Introduction

Managing information system security is a priority for every organization. In fact, the level of security provided by software vendors has become a differentiating factor for IT purchase decisions. Quest strives to meet standards designed to provide its customers with their desired level of security as it relates to privacy, confidentiality, integrity, and availability.

This document describes the security features of Binary Tree Migrator Pro for Active Directory. It reviews access control, protection of customer data, secure network communication, cryptographic standards and more.

About Migrator Pro for Active Directory

Binary Tree Migrator Pro for Active Directory provides the following functionality:

• Full directory synchronization of users, groups, and devices with configurable profiles.

• Data transformation and customizable mapping of directory attributes.

• Password hash synchronization.

• SID History migration.

• Device migration including permissions and offline domain join.

• Network share permissions migration.

Architecture Overview

Overview of Data Handled by Migrator Pro for Active Directory

Migrator Pro for Active Directory collects data for a variety of directory objects.  The directory objects and properties collected are configurable to ensure only the desired objects and properties are processed.

• A directory sync service, running within the customers network, processes Active Directory objects using LDAP. Objects include users, groups, contacts, and computers. Properties include account name, email addresses, contact information, department, membership and more.

• LDAP credentials, provided by migration operators, are encrypted with AES-256 and stored in SQL Server.

• When the optional password sync feature is enabled, the NTLM password hash of all user accounts in scope are collected, encrypted with AES-256 and stored in SQL Server.

• Device agents running locally on the end user’s workstation collect device properties using WMI and PowerShell. Device properties include device name, domain name, user profile locations and more.

• Migrator Pro for Active Directory optionally stores credentials required for network share re-permission and Active Directory domain joins. These credentials, provided by migration operators, are encrypted with AES-256 and stored in SQL Server.

Overview of Data Handled by Migrator Pro for Active Directory

Migrator Pro for Active Directory collects data for a variety of directory objects.  The directory objects and properties collected are configurable to ensure only the desired objects and properties are processed.

• A directory sync service, running within the customers network, processes Active Directory objects using LDAP. Objects include users, groups, contacts, and computers. Properties include account name, email addresses, contact information, department, membership and more.

• LDAP credentials, provided by migration operators, are encrypted with AES-256 and stored in SQL Server.

• When the optional password sync feature is enabled, the NTLM password hash of all user accounts in scope are collected, encrypted with AES-256 and stored in SQL Server.

• Device agents running locally on the end user’s workstation collect device properties using WMI and PowerShell. Device properties include device name, domain name, user profile locations and more.

• Migrator Pro for Active Directory optionally stores credentials required for network share re-permission and Active Directory domain joins. These credentials, provided by migration operators, are encrypted with AES-256 and stored in SQL Server.