Latest posts by Brandon Lee (see all)
- SystemTools Hyena: Simplify Active Directory management - Thu, Dec 5 2019
- SolarWinds Kiwi Syslog Server: A versatile syslog solution - Tue, Dec 3 2019
- New features in SQL Server 2019 GA - Thu, Nov 28 2019
- What is SolarWinds Access Rights Manager?
- Key use cases of Access Rights Manager
- Access Rights Manager versions
- Installation components
- Installation requirements
- Installing SolarWinds Access Rights Manager
- Access Rights Manager configuration utility
- ARM Server GUI features and functionality
- Impressions and wrapping up
Businesses today are facing ever-increasing challenges to bolster security and meet compliance regulations. With the complex and very extensive nature of today's environments, including both physical and virtual resources, it can become extremely difficult to secure and audit resources effectively across your IT infrastructure.
An extremely important aspect of auditing the security and compliance of business systems is auditing access rights and accounts. Manually auditing access rights and accounts across a wide range of physical and virtual resources can be tedious, error prone, and painstakingly difficult. There is no question that businesses must use an automated approach to meet today's growing security and auditing challenges around access rights management.
One such automated solution that holds the promise of assisting your business with auditing access rights in your IT infrastructure is SolarWinds Access Rights Manager (ARM). What is Access Rights Manager? How well does it allow you to meet the challenges of managing and auditing access rights across your IT infrastructure? Let's see.
What is SolarWinds Access Rights Manager? ^
Access Rights Manager is an application that provides automated management and auditing of access rights within your IT infrastructure. It contains several key features that allow organizations to be able to accomplish these objectives effectively. These include automated tools that allow you to:
- Understand and have visibility to high-risk access in your infrastructure
- Discover and minimize insider threats
- Improve compliance and detect changes in your environment
- Quickly discover who has access to what resources
- Provision accounts quickly and accurately
- Identify and monitor high-risk accounts
Key use cases of Access Rights Manager ^
Why should you consider using an Access Rights Manager solution in your environment? What are key symptoms or characteristics to look for in your environment that indicate a need for an automated solution?
- Your Active Directory (AD) structure has grown constantly, and you find it difficult to have context in its structure
- You are unsure of who or what may have access to file servers, Exchange, SharePoint, or other business-critical resources
- You are unaware of current as-is processes in AD, files servers, Exchange, or SharePoint
- There are no processes or responsibilities in place for securing access rights in your organization
- Changes to important accounts and file/folder resources often "fly under the radar"
- You may currently be managing your access rights by hand and documenting these in Excel or Word documents
SolarWinds Access Rights Manager lets you focus on five central disciplines for securing access rights in your IT infrastructure environments. These include:
- Permission analysis
- Documentation and reporting
- Security monitoring
- Role and process optimization
- User provisioning.
In harmony with these five disciplines, Access Rights Manager's security and compliance automation allows you effectively to:
- Have visibility into the rights of users in your organization: With ARM, you can scan your Active Directory and file servers to analyze user access to systems, data, and files, and help protect against the risks of data loss and breaches.
- Automate and orchestrate the provisioning and deprovisioning of user accounts. When users leave, it can become a headache to remember where all permissions for that user are applied. However, using ARM, you can provision and deprovision users and their permissions in seconds. Delegating permissions becomes easy as well by using ARM in the environment.
- Identify users with insecure configurations; build a full audit trail of all permissions and access-level changes to help with timelines and other artifacts of cybersecurity investigations.
- Automate regulatory compliance reporting: have access to comprehensive audit reporting for auditors.
- Simplify SharePoint permissions management: Assess user permissions to SharePoint folders and files, automate SharePoint permissions management, monitor suspicious activity, and respond to security risks.
- Active Directory reporting tool: Analyze AD user and group permissions to validate compliance, detect escalated privilege attempts or credential misuse, and automate deprovisioning to prevent data exfiltration.
- Support your compliance mandates, such as the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA) to ensure that all Active Directory permissions are compliant with these mandates. Additionally, you can effectively report on relevant AD user and group permissions data and receive notifications when changes occur.
- Detect credential misuse and have an effective way to examine insights into credential abuse.
- Automate account deletion: you can automate account discovery and deprovisioning of inactive or expired accounts.
- Demonstrate compliance: Without an automated solution, demonstrating compliance and having the required data to prove you are compliant can be difficult. With the Access Rights Manager solution, you have access to the automated reporting tools that allow collecting and presenting data in a way to demonstrate this compliance effectively.
What versions of SolarWinds Access Rights Manager are available?
Access Rights Manager versions ^
When it comes to installing SolarWinds Access Rights Manager, there are two versions to choose from for the installation:
- ARM Audit Edition
- ARM Full Version
The following table compares the feature details of each version of the product.
|Feature||ARM Audit Edition||ARM Full Version|
|User permission analysis for Active Directory, Azure AD, file servers (Windows, EMC, NetApp), SharePoint, SharePoint Online, Exchange, Exchange Online, OneDrive, SAP||Yes||Yes|
|Monitoring (logging) for Active Directory, file servers (Windows, EMC, NetApp), SharePoint Online, Exchange, Exchange Online, OneDrive||Yes||Yes|
|Risk analysis overview||Yes||Yes|
|User provisioning for Active Directory and Azure AD||No||Yes|
|Permission management for Active Directory, file servers (Windows, EMC, NetApp), SharePoint, SharePoint Online, Exchange, Exchange Online, OneDrive||No||Yes|
|Data owner concept (delegation of access rights management)||No||Yes|
|Self-service permission portal||No||Yes|
Installation components ^
The Access Rights Management suite comprises the following components:
Included with the ARM installation package:
- The ARM server: Process new data and requests from the main application, including the first collector to connect your resource and data systems
- The ARM application: The front-end GUI for using ARM
- The ARM configuration application: The front-end GUI for configuring ARM
- Web components: The web client and Web API for accessing and using ARM
- Microsoft SQL Server Express database server: Use an existing MS SQL Server instance or install the included Express Edition to store ARM's collected information (great for the basic installation or evaluations)
Included with the ARM installation package:
- Additional ARM collectors: install more collectors to balance loads in large environments
Installation requirements ^
The following are the requirements for a basic installation of the ARM Server. Additional requirements may be necessary for the ARM collector and GUI application requirements. If you decide to use an external SQL Server outside of the included SQL Server Express installation, you will want to note the SQL Server requirements provided by SolarWinds on their requirements page.
|Operating system||Windows Server 2008 R2|
|Windows Server 2012|
|Windows Server 2012 R2|
|Windows Server 2016|
|Windows Server 2019|
|CPU (number of processor cores)||Active Directory users||Number of cores|
|up to 1,000||2|
|up to 4,000||4|
|No support for Intel Itanium platforms|
|Hard drive space||Active Directory users||Disk space|
|up to 1,000||30 GB|
|up to 4,000||40 GB|
|Memory||Active Directory users||RAM|
|up to 1,000||4 GB|
|up to 4,000||8 GB|
|.NET Framework||.NET 4.8 (or higher)|
|Access rights||The service account requires local administrator rights on the ARM server.|
|Other||The ARM server must be a member of an Active Directory domain.|
|No support for clusters|
|No support for Server Core|
Let's look at installing the SolarWinds Access Rights Manager solution.
Installing SolarWinds Access Rights Manager ^
I found installing SolarWinds Access Rights Manager was very straightforward. The following walkthrough shows the installation of the Evaluation edition. When you install the 30-day Evaluation version, you can easily use the "all-in-one" installation of ARM that installs the SQL Express installation along with ARM. This makes evaluating the product extremely easy from a components standpoint to get the installation up and running.
As you can see, the Evaluation installation:
- Installs everything you need to run ARM
- Installs SQL Server Express locally
- Is recommended for evaluating ARM
Next, accept the end-user license agreement (EULA).
The next screen is the Install Report. The name is not that intuitive at first; however, this is basically a preinstallation check of the underlying hardware, components, and requirements to make sure there are no "showstoppers" to the installation before proceeding.
Once the preinstallation Install Report is complete, you can continue with the actual installation of Access Rights Manager Server.
One issue the preinstallation check did not catch in my case was the lack of a certificate for use with the web server components. I received the Failed to automatically configure web client message. I clicked the Configure manually button to move on.
Initially, after investigating, I found the certificate blank. You can use the new-self signed certificate cmdlet to generate a new certificate for testing. This is what I did, and after clicking the Refresh button, the certificate appeared.
After resolving the certificate issue, I was able to move forward, click Apply, and then Launch ARM Configuration.
Click the button to Login to the Access Rights Manager configuration utility.
Access Rights Manager configuration utility ^
Before using the Access Rights Manager Server for auditing permissions, you first need to configure gathering security and accessing information from your infrastructure. The installation process workflow by default takes you into the configuration utility.
One of the first things you will want to do is populate the Credentials for Active Directory and SQL Server access.
Once you do this, the configuration status should test successfully. Save the configuration.
Confirm saving the changes.
Now that you have completed this initial configuration task in the Access Rights Manager configuration utility, you can set up your first scan. Navigate back out to the main configuration utility page. The first button you will see underneath the Server Status is the Scans configuration. Click Scans.
One of the first logical places to start if you are using Microsoft Active Directory in your environment is adding a Domain/Active Directory Resource to scan.
ARM automatically fills in a few details here from the initial credentials entered earlier in the configuration utility. The user and domain are already populated. Click Apply.
Once you click Apply, it adds the new domain scan configuration to the ARM scan configuration. Notice the "play" button. You can click this to kick off an ad-hoc scan of the domain manually. The defaults will automatically schedule the scan to run at 10:00 p.m. every night. You can change the configuration of the hyperlinked items.
As an example, clicking the "Permissions will not be scanned" link opens the Scan permissions on Active Directory window. You can configure additional permission scans for Active Directory here.
Now that we have a scan configured for Active Directory, let's take a look at the ARM Server GUI to get an overview of the functionality contained.
ARM Server GUI features and functionality ^
One point to keep in mind to avoid confusion is the configuration utility is not the Server GUI for viewing auditing, permissions, and other information. You need to launch the Access Rights Manager GUI to view your scans, reporting, and so forth. First, you will need to log in to the ARM Server interface.
One of the first things that will strike you when launching the Access Rights Manager interface is the wealth of quick links to take you to very valuable information right from the start.
This includes quick links for permissions analysis, user provisioning, documentation and reporting, and many others. This provides a great way to start getting value from the product quickly.
Another thing you will notice quickly is the large Search field at the top. This allows you to search on any objects or keywords contained in the ARM system. This is also customizable as to the scope of the search.
By clicking the "settings cog" in the search field, you can add different types of objects to return in the search queries from the search form.
I found the Resources dashboard was a great first stop in the interface. You can browse your AD structure and get detailed reporting on objects as you click on them. Once you click an object, you will see the Report drop-down menu. This contains various reports, including Account Details, "Who did what?" and many others.
One of the great features you will find under the Resources menu is the ability to create Alerts. With the Alerts feature, you can create fully customizable alerts on objects for any number of changes that might be made.
The Create Alert screen allows you to customize the parameters for the alert, event, threshold, actions, and so on. This allows the product to notify administrators proactively on changes to specified objects.
On the Permissions dashboard, you can build queries on resources accessed. You can easily see the resulting permissions for the various resources.
The Accounts dashboard provides an interesting graphical view of your resources, memberships, and so on. You can also easily view the attributes for the resource.
You can even use the ARM interface to create objects if you have a writeable account configured for making AD changes.
Under the Dashboard menu, you get a great deal of valuable metrics from your Active Directory infrastructure. You can see the dashboard primarily focuses on details from AD that can possibly be security risks. This can help give great visibility to potential issues an admin should address quickly.
The Multi-selection screen allows filtering down objects and selecting objects from the AD infrastructure.
The Logbook screen provides an automated way to show changes documented in your infrastructure. It records changes in this section, including time, author, and specific changes.
Moving on to the Scan comparison screen, you can compare the state of your infrastructure with a specific scan time so you can have visibility to changes that have happened in the various intervals between scans.
As you can see below, the scan comparison captured a user added as well as a group membership change that also occurred.
Keep in mind that you can export all the information displayed throughout the various dashboards in easy-to-read reports provided as needed, which is a great feature.
Impressions and wrapping up ^
All in all, I found SolarWinds Access Rights Manager to be a powerful tool for giving visibility to potential security risks, changes in the environment, as well as a great way to capture changes for auditing. The various dashboards contained in the ARM interface were intuitive and featured basic "point-and-click" navigation and workflow. This was much easier to use than other access rights and auditing solutions I have used.
I can see this utility being a great fit for organizations that find it difficult to track changes in their environments and need visibility to what is actually going on, including who or what is responsible for changes. Additionally, in terms of compliance regulations, the automated tools contained in ARM provide just what is needed for documenting and tracking changes and access rights to resources across your infrastructure.
Regardless of the size of your environment, SolarWinds Access Rights Manager is a great tool for gaining the visibility needed along with the management capabilities to control access to business-critical resources within your infrastructure. You can download a fully functional evaluation of SolarWinds Access Rights Manager here.