Suppose a user complains about being unable to log in through VPN. Use IT Security Search to investigate and resolve the situation.
For best results, enable the following connectors:
You should start by searching for the David Shore user account, which is having problems. To get results quickly, use the Whom:"David Shore" query. This will take you directly to the events that affected the account.
Suppose the search results include group membership change events from InTrust and Change Auditor indicating that the user was removed from one or more groups. Examine these events and find the one about the group used for providing VPN access. Note that the timestamp of the event is later than the last Active Directory backup. Also note the other event details such as who did this.
In the breadcrumbs line, click the user name to open the user details, and go to the History tab. In the change history view on the Backups tab, locate the state before the VPN-related group membership change, and click the corresponding Restore from backup link.
VPN access for David Shore is restored now, and you know who interfered with his group membership.
Suppose a new user is not getting the expected permissions to open a network share. You want to use IT Security Search to look into this.
To make the investigation as efficient as possible, make sure that data from the following sources is available:
You are about to examine share access, so it makes sense to start by looking at share permissions.
Search for the share path. Click the share you need in the list of results and open its details. In the permissions table, you find the Marketing group, which is used for controlling access to the share. Apparently the user is supposed to be a member of this group, but is not.
Do a search for the Marketing group; click the group in the results and go to the details view for it. It turns out to be an Active Roles dynamic group. Click the Membership Rules tab in the details table to see how the group is populated. In the Rule Details column, you find the following rule: "[User] department Is (exactly) Marketing".
The user's department information is probably wrong, making the user unfit for membership in the Marketing dynamic group. See if this guess is correct: search for the user name, locate the user in the results and open the user's details.
You find that the value of the Department attribute has a typo: "Markering" instead of "Marketing", and you notify the security administrator about this issue.
When you get a response from the administrator saying that the problem has been resolved, you do another search for the Marketing group to confirm that the user is now a member.
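An exact-match rule like the one in this scenario silently excludes any account whose attribute is off by a single character. The following PowerShell sketch is an added example, not one of the scripts shipped with IT Security Search or Active Roles. It lists accounts whose Department value almost matches the rule value. The user records are constructed sample data, the function names are hypothetical, and the script assumes that any value not character-for-character identical fails the rule.

```powershell
# Constructed sample records; in practice these would come from a directory export.
$users = @(
    [pscustomobject]@{ Name = 'Alice Reed'; Department = 'Marketing' }
    [pscustomobject]@{ Name = 'New User';   Department = 'Markering' }   # typo from the scenario
    [pscustomobject]@{ Name = 'Bob Lane';   Department = 'marketing ' }  # case and trailing space
    [pscustomobject]@{ Name = 'Carol Diaz'; Department = 'Sales' }
)

# Levenshtein distance between two strings, computed with two rolling rows.
function Get-EditDistance {
    param([string]$A, [string]$B)
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $curr = New-Object 'int[]' ($B.Length + 1)
        $curr[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $best = [Math]::Min($prev[$j] + 1, $curr[$j - 1] + 1)
            $curr[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    return $prev[$B.Length]
}

# Hypothetical helper: report users who fail the exact-match rule by a small margin.
function Find-RuleNearMiss {
    param($Users, [string]$Attribute, [string]$Expected, [int]$MaxDistance = 2)
    $target = $Expected.ToLowerInvariant()
    foreach ($u in $Users) {
        $value = [string]$u.$Attribute
        if ($value -ceq $Expected) { continue }   # identical value: rule is satisfied
        $normalized = $value.Trim().ToLowerInvariant()
        $distance = Get-EditDistance -A $normalized -B $target
        if ($distance -le $MaxDistance) {
            [pscustomobject]@{ Name = $u.Name; Value = "'$value'"; Distance = $distance }
        }
    }
}

Find-RuleNearMiss -Users $users -Attribute 'Department' -Expected 'Marketing' |
    Format-Table -AutoSize
```

A row with distance 0 differs from the rule value only in letter case or surrounding whitespace; the value is printed in quotes so that stray spaces are visible.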
IT Security Search comes with additional PowerShell scripts that help automate configuration. These scripts are available in the Scripts subfolder of your IT Security Search installation folder. At this time, the following scripts are shipped:
| Scripts | Details |
|---|---|
| New-SslCertificate.ps1, New-CertificateBinding.ps1, Delete-CertificateBinding.ps1 | These scripts help configure the SSL certificate used by IT Security Search. |
| Set-ItssConnectorSettings.ps1 | Updates the settings of an IT Security Search connector. For details, see the script's help output. |
| ITSS-ExportFields.psm1 | Customizes the layout of search results exported to a file: rearranges and resizes the columns for the object types that you specify. The script applies the layout configuration you provide directly; it doesn't use the column set configured in the IT Security Search UI. For details, see the script's help output. |
If you need to contact Support, you should provide various technical details for a speedy response. IT Security Search includes a utility that automatically gathers all the information that support engineers may need and stores it in a single ZIP file.
To create such a file, open the About box in the IT Security Search UI, select the Contact tab and click Save Information for Support. The file is not transferred to Support automatically. To submit it, open a service request at https://support.quest.com/contact-support.
Quest needs your consent for gathering the data, because some information in the resulting file may be considered sensitive. Quest ensures that storage and processing of this information are duly protected to safeguard your privacy.
The following information is gathered:
IT Security Search uses PowerShell to collect the data.