Tracking changes and access rights across complex IT infrastructures can be difficult. In a review of SolarWinds Access Rights Manager let's look at features, functionality, and impressions of this automated access rights management and auditing tool.

Brandon Lee

Brandon Lee has been in the IT industry 15+ years and focuses on networking and virtualization. He contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Businesses today are facing ever-increasing challenges to bolster security and meet compliance regulations. With the complex and very extensive nature of today's environments, including both physical and virtual resources, it can become extremely difficult to secure and audit resources effectively across your IT infrastructure.

An extremely important aspect of auditing the security and compliance of business systems is auditing access rights and accounts. Manually auditing access rights and accounts across a wide range of physical and virtual resources can be tedious, error prone, and painstakingly difficult. There is no question that businesses must use an automated approach to meet today's growing security and auditing challenges around access rights management.

One such automated solution that holds the promise of assisting your business with auditing access rights in your IT infrastructure is SolarWinds Access Rights Manager (ARM). What is Access Rights Manager? How well does it allow you to meet the challenges of managing and auditing access rights across your IT infrastructure? Let's see.

What is SolarWinds Access Rights Manager? ^

Access Rights Manager is an application that provides automated management and auditing of access rights within your IT infrastructure. It contains several key features that allow organizations to be able to accomplish these objectives effectively. These include automated tools that allow you to:

  • Understand and have visibility to high-risk access in your infrastructure
  • Discover and minimize insider threats
  • Improve compliance and detect changes in your environment
  • Quickly discover who has access to what resources
  • Provision accounts quickly and accurately
  • Identify and monitor high-risk accounts

Key use cases of Access Rights Manager ^

Why should you consider using an Access Rights Manager solution in your environment? What are key symptoms or characteristics to look for in your environment that indicate a need for an automated solution?

  1. Your Active Directory (AD) structure has grown constantly, and you find it difficult to have context in its structure
  2. You are unsure of who or what may have access to file servers, Exchange, SharePoint, or other business-critical resources
  3. You are unaware of current as-is processes in AD, files servers, Exchange, or SharePoint
  4. There are no processes or responsibilities in place for securing access rights in your organization
  5. Changes to important accounts and file/folder resources often "fly under the radar"
  6. You may currently be managing your access rights by hand and documenting these in Excel or Word documents

SolarWinds Access Rights Manager lets you focus on five central disciplines for securing access rights in your IT infrastructure environments. These include:

  1. Permission analysis
  2. Documentation and reporting
  3. Security monitoring
  4. Role and process optimization
  5. User provisioning.
SolarWinds Access Rights Manager's five disciplines of securing access rights (Image courtesy of SolarWinds)

SolarWinds Access Rights Manager's five disciplines of securing access rights (Image courtesy of SolarWinds)

In harmony with these five disciplines, Access Rights Manager's security and compliance automation allows you effectively to:

  • Have visibility into the rights of users in your organization: With ARM, you can scan your Active Directory and file servers to analyze user access to systems, data, and files, and help protect against the risks of data loss and breaches.
    • Automate and orchestrate the provisioning and deprovisioning of user accounts. When users leave, it can become a headache to remember where all permissions for that user are applied. However, using ARM, you can provision and deprovision users and their permissions in seconds. Delegating permissions becomes easy as well by using ARM in the environment.
    • Identify users with insecure configurations; build a full audit trail of all permissions and access-level changes to help with timelines and other artifacts of cybersecurity investigations.
    • Automate regulatory compliance reporting: have access to comprehensive audit reporting for auditors.
  • Simplify SharePoint permissions management: Assess user permissions to SharePoint folders and files, automate SharePoint permissions management, monitor suspicious activity, and respond to security risks.
  • Active Directory reporting tool: Analyze AD user and group permissions to validate compliance, detect escalated privilege attempts or credential misuse, and automate deprovisioning to prevent data exfiltration.
    • Support your compliance mandates, such as the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA) to ensure that all Active Directory permissions are compliant with these mandates. Additionally, you can effectively report on relevant AD user and group permissions data and receive notifications when changes occur.
    • Detect credential misuse and have an effective way to examine insights into credential abuse.
    • Automate account deletion: you can automate account discovery and deprovisioning of inactive or expired accounts.
  • Demonstrate compliance: Without an automated solution, demonstrating compliance and having the required data to prove you are compliant can be difficult. With the Access Rights Manager solution, you have access to the automated reporting tools that allow collecting and presenting data in a way to demonstrate this compliance effectively.

What versions of SolarWinds Access Rights Manager are available?

Access Rights Manager versions ^

When it comes to installing SolarWinds Access Rights Manager, there are two versions to choose from for the installation:

  • ARM Audit Edition
  • ARM Full Version

The following table compares the feature details of each version of the product.

FeatureARM Audit EditionARM Full Version
User permission analysis for Active Directory, Azure AD, file servers (Windows, EMC, NetApp), SharePoint, SharePoint Online, Exchange, Exchange Online, OneDrive, SAPYesYes
Monitoring (logging) for Active Directory, file servers (Windows, EMC, NetApp), SharePoint Online, Exchange, Exchange Online, OneDriveYesYes
Risk analysis overviewYesYes
Risk managementNoYes
User provisioning for Active Directory and Azure ADNoYes
Permission management for Active Directory, file servers (Windows, EMC, NetApp), SharePoint, SharePoint Online, Exchange, Exchange Online, OneDriveNoYes
Data owner concept (delegation of access rights management)NoYes
Self-service permission portalNoYes
RemediationNoYes

Installation components ^

The Access Rights Management suite comprises the following components:

Required components

Included with the ARM installation package:

  • The ARM server: Process new data and requests from the main application, including the first collector to connect your resource and data systems
  • The ARM application: The front-end GUI for using ARM
  • The ARM configuration application: The front-end GUI for configuring ARM
  • Web components: The web client and Web API for accessing and using ARM
  • Microsoft SQL Server Express database server: Use an existing MS SQL Server instance or install the included Express Edition to store ARM's collected information (great for the basic installation or evaluations)

Optional components

Included with the ARM installation package:

  • Additional ARM collectors: install more collectors to balance loads in large environments

Installation requirements ^

The following are the requirements for a basic installation of the ARM Server. Additional requirements may be necessary for the ARM collector and GUI application requirements. If you decide to use an external SQL Server outside of the included SQL Server Express installation, you will want to note the SQL Server requirements provided by SolarWinds on their requirements page.

Hardware/softwareRequirements 
Operating systemWindows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
CPU (number of processor cores)Active Directory usersNumber of cores
up to 1,0002
up to 4,0004
4,000+4
No support for Intel Itanium platforms
Hard drive spaceActive Directory usersDisk space
up to 1,00030 GB
up to 4,00040 GB
4,000+40 GB
MemoryActive Directory usersRAM
up to 1,0004 GB
up to 4,0008 GB
4,000+16 GB
.NET Framework.NET 4.8 (or higher)
Access rightsThe service account requires local administrator rights on the ARM server.
OtherThe ARM server must be a member of an Active Directory domain.
No support for clusters
No support for Server Core


Let's look at installing the SolarWinds Access Rights Manager solution.

Installing SolarWinds Access Rights Manager ^

I found installing SolarWinds Access Rights Manager was very straightforward. The following walkthrough shows the installation of the Evaluation edition. When you install the 30-day Evaluation version, you can easily use the "all-in-one" installation of ARM that installs the SQL Express installation along with ARM. This makes evaluating the product extremely easy from a components standpoint to get the installation up and running.

As you can see, the Evaluation installation:

  • Installs everything you need to run ARM
  • Installs SQL Server Express locally
  • Is recommended for evaluating ARM
Running the ARM installer

Running the ARM installer

Next, accept the end-user license agreement (EULA).

Accept the EULA for SolarWinds ARM

Accept the EULA for SolarWinds ARM

The next screen is the Install Report. The name is not that intuitive at first; however, this is basically a preinstallation check of the underlying hardware, components, and requirements to make sure there are no "showstoppers" to the installation before proceeding.

SolarWinds ARM preinstallation report

SolarWinds ARM preinstallation report

Once the preinstallation Install Report is complete, you can continue with the actual installation of Access Rights Manager Server.

Installation of SolarWinds ARM begins and progresses

Installation of SolarWinds ARM begins and progresses

One issue the preinstallation check did not catch in my case was the lack of a certificate for use with the web server components. I received the Failed to automatically configure web client message. I clicked the Configure manually button to move on.

Issue with web components during the installation

Issue with web components during the installation

Initially, after investigating, I found the certificate blank. You can use the new-self signed certificate cmdlet to generate a new certificate for testing. This is what I did, and after clicking the Refresh button, the certificate appeared.

After creating a self signed certificate and refreshing the configuration

After creating a self signed certificate and refreshing the configuration

After resolving the certificate issue, I was able to move forward, click Apply, and then Launch ARM Configuration.

After applying the certificate, launch the ARM configuration utility

After applying the certificate, launch the ARM configuration utility

Click the button to Login to the Access Rights Manager configuration utility.

Access Rights Manager configuration utility ^

Before using the Access Rights Manager Server for auditing permissions, you first need to configure gathering security and accessing information from your infrastructure. The installation process workflow by default takes you into the configuration utility.

Log in to the Access Rights Configuration Manager

Log in to the Access Rights Configuration Manager

One of the first things you will want to do is populate the Credentials for Active Directory and SQL Server access.

Populate credentials for Active Directory and SQL access

Populate credentials for Active Directory and SQL access

Once you do this, the configuration status should test successfully. Save the configuration.

Save the credentials and configuration

Save the credentials and configuration

Confirm saving the changes.

Submit changes for the ARM configuration

Submit changes for the ARM configuration

Now that you have completed this initial configuration task in the Access Rights Manager configuration utility, you can set up your first scan. Navigate back out to the main configuration utility page. The first button you will see underneath the Server Status is the Scans configuration. Click Scans.

Configure Access Rights Manager scans in the configuration utility

Configure Access Rights Manager scans in the configuration utility

Configuring the technology to add to the resource configuration of ARM

Configuring the technology to add to the resource configuration of ARM

One of the first logical places to start if you are using Microsoft Active Directory in your environment is adding a Domain/Active Directory Resource to scan.

ARM automatically fills in a few details here from the initial credentials entered earlier in the configuration utility. The user and domain are already populated. Click Apply.

Specifying Active Directory scan parameters in the ARM scan configuration

Specifying Active Directory scan parameters in the ARM scan configuration

Once you click Apply, it adds the new domain scan configuration to the ARM scan configuration. Notice the "play" button. You can click this to kick off an ad-hoc scan of the domain manually. The defaults will automatically schedule the scan to run at 10:00 p.m. every night. You can change the configuration of the hyperlinked items.

Add a new domain scan automatically to the ARM scan configuration

Add a new domain scan automatically to the ARM scan configuration

As an example, clicking the "Permissions will not be scanned" link opens the Scan permissions on Active Directory window. You can configure additional permission scans for Active Directory here.

Changing the scan permissions of an Active Directory scan

Changing the scan permissions of an Active Directory scan

Now that we have a scan configured for Active Directory, let's take a look at the ARM Server GUI to get an overview of the functionality contained.

ARM Server GUI features and functionality ^

One point to keep in mind to avoid confusion is the configuration utility is not the Server GUI for viewing auditing, permissions, and other information. You need to launch the Access Rights Manager GUI to view your scans, reporting, and so forth. First, you will need to log in to the ARM Server interface.

Log in to the Access Rights Manager GUI

Log in to the Access Rights Manager GUI

One of the first things that will strike you when launching the Access Rights Manager interface is the wealth of quick links to take you to very valuable information right from the start.

This includes quick links for permissions analysis, user provisioning, documentation and reporting, and many others. This provides a great way to start getting value from the product quickly.

Viewing the Start dashboard in the Access Rights Manager interface

Viewing the Start dashboard in the Access Rights Manager interface

Another thing you will notice quickly is the large Search field at the top. This allows you to search on any objects or keywords contained in the ARM system. This is also customizable as to the scope of the search.

Using the search functionality in the Access Rights Manager GUI

Using the search functionality in the Access Rights Manager GUI

By clicking the "settings cog" in the search field, you can add different types of objects to return in the search queries from the search form.

Customizing search settings for Access Rights Manager

Customizing search settings for Access Rights Manager

I found the Resources dashboard was a great first stop in the interface. You can browse your AD structure and get detailed reporting on objects as you click on them. Once you click an object, you will see the Report drop-down menu. This contains various reports, including Account Details, "Who did what?" and many others.

Viewing access rights based on Active Directory resource and reporting

Viewing access rights based on Active Directory resource and reporting

One of the great features you will find under the Resources menu is the ability to create Alerts. With the Alerts feature, you can create fully customizable alerts on objects for any number of changes that might be made.

Create alerts on objects to be notified of changes

Create alerts on objects to be notified of changes

The Create Alert screen allows you to customize the parameters for the alert, event, threshold, actions, and so on. This allows the product to notify administrators proactively on changes to specified objects.

Customizing alerts for objects

Customizing alerts for objects

On the Permissions dashboard, you can build queries on resources accessed. You can easily see the resulting permissions for the various resources.

The permissions dashboard lets you determine permissions for resources quickly and easily

The permissions dashboard lets you determine permissions for resources quickly and easily

The Accounts dashboard provides an interesting graphical view of your resources, memberships, and so on. You can also easily view the attributes for the resource.

ARM accounts dashboard showing visual display of users and groups

ARM accounts dashboard showing visual display of users and groups

You can even use the ARM interface to create objects if you have a writeable account configured for making AD changes.

Create a new user or group from the Accounts screen

Create a new user or group from the Accounts screen

Under the Dashboard menu, you get a great deal of valuable metrics from your Active Directory infrastructure. You can see the dashboard primarily focuses on details from AD that can possibly be security risks. This can help give great visibility to potential issues an admin should address quickly.

The ARM Dashboard gives detailed information for interesting security reporting for AD and other infrastructures

The ARM Dashboard gives detailed information for interesting security reporting for AD and other infrastructures

The Multi-selection screen allows filtering down objects and selecting objects from the AD infrastructure.

Multi selection provides an easy way to filter by type of AD objects you want to focus on

Multi selection provides an easy way to filter by type of AD objects you want to focus on

The Logbook screen provides an automated way to show changes documented in your infrastructure. It records changes in this section, including time, author, and specific changes.

The Logbook provides an audit trail for changes

The Logbook provides an audit trail for changes

Moving on to the Scan comparison screen, you can compare the state of your infrastructure with a specific scan time so you can have visibility to changes that have happened in the various intervals between scans.

As you can see below, the scan comparison captured a user added as well as a group membership change that also occurred.

Scan comparison helps track changes made between scan intervals

Scan comparison helps track changes made between scan intervals

Keep in mind that you can export all the information displayed throughout the various dashboards in easy-to-read reports provided as needed, which is a great feature.

Impressions and wrapping up ^

All in all, I found SolarWinds Access Rights Manager to be a powerful tool for giving visibility to potential security risks, changes in the environment, as well as a great way to capture changes for auditing. The various dashboards contained in the ARM interface were intuitive and featured basic "point-and-click" navigation and workflow. This was much easier to use than other access rights and auditing solutions I have used.

I can see this utility being a great fit for organizations that find it difficult to track changes in their environments and need visibility to what is actually going on, including who or what is responsible for changes. Additionally, in terms of compliance regulations, the automated tools contained in ARM provide just what is needed for documenting and tracking changes and access rights to resources across your infrastructure.

Regardless of the size of your environment, SolarWinds Access Rights Manager is a great tool for gaining the visibility needed along with the management capabilities to control access to business-critical resources within your infrastructure. You can download a fully functional evaluation of  SolarWinds Access Rights Manager here.

Are you an IT pro? Apply for membership!

Your question was not answered? Ask in the forum!

1+

Users who have LIKED this post:

  • avatar
Share
0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account