Assessing directory rights

In networks that have leaped beyond the traditional client/server environment to intranets and extranets, assigning rights to users is becoming complex. How do you really assess who has access to what?

Network directories such as Microsoft's Active Directory, the Sun-Netscape alliance's iPlanet Directory Server and Novell Directory Services eDirectory are meant to introduce some control over rogue users, with centralized tracking of rights assignments to sensitive data.

But a directory isn’t all that is needed for internal security. For example, network administrators also need to watch how much disk space users are consuming with questionable content, which could include large multimedia files.

I know of many IT professionals who at the first mention of network directory assessment will say, "I have no time" or "we’ve got a firewall." Well, a reality check’s required here. Why invest significant resources in a firewall if other avenues for stealing data or attacking systems are neglected?

What is required is a way to perform unmanned scrutinizing of network directory settings for vulnerabilities that would otherwise let malicious insiders steal, store, damage or disrupt.

One company that has been at the forefront of network directory security assessment is BindView. The Houston, Texas, company’s bv-Control line of products automatically scrutinizes Active Directory and eDirectory for the kinds of rights violations that might otherwise take forever to determine. Ask any network administrator how much time it would take to perform an effective rights analysis for all users with inappropriate rights to directory objects or the file system. Add to that assessing where users obtained those rights and you can understand the raised blood pressure in some network administrators.

Bv-Control is able to do what many network administrators would rather not -- that is, automatically scrutinize, audit and report on the many critical aspects of a network directory implementation. Because every business has unique needs, bv-Control is able to produce finely tuned, customized reports in numerous formats. This formatting is important, because most high-level IT directors need to know "yes or no, are we secure?" and getting a summary of a security assessment is all they need.

A common concern with products like bv-Control is the implementation overhead of interrogating a complex directory structure for vulnerabilities. BindView over the years has kept this in mind and has kept the bv-Control implementation as lightweight as possible.

Of course, just like the detective interrogating to find the truth from a perpetrator, the most complex assessments take more time and should be run as an overnight process. The peace of mind is worth it.

Lastly, it should be mentioned that BindView’s bv-Control products are not just focused on network directories. There are bv-Control solutions for Microsoft Exchange, Unix and SAP.

This story, "Assessing directory rights " was originally published by Network World.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon