What's New
Active Directory
Exchange
Windows
Quest InTrust
Abstract
This document describes the new features and capabilities of Quest InTrust 8.0.
QUEST SOFTWARE Windows Management — Phone: 614-336-9223 / 1-800-263-0036 — URL: www.quest.com/microsoft — 6500 Emerald Parkway, Suite 400, Columbus, OH 43016, USA
Copyright © 2004 Quest Software, Inc. Quest Software and Quest are registered trademarks of Quest Software, Inc. The information in this publication is furnished for information use only, does not constitute a commitment from Quest Software, Inc. of any features or functions discussed, and is subject to change without notice. Quest Software, Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication.
CONTENTS
OVERVIEW ... 5
REAL-TIME MONITORING OF BUSINESS-CRITICAL SECURITY EVENTS ... 6
BUILT-IN NOTIFICATION AND RESPONSE ACTIONS ... 6
WEB-BASED MONITORING CONSOLE ... 7
ENHANCED SUPPORT FOR HETEROGENEOUS ENVIRONMENT ... 7
NEW SCALABLE ARCHITECTURE ... 8
FLEXIBLE, AUTOMATED WORKFLOW ... 9
ENHANCED RESOURCE IDENTIFICATION ... 10
FIREWALL-FRIENDLY AUDIT DATA GATHERING AND MONITORING ... 11
ENHANCED AGENT MANAGEMENT ... 11
FLEXIBLE BUILT-IN REPORTING ... 12
BRAND-NEW REPORTS ... 12
ABOUT QUEST WINDOWS MANAGEMENT ... 13
ABOUT QUEST SOFTWARE, INC. ... 13
OVERVIEW
Quest InTrust 8.0 delivers a dependable enterprise platform for auditing and security monitoring of multi-location environments built around Microsoft Windows and Active Directory.
Key features of InTrust 8.0 include:
• Real-time monitoring of business-critical security events
• Native support for Sun Solaris systems
• Firewall-friendly data collection
• Built-in notification and reporting
These features and other innovations implemented with Quest InTrust 8.0 are described below in detail.
REAL-TIME MONITORING OF BUSINESS-CRITICAL SECURITY EVENTS
Quest InTrust 8.0 brings in the following capabilities:
• Checking for, and notifying on, business-critical security events on the monitored computers.
• Correlating events, that is, handling not only single events but also paired events, missing events, and so on.
• Automatically taking predefined response actions, if specified, to preserve audit integrity, prevent possible attacks, and minimize system downtime.
• Using a web-based console for centralized alert management.
InTrust 8.0 comes with a set of predefined monitoring rules that help you track administrative activity (for example, user account changes, policy management, rights assignment) and detect common attacks, such as password guessing or an account gaining administrative rights. You can also create custom rules to monitor for the specific events you need and take the response actions required by your organization's policy.
Built-in Notification and Response Actions
To inform persons in charge about the specific occurrences detected by the real-time monitoring, InTrust 8.0 offers automatic notification that creates and sends messages (for example, e-mail messages) to the specified recipients (individual operators or notification groups). Notification can be configured according to your organization’s workflow. For example, in addition to fixed text, messages can contain data included dynamically as messages are created.
To take corrective measures upon certain conditions, InTrust provides automatic response actions, which can:
• Enforce audit policies
• Execute scripts
• Execute programs
• Send SNMP traps
• Run InTrust Scheduled Tasks
For example, if an audit policy changes, you can automatically restore the audit policy and disable the initiator’s account.
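The three kinds of rule named in the previous section (a threshold on a single event type, a paired-event rule, and a missing-event rule) and the response action given as the example above, shown together in one small correlation engine. This is an added example, not InTrust code: the event records are constructed, the rule thresholds and the list of monitored computers are assumptions, and the response actions are returned as a plan rather than executed. The event IDs used are the Windows 2000/2003 Security log IDs for those occurrences (528 successful logon, 529 logon failure, 612 audit policy change, 624 user account created, 632 member added to a global group).

```python
"""Minimal event-correlation engine in the spirit of the rules described above.
Added example, not InTrust code. The event records below are constructed;
the IDs are the Windows 2000/2003 Security log event IDs for those occurrences:
528 successful logon, 529 logon failure (bad user name or password),
612 audit policy change, 624 user account created,
632 member added to a security-enabled global group."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _ts(ev):
    return datetime.strptime(ev["time"], TIME_FMT)


# Constructed sample events (not captured from a real system). "user" is the
# account that performed the action, "target" the account acted upon.
SAMPLE_EVENTS = [
    {"time": "2004-06-01 09:00:01", "id": 528, "computer": "DC1", "user": "admin1"},
    {"time": "2004-06-01 09:00:05", "id": 529, "computer": "DC1", "user": "jsmith"},
    {"time": "2004-06-01 09:00:09", "id": 529, "computer": "DC1", "user": "jsmith"},
    {"time": "2004-06-01 09:00:14", "id": 529, "computer": "DC1", "user": "jsmith"},
    {"time": "2004-06-01 09:00:20", "id": 529, "computer": "DC1", "user": "jsmith"},
    {"time": "2004-06-01 09:00:27", "id": 529, "computer": "DC1", "user": "jsmith"},
    {"time": "2004-06-01 09:01:00", "id": 529, "computer": "DC1", "user": "bob"},
    {"time": "2004-06-01 09:30:00", "id": 529, "computer": "DC1", "user": "bob"},
    {"time": "2004-06-01 09:31:00", "id": 612, "computer": "DC1", "user": "admin1"},
    {"time": "2004-06-01 09:40:00", "id": 624, "computer": "DC1", "user": "admin1", "target": "helpdesk2"},
    {"time": "2004-06-01 09:42:00", "id": 632, "computer": "DC1", "user": "admin1", "target": "helpdesk2"},
    {"time": "2004-06-01 09:45:00", "id": 528, "computer": "WEB1", "user": "svc_iis"},
]
MONITORED = ["DC1", "WEB1", "FS1"]   # assumed site membership; FS1 never reports


def password_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Threshold rule on a single event type: `threshold` logon failures (529)
    for one account inside a sliding `window` raise one alert for that account."""
    recent, fired, alerts = defaultdict(deque), set(), []
    for ev in sorted(events, key=_ts):
        if ev["id"] != 529:
            continue
        q = recent[ev["user"]]
        q.append(_ts(ev))
        while _ts(ev) - q[0] > window:          # expire failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in fired:
            fired.add(ev["user"])
            alerts.append(("password_guessing", ev["computer"], ev["user"]))
    return alerts


def admin_rights_gained(events, window=timedelta(minutes=10)):
    """Paired-event rule: an account is created (624) and, within `window`, the
    same actor adds it to a global group (632). Either event alone is routine
    administration; the pair in quick succession is what merits an alert."""
    created, alerts = {}, []                    # target account -> (actor, time)
    for ev in sorted(events, key=_ts):
        if ev["id"] == 624:
            created[ev["target"]] = (ev["user"], _ts(ev))
        elif ev["id"] == 632 and ev.get("target") in created:
            actor, t0 = created[ev["target"]]
            if actor == ev["user"] and _ts(ev) - t0 <= window:
                alerts.append(("admin_rights_gained", ev["computer"], ev["user"], ev["target"]))
    return alerts


def audit_gap(events, now, monitored=MONITORED, max_silence=timedelta(minutes=30)):
    """Missing-event rule: a monitored computer that has sent nothing for
    `max_silence` (or nothing at all) is reported. Silence is itself a finding:
    a stopped agent, a disabled audit policy or a host cut off from the server."""
    last_seen = {}
    for ev in events:
        last_seen[ev["computer"]] = max(last_seen.get(ev["computer"], _ts(ev)), _ts(ev))
    return [("audit_gap", c) for c in monitored
            if c not in last_seen or now - last_seen[c] > max_silence]


def response_plan(events):
    """Response actions for an audit-policy change (612), following the text's
    example: restore the policy and disable the initiator's account. The plan
    is returned rather than executed so that the example runs offline."""
    plan = []
    for ev in events:
        if ev["id"] == 612:
            plan.append(("restore_audit_policy", ev["computer"]))
            plan.append(("disable_account", ev["user"]))
    return plan


def run(events, now_str):
    """Evaluate all rules at wall-clock time `now_str`; returns (alerts, actions)."""
    now = datetime.strptime(now_str, TIME_FMT)
    alerts = password_guessing(events) + admin_rights_gained(events) + audit_gap(events, now)
    return alerts, response_plan(events)


if __name__ == "__main__":
    alerts, actions = run(SAMPLE_EVENTS, "2004-06-01 10:00:00")
    for a in alerts:
        print("ALERT ", a)
    for a in actions:
        print("ACTION", a)
```

Run against the sample, the engine raises three alerts (jsmith's five failures inside two minutes, the create-then-add pair for helpdesk2, and the silent FS1) and proposes two actions for the audit-policy change; bob's two widely spaced failures correctly stay below the threshold. A production rule would also need to consider the account that the response disables, since here it is the same administrator who went on to create helpdesk2.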
Web-based Monitoring Console
InTrust Monitoring Console is a web-based application that you can use to view the alerts generated during real-time monitoring. Monitoring Console allows you to manage alert records from any location using Microsoft Internet Explorer (no additional software is required).
Monitoring Console features profile-based access control to alert records, allowing you to:
• Define whether the user can resolve alerts or merely view them
• Specify the InTrust server that provides the alerts available to the user
• Specify the alert database where alert records are kept
ENHANCED SUPPORT FOR HETEROGENEOUS ENVIRONMENT
InTrust 8.0 supports audit data gathering and monitoring of heterogeneous environments (Windows and Sun Solaris). Agents are installed on Sun Solaris computers to process syslog messages and monitor for critical occurrences. Predefined reports help you analyze critical security events like privileged user logins in your Sun Solaris environment.
NEW SCALABLE ARCHITECTURE
InTrust 8.0 was designed using a new, scalable, multi-server architecture. As shown in the figure below, the main component of this architecture is the InTrust Server.
[Figure: the InTrust Server, carrying the InTrust Audit and InTrust Real-Time components and the installed Knowledge Modules, serving Microsoft Windows, Microsoft IIS and Sun Solaris computers.]
InTrust Server is the basis on which the components responsible for audit data collection and real-time monitoring reside. You can have several InTrust servers united into an InTrust organization. An InTrust organization is a group of InTrust servers with shared configuration, providing for:
• Load balancing between InTrust servers
• Distribution and enforcement of uniform gathering policies and monitoring rules across the enterprise
Information about the audited and monitored platforms and applications is provided by Knowledge Modules. Thus, to provide support for a new platform or application, you needn’t reconfigure or re-deploy the whole framework—simply install the corresponding Knowledge Module on the InTrust Server.
InTrust servers’ configuration data is stored in the configuration database on Microsoft SQL Server 2000 (MSDE can also be used).
FLEXIBLE, AUTOMATED WORKFLOW
InTrust task-based workflow provides for scheduled, automated audit data collection, management, and reporting. An InTrust task can include a chain of different jobs. A job can:
• Gather data from a live network to a repository and/or a database
• Consolidate data between repositories
• Import data from a repository to an audit database for reporting purposes
• Automatically generate, save, e-mail and publish reports on collected data
• Automatically update a Report Library
• Clean up a repository, audit database, or alert database
• Launch a Windows Scheduled Task
• Launch an application
• Notify of task completion
Each job is performed by a certain InTrust server; jobs in a task can be configured to run simultaneously or one after another.
Users can either work with the predefined tasks, easily customizing them to fit the organization’s workflow, or create new tasks of their own.
ENHANCED RESOURCE IDENTIFICATION
In InTrust 8.0, computers that should be audited or monitored are arranged into collections called InTrust sites. Typically, InTrust sites are organized based on a company's administrative and geographical boundaries.
You can populate InTrust sites with the following objects:
• Computers (same as in EventAdmin and InTrust for Events)
• Computer lists (loaded from a text file)
• Windows domains (same as in EventAdmin and InTrust for Events)
• AD organizational units
• AD sites
• IP addresses (same as in EventAdmin and InTrust for Events)
• IP ranges
An InTrust site can also be populated based on:
• Computer roles (domain controllers, workstations, and others)
• OS versions
• Specific applications installed on computers, such as Microsoft IIS or Microsoft Exchange. You can define your own applications based on registry values.
InTrust automatically discovers and enumerates site resources if shortcuts to domains, Active Directory organizational units, Active Directory sites, or IP ranges are used. So, if you add a new domain controller to a domain processed by InTrust, it will be automatically discovered and included in the corresponding site.
For InTrust audit data gathering, site objects are re-enumerated each time a gathering session starts. For InTrust real-time monitoring, you can schedule re-enumeration using InTrust site properties.
Quest InTrust 8.0 • What’s New 11
FIREWALL-FRIENDLY AUDIT DATA GATHERING AND MONITORING
InTrust 8.0 facilitates audit data gathering and real-time monitoring of computers located in a network area behind a firewall or in a non-trusted domain. This is possible because agent-server communication uses a proprietary TCP-based protocol with strong data encryption and agent-server authentication. For example, you can collect event data from a Web farm, or monitor for suspicious activity in the DMZ. Simply install InTrust agents manually on the target computers. To let agents operate across the firewall, open a port on the firewall that allows inbound traffic from the agent computers to the address and listening port of the specific InTrust server; restricting the rule to that single address and port (and, where possible, to the agents' source addresses) keeps the exposure to a minimum. You specify the listening port number during InTrust Server installation.
ENHANCED AGENT MANAGEMENT
InTrust 8.0 agents are required for real-time monitoring and optional for audit data gathering. However, using agents when gathering audit data allows you to drastically reduce network load and increase security when communicating information to the InTrust Server. In particular, when gathering without agents, the size of the communicated data is nearly equal to the size of the original audit trail, whereas using agents makes it about 50 times smaller due to agent-side data compression. To strengthen security, enable agent-side encryption (3DES) of the log data.
Agents can be installed:
• Automatically, using InTrust Manager, on all InTrust site computers
• Manually, on specific computers, for example, those located behind a firewall, or on Sun Solaris computers
Also, a Windows Installer package provided for InTrust agent makes it possible to install agents using Group Policy and such management tools as Microsoft Systems Management Server or HP OpenView.
FLEXIBLE BUILT-IN REPORTING
InTrust 8.0 offers powerful and flexible reporting capabilities:
• You can now generate predefined reports on schedule not only with the Reporting Console, but also on the InTrust Server, using a built-in reporting job. This job is much like the Reporting Console scheduled task. It can be scheduled to run after the audit data is gathered and loaded into the audit databases, allowing you to generate reports as soon as data becomes available for analysis. Users access these reports via the Reporting Web Portal. You can also send the reports by e-mail or publish them to Microsoft SharePoint Portal Server.
• As before, you can generate, view, save, print and publish your reports (interactively or on schedule) from the Reporting Console. In addition, the Reporting Console enables you to create custom plain and hyper-reports and charts.
BRAND-NEW REPORTS
Quest InTrust 8.0 comes with a variety of predefined report packs for different Knowledge Modules, namely:
• Microsoft Windows/Active Directory
• Microsoft Exchange Server
• Microsoft IIS
• Microsoft ISA Server
• Sun Solaris
These reports are useful for user activity tracking, forensic analysis, investigation of security incidents, and software and system audit. Many reports offer drill-down links. In addition, a special report pack includes about 20 reports, charts and OLAP cubes for analyzing real-time alert records, including alert occurrences, delivery and tracking. All report packs are carefully designed and structured, providing easy-to-use and appealing data presentation.
ABOUT QUEST WINDOWS MANAGEMENT
Quest Software, now including the people and products of Aelita Software, provides solutions that simplify, automate and secure Active Directory, Exchange and Windows environments. The Quest Windows Management group delivers comprehensive capabilities for secure Windows management and migration. For more information on Quest Software's Windows Management group, please visit http://www.quest.com/microsoft.
ABOUT QUEST SOFTWARE, INC.
Quest Software, Inc. provides business-critical software for 18,000 customers worldwide, including 75 percent of the Fortune 500. Quest offers products for application performance management for packaged applications and Java environments; database management for Oracle, DB2, SQL Server, Sybase and MySQL environments; and Windows management in Active Directory and Exchange. These management solutions help customers develop, deploy, manage and maintain the IT enterprise without expensive downtime or business interruption. Headquartered in Irvine, Calif., Quest Software can be found in offices around the globe and at