events from the domain controllers with InTrust and running the pre-defined searches in Repository Viewer. The latter would pull up all Kerberos authentication events and present them in an easy-to-digest W5 format, telling you who logged in, whether the logon succeeded or failed, where the logon took place, which workstation it originated from, and when it happened.

So in a single report you would see logins taking place on both Windows and Unix desktops or servers, all sharing the same user ID namespace: Microsoft Active Directory.
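
As an added example (not QAS or InTrust code, and not from the original post), here is how the W5 normalisation described above can be applied to Kerberos ticket events exported from domain controllers' Security logs, so that a Windows logon and a QAS-joined Unix logon for the same AD account land in one report. Event IDs 4768 and 4771, the field names, host names and addresses are assumptions, and the records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
# Assumed event IDs (Windows Server 2008+ Security log): 4768 = Kerberos TGT
# requested, 4771 = Kerberos pre-authentication failed. Nothing here is InTrust code.
KERBEROS_EVENT_IDS = {4768, 4771}

SAMPLE_EVENTS = [  # constructed records shaped like fields exported from a DC Security log
    {"EventID": 4768, "TimeCreated": "2010-03-01T08:02:11", "Computer": "dc01.corp.example",
     "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "IpAddress": "::ffff:10.1.2.30", "Status": "0x0"},          # success from a Unix box
    {"EventID": 4771, "TimeCreated": "2010-03-01T08:05:42", "Computer": "dc02.corp.example",
     "TargetUserName": "JSMITH", "TargetDomainName": "CORP",
     "IpAddress": "::ffff:10.1.7.5", "Status": "0x18"},          # 0x18 = wrong password
    {"EventID": 4768, "TimeCreated": "2010-03-01T09:15:00", "Computer": "dc01.corp.example",
     "TargetUserName": "mlee", "TargetDomainName": "CORP",
     "IpAddress": "10.1.2.44", "Status": "0x0"},
    {"EventID": 4624, "TimeCreated": "2010-03-01T09:16:30"},     # not Kerberos; ignored
]

@dataclass
class W5Row:
    who: str      # DOMAIN\user, lower-cased so jsmith and JSMITH collapse to one identity
    what: str     # "success" or "failed"
    where: str    # domain controller that processed the ticket request
    origin: str   # client address the request came from (the Windows or Unix host)
    when: datetime

def client_address(raw):
    # DCs record IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); normalise to dotted quad.
    return raw[7:] if raw.lower().startswith("::ffff:") else raw

def to_w5(events):
    rows = []
    for ev in events:
        if ev.get("EventID") not in KERBEROS_EVENT_IDS:
            continue
        # A 4768 with a non-zero Status (e.g. unknown principal) is a failure too.
        succeeded = ev["EventID"] == 4768 and ev.get("Status", "0x0") == "0x0"
        rows.append(W5Row(
            who=f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'.lower(),
            what="success" if succeeded else "failed",
            where=ev["Computer"],
            origin=client_address(ev["IpAddress"]),
            when=datetime.fromisoformat(ev["TimeCreated"]),
        ))
    return sorted(rows, key=lambda r: r.when)

def logons_for(events, user):
    return [r for r in to_w5(events) if r.who.split("\\")[1] == user.lower()]
```

Running `logons_for(SAMPLE_EVENTS, "JSmith")` answers the auditor's question: every Kerberos logon for that one AD account, successful or failed, in time order, regardless of which host it came from.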


Never thought it could be made that easy? Here are the links to both products that make it possible:

Quest Authentication Services

Quest InTrust


Enjoy,

Alexey
