Automated Groups and Service Accounts in Active Directory. TechDays, June 2014. Presented by Andrew Hamilton and Chuck Phillips.
Brief History of IDM @ UNM
• IBM Mainframe (1970s)
  • First system requiring ‘management’ of accounts, via the User Number Clerk
• Growth of UNIX on campus (early 1990s)
  • Network Information Service or NIS (originally called Yellow Pages or YP)
  • Need for automated account management and synchronization
• CCAT “Convenient Computer Access Today” was developed (1992-1993)
  • Automated management of MVS, CMS, VMS and UNIX accounts
• LDAP “Lightweight Directory Access Protocol” installed (1996)
  • Simple scripts were put in place to sync LDAP and UNIX accounts
• LAMB “LDAP Access Management Bundle” was born (2003)
  • CCAT was retired
  • Real-time provisioning of accounts
  • Real-time synchronization of passwords between LDAP, UNIX and Oracle
• PICES was spawned (2007)
  • Provided a structured way to provision directories across campus
• Enterprise Active Directory adopted (2008)
  • A campus-wide committee redesigned the Active Directory structure and standards
Agenda
• Auto-populated groups from Banner to Active Directory
  • Provide secure central access to Banner-sourced data
  • Reduce complexity and red tape for consuming data
• Active Directory service account management
  • Process for obtaining privileged access
  • Planned changes to service accounts
Ask questions when they arise.
Auto-populated AD groups
Groups based on role (example roles):
• Student college
• Student major
• Student program of study
• Student level
• Student year
• Student registration status
• Student sections
• Student courses
• Staff org code
• Staff org level 3
• Staff org level 2
• Person’s role at UNM
• Person’s campus
Groups: Staff Level 3 Org (groups based on organization)
• Name format: banner-orglevel3-AAB
• Data source: Banner job record
• Sample values:
Groups: Staff Level 2 Org (groups based on organization)
• Name format: banner-orglevel2-AD
• Data source: Banner job record
• Current values:
Groups: Staff Org Code (groups based on department number)
• Name format: banner-org-324A
• Data source: Banner job record
• Sample values:
Groups: Student College (groups based on college)
• Name format: banner-stucollege-AD
• Data source: Banner student record, current term
• Current values:
Auto-populated CLASS groups
• Group names are obfuscated to honor FERPA: the security group name is unrelated to the section data.
• The group name can be obtained by searching the description of the group.
• Built based on registration data.
• New groups for every semester, provisioned two weeks before the semester.
• Old groups are destroyed when finished, removed two weeks after the semester ends.
Group Categorization: Structured, Automated
• Groups (Access Management, WES use only)
  • SysAccounts: reserved for future use
  • SysBannerGroups: unrestricted employee roles
  • SysGroups: protected data
“Securing Private Data”
Requesting access:
• FastInfo 7064 defines how to request access to view the student data (fastinfo.unm.edu, search for ‘Autopop group’).
• Attach the certificate to the Service Request.
• OU Admin training: sign up in Learning Central for the OU admin training from WES.
• Use standard group management techniques:
  • Create a group with permissions
  • Assign membership
• Service account
  • Extra layer of security
  • New/Old
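As an added example (not code from the TechDays deck), the PowerShell below applies the “create a group with permissions, assign membership” pattern to an auto-populated class group: because class group names are obfuscated, the group is located by its description, then nested in a departmental resource group that carries the share permission. The description search text, resource group name, OU path, share path and domain name are placeholders.

```powershell
# Added example, not from the TechDays deck. Requires the RSAT ActiveDirectory module.
# Placeholders: description search text, resource group name, OU path, share path, domain name.
Import-Module ActiveDirectory

$classPattern  = '*CONSTRUCTED 101*'     # constructed: text expected in the class group's description
$resourceGroup = 'ExampleDept-Share-RO'  # constructed departmental resource group name
$ouPath        = 'OU=Groups,OU=ExampleDept,DC=example,DC=edu'   # placeholder OU
$sharePath     = '\\fileserver.example.edu\deptshare'          # placeholder share
$domainNetbios = 'EXAMPLE'                                      # placeholder domain

# 1. Class group names are obfuscated (FERPA), so locate the group by its description.
$classGroup = Get-ADGroup -Filter "Description -like '$classPattern'" -Properties Description
if (-not $classGroup) { throw "No class group matches description '$classPattern'" }
if (@($classGroup).Count -gt 1) { throw 'Description pattern is ambiguous; refine it' }

# 2. Create the departmental resource group that will carry the permission (idempotent).
if (-not (Get-ADGroup -Filter "Name -eq '$resourceGroup'")) {
    New-ADGroup -Name $resourceGroup -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
}

# 3. Nest the auto-populated group. Its membership keeps following Banner registration data,
#    so a student who drops the section loses access without anyone editing the ACL.
Add-ADGroupMember -Identity $resourceGroup -Members $classGroup

# 4. Put the permission on the resource group, never on the Banner-sourced group itself.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$domainNetbios\$resourceGroup", 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl
```

When the semester’s class group is destroyed, the nested membership simply disappears and the resource group’s ACL entry stays in place for the next term’s group.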
Service Accounts
• Active Directory is becoming more integral and IDs are becoming centrally managed.
• Eventually there will no longer be a need to create or delete user accounts manually in AD.
• Centralizing identity management around a consistent standard.
Account management with central IdM: transparency; more resilient, more adaptable, more flexible.
Why Service (SVC) Accounts?
Admin accounts
• Secondary account for system administrators
  • Elevated privileges
  • Access to services that manage sensitive data
  • Enterprise appliances and applications
  • OU administration
  • Workstation or server admin logins
System accounts
• Software account
  • Software is installed to run as this account to isolate it from the system and other users.
• Overhead accounts, used to run scripts.
Active Directory Structure
• Separated into Organizational Units
  • Accounts (people) are populated automatically based on Banner
  • Groups, servers and workstations are managed by departmental “OU Administrators”
• Svc accounts
  • Should end in ‘svc’
  • Reside in a sub-OU called SvcAcnts
Retain control and flexibility; simplify account management.
Goals
• The OU Admin is responsible for maintaining service accounts
  • WES creates the initial OU delegation
  • The OU Admin removes them when finished
• How can UNM’s Accounts Management team help?
  • Elimination of abandoned privileged accounts
  • Adapt to UNM’s needs
  • LAMB will sync to the SvcAcnts sub-OU
  • Each account belongs to an owner that can be tracked
  • Privileged accounts terminate with their owner
  • OU Admins can delegate sensitive administration
Administrative accounts will be more structured. Active Directory will be cleaner and more secure.
Distribution Lists: new early warning mechanisms
• Email notifications
  • File shares reaching the quota limit
  • Service availability
  • Server performance
• Reporting tools
  • OU audit and activity reporting
  • Monthly reporting and real-time alerts
Service (SVC) Accounts
• Management of service accounts is moving to HELP.unm.edu service requests.
• There will be a FastInfo describing the method for creating service accounts.
• A service account is requested through Help.
  • Needs a department sponsor.
  • Needs a written justification.
  • The service account will be tied to the requestor’s account.
• Once created, OU Administrators will authorize the account to their services.
  • Control and responsibility remain in the OU Admin’s hands.
Delegation will be more transparent. Audits will be easier to perform.
Service (SVC) Accounts
• Serviced with the LAMB/NetID process
  • Password changes to service accounts can be made through netid.unm.edu just like other accounts.
  • The previous password must be known.
  • Self-service password resets for non-OU admins.
• Password policy to be in sync with LDAP
  • Account passwords will expire in LDAP every 180 days.
  • Password expiration notices will go to the identified owner of the service account.
• Renewal of service accounts on a regular basis
  • Accounts will be renewed yearly to ensure need and functionality.
  • Service account owners will be put on a mailing list for notification of service changes.
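An added example (not the deck’s own tooling) that an OU Admin could run to check service accounts against the standards in the deck: the name ends in ‘svc’, the account lives in a SvcAcnts sub-OU, an owner is recorded, the owner is still active, and the password is not older than 180 days. It assumes the RSAT ActiveDirectory module and that the owner is recorded in the ManagedBy attribute, which the deck does not specify.

```powershell
# Added example, not from the TechDays deck. Requires the RSAT ActiveDirectory module.
# Assumption: the tracked owner of a service account is stored in ManagedBy (the deck
# says owners are tracked but not which attribute holds them).
Import-Module ActiveDirectory

$maxPasswordAgeDays = 180                          # expiry period stated in the deck
$cutoff = (Get-Date).AddDays(-$maxPasswordAgeDays)

# Every SvcAcnts sub-OU, whichever departmental OU it sits under.
$svcOUs = Get-ADOrganizationalUnit -Filter "Name -eq 'SvcAcnts'"

$findings = foreach ($ou in $svcOUs) {
    $accounts = Get-ADUser -SearchBase $ou.DistinguishedName -Filter * `
        -Properties PasswordLastSet, ManagedBy, Enabled
    foreach ($a in $accounts) {
        $issues = @()
        if ($a.SamAccountName -notmatch 'svc$') { $issues += 'name does not end in svc' }
        if (-not $a.ManagedBy)                  { $issues += 'no owner recorded' }
        if (-not $a.PasswordLastSet -or $a.PasswordLastSet -lt $cutoff) {
            $issues += "password older than $maxPasswordAgeDays days"
        }
        if ($a.ManagedBy) {
            # A privileged account that outlives its owner is the abandoned-account case.
            $owner = Get-ADUser -Identity $a.ManagedBy -Properties Enabled -ErrorAction SilentlyContinue
            if (-not $owner -or -not $owner.Enabled) { $issues += 'owner account disabled or missing' }
        }
        if ($issues) {
            [pscustomobject]@{
                OU      = $ou.DistinguishedName
                Account = $a.SamAccountName
                Enabled = $a.Enabled
                Issues  = $issues -join '; '
            }
        }
    }
}

# Accounts that follow the naming rule but sit outside any SvcAcnts sub-OU, so LAMB
# will not sync them and they escape the owner/expiry controls above.
$misplaced = Get-ADUser -Filter "SamAccountName -like '*svc'" |
    Where-Object { $_.DistinguishedName -notmatch ',OU=SvcAcnts,' } |
    Select-Object SamAccountName, DistinguishedName

$findings  | Sort-Object OU, Account | Format-Table -AutoSize
$misplaced | Format-Table -AutoSize
```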
How does this affect you?
• Over 9,000 Summer groups ready to use right this moment!
• Close to 16,000 groups during the Fall and Spring semesters.
• Service account management and automation
  • Coming later this summer
  • Keep an eye on the standard communication paths for further announcements, e.g. OUAdmins-L@list.unm.edu, IT Alerts, IT Agents and other communication.