[MUSIC PLAYING] Welcome.
This is "Quest Unscripted."
The log series on trending topics.
And Quest solutions related to Active Directory.
Office 365.
Oh, and don't forget Azure AD.
You're here because you have questions.
We're here because we have answers.
I think.
We will address questions we've received from customers,
Experiencing the same challenges as you.
All with the goal of helping you confidently move,
Manage,
And secure
Your Microsoft environment.
We call the show "Quest Unscripted" because
Except for this intro,
Nothing we say scripted or rehearsed.
And we're pretty sure you will notice that right away.
Hey, guys, thanks for joining. This is Ghazwan Khairi, strategic systems consultant with Quest that I'm joined, as you can see on the screen, by Bryan Patton, principal systems consultant with Quest. And Rob, do you want to say hi?
Here's Rob. Rob Tovar senior solutions architect with Quest. So today, we're super excited to talk about what's coming new in Change Auditor 7.1 release. 7.1 release, actually, is going to go live as of yesterday. Did it go live guys?
June 2nd. It's out there.
Cool, so it's out there as of yesterday. And we're super excited about the new capabilities. Bryan, I see your like on fire. Talk to us about what is going to come or what just released for Change Auditor long activity.
So the first item that would release I'm really excited about is Golden Ticket detection, where we can see the time to live of any kind of the Kerberos tickets are greater than 10 hours. Not only that, but the identification of NTLM where we can see a version one, or for version two of NTLM is being used, as well. Have both been added to the product.
OK so let's zoom out from this technical talk and why do I care?
The go to ticket detection, this means that somebody may be in your network. Typically, you authenticate and you have a ticket, the default is 10 hours. Those lost or forged tickets that may be created by Mimikatz or some other different type of tool, and those tickets can actually last up to 10 years.
So the fact we're looking that's between 10 hours and that 10 year lifetime, indicates that something bad's happening. That's the first thing we, kind of, indicate with those exist in your environment. The other one around NTLM version 1 and version 2, a lot of people want to get rid of NTLM authentication.
So the first one, the most insecure, is NTLM version 1. Knowing that that's being used is really bad, but some applications do use it. So identifying which applications are using it can help you remediate and fix that. NTLM version 2, if you can get rid of it, you should.
Although a lot of the scalp cases don't but just identifying which applications are using it can help you on later on down the road.
Cool, from an operational standpoint, say I upgrade Change Auditor to 7.1, how do I go about finding out where, just give me one screen show me all Golden Tickets or all NTLM events that are happening in the environment from one screen. How do we go about doing that and Change Auditor log on activity?
Yes, so there is a component, I guess a portal, that we have incorporated with many of our products called IP Security Search. IP Security Search, if you guys aren't familiar with it, it's a portal that can tap into multiple resources. Quest resources and Splunk for that matter.
But the whole idea is to feed this portal the information from our Quest products, including Change Auditor. So it's a portal that allows you to plug-in keywords and do a Google like search. That you plug-in the keywords, hit Enter, and you get the results within seconds.
So it's a nice way to do searches, get your details, get your information regardless of what product you're talking about. But in this case with Change Auditor we can quickly get that information.
So today, I probably logged in and out and left my screen up and came back to it, probably, I don't know a dozen times. And I'm sure you guys have done the same thing. Where I'm trying to get at is, these are going to be generating a lot of events. A lot of noisy events. Rob, how do we control that, so that we're cutting the noise out but we're still gaining value from Change Auditor.
So there's some options, right. Some customers will choose-- I mean there's an option to disable events, if the events aren't necessary. But if you do want to see them, one option that we have is to allow the events to come through and then apply a purge job that's very specific or detailed as to what it's going to eliminate or get rid of.
You can also archive the events. So there's multiple options. One would be to purge the events more frequently. Another option would be to archive the events to a second database. Another option is to move events to a third party tool, or to even use our InTrust solution that would allow you to compress the data in our repository with a 20 to 1 compression ratio.
So there's many ways to either eliminate the data or move the data for further use, in the future. I know with some compliance regulations, there is a need to store or keep information for longer periods of time. So we have both options.
Bryan, is there anything else you want to add?
Yeah, another option maybe turning it on for just a little while. Identifying the application that's still using NTLM. Disabling it. Then turn it back on after you've remediated authentication, maybe to curb everything else.
See if those different events are being generated or not. And still use that go one by one each different application maybe to
10:32