NetPro offers protection for Active Directory

Jan 16, 2006 (3 mins)
Asset Management Software, Networking, Security

NetPro this week plans to upgrade its directory management tools to help customers better protect their environments from unplanned or malicious changes.

The company is set to ship Directory Lockdown 4.0 with new controls to protect a directory’s configuration and schema settings from being altered on Windows domain controllers where Microsoft’s Active Directory runs. The software also features a notification system that signals all attempted changes to IT executives, a customizable list of permitted changes and a new console interface.

As Active Directory has found its legs in corporate networks, administrators are discovering certain deficiencies with the software, such as a feature that lets administrators escalate their rights and perform potentially damaging changes.

“Because of compliance regulations a lot of the security auditors are paying attention to Active Directory,” says John Enck, an analyst with Gartner. “And it is really coming up with deficits in auditing, change management, compliance, the ability to lock it down, ability to delegate. The limitations have always been there, but all of a sudden there is a lot more attention on them.”

Microsoft plans to begin closing those gaps with the release of Longhorn Server by including read-only domain controllers. But the software is not due until 2007, if Microsoft stays on track with the server.

With previous versions of Lockdown, NetPro prevented changes from replicating, but the 4.0 version takes a more proactive approach by blocking the changes from occurring, says Richard Hoey, product manager for Lockdown.

“Now we are analyzing the changes before they even hit,” Hoey says.

Lockdown, which competes with similar change management software from NetIQ and Quest, is preconfigured to prevent any change to Active Directory’s configuration or schema naming context (SNC). Those two areas of the directory contain all the configuration data for the Active Directory infrastructure, such as the definition of a site. Typically that information does not change frequently. The domain SNC contains the user data, and NetPro plans to protect that SNC with technology slated for inclusion in its SecurityManager product later this year.

Once Lockdown is installed, users can craft their own customized list of allowed changes. Any other changes are blocked. The software also includes a notification system that alerts IT executives and records the who, what, when and where of the attempted change.

Lockdown runs using a series of agents installed on domain controllers. A client, which can be run as a thin-client terminal server interface or installed on a desktop, collects the monitoring information from each client. The agents feature NetPro’s anti-tamper technology to protect their integrity. The client interface has been expanded to include such features as hot alerts that users can click on and get more detailed information.

Lockdown is priced at $6 per user.