Below is an English translation of a product review of NetWrix Identity Management Suite. It was originally posted by Damir Dizdarevic on his blog last month and was also published on the Info.ba site, the portal of the local IT community in Bosnia and Herzegovina. We are always delighted and proud to see IT professionals from overseas review our solutions and experience their value.
PRODUCT REVIEW: NETWRIX IDENTITY MANAGEMENT SUITE: “JUST RIGHT”
A few months ago we wrote about the Change Reporter tool from NetWrix Corporation, and the impressions were very good. Let’s see whether the set of NetWrix tools for identity management shares the same qualities.
Identity management and the general management of service and user accounts, passwords and related objects is a daily routine for almost any AD administrator. Automating these processes often requires the purchase and deployment of expensive and complex solutions such as Microsoft Forefront Identity Manager or similar tools from other software vendors. Alternatively, you can write and use scripts for these tasks, but such a solution is usually difficult to support and definitely not easy to implement. This is where an integrated identity management solution from NetWrix comes in.
NetWrix Identity Management Suite is composed of several largely independent products, which can be installed individually or together. The prerequisites are not particularly demanding. You will need a member server running Windows 2003 or newer (it can be installed on a domain controller, but that is neither necessary nor recommended) with the Web Server (IIS) role, the .NET Framework and Silverlight installed. For the reporting features, some tools require SQL Server Express or the full SQL Server (if available).
NetWrix Password Manager
Now let’s see what components make up NetWrix Identity Management Suite. To me the most interesting part is NetWrix Password Manager. Support calls caused by forgotten passwords and locked accounts make up a good deal of the workload of every administrator or support service. Active Directory offers no self-service for users (no way for them to reset a forgotten password or unlock their own account), so all of that work ends up on the administrative side. Only products like Forefront Identity Manager provide a certain degree of functionality in this regard, but implementing FIM just to achieve this is not an optimal solution.
NetWrix Password Manager is all about self-service for the user’s account and password. Once this component is deployed and configured, users can reset their own forgotten password or unlock their locked account through a very simple web-based interface. Before this functionality becomes available, the administrator must configure a few things. In the administrative portal you can set the title and text of the self-service site, the company logo, contact information for support, and links to documents that specify the password requirements.
It is also possible to manage the available functionality: you can enable one or more of the following features for users: resetting the password, forcing a password change at next logon, setting the “Password never expires” option on the account, unlocking the account, and changing the existing password (when the current one is known). Each of these features can be switched on or off as needed.
Many will probably choose not to allow users to set attributes such as “Password never expires” on their own account. Unfortunately, in this version this cannot be controlled per user or per group: the options set in the administrative section apply to all self-service users. Otherwise, almost all self-service options are based on a challenge-response technique with pre-defined questions and answers. This is a well-known technique for resetting passwords that has been used on the Internet for years, but AD does not support it by design. You can define a total of 8 questions for this purpose (such as mother’s maiden name, name of first pet, etc.), and you can also add your own or modify the existing ones. During enrollment each user has to choose which questions to use and set answers known only to them.
On the administrative side you can define the minimum length of the answer to any question, the minimum number of questions that must be set at enrollment, and the minimum number of answers that must be given correctly to unlock the account or reset the password. Furthermore, it is possible to forbid two questions from having the same answer, and to forbid an answer that contains any word mentioned in the question. These are very useful options that definitely strengthen the whole system. What is particularly interesting is that users may be obliged to define not only the answers but also the questions themselves. This achieves a high degree of security, but also a rather inconsistent configuration, so it is recommended to consider this before allowing users to define their own questions.
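To make the enrollment rules above concrete, here is an added example (my own code, not NetWrix’s) of how such a challenge-response policy can be enforced and verified. The policy class, its default thresholds, the salted PBKDF2 storage of answers and the sample questions are all assumptions; the review does not describe how the product stores answers internally.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Hypothetical policy object mirroring the knobs described in the review;
# the field names and default values are assumptions, not the product's settings.
@dataclass(frozen=True)
class ChallengePolicy:
    min_answer_length: int = 4       # minimum length of any answer
    min_questions: int = 3           # questions a user must set at enrollment
    min_correct: int = 2             # correct answers needed to unlock or reset
    forbid_duplicate_answers: bool = True
    forbid_answer_in_question: bool = True


PBKDF2_ROUNDS = 100_000  # assumption: answers are stored as salted PBKDF2 hashes


def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Fluffy ' and 'fluffy' compare equal."""
    return " ".join(answer.strip().lower().split())


def validate_enrollment(policy: ChallengePolicy, pairs: List[Tuple[str, str]]) -> List[str]:
    """Return the list of policy violations for a proposed set of (question, answer) pairs."""
    problems = []
    if len(pairs) < policy.min_questions:
        problems.append(f"need at least {policy.min_questions} questions, got {len(pairs)}")
    seen: Dict[str, str] = {}  # normalized answer -> question that used it
    for question, answer in pairs:
        norm = normalize(answer)
        if len(norm) < policy.min_answer_length:
            problems.append(f"answer to '{question}' is shorter than {policy.min_answer_length} characters")
        if policy.forbid_duplicate_answers:
            if norm in seen:
                problems.append(f"'{question}' and '{seen[norm]}' share the same answer")
            seen.setdefault(norm, question)
        if policy.forbid_answer_in_question:
            # Any word of three or more characters from the question must not appear in the answer.
            words = [w for w in re.findall(r"[a-z0-9]+", question.lower()) if len(w) >= 3]
            if any(w in norm for w in words):
                problems.append(f"answer to '{question}' repeats a word from the question")
    return problems


def enroll(policy: ChallengePolicy, pairs: List[Tuple[str, str]]) -> List[Tuple[str, bytes, bytes]]:
    """Validate the pairs and return (question, salt, hash) records; raise on a policy violation."""
    problems = validate_enrollment(policy, pairs)
    if problems:
        raise ValueError("; ".join(problems))
    records = []
    for question, answer in pairs:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
        records.append((question, salt, digest))
    return records


def verify(policy: ChallengePolicy, records, given: Dict[str, str]) -> bool:
    """True when at least policy.min_correct of the supplied answers match the stored hashes."""
    correct = 0
    for question, salt, digest in records:
        candidate = given.get(question)
        if candidate is None:
            continue
        test = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(test, digest):
            correct += 1
    return correct >= policy.min_correct


# Constructed sample enrollment (not real user data).
POLICY = ChallengePolicy()
GOOD_PAIRS = [
    ("What was the name of your first pet?", "Fluffy"),
    ("In which city were you born?", "Sarajevo"),
    ("What is your mother's maiden name?", "Kovac"),
]
BAD_PAIRS = [
    ("What was the name of your first pet?", "pet"),        # too short and taken from the question
    ("In which city were you born?", "Sarajevo"),
    ("What is your mother's maiden name?", "sarajevo"),      # duplicates the previous answer
]

if __name__ == "__main__":
    print("good:", validate_enrollment(POLICY, GOOD_PAIRS))
    print("bad: ", validate_enrollment(POLICY, BAD_PAIRS))
    stored = enroll(POLICY, GOOD_PAIRS)
    print("reset allowed:", verify(POLICY, stored, {GOOD_PAIRS[0][0]: "fluffy", GOOD_PAIRS[1][0]: "Sarajevo"}))
```

The normalization step matters in practice: users rarely type an answer exactly as they enrolled it, so comparing case-folded, whitespace-trimmed values avoids needless help desk calls without weakening the check. Storing answers only as salted hashes means a copy of the enrollment database does not hand an attacker the answers themselves.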
Events or actions performed through the self-service portal can be forwarded by e-mail to the administrator, or to anyone else who does the auditing. In addition to the administrative console and the end-user console, NetWrix Password Manager provides the Help Desk Portal. This web portal, as its name suggests, is intended for help desk staff. Somewhat as an alternative to the self-service portal, it allows a support technician to quickly and efficiently unlock locked accounts and reset passwords. The portal also provides quick and simple reports on the actions carried out through it and on the users who have enrolled in the system.
Alternatively, if you do not want to direct users to the web portal for these tasks, you can install the Password Manager client software on client computers to make the self-service password and account operations available from the logon screen. When the client is installed, users are offered enrollment in the system at the first logon after installation.
The whole system of account and password management works in a relatively simple way. All operations are performed in the context of a service installed on the computer or server on which NetWrix Password Manager and its portals run. The account under which the service runs can be specified during installation, and it must be delegated the rights to manipulate user accounts, namely password resets, account unlocks and a few additional operations listed in the software documentation. This approach is somewhat manual, but it allows an administrator to retain full control over what the software can do.
NetWrix Account Lockout Examiner
NetWrix Account Lockout Examiner is a quite simple but very useful piece of software designed for managing locked AD accounts and examining the causes of lockouts. Upon launch, it shows the list of user accounts that were locked for whatever reason, along with the workstation on which the lockout happened, the domain controller that locked the account, and a few more details.
Besides the ability to unlock the account directly from the console, it can also be used to discover why the account was locked. This is done by running a series of tests that check the scheduled tasks running under that account (which may still hold the old password and cause the lockout), the services using the account, and the mapped drives, shares or applications using it. The aim is to give the administrator a more detailed insight into the potential reason for the lockout when it is not something trivial, such as a forgotten password. It is also possible to establish a certain degree of automation in managing locked accounts, such as unlocking an account via e-mail from the administrator, or notifying the administrator by e-mail when a lockout occurs.
NetWrix Inactive Users Tracker and NetWrix Password Expiration Notifier
NetWrix Inactive Users Tracker is the part of NetWrix Identity Management Suite that monitors user activity and accounts, sends notifications accordingly, or takes a specific action. Extremely useful and easy to use, this tool helps administrators handle a fairly common concern: stale, leftover accounts in AD.
The first setting you should define is the number of days since the last logon after which an account is considered inactive. After that, you can take further action. For example, you can send an e-mail to the manager of the inactive user, automatically set a random password on the account, disable the account, or move it to another OU. The final option is to delete the account. Each of these actions is individually configurable and can be tied to a different number of days since the last logon. Technically, this tool reads the last-logon attribute on user accounts and, based on the result, uses the configured service account to perform the chosen operations.
A related tool lives in the same console: NetWrix Password Expiration Notifier. This component tracks the last password change on user accounts, compares it with the configured maximum password age, and notifies administrators or users that the time to change the password is near. It is a very simple tool, but it does its job and lets users start thinking about a new password in advance.
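Both of the tools just described boil down to reading a timestamp attribute from AD and comparing it with a day count. The following added example (my own illustration, not the product’s code) shows that logic for constructed sample accounts: the FILETIME conversion that AD attributes such as lastLogon and pwdLastSet require, an escalation ladder of inactivity actions, and the expiry reminder. The attribute names are the standard AD ones, but the thresholds, the 42-day maximum age and the 7-day warning window are assumptions. One caveat a practitioner should keep in mind: lastLogon is not replicated between domain controllers, so a tool has to query every DC or fall back on lastLogonTimestamp, which is replicated but by default updated only every 9 to 14 days.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# AD stores lastLogon, lastLogonTimestamp and pwdLastSet as Windows FILETIME values:
# 100-nanosecond ticks since 1601-01-01 UTC. A value of 0 means "never" (for pwdLastSet,
# "must change password at next logon").
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# Hypothetical escalation ladder (days inactive, action), consulted from the longest
# threshold down. The thresholds are assumptions, not the product's defaults.
INACTIVITY_LADDER: List[Tuple[int, str]] = [
    (180, "delete account"),
    (120, "move to Inactive OU"),
    (90, "disable account"),
    (60, "set random password"),
    (30, "notify manager"),
]


def inactivity_action(last_logon_ft: int, now: datetime, ladder=INACTIVITY_LADDER):
    """Return (days since last logon, action) for one account."""
    last = filetime_to_datetime(last_logon_ft)
    if last is None:
        # Never logged on: the age cannot be computed from this attribute alone.
        return None, "review manually (never logged on)"
    days = (now - last).days
    for threshold, action in ladder:
        if days >= threshold:
            return days, action
    return days, "none"


def password_expiry_notice(pwd_last_set_ft: int, max_age_days: int, warn_days: int, now: datetime):
    """Return (days until the password expires, whether a reminder is due)."""
    changed = filetime_to_datetime(pwd_last_set_ft)
    if changed is None:
        return None, True  # pwdLastSet = 0: the user must change the password at next logon
    days_left = (changed + timedelta(days=max_age_days) - now).days
    return days_left, days_left <= warn_days


# Constructed sample accounts (not real directory data), evaluated as of 2012-06-01.
NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)
ACCOUNTS = {
    "jdoe": {"lastLogon": datetime_to_filetime(datetime(2012, 2, 15, tzinfo=timezone.utc)),
             "pwdLastSet": datetime_to_filetime(datetime(2012, 4, 20, tzinfo=timezone.utc))},
    "asmith": {"lastLogon": datetime_to_filetime(datetime(2012, 5, 10, tzinfo=timezone.utc)),
               "pwdLastSet": datetime_to_filetime(datetime(2012, 5, 25, tzinfo=timezone.utc))},
    "newhire": {"lastLogon": 0, "pwdLastSet": 0},
}


def report(accounts=ACCOUNTS, now=NOW, max_age_days=42, warn_days=7):
    """Combine both checks into one row per account."""
    rows = {}
    for name, attrs in accounts.items():
        days, action = inactivity_action(attrs["lastLogon"], now)
        left, notify = password_expiry_notice(attrs["pwdLastSet"], max_age_days, warn_days, now)
        rows[name] = {"days_inactive": days, "action": action, "days_left": left, "notify": notify}
    return rows


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

The never-logged-on case is deliberately handed back for manual review rather than treated as "inactive for thousands of days": a freshly created account would otherwise be deleted by the top rung of the ladder.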
NetWrix Privileged Account Manager
Another distinct piece of software with a Silverlight-based console is NetWrix Privileged Account Manager, the latest addition to NetWrix Identity Management Suite. It is a solution designed for managing accounts that have in any way been delegated higher rights or privileges, including both system administration and service accounts on one or more servers. The essential purpose of NetWrix Privileged Account Manager is to centralize password management for all privileged accounts shared between multiple users or multiple services and applications. Adding an account in the PAM console automatically sets a random password that is synchronized to all systems where the account is used. Password changes also take place in the console, by default once a day, and are likewise synchronized to every place where the account is used. If necessary, the password can be read from the console (through the so-called check-out process), and when you are done and check the account back in, the password is changed again for security reasons. This solution is very interesting and definitely quite original. Passwords set on managed accounts through this console are randomly generated and 15 characters long, and you can define how many uppercase letters, lowercase letters, digits and special characters they must contain.
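The check-out/check-in cycle and the class-constrained 15-character generator are the two mechanisms worth understanding here, so here is an added example (my own code, not NetWrix’s) that models them. The 15-character length comes from the review; the per-class minimums, the special-character set, the in-memory target systems and the audit trail format are assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswordRule:
    """Generation policy: the review states 15 characters; the per-class minimums are assumptions."""
    length: int = 15
    min_upper: int = 2
    min_lower: int = 2
    min_digits: int = 2
    min_special: int = 2
    special_chars: str = "!@#$%^&*()-_=+[]{};:,.?"


def generate(rule: PasswordRule) -> str:
    """Build a password that satisfies every class minimum, then shuffle it with a CSPRNG."""
    pools = [
        (string.ascii_uppercase, rule.min_upper),
        (string.ascii_lowercase, rule.min_lower),
        (string.digits, rule.min_digits),
        (rule.special_chars, rule.min_special),
    ]
    if sum(n for _, n in pools) > rule.length:
        raise ValueError("class minimums exceed the password length")
    chars = [secrets.choice(pool) for pool, n in pools for _ in range(n)]
    alphabet = "".join(pool for pool, _ in pools)
    chars += [secrets.choice(alphabet) for _ in range(rule.length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # required characters must not sit at fixed positions
    return "".join(chars)


def satisfies(rule: PasswordRule, pw: str) -> bool:
    return (
        len(pw) == rule.length
        and sum(c.isupper() for c in pw) >= rule.min_upper
        and sum(c.islower() for c in pw) >= rule.min_lower
        and sum(c.isdigit() for c in pw) >= rule.min_digits
        and sum(c in rule.special_chars for c in pw) >= rule.min_special
    )


class TargetSystem:
    """Stand-in for a server that holds a copy of the shared account's credential."""
    def __init__(self, name: str):
        self.name = name
        self.passwords: Dict[str, str] = {}

    def set_password(self, account: str, password: str) -> None:
        self.passwords[account] = password


class ManagedAccount:
    """Shared privileged account whose current password lives only in the vault."""
    def __init__(self, name: str, rule: PasswordRule, targets: List[TargetSystem]):
        self.name, self.rule, self.targets = name, rule, targets
        self.password = ""
        self.checked_out_by: Optional[str] = None
        self.audit: List[str] = []
        self.rotate("added to vault")

    def rotate(self, reason: str) -> None:
        """Set a fresh random password and push it to every system that uses the account."""
        self.password = generate(self.rule)
        for target in self.targets:
            target.set_password(self.name, self.password)
        self.audit.append(f"rotated: {reason}")

    def check_out(self, who: str) -> str:
        if self.checked_out_by is not None:
            raise RuntimeError(f"{self.name} is already checked out by {self.checked_out_by}")
        self.checked_out_by = who
        self.audit.append(f"checked out by {who}")
        return self.password

    def check_in(self, who: str) -> None:
        if self.checked_out_by != who:
            raise RuntimeError(f"{self.name} is not checked out by {who}")
        self.checked_out_by = None
        self.rotate(f"checked in by {who}")  # the password that was revealed is retired on check-in


def demo():
    """Walk one account through vault add, check-out and check-in; returns account, targets, first password."""
    servers = [TargetSystem("SQL01"), TargetSystem("APP01")]
    acct = ManagedAccount("svc_sql", PasswordRule(), servers)
    first = acct.check_out("alice")
    acct.check_in("alice")
    return acct, servers, first


if __name__ == "__main__":
    acct, servers, first = demo()
    print(first, "->", acct.password)
    print("\n".join(acct.audit))
```

The point of rotating on check-in is that a password someone has seen, pasted or written down stops being valid the moment they are done with it, and the audit list records who held it in between. Note that `generate` draws every character from `secrets`, the Python CSPRNG; the `random` module would not be acceptable for credentials.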
NetWrix Logon Reporter
Finally, within NetWrix Identity Management Suite we have NetWrix Logon Reporter. This tool collects event logs, primarily those related to logons, logoffs and logon attempts on servers and workstations in the domain, and stores them as .evtx files and in an SQL database for later analysis. It also monitors events such as password changes, password resets, and account lockouts and unlocks. As with the other tools, everything can be sent as an e-mail notification.
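The Logon Reporter described here and the Account Lockout Examiner described earlier both work from the same raw material, the security event log, so one added example (my own code, not NetWrix’s) covers both: it tabulates successes, failures and lockouts per account, and for each lockout it identifies the host and logon type behind the failures that preceded it, separating a scheduled task or service still holding an old password from a user mistyping theirs. The event IDs (4624, 4625, 4740) and logon type numbers are the standard Windows values, which the review does not mention; the event records, field names, host names and the 30-minute window are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of Windows security events (not real logs). The field names are
# simplified: Windows records a successful logon as event 4624, a failed logon as 4625 and
# an account lockout as 4740; logon type 2 = interactive, 4 = batch (scheduled task),
# 5 = service. Accounts, hosts and times are the sample's own.
EVENTS = [
    {"id": 4624, "time": "2012-05-14 07:55:02", "account": "alice", "source": "WS42", "logon_type": 2},
    {"id": 4625, "time": "2012-05-14 08:00:05", "account": "svc_backup", "source": "FS01", "logon_type": 4},
    {"id": 4625, "time": "2012-05-14 08:00:06", "account": "svc_backup", "source": "FS01", "logon_type": 4},
    {"id": 4625, "time": "2012-05-14 08:00:07", "account": "svc_backup", "source": "FS01", "logon_type": 4},
    {"id": 4740, "time": "2012-05-14 08:00:10", "account": "svc_backup", "source": "FS01", "dc": "DC01"},
    {"id": 4625, "time": "2012-05-14 09:10:00", "account": "alice", "source": "WS42", "logon_type": 2},
    {"id": 4625, "time": "2012-05-14 09:10:12", "account": "alice", "source": "WS42", "logon_type": 2},
    {"id": 4625, "time": "2012-05-14 09:10:30", "account": "alice", "source": "WS42", "logon_type": 2},
    {"id": 4740, "time": "2012-05-14 09:10:35", "account": "alice", "source": "WS42", "dc": "DC02"},
    {"id": 4625, "time": "2012-05-14 10:00:00", "account": "bob", "source": "WS07", "logon_type": 2},
]

LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch (scheduled task)", 5: "service"}
STORED_CREDENTIAL_TYPES = (4, 5)  # tasks and services authenticate with a saved password


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def logon_summary(events=EVENTS) -> Dict[str, Dict[str, int]]:
    """Per-account counts of successes, failures and lockouts, the table a logon reporter builds."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"ok": 0, "failed": 0, "lockouts": 0})
    for e in events:
        if e["id"] == 4624:
            summary[e["account"]]["ok"] += 1
        elif e["id"] == 4625:
            summary[e["account"]]["failed"] += 1
        elif e["id"] == 4740:
            summary[e["account"]]["lockouts"] += 1
    return dict(summary)


def explain_lockouts(events=EVENTS, window=timedelta(minutes=30), threshold=3) -> List[Tuple[str, str, str]]:
    """For each lockout, name the host and logon type behind the preceding failures and a likely cause."""
    findings = []
    for lock in (e for e in events if e["id"] == 4740):
        t_lock = parse_time(lock["time"])
        failures = [
            e for e in events
            if e["id"] == 4625 and e["account"] == lock["account"]
            and t_lock - window <= parse_time(e["time"]) <= t_lock
        ]
        by_origin = Counter((e["source"], e["logon_type"]) for e in failures)
        if not by_origin:
            findings.append((lock["account"], lock["source"], "no failed logons recorded before the lockout"))
            continue
        (host, ltype), n = by_origin.most_common(1)[0]
        kind = LOGON_TYPES.get(ltype, f"type {ltype}")
        if n >= threshold and ltype in STORED_CREDENTIAL_TYPES:
            cause = f"{n} {kind} failures from {host}: likely a stored credential with an old password"
        elif n >= threshold:
            cause = f"{n} {kind} failures from {host}: probably a forgotten or mistyped password"
        else:
            cause = f"{n} {kind} failures from {host}: inconclusive, check other hosts"
        findings.append((lock["account"], host, cause))
    return findings


if __name__ == "__main__":
    for account, counts in logon_summary().items():
        print(f"{account:12} {counts}")
    for account, host, cause in explain_lockouts():
        print(f"{account} locked from {host}: {cause}")
```

In a real environment the failure events live on the domain controllers (and, for local failures, on the host itself), so the collection step the review describes, pulling the logs from every DC and workstation into one store, is what makes this correlation possible at all; the logon type is the field that turns "three bad passwords" into "a scheduled task on FS01 still has last month's password".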
In conclusion, it is difficult to say anything except that this set of tools definitely belongs on the wish list of every Active Directory administrator. Just like the change auditing solutions we reviewed earlier, NetWrix Identity Management Suite shares the same attributes, namely ease of use and configuration and minimal software and hardware requirements, and all the components of the Suite did exactly what we expected. At first glance, anyone can see that it significantly improves the work with digital identities and accounts in general. However, it should be noted that the field in which these tools operate is very sensitive, so it is very important to understand how each of the tools works and to control their use. The license fee, which starts at 5.25 USD per user, is also very reasonable, and we can say that it really justifies the functionality. After 13 years of experience working with the Active Directory service, I can really recommend this software to all system administrators.