BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

PowerBroker Recovery for Active Directory Takes the Pain and Uncertainty out of AD Recovery

Post by Morgan Holm March 19, 2012

I remember back in school working on an essay for days, saving it to my local 5 ¼ inch floppy just to find a disk error when trying to print it the day before it was due. Remembering all that I wrote, and then actually doing the work, gave me an unsettling feeling in my lower stomach. I am sure we have all been there. Well, having more than a decade of experience with Active Directory I can tell you I have come across a fair share of administrators who have come across a similar scenario.

The thought of a blown away OU or massive disruption caused by an automated script “gone bad” is definitely not fun for an administration team and can greatly affect a business’s bottom line. When rewriting my lost essay it was just me making additions and changes to the source, and therefore foreseeable that I could remember most of the additions and edits that I had made. However, in Active Directory there could be dozens of administrators, help desk staff, users, and automated processes making changes to the directory objects. When a malicious or inadvertent change affects the health of the directory, restoring it is not only a daunting administrative task, it is also an expensive and timely exercise that includes:

Backup Identification and Verification: The administrators need to find and verify the last “good” backup from which to start their recovery operations.

Data Loss Discovery and Validation: The administrators need to identify the good changes, and inform the business that these changes made will need to be reapplied. The volume of these changes and potential for data loss could be significant. Take for example a scenario where the directory troubles are discovered at 3:00 PM and the last good backup was the previous evening—say 1:00 AM. In this example there are 14 hours of potential user and system driven changes that may have been applied to the production Active Directory, but not reflected in the backup source. This could include user and group changes dictated by help desk and HR processes. Not only do these changes need to be re-applied, but also any supplementary documentation to support compliance and security initiatives may also need to be updated to reflect these issues and remediation efforts.

Data re-application: Once the source backup and good changes have been identified, they need to be re-applied to the directory. This could be done manually, but it is preferred that these changes can be applied in an automated way to speed recovery and reduce errors. This may involve re-running automated processes, creating and running some scripts. However, when performing the recovery you need to ensure that you are only applying the good changes in a way that does not affect other objects and attributes—again, not a trivial process.

While these steps are somewhat generalized, they outline some of the high-level steps required to recover from a domain and object level directory issues and outages. Finding a good backup is typically not that difficult, assuming that you are performing and verifying Active Directory backups within your environment. But, that is only a small component of the recovery operation. Reducing data loss, verifying the final directory state, and ensuring that all supporting documentation and processes have been updated can take a significant amount of time and resources.

This is why Active Directory recovery solutions have become a staple for many organizations in which their AD environment has become a critical component of their IT and business processes.

PowerBroker eliminates and automates much of the recovery process to reduce errors, eliminate data loss and ensure the business is up and running as quickly as possible.

Backup Identification and Verification
PowerBroker Recovery for Active Directory eliminates the need to find and load various backup files by providing a single-instance online change log, which enables organizations to quickly review and compare directory objects back to previous point-in-time backups from a single interface.

Data Loss Discovery, Validation and Re-application
PowerBroker Recovery for Active Directory also provides online object and attribute level comparisons and rollbacks to target only those specific changes that need to be rolled back. This greatly reduces possible data loss and errors, as well as the labor cost of locating and reapplying specific changes from a point-in-time backup.

Ensuring Zero Data Loss
In addition to point-in-time backups, PowerBroker Recovery for AD is the only solution to provide a continuous change log for Active Directory. This online log protects directory content up to the point of the error or malicious event. If a user, or even an entire OU, is deleted, the change log will enable the user to recover all object and attribute data up to the point of the deletion event, resulting in ZERO data loss with a few clicks of the mouse. The continuous audit log also features an “UNDO” button that enables changes to objects and attributes to be rolled back with a single mouse click.

If you’re organization is serious about Active Directory and concerned about the potential impact of outages, you may want to have a look at our award winning solution
http://www.beyondtrust.com/Home/AllProducts/

Tags:
, , ,

Leave a Reply

Additional articles

smart rules manager for vulnerabilities - v2

A New Way of Looking at Vulnerabilities in Your Environment

Assets, users, vulnerabilities and exploits; all are common themes in my posts on BeyondInsight. With BeyondInsight v5.1, we unveiled a new way to view exploitable assets. Sure, most vulnerability management solutions link vulnerability data to exploit information, allowing tools like NeXpose and QualysGuard to list an asset, its vulnerabilities, and any related exploits. BeyondInsight does…

Post by Morey Haber April 23, 2014
Tags:
, , , , ,
smart rules manager for vulnerabilities

Staying on Top of the Latest Vulnerabilities with BeyondInsight v5.1

It’s no secret that dozens of new OS and application vulnerabilities are revealed every day. Staying on top of these new exposures normally requires paying for services or subscribing to multiple RSS feeds. BeyondInsight 5.1 provides customers with another option: a built-in, customizable vulnerability alerting system that delivers up-to-date information on the latest vulnerabilities in…

Post by Morey Haber April 21, 2014
Tags:
, , , , , ,
BI-Qualys-Connector-IMG1

Getting More Value from QualysGuard Vulnerability Data with BeyondInsight v5.1

If your vulnerability assessment scans can’t produce meaningful and actionable reports, performing a scan does no good for anyone. If you’ve read my other blog posts, you know I have no qualms about stating that BeyondTrust provides the best vulnerability reporting in the industry. Ask your favorite analyst and they’ll tend to agree. Of course,…

Post by Morey Haber April 18, 2014
Tags:
, , , , , , , ,