Showing posts with label Active Directory.

Tuesday, April 3, 2012

Identifying Disabled Users

A great question came up today in Varonis training: how can we identify when a user account was disabled and who performed the operation? For those of you running Varonis' DatAdvantage for Directory Services module, the answer can be gathered from the Directory Services log. The key items are the user account that you want to investigate and the Change Description filter, with the operation set to Like and the text field set to:

Property "User Account Control" modified: 514


This is a good candidate to set up as a monthly report to audit all of the user accounts that were disabled during the last month; something that will keep the auditors happy. If you would like the XML for the template please email me and I will send it to you.
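As an added illustration (not from the original post or from Varonis), the value 514 is the userAccountControl bit mask NORMAL_ACCOUNT (0x200) plus ACCOUNTDISABLE (0x2), so a text filter on "514" misses accounts that carry extra flags such as "password never expires" (66050). The decoder below tests the disabled bit instead; the pipe-separated line layout and the sample lines are constructed for this example and are not Varonis' real export format.

```python
import re

# Selected userAccountControl bit flags (documented in Microsoft KB 305144).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}
ACCOUNTDISABLE = 0x0002

# Matches the change description the post filters on; the number after the
# colon is the new userAccountControl value written to the account.
UAC_CHANGE = re.compile(r'Property "User Account Control" modified: (\d+)')

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def disabled_events(lines):
    """Return one record per log line whose new UAC value has the disabled bit.
    Line layout (constructed for this example, not a real Varonis export):
    timestamp | target account | change description | acting account"""
    events = []
    for line in lines:
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            continue
        when, target, description, actor = fields
        m = UAC_CHANGE.search(description)
        if not m:
            continue
        value = int(m.group(1))
        if value & ACCOUNTDISABLE:
            events.append({"when": when, "target": target, "actor": actor,
                           "uac": value, "flags": decode_uac(value)})
    return events

# Constructed sample lines: 512 = enabled, 514 = disabled,
# 66050 = disabled + password never expires (missed by a filter on "514").
SAMPLE_LOG = [
    '2012-04-02 09:15:01 | CORP\\jsmith | Property "User Account Control" modified: 514 | CORP\\helpdesk1',
    '2012-04-02 09:20:44 | CORP\\svc_backup | Property "User Account Control" modified: 66050 | CORP\\admin2',
    '2012-04-02 10:01:10 | CORP\\mlee | Property "User Account Control" modified: 512 | CORP\\helpdesk1',
    '2012-04-02 10:05:00 | CORP\\mlee | Property "Description" modified: On leave | CORP\\helpdesk1',
]

if __name__ == "__main__":
    for ev in disabled_events(SAMPLE_LOG):
        print(f"{ev['when']} {ev['target']} disabled by {ev['actor']} (UAC {ev['uac']}: {', '.join(ev['flags'])})")
```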

Tuesday, February 28, 2012

Varonis's new DatAdvantage for Directory Services

The job of securing information continues to get harder. The technology that we are managing is becoming more complicated, the threat vectors are increasing through new channels such as mobile devices, and the adversaries are getting more sophisticated.

One of the most difficult areas to protect is the unstructured data on file servers. I like to use the analogy of bank vaults to describe the file server world. We buy these very expensive bank vaults to store all of our confidential data and we deploy safe deposit boxes (think folders) to allow users to organize and protect that data. The Active Directory groups and passwords are the keys we hand to users to give them access to the safe deposit boxes.

However, with the storage vendors' current technology, the analogy breaks down. Here are some of the challenges:

  • We have no log of who goes in and out of the bank vault or safe deposit boxes.
  • If someone adds an additional keyhole to a safe deposit box, we rarely know who else is holding keys that will let them in.
  • We have no idea how big the boxes are or what is stored inside them.
  • Companies continue to buy new vaults because there is no easy way to manage the data in the existing vaults.
  • And every once in a while, IT people take the door off a safe deposit box to give someone access, and because the vault is in the dark, we have no idea that this has taken place.

The Varonis DatAdvantage solution gives us visibility into who has access to the safe deposit boxes, audits what they do with the data stored in them, and provides the tools to increase the security of the vault.

What Varonis is bringing to the table with its new DatAdvantage for Directory Services product is the ability to monitor the people who build and assign the keys to the boxes in the bank vaults. When a new key holder (a user) is created, we know that. When a user is assigned keys, we have a record of who gave them out. Varonis has provided the IT professional with a comprehensive set of tools to protect and manage their organization’s unstructured data.

Sunday, July 25, 2010

Where are AD Groups Used?

Utilizing Varonis DatAdvantage, one can determine how an Active Directory group is being used on a file server. To find where a security group is applied to a folder directly, run the 4a – Effective Permissions for User or Group report. You need to select each File Server that you want Varonis to investigate, and since we are only interested in where the group appears directly in the ACL, there are two options that need to be selected and set to True:
  • "Show only direct permissions"
  • "Distinguished unique"

This allows you to see every folder where the security group is directly applied.

Sunday, February 7, 2010

Harden Your Service Accounts

In many cases we have service accounts that need powerful privileges to perform their tasks. This power also means that there is an elevated level of risk associated with these accounts. They could be used inappropriately to access resources without accountability, since they are not tied directly to a person. There are two steps that I recommend people follow in locking down these accounts. Both of these activities involve starting Active Directory Users and Computers and then selecting the Properties option on the selected service account. First, select the Terminal Services Profile tab and check the option to Deny this user permissions to log on to any Terminal Server. The screen shot is shown here:

Then we want to restrict the computers that the service account can log into. This is found on the Account tab. Once on this tab, click on the Log On To command button. At this point, enter the computer name(s) where the service account is used. This will limit the account to logging into only those machines.

Thursday, August 20, 2009

Restoring Deleted Permissions with Varonis

This afternoon a hedge fund client called with a high profile problem. One of the system admins from their outsourcer had deleted all of the Active Directory permissions of the General Counsel. Not a great person to prevent from accessing the system. Since they are a Varonis DatAdvantage user, I was able to help them solve this problem.

We ran a query from the log area and selected "History of differences" as the data source. The key settings were to set the "File Server" to "IDU" and set the "Change Description" to start with his fully qualified domain account. Then we got a list of all of the groups that he belonged to, and my client was able to restore them all and get the General Counsel up and running ASAP.

DatAdvantage to the rescue.

Saturday, June 6, 2009

Active Directory Security Groups

Yesterday, during a Varonis training session, Paul Ezhaya started a great discussion by asking my opinion on strategies for naming security groups and organizing folders on file servers. The primary debate was whether to use security groups named after departments and roles or to use security groups named after the folders that they provide access to. For example, if there was a folder called Human Resources with sub-folders such as Employee Data, Forms, and Terminations, and folders specific to several departments, how would we set this up from a security perspective? Would we create Active Directory groups based on Roles for the HR people who handle each department and then apply those groups to the corresponding folders on the file server? Or would we create AD groups named after the specific sub-folders and then add the specific people to those groups as needed? Along with the security groups, we would take the lead in organizing the folder structure to match the security group naming conventions.

There is no “right” answer, but here are some of my thoughts on the Role versus Folder question.

In general, I prefer the Folder-based solution. The first reason is the long-term security of your organization. Finding the data is always the top priority, so regardless of how you organize the folders, users will learn the taxonomy and adjust to it. You need to force the organization to apply security; therefore, if you organize the infrastructure in a secure manner, they won’t have to. Second, when you first set up your Role-based security groups you might have an accurate grouping of the users by department. However, over time people will not make the appropriate adjustments to those groups. After the initial setup fades away, when you add someone to a role-based security group so they can access a particular set of data, you may not realize what else that gives them access to. You may not even give it any consideration, because security will always be an afterthought. In a Folder-based solution, the security of the data is pushed to the forefront, as the IT department knows which folders the Active Directory group gives access to. And if the access is insufficient, users will surely let you know, whereas the odds of them notifying you that they were given too much access in the Role-based scenario are slim.

Of course, we may have a hybrid approach. At the top level shares we might want to have security groups for the department and apply those at that level. Then we would turn off inheritance on folders with confidential data and apply the folder-based security to those folders. So we end up with a set of groups like this:

grp_HumanResources
grp_Terminations-RO
grp_Terminations-RW

Where RO is for the group with Read Only privileges and RW is the group with Modify privileges.

If there are other reasons for you to use a Role-based strategy, then I would highly recommend an automated Identity Access Management system. I think that you will still find that the default will be to provide too much access, but the results will be better.

Monday, May 4, 2009

TechRepublic Reviews Varonis Suite

The TechRepublic blogger Mark Kaelin has a review of the Varonis Data Governance suite.

Here is a link to the review.

Nice to see the product get some coverage, since it is the greatest thing since sliced bread (actually since VMware). The review mentioned three things that are wrong with the product; I take issue with two of them.

Issue 1 that I disagree with:

"Culture shock: The general principle of placing decision making concerning data governance in the hands of employees deep in the organization may be a significant change of policy for many established organizations, especially those with established hierarchical structures and controlling IT departments."

One of the advantages of the Varonis solution is that you can start small, with one directory if you want, so that there is no need for any culture shock. Security provisioning by the user community can be rolled out as slowly or as quickly as the organization can handle.

Issue 2 that I disagree with:

"Cost and scope: The scope of the Varonis Data Governance Suite 4.0 does not come cheap. Not only will the entire organization have to buy-in to the concept, the initial software installation and training cost will be significant. This suite of software is most likely to be used in larger organizations with very specific and vital data governance needs."

The cost of the solution relative to the value of the data is not significant, and in terms of improved efficiency of IT administration the product more than justifies the cost. We have a number of customers that are small (250 users) and see significant benefit from the DatAdvantage product. Again, "enterprise" buy-in is not a necessity for implementing the solution. Behind the scenes, the DatAdvantage solution monitors and reports on access without disturbing anyone, and the DataPrivilege component can be rolled out directory by directory if you so desire.

Saturday, March 14, 2009

Unresolved SIDs

When we are working on cleaning up security in an Active Directory environment using Varonis DatAdvantage, one of the common problems that we run across is SIDs that Varonis cannot resolve to a useful name. In most cases this is because someone has deleted the user from Active Directory, rather than just disabling the user account. However, there are cases where the SID (security identifier) represents a group or machine account. Here is an example:

SID: S-1-5-32-544

Nobody ever remembers what those are. In walks Jennifer!

A Varonis user that we were working with, Jennifer Crusade, found this great Knowledge Base article that explains common security identifiers in Windows operating systems.

http://support.microsoft.com/kb/243330

Hope this helps you resolve a question or two.
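As an added example (not from the original post or from Varonis), this small parser triages an unresolved SID the way the post describes: it recognises a few well-known SIDs and domain RIDs from the Knowledge Base article linked above, and otherwise splits a domain SID into its domain part and RID, where RIDs of 1000 and above belong to objects created in the domain and so usually indicate a deleted user, group or computer. The tables hold only a small selection of the article's entries, and the domain SID in the sample is constructed.

```python
import re

# Small selection of well-known SIDs and domain RIDs (see the KB article above).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def classify_sid(sid):
    """Parse a SID string and say what an unresolved SID most likely is.
    Returns a dict with at least 'sid' and 'kind'."""
    m = SID_RE.match(sid)
    if not m:
        return {"sid": sid, "kind": "invalid"}
    subauths = [int(x) for x in m.group(2).split("-")[1:]]
    if sid in WELL_KNOWN_SIDS:
        return {"sid": sid, "kind": "well-known", "name": WELL_KNOWN_SIDS[sid]}
    # Domain SIDs look like S-1-5-21-<three domain sub-authorities>-<RID>.
    if m.group(1) == "5" and len(subauths) == 5 and subauths[0] == 21:
        domain = "S-1-5-21-" + "-".join(str(s) for s in subauths[1:4])
        rid = subauths[4]
        if rid in WELL_KNOWN_RIDS:
            return {"sid": sid, "kind": "domain-well-known", "domain": domain,
                    "rid": rid, "name": WELL_KNOWN_RIDS[rid]}
        # RIDs from 1000 upward are issued to objects created in the domain, so
        # an unresolved one is typically a deleted user, group or computer.
        likely = "deleted user, group or computer" if rid >= 1000 else "reserved RID"
        return {"sid": sid, "kind": "domain-object", "domain": domain,
                "rid": rid, "likely": likely}
    return {"sid": sid, "kind": "other"}

if __name__ == "__main__":
    # Constructed sample: the built-in SID from the post and a domain object SID.
    for s in ("S-1-5-32-544", "S-1-5-21-3623811015-3361044348-30300820-1013"):
        print(classify_sid(s))
```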