“Can you run a Windows report on Edgar Mann for security purposes? We need to know about his access, groups and permissions.”
Do you ever get requests like that from HR? It’s gratifying to play a role in buttoning down your organization, isn’t it?
At least, it’s gratifying if you can run that Windows report without spending your entire day on it. Even though the search is limited to Windows-based machines, it can still require a lot of queries, copies and pastes just to put together something meaningful. And if you’ve had a security breach, fast results are even more essential.
IT forensics in your Windows environment with IT Security Search
I’ve been posting lately about using IT Security Search, our web-based, interactive search engine that correlates disparate IT data for fast incident response and forensic analysis. IT Security Search is like an intelligent looking glass into your environment with a search-based approach to uncovering details and letting you drill into them.
It’s a feature of Quest® platform management products like Enterprise Reporter, Change Auditor, InTrust, Recovery Manager for Active Directory and Active Roles. The more of those products you use, the more comprehensive the picture you get and the more accurately you can drill.
In combination with Enterprise Reporter, IT Security Search uses Active Directory objects and Windows Server logs to help you quickly find the answers to common audit and compliance questions:
- Who has access to what?
- How do they have that access?
- To whom do they report?
- To which groups do they belong?
- Which permissions do they have to files, shares, etc.?
When you can easily put your hands on the answers to questions like those, you can give HR the information they need, without spending your entire day on it.
Use case: Researching an employee’s access with IT Security Search and Enterprise Reporter
Suppose Edgar Mann has recently left the organization. It’s the kind of thing you usually find out from an HR manager, who also alerts you to disable or delete Edgar’s IT footprint as a security precaution.
Few companies are set up to ensure that all of a former employee’s access points are disabled. The larger the environment, the more difficult it is to determine how much access that employee had, let alone remove it all. Deleting the AD account is a good start, but there’s plenty more out there.
At the main screen of IT Security Search, you enter several variations on the spelling of Edgar’s name:
You can also set a date range to narrow the search, for example if you know how long Edgar had accounts on the network.
IT Security Search immediately returns information about Edgar’s accounts:
You see that he has 3 domain accounts: one in sitraka.com and two in titancorp.local. You can delete those in Active Directory.
However, IT Security Search also finds that he has local accounts on the MEM1. and SQL. servers. Merely deleting his AD accounts won’t affect those, so depending on your company policy, you’ll need to delete or disable his accounts there.
Furthermore, from the organizational unit you can tell that one of the domain accounts was an administrator account:
You drill into it to find out more:
The Actions links take you to events collected by Enterprise Reporter: activity Edgar initiated, files and folders he owned, his permissions, and changes to his user object in AD. This is fertile ground for more investigation, which can be especially useful if Edgar left the company on less-than-rosy terms.
IT Security Search organizes data by categories:
In this example, the interesting categories of data from Enterprise Reporter include the events, groups and users associated with Edgar Mann. The Groups link takes you deeper into the groups he belonged to:
As HR requested, it would be prudent to remove him from those groups.
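As an added example, not code from the post or from Quest: the same offboarding questions answered natively in PowerShell, so you can see what IT Security Search is correlating behind the screens. It looks up every spelling of the name across both domains, records the OU and group memberships of each hit (the OU is what revealed the admin account above), and then asks the servers directly for local accounts, which deleting the AD accounts would leave untouched. The domain names come from the post; the name variants, the server short names, the "Admin" name heuristic, and the presence of the ActiveDirectory module, PowerShell remoting and Get-LocalUser (Windows Server 2016 or later) are assumptions.

```powershell
# Added example, not code from the post or from Quest: an offboarding access check
# done with the ActiveDirectory module and remoting. Assumes read access to both
# domains, remoting to the servers, and Get-LocalUser on them (Server 2016+).
param(
    [string[]]$NameVariants = @('Edgar Mann', 'Mann, Edgar', 'emann', 'edgar.mann'),  # assumed spellings
    [string[]]$Domains      = @('sitraka.com', 'titancorp.local'),                    # domains named in the post
    [string[]]$Servers      = @('MEM1', 'SQL')                                         # assumed short names
)
Import-Module ActiveDirectory

$domainHits = foreach ($domain in $Domains) {
    foreach ($name in $NameVariants) {
        $safe = $name -replace "'", "''"   # keep an apostrophe in a name from breaking the filter
        # Match display name, sAMAccountName and UPN so any of the spellings is caught.
        $filter = "DisplayName -like '*$safe*' -or SamAccountName -like '*$safe*' -or UserPrincipalName -like '*$safe*'"
        Get-ADUser -Server $domain -Filter $filter -Properties DistinguishedName, Enabled |
            ForEach-Object {
                $u      = $_
                $ou     = $u.DistinguishedName -replace '^CN=[^,]+,', ''
                $groups = @(Get-ADPrincipalGroupMembership -Server $domain -Identity $u.DistinguishedName |
                            Select-Object -ExpandProperty Name)
                [pscustomobject]@{
                    Domain  = $domain
                    Account = $u.SamAccountName
                    Enabled = $u.Enabled
                    OU      = $ou                                        # the OU exposed the admin account in the post
                    IsAdmin = [bool](($groups + $ou) -match 'Admin')     # heuristic: "Admin" in the OU or a group name
                    Groups  = $groups -join '; '                         # the memberships HR wants removed
                }
            }
    }
}

# Deleting the domain accounts leaves local accounts alone, so ask each server directly.
$localHits = Invoke-Command -ComputerName $Servers -ArgumentList (,$NameVariants) -ScriptBlock {
    param([string[]]$variants)
    Get-LocalUser | Where-Object {
        $u = $_
        $variants | Where-Object { $u.Name -like "*$_*" -or $u.FullName -like "*$_*" }
    } | Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name, Enabled, LastLogon
}

# One row per account; a user matched by several spellings is listed once.
$domainHits | Sort-Object Domain, Account -Unique | Format-Table -AutoSize
$localHits  | Sort-Object Server, Name | Format-Table -AutoSize
```

Run it from an account that can read both domains and reach the servers over WinRM; the two tables are the domain accounts to delete (with their groups) and the local accounts to disable or remove per your policy.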
Get started with IT Security Search
Employees and contractors leave your organization every week. If it’s part of your job to ensure that they are completely removed from your network, then this is the tool for you.
Because IT Security Search is a feature of multiple Quest platform management products, it can display information in a single screen that you’d normally have to use several query tools to find. For example, if you run it with both Enterprise Reporter and Change Auditor, IT Security Search will allow you to examine events like changes to files and folders even more closely.
Download your 30-day free trial of Enterprise Reporter, Change Auditor, InTrust, Recovery Manager for Active Directory or Active Roles. You can use IT Security Search at no additional cost during and after your trial for fast security incident response and forensic analysis.
Next time, I’ll describe how IT Security Search integrates with Recovery Manager for Active Directory to let you search for an AD object that’s been deleted, then restore it from backup in just a few seconds.